Appropriate Use of Off-Campus Internet-based(Cloud) Administrative Computing Services

Purpose:

Off-Campus Internet-based Computing Services represent a growing variety of services available on the internet.  Such services can be useful to SVSU in its administrative pursuits.

The business models and terms of use of these services often involve a variety of real risks to users and the content they deploy in these services. This document is intended to provide guidance to help individuals make informed, well-considered choices about appropriate use of Internet-based services. It includes explanation of current concepts of Internet-based computing services, current examples, and factors all faculty, staff and students should review.

Background:

Internet-based computing is a general term used to include a variety of computing and information services and applications run by users across the Internet on the service provider's systems, instead of run "locally" on personal computers or campus-based servers.

Definition:  These Internet-based services are sometimes called:

• Hosted Applications,

• Hosted Storage

• Hosted Computing

• Cloud Computing (where the Internet is referred to as a "cloud" or shown as a "cloud" on diagrams)[2].

Some examples of these Internet-based services range from Google Apps to Microsoft Live services, and YouTube. As of early 2009, Internet-based services are still an early and somewhat immature business model.  Because of heated competition in this space, we can expect considerable innovative investment will be focused here. Many Internet-based services are offered free or at very low cost in order to attract and compete for user volume. Several such systems are already in use by administration[3].

Why is this Important?

Almost all decisions to use Internet-based applications are made by individual departments. The content the department enters into the service may involve sensitive data, or valuable intellectual property, or institutional business records. The service may play a key role in the execution of an important business process, such as processing or storing University business records. The University has a vested interest in protecting business processes against unwanted disruptions, and protecting intellectual property and sensitive data against loss or unauthorized access and use.

Factors that Must be addressed for Administrative Use:

When contracting for an Internet-based service the Department must document that the vendor adequately addresses the following items::

Terms of use:

The terms of use of many Internet-based services are non-negotiated. The customer has only the choice to "accept" the terms of use as they are (or may become; see below), or to not accept the terms of use and stay away from the service. This makes it very important to analyze and perhaps get legal consul on the terms of use that are presented.

Transfer of license:

Do the terms of use involve any transfer of license giving the service provider rights to make use of the user's content? Terms of use may include a provision that, by using the service, the user is granting the service provider a broad range of rights to use the content the user places in the service. Users should take care to note the difference between ownership and rights of use. Terms of use often state that user content is owned solely by the user, but the terms of use sometimes also grant the service provider the right to make its own use of user-owned content in ways the user-owner may find objectionable. Ownership and rights of use are generally addressed in separate sections of   terms of use, sometimes obscuring the distinction between ownership and rights of use in the agreement.

Security, Privacy, and Authentication:

• Do the terms of use commit the service provider to keeping a user's data secure or even private from other legitimate users of the service? Do the terms of use give the service provider rights to make use of the user's identity (may the service provider share user information with business partners, or sell user information)?

• Services must integrate with SVSU's authentication system of Usernames (UserIDs) and passwords or "SVSU's remote Authentication Policy"[4]

Backups:

Do the terms of use commit the service provider to backup user data? In what cycles? What are the retention periods?  Can or should SVSU get a copy of its data on request or on a regular basis?

Assured purging:

Do the terms of use commit the service provider to fully delete from the service any content, including distributed or backup copies that the user has intentionally deleted from their use of the service? Who can delete accounts?  Can the instructor? Can the student?

Non-negotiated changes to terms of use:

• Are the terms of use posted clearly on the service's website, or are they hard to find?

• What do the terms of use say about the service provider's ability to change the terms of use?

• Do the terms of use commit the service provider to:
  • Notifying the user of any such changes?
  • Or simply posting changes on the service's website, with the user being responsible for constantly monitoring the posted terms of use to know when they have changed?

• Do the terms of use require that the user formally acknowledge changes to the terms of use, or does the user accept the new terms simply by continuing to use the service?

It is not unusual for terms of use to grant the service provider the right to change the terms of use at any time and in any way without the permission of the user and frequently without notifying the user. This simple provision means that the "agreement" essentially provides no real protections for the user, because any of the protections articulated in the version to which the user agrees can be changed at any time by the vendor[5].

Non-negotiated changes to the service:

• Can the service provider change the service itself (for example, stop providing it at all) without notice to the user?

• If with notice to the user, what period of advance notice is provided to the user by the service provider, and by what means (direct notification; a posting on the service website?)? 
  
  

Remember that a service may terminate due to the service provider's business failure or acquisition by another party, and that this may cause abrupt changes not addressed by the terms of use.

Non-negotiated changes to the business model.

• Can the service provider change its business model?; how likely is this?

• Critical changes to the business model could include changes to the service feature set, or changes to the pricing model, or a combination (e.g., moving from "all features free" to "basic features free; valuable features at a price").

Data formats: -

• Are the formats in which data are stored by the service standard or proprietary?

• Will the user be able to easily remove their content, or copies of the content, from the service and use it in other places or with other applications?

• Indemnity: Just how vital to University business is the use being made of the service?

• What if something truly unwanted happened while University data was deployed in the service (e.g., a major business disruption; loss of vital data or business records; unauthorized access to sensitive data)?

Terms of use generally contain language by which the user agrees to hold the service provider harmless if the service provider does any damage to the user's data or ability to use the service (to support the user's business uses). Sometimes the indemnity language is even more favorable to the service provider, and may expose the user (University) to liability to pay the service provider's legal expenses.

Risk Analysis:

The following risk analysis steps can be helpful to determine the appropriateness of using a Internet-based service. The analysis is designed to help identify potentially appropriate uses by eliminating the riskiest use cases, based on the types of data intended to be deployed in using the service. The triage also identifies ethical issues worth consideration.

1. Confidential institutional data. SVSU is obligated by law and certain contractual obligations to protect certain types of data.  Internet-based services must NOT be used with any of these confidential data types, unless an appropriate contractual agreement can be negotiated with the service provider by the University. Click-through terms of use rarely if ever provide appropriate contractual terms.
   
   

1. Institutional business records. The International Standard for records management, ISO 15489, defines a "record" as "information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business." Many types of data we receive or create every day fit this definition and do not necessarily involve confidential data types, but deserve appropriate care in how we manage the records. Business records can take the form of e-mail, e-mail attachments and other electronic communications, calendar entries (particularly those involving important meetings or events; e.g. meetings involved in due process protocols; vendor contacts during bidding; etc.), and documents posted and edited in file shares, wikis and a variety of other electronic tools. Cloud- computing services must not be used for work involving University business records, unless an appropriate contractual agreement can be negotiated with the service provider by the University. Click-through terms of use rarely if ever provide appropriate contractual terms. 
   
   

1. Student, faculty and staff intellectual property. SVSU's Intellectual Property policies and policies regarding student intellectual property define the types of intellectual property that belong to students, faculty and staff. Sometimes this property needs to be protected carefully (e.g., content with patent or other commercial potential) and should not be placed in an Internet-based computing situation unless an appropriate contractual agreement can be negotiated between the University and the service provider. Sometimes the owners of this property care less about its protection than they care about the value of the services they will be receiving from Internet-based service. These trade-offs should be considered before using an Internet-based service, and the choices should be made by the involved content owners. 
   
   

1. Agency decisions. One person should not make a decision regarding use of Internet-based services when others who are party to the use but not party to the decision may have valued data involved. Student's class work is their own intellectual property; if an instructor chooses to use a cloud-computing application in a class, the application's terms of use should be reviewed with the students in the class, and the instructor must be willing and able to provide an alternative if a student decides not to use the service due to objections to its terms of use. Similar regard should be given to faculty or student collaborators and their intellectual property if an Internet-based service is chosen for use to support a research project or other form of group collaborative effort. All members of the collaboration or work group should be aware of the conditions of use for the tools they are using, and should reach a consensus decision about the value of using those tools.

When you are not sure, ask If you are unsure about a choice regarding Internet-based, please do not hesitate to contact the Executive Director or Director of Information Technology Services.

Footnotes: 

[1] Derived from Appropriate Use of "Cloud Computing" Services by the Michigan State University Community 22 April 2008

[2] (expanded documentation in-progress)

Off-Campus Internet-based (hosted/blended) Systems

[3] The most common model used for marketing and the user relationship with these services is a "business to individual" (B2I) model, wherein the service provider (a business) offers the service to individual users. These Internet-based services also may be offered in a "business to business" (B2B) model, wherein the service provider (a business) offers its services to other business entities. B2I models most typically involve a service agreement (usually called "Terms of Use") that may be executed by the individual end user at the time of initiating the service by clicking an "I Accept" button on the service's website (called a "click-through agreement"), or by the user indicating their acceptance of the terms of use simply by beginning, and continuing, to use the service. B2B models generally involve a service agreement that is formally negotiated and executed between the service provider and the user business entities.

[4] SVSU's Remote Authentication Policy:

Federated Authentication:

SVSU uses a simple form of federated authentication that protects SVSU passwords by making it unnecessary for SVSU users to expose their passwords to the Internet or 3^rd party remote servers.

When it comes time to authenticate at a remote site, the 3^rd party remote server forms a call to SVSU, containing the session identifier and USER ID required for authentication. (HTTP GET redirect or HTTP POST auto-submit form)

The process of authentication at SVSU is carried out.

After the authentication is finished at SVSU, the user is sent back to the 3^rd party remote server with an additional proof of the fact that the authentication was successful (token or hash). The server receives and verifies the proof. Upon successful verification, the user can continue with the service offered by the 3^rd party server.

[5] .(Note: In early 2008, some terms of use for Internet-based services were observed to change as frequently as every 2 months. Because this business model is highly competitive and rapidly evolving presently, terms of use often change in favor of the user.)