This document is intended to provide guidance to help individuals make informed, well-considered choices about appropriate use of cloud services. It includes information about the Google Apps for Education at MSU (also known as G Suite for Education), explanations and examples of current concepts of cloud services and applications, as well as risk factors all faculty, staff and students should review before using any cloud service.
“Cloud services” is a general term used to include a variety of computing and information services and applications run by users across the Internet (in the “Internet cloud”) on the service provider’s systems, instead of run “locally” on personal computers or campus-based servers. These Internet-based services are sometimes called “software as a service” (SaaS), or “platform as a service” (PaaS), or “hosted” applications, storage or computing.
Some examples of cloud services include Google Apps, Microsoft Live services, Amazon Elastic Compute Cloud, and Simple Storage Service. Cloud services have become a mature business model, but one that continues to rapidly evolve. Because of competition in this space, we expect considerable innovative investment will be focused here for some time. Many cloud services are offered free or at very low cost in order to attract and compete for user volume.
Google Apps for Education at MSU
During the summer of 2009, Michigan State University executed an “Education Edition” (“EE”) agreement with Google for MSU-specific access to Google Apps. This gives MSU and its EE Apps users contractual terms of service that are better, for many MSU purposes, than the standard terms of service one gets when using the Apps as an individual public user; that is, it provides MSU users with the opportunity to shift from the B2C model to the B2B model.
“High consequence” business records are those for which loss or inappropriate disclosure would result in a high consequence in terms of economic loss, legal liability, loss of public trust, or fall within the university’s retention schedules. The EE Apps are NOT for uses involving any types of data that MSU has defined as Confidential (see MSU Institutional Data Policy). Users of the EE Apps are strongly encouraged to exercise caution in their use of this service and to read and apply the guidance provided in the Appropriate Uses of Google Apps for Education Edition at MSU document.
By using the EE Apps services, users consent to the terms of the MSU agreement with Google, which give MSU service administrators the right to manage user accounts, and to access user accounts and contents for purposes of monitoring, use and disclosure of these data as may be required by the agreement with Google. MSU will protect the privacy of users and their content consistent with the Acceptable Use Policy for MSU Information Technology Resources and all applicable laws, University policies, ordinances, business and administrative rules or guidelines, the terms of contractual agreements the university has made, or other applicable restrictions.
Why should everyone be concerned personally about making good choices regarding appropriate uses of cloud services?
Almost all decisions to use cloud applications are made by individual users. The data involved in each instance of use are typically only known to the user, and under MSU’s Institutional Data Policy each user is individually responsible for appropriate stewardship of Institutional Data (as defined in the policy). The cloud service may play a key role in the execution of an important academic or business process, such as teaching or taking a class, analyzing research data or developing a paper for publication. So, we each have individual and shared interests in protecting academic and business processes against unwanted disruptions, and protecting intellectual property and sensitive data against loss or unauthorized access and use. Therefore, all individuals must take responsibility for their own individual choices to use cloud applications in connection with their university work. Specifically, it is the responsibility of the individual using cloud services to ensure that their use is in compliance with all university policies and procedures, and applicable law governing the handling and protection of sensitive data.
Only a small number of individuals at MSU (typically the highest-ranking executive officers) are authorized by the MSU Board of Trustees to enter into legal contracts on behalf of the university. When individual users without such signature authority wish to use a cloud service for their university work and accept a click-through agreement, they are individually responsible and personally liable for any legal liabilities resulting from the use of the cloud service.
Risks and Challenges with Cloud Services: Key Factors to Consider
Before using any cloud provider or service give the following factors due consideration:
Control of user content
Security and privacy
Non-negotiated changes to the service
Non-negotiated changes to the business model
Can the service provider change its business model? How likely is it to change its business model? Critical changes to the business model could include changes to the service feature set, or changes to the pricing model, or a combination (e.g., moving from “all features free” to “basic features free; valuable features at a price”).
Do the formats in which data are stored by the service follow commonly-used standards or are they proprietary and unique to the service provider? Will the user be able to easily remove their content, or copies of the content, from the service and use it in other places or with other applications?
In addition to the foregoing factors, the following risk triage steps can be helpful to determine the appropriateness of using a cloud service. The triage is designed to help identify potentially appropriate uses by eliminating the riskiest use cases, based on the types of data intended to be deployed in using the service. The triage also identifies ethical issues worth consideration.
1. Confidential Institutional Data
It is unlawful to disclose certain types of data to third parties (including cloud service providers) without appropriate safeguards in place. MSU’s Institutional Data Policy defines “Confidential Data” and obligates all members of the MSU community to take individual responsibility for properly securing Confidential Data. Cloud-services must NOT be used with any Confidential Data, unless an appropriate contractual agreement can be negotiated with the service provider by the university.
2. Institutional business records
Business records are “information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.” Many types of data we receive or create every day fit this definition and do not necessarily involve Confidential Data, but deserve appropriate care in how we manage the records. Business records can take the form of email, email attachments and other electronic communications, calendar entries (particularly those involving important meetings or events; e.g., meetings involved in due process protocols; vendor contacts during bidding; etc.), and documents posted and edited in file shares, wikis and a variety of other electronic tools. Cloud-services must not be used for work involving university business records, unless an appropriate contractual agreement can be negotiated with the service provider by the university.
3. Student, faculty and staff intellectual property
MSU’s Intellectual Property policies (see the MSU Technologies website) and policies regarding student intellectual property (see the Code of Teaching Responsibility) define the types of intellectual property that belong to students, faculty and staff. This property often needs to be protected carefully (e.g., content with patentable subject matter or commercial value) and should not be placed in a cloud situation unless an appropriate contractual agreement can be negotiated between the university and the service provider. Sometimes the owners of this property care less about its protection than they care about the value of the services they will be receiving from cloud applications. These trade-offs should be considered before using a cloud service, and the choices should be made by the involved content owners.
4. Agency decisions
When you are not sure, ask
If you are unsure about a choice regarding cloud services, please do not hesitate to contact the MSU Libraries Distance Learning Services Help Desk for assistance at (517) 355-2345 or (800) 500-1554 or firstname.lastname@example.org.
If you are unsure about Google Apps usage, please do not hesitate to contact the MSU IT Service Desk for assistance at (517) 432-6200.
The following groups provided editorial review of the initial development of this document: Network Communication, and Instructional Computing and Technology, and Communities for Advising, Facilitating and Enabling.
This document was originally created as a working draft on April 22, 2008 to revise advice provided previously in the Deans/Directors/Chairs memo of November 3, 2007.
Revised in November 2009 to incorporate a section regarding the Google Apps for Education Edition at MSU.
Revised in March 2011 to properly reference the MSU Institutional Data Policy and in September 2011 to update it for current market conditions and to clarify certain legal issues.
Revised in October 2014 to update Google for Education references, moved from PDF to in-line web page text, and add web formatting.
Revised in October 2016 to add a reference to the name G Suite for Education per vendor service name change.