Selecting cloud solutions
Selecting cloud solutions to support teaching, learning & research
When looking to introduce a cloud solution to support teaching, learning and/or research, many things need to be considered before it is adopted – privacy, information management and protection, and legislative compliance, to name a few. When considering teaching and learning technologies, the Centre for Innovation in Teaching and Learning (CITL) should be consulted first to assist with finding the right tool(s).
When considering research technologies, submit a Research IT Request first to see if there’s a solution already available to you that meets your needs. Information from researchers will be reviewed by a research IT advisory group to connect researchers with research IT services as well as to identify gaps in services.
If a suitable technology is not available, the Office of the Chief Information Officer (OCIO) has established an IT Governance and Collaboration Framework to support the university community in selecting the right tools for its specific needs. An IT Investment Proposal is the first step in that process. The primary benefits of using this process are:
- Each proposal is reviewed to determine if the same or similar IT solution is already licensed at the university before new solutions are acquired or created. There is the potential to save time and money.
- Solutions receive a thorough review by the Office of the CIO and Office of General Counsel. Technologies identified in an IT Investment Proposal receive priority over requests to review technologies that do not go through the IT Investment process.
- Solutions are reviewed to determine the complexity and potential challenges of implementation, including compatibility with the University’s network, systems, etc.
- When proposals are reviewed by the appropriate committee(s), it is common to find that other areas of the University have a similar need, which creates opportunities to share costs.
Should an employee choose to use/procure a cloud solution outside of the IT Governance and Collaboration Framework, the following advice/considerations are offered:
Prior to Purchasing
1. Visit the company website to identify where it is headquartered, where it will store your data, and its business affiliations. Try to find out the locations of the company’s production servers, data backups, and disaster recovery. Avoid a company that refuses to tell you where its servers are located.
2. Look for articles about the company and reviews of its product from reputable sources and, in particular, articles and reviews about its privacy and security practices. Avoid vendors that have been found by regulatory authorities to be guilty of privacy or security breaches.
3. Look for the company’s compliance with security and regulatory standards depending on the nature of the cloud service and the type of information being collected/processed:
- General/baseline security best practices – ISO/IEC 27001 (information security management), ISO/IEC 27017:2015 (information security in the cloud), ISO/IEC 27018:2019 (protection of personally identifiable information in the cloud), and System and Organization Controls (SOC 2) reporting.
- Personal information – General Data Protection Regulation (GDPR). While it applies specifically to the collection/processing of personal data of European Union citizens and residents, GDPR compliance indicates that the vendor meets a regulation focused on the handling and use of personal information.
- Personal health information – Health Insurance Portability and Accountability Act (HIPAA). While this is a US-based Act, many vendors aim for compliance because it sets standards for those handling electronic personal health information.
- Credit card information – Payment Card Industry Data Security Standard (PCI DSS) compliance is MANDATORY if the vendor will be collecting/processing credit card information.
- FREE - The company likely uses and retains your data and your users’ data to generate revenue through advertising, data mining activities, analytics, and/or its sale.
- NOMINAL FEE OR LOW INTRODUCTORY FEE - The company generates some revenue through fees charged but most likely also uses and retains your data and your users’ data to generate revenue through advertising, data mining activities, analytics, and rent or sale.
- COSTLY - The company more likely relies on user fees as its revenue engine, but you should still review how your data and your users’ data will be used.
A vendor’s use of your data or your users’ data for its own purposes does not have to be a deal breaker if
- you minimize the data shared by you and your users, and
- you and your users make full use of the privacy settings that you can control.
7. Ensure that the vendor guarantees that your data can be permanently purged from its server(s), including backups, at the end of the contract and that, if required, a copy can be provided to you in a usable format.
8. Review the privacy/security settings. Set the default settings to the highest level of security. If privacy settings are left to the user, users should be clearly instructed to do the same. You and your users should turn off tracking features. Turn off audio and video recording features unless you have an operational need for them.
9. Provide as little personal information as possible. Avoid the use of unique identifiers like student numbers, dates of birth, home addresses, telephone numbers, or anything else that can be matched with other information that identifies who an individual is.
10. Enable multifactor authentication, if it is an option in the application.
11. Where possible, regularly delete records (including recordings) that do not need to be retained.
Upon Termination of Service
12. Once you no longer require the service, export a copy of your data (if required) and request your data be purged from the vendor’s servers, including backups, and request written confirmation from the vendor that the purge has been completed.