Sometimes the best provider for a service is an outside organization. This may take the form of using a cloud service or simply outsourcing. You and your line management are in the best position to identify when this is the case. Use this document to help you make that decision. Although this document focuses on cloud services, it can also be applicable to outsourcing.
Review our Cloud Services - Cyber Controls page if you've already decided to use a cloud service.
Note for Operations: Operations Divisions may not acquire or configure any IT system without coordination with and permission from IT Division (see RPM Lifecycle Management for Information, Hardware, Software, and Services).
Things to Consider Before Using a Cloud Service or Outsourcing
1. Cyber Security Logging, Protection, and Analysis
Understand the cloud service's cyber security capabilities. Just because the service is in the cloud, doesn't mean your responsibility to protect your information goes away.
In general, Berkeley Lab cyber protections do not extend to cloud services. You may be relying on the cloud service to monitor for attacks, stolen credentials, and other issues. Their protections, unfortunately, may not adequately protect your information, or they may provide an avenue to attack Berkeley Lab or other systems.
For example, a Berkeley Lab group was using a cloud based web hosting service. The cloud based system was compromised and was used to host pornography. The cloud service was not able to provide enough information for Berkeley Lab cyber to reconstruct what happened and we were not able to turn it off. A major project at another National Lab was shutdown for weeks in a similar incident.
2. Expectations of Your Colleagues
Colleagues at some research institutions may be accustomed to using cloud services, however colleagues at other National Labs (especially the non-open science Labs like ORNL, PNNL, LLNL, and LANL) may be prohibited or strongly discouraged from using cloud services. Some research sponsors may also prohibit or restrict the use of cloud services.
3. No or Limited Recourse
If the cloud service is free or "clickwrap" you probably have little or no recourse if something goes wrong.
For example, one major free cloud service is notorious for shutting down websites it suspects of spam. How would this affect your project? Some agreements may also run afoul of laws, regulations and Berkeley Lab policy.
No matter what - ensure that the data remains the property of UC/DOE. Ensure the terms do not conflict with UC/DOE requirements regarding ownership of research results and unlimited grant licenses for work completed under the contract.
4. Document Management and Control
Using a cloud service does not relieve you of responsibilities for document management, document control, or archiving. Note in particular that if your project is covered by the Document Control Policy under OQMP, a cloud service may not provide the required controls.
5. Protection from Legal Disclosure / e-Discovery
The University of California has a history of acting to protect the interests of itself and its employees, within the law, when required to legally disclose information. With a cloud service, law enforcement or equivalent could go directly to the cloud service to request you information without notifying you or the University. Many cloud services will try to re-direct the request to you or the University first, but there is no guarantee.
6. Accidental "acceptable use" Issues
Some cloud services may violate our acceptable use policy. Three examples:
- One popular free video conferencing site is also used frequently for adult webcam chatting. Under the main menu, a variety of content may violate policy or be considered unprofessional. This doesn't mean you violated policy, but be aware of how others may perceive your use of it.
- One popular Voice over Internet (VoIP) service makes use of your available bandwidth in so called "supernode" mode. Many Universities find that this represents an unacceptable use of bandwidth. Although we don't have a position on this issue, it may create acceptable use concerns for others.
- Many free services are advertising supported. Be careful that you, Berkeley Lab, or UC do not appear to be endorsing a business since this is prohibited.
7. Be Prepared for Loss or Disclosure of Data
Don't put anything on an external information system that you are not prepared to lose/disclose. That means no Personally Identifiable Information (PII) ever, but it also means strongly considering other operational and pre-publication information.
Bottom line: assume high probability (near 100%) of disclosure in your risk calculation (this is how you should think about risks on open science systems in general) - if you can't live with the near 100%, start thinking seriously about what systems and controls you need to have in place, whether the system is here or somewhere else.
8. Your Responsibilities Don't Change
Your responsibilities don't change when you use a cloud service. You must still comply with Berkeley Lab policy and take personal responsibility for cyber security. Don't assume that the cloud service will provide security for your information. Other responsibilities include: complying with e-Discovery or other court orders, complying with data calls, patching, incident response, and acceptable use.
Consider social engineering attacks using collaborative services. Could someone pretend to be you or one of your collaborators and use this as a foothold for further attacks?
Can you maintain appropriate separation between your collaborative and more operational responsibilities? For example, don't use your outsourced energy policy blog to also store your PRDs.
Berkeley Lab can support a number of cloud services that use "federated authentication". Federated authentication allows you to use your Berkeley Lab password to access cloud services, however, your password is only transmitted to Berkeley Lab - not to the cloud service. More information about federated authentication is available
Made a decision?
If you have decided to use a cloud service or want to do a more in-depth analysis, read our Cloud Services - Cyber Controls. It will walk you through a risk analysis and the control requirements.
