What is cloud computing?
Cloud computing is a model for providing anytime, on-demand access to information and communication technology resources. Rather than investing in traditional physical computing infrastructure, cloud computing networks provide access to services and resources hosted elsewhere. The term itself describes a range of technology components including servers, storage devices, networking components, and specialized cloud software.
Advantages of cloud computing
Cloud computing offers many advantages, including:
- The potential to use services and applications faster than traditional computing, reducing run and response times
- Added functionality and flexibility
- Improvements to operational efficiency and cost reductions (e.g. administrative and equipment costs)
- Enhanced security
Examples of cloud computing at Waterloo
Workday, a cloud-based human resource management system (HRMS), replaced the University's previous HRMS system in January 2019.
Unit4, a cloud-based financial management system, replaced the University's core financial and reporting systems in May 2017.
D2L's Brightspace is the central learning management system (LMS) software for online learning and teaching at Waterloo and was implemented in Fall 2011.
Cloud computing offers many benefits, but before the decision to move to a cloud-hosted environment can be made careful consideration of privacy and security concerns, real or potential, must be given. The University of Waterloo takes both privacy and security seriously. Before a new system that stores or processes personal, highly restricted or other sensitive information can be deployed, an Information Risk Assessment (IRA) must be conducted.
The Information Risk Assessment
The purpose of an Information Risk Assessment (formerly known as a Privacy and Security Impact Assessment; PSIA) is to identify potential privacy and security risks of new or redesigned University business processes or services which use personal or other sensitive information and identify risk mitigation strategies to help Information Stewards decide whether to proceed. An IRA for Microsoft Office 365 completed by Information Security Services and the Secretariat concluded that cloud hosting of employee email would meet applicable privacy legislation and University policy.
Email and your privacy
While the potential move to the Office 365 cloud-based environment complies with outlined privacy legislation and University security policy, email as a service itself, whether in the cloud or on premise, may not be the right tool for certain types of sensitive communications. A variety of threats to the privacy and security of your email accuont and correspondence exist:
- Human error: An individual may send an email to an unintended recipient, who may then also further disseminate the content.
- Illegal action: Accounts are regularly threatened by phishing attempts and malware. There can also be cyber attacks against the University and the cloud provider.
- Legal action: Email correspondence can be made available as a result of legal requests, including freedom of information requests and law enforcement subpoena's. Such requests may even be made by law enforcement agencies outside of Canada (working with Canadian law enforcement).
Requests for information
Microsoft is an American company, and as such, United States law enforcement agencies could make a request for customer data from Microsoft directly. As stated on Microsoft's website:
…we will not disclose customer data hosted in Microsoft business services to a government agency unless required by law. If law enforcement demands customer data, we will attempt to redirect the agency to request that data directly from the customer. If we are compelled to disclose customer data to law enforcement, we promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.
This is a known risk, similar to what currently existing for on-premise storage of data, and is in addition to the possibility of US agencies working with their Canadian counterparts to obtain access to email services.
On-premise solutions for extraordindary circumstances
There may be a requirement (temporary and/or on-going) for a solution that allows for a more secure/private exchange, whether on premise or in the cloud. Information Systems & Technology (IST) can receive and assist with such requests.
For more information on cloud computing, see Privacy, security and compliance considerations for Ontario public sector institutions (PDF).