Use of Off-Campus Administrative and Academic Systems and Services Guidelines

 

Appropriate Use of Off-Campus Internet-based (Cloud or Hosted) Administrative and Academic Computing Services 1

 

Purpose:

Off-Campus Internet-based Computing Services represent a growing variety of services available on the Internet. Such services can be useful to Youngstown State University (YSU) in its administrative and academic pursuits.

The business models and terms of use of these services often involve a variety of real risks to the university, to users, and to the content stored in these services. This document is intended to provide guidance to help individuals and departments make informed, well-considered choices about appropriate use of Internet-based services. It includes an explanation of current concepts of Internet-based computing services, current examples, and factors all faculty, staff, and students should review when interested in pursuing a cloud solution.

 

Background:

Internet-based computing is a general term used to include a variety of computing and information services and applications run by users across the Internet on the service provider's systems, instead of run "locally" on personal computers or campus-based servers.

Definition: These Internet-based services are sometimes called:

  • Hosted Applications
  • Hosted Storage
  • Hosted Computing
  • Cloud Computing (where the Internet is referred to as a "cloud" or shown as a "cloud" on diagrams)

Some examples of these Internet-based services are:

  • Google Apps
  • Microsoft Office 365
  • YouTube
  • Facebook
  • Various on-line homework web sites
  • Various on-line course supplement
  • Various Learning Management Systems (LMS) 

Internet-based services are still an early and somewhat immature business model. Because of heated competition in this space, we can expect considerable innovative investment to be focused here. Many Internet-based services are offered free or at very low cost in order to attract and compete for user volume. After the normal market shake-out, surviving vendors will begin, and some already have begun (e.g. SkyDrive, Google Drive), charging for services or "Premium Services". Therefore, Internet-based services will likely be used by Youngstown State University (YSU) students, faculty, and staff. Several such systems are already in use by administration2.

 

Why is this Important?

Almost all decisions to use Internet-based applications are made by individual departments or faculty members.

  • Administration Use: The content the department enters into the service may involve sensitive/personal data, or valuable intellectual property, or institutional business records. The service may play a key role in the execution of an important business process, such as processing or storing University business records. The University has a vested interest in protecting business processes against unwanted disruptions, and protecting intellectual property and sensitive data against loss or unauthorized access and use.
  • Academic Use: The service may play a key role in the execution of an important academic or business process, such as teaching or taking a class, analyzing research data or developing a paper for publication, or processing or storing academic records. We all have a shared interest in protecting academic and business processes against unwanted disruptions, and protecting intellectual property and sensitive data against loss or unauthorized access and use.
  • Therefore, all individuals need to be prepared to take responsibility for their own individual choices to use Internet-based applications in support of their university duties.

 

Factors that Must be Addressed for Administrative or Academic Use:

When contracting for an Internet-based service the department must document that the vendor adequately addresses the following items:

 

Terms of use 3:

The terms of use of many Internet-based services are non-negotiated. The customer has only the choice to "accept" the terms of use as they are (or as they may become, since vendors often change their terms of use without notifying customers), or to decline the terms of use and stay away from the service. This makes it very important to analyze, and perhaps obtain legal counsel on, the terms of use that are presented.

 

Transfer of license: 

Do the terms of use involve any transfer of license giving the service provider rights to make use of the user's content? Terms of use may include a provision that, by using the service, the user is granting the service provider a broad range of rights to use the content the user places in the service. Users should take care to note the difference between ownership and rights of use. Terms of use often state that user content is owned solely by the user, but the terms of use sometimes also grant the service provider the right to make its own use of user-owned content in ways the user-owner may find objectionable. Ownership and rights of use are generally addressed in separate sections of terms of use, sometimes obscuring the distinction between ownership and rights of use in the agreement.

 

Security, Privacy, and Authentication:

  • Do the terms of use commit the service provider to keeping a user's data secure or even private from other legitimate users of the service? Do the terms of use give the service provider rights to make use of the user's identity (may the service provider share user information with business partners, or sell user information)?
  • Do the terms of use commit the service provider to meet and support various legal and security requirements such as:
    • FERPA
    • HIPAA
    • GLBA
    • Red Flag
    • PCI DSS
    • eDiscovery
    • YSU Guidebook Policy 4012.01 Sensitive Information
    • YSU Guidebook Policy 9009.01 Records Management
    • Ohio Revised Code (ORC) 1347.01 Personal information systems definitions
    • ORC-1349.17 Restricting recording credit card, telephone or social security numbers
    • ORC-1349.19 Private disclosure of security breach of computerized personal information data
  • Services must integrate with YSU's authentication system of Usernames (UserIDs) and passwords or "YSU's Remote Authentication Policy"4

 

Backups:

Do the terms of use commit the service provider to backup user data? In what cycles? What are the retention periods? Can or should YSU get a copy of its data on request or on a regular basis?

 

Data Storage:

Do the terms of use commit the service provider to store the data and its backups in the United States of America? 

 

Assured purging:

Do the terms of use commit the service provider to fully delete from the service any content, including distributed or backup copies, that the user has intentionally deleted from their use of the service? Who can delete accounts? Can a YSU employee? Can an instructor? Can a student?

 

Non-negotiated changes to terms of use:

  • Are the terms of use posted clearly on the service's website, or are they hard to find?
  • What do the terms of use say about the service provider's ability to change the terms of use?
  • Do the terms of use commit the service provider to:
    • Notifying the user of any such changes?
    • Or simply posting changes on the service's website, with the user being responsible for constantly monitoring the posted terms of use to know when they have changed?
  • Do the terms of use require that the user formally acknowledge changes to the terms of use, or does the user accept the new terms simply by continuing to use the service?

It is not unusual for terms of use to grant the service provider the right to change the terms of use at any time and in any way without the permission of the user and frequently without notifying the user. This simple provision means that the "agreement" essentially provides no real protections for the user, because any of the protections articulated in the version to which the user agrees can be changed at any time by the vendor 5.

 

Non-negotiated changes to the service:

  • Can the service provider change the service itself (for example, stop providing it at all) without notice to the user?
  • If with notice to the user, what period of advance notice is provided to the user by the service provider, and by what means (direct notification; a posting on the service website?)?

Remember that a service may terminate due to the service provider's business failure or acquisition by another party, and that this may cause abrupt changes not addressed by the terms of use.

 

Non-negotiated changes to the business model:

  • Can the service provider change its business model? How likely is this?
  • Critical changes to the business model could include changes to the service feature set, or changes to the pricing model, or a combination (e.g., moving from "all features free" to "basic features free; valuable features at a price").

 

Data formats:

  • Are the formats in which data are stored by the service standard or proprietary?
  • Will the user be able to easily remove their content, or make copies of the content, from the service and use it in other places or with other applications?

 

Indemnity:

  • Just how vital to University business is the use being made of the service?
  • What if something truly unwanted happened while University data was deployed in the service (e.g., a major business disruption; loss of vital data or business records; unauthorized access to sensitive data)?

Terms of use generally contain language by which the user agrees to hold the service provider harmless if the service provider does any damage to the user's data or ability to use the service (to support the user's business uses). Sometimes the indemnity language is even more favorable to the service provider, and may expose the user (University) to liability to pay the service provider's legal expenses.

 

Risk Analysis:

The following risk analysis steps can be helpful in determining the appropriateness of using an Internet-based service. The analysis is designed to help identify potentially appropriate uses by eliminating the riskiest use cases, based on the types of data intended to be deployed in using the service. The triage also identifies ethical issues worth consideration.

  1. Confidential institutional data: YSU is obligated by law and certain contractual obligations to protect certain types of data. Compliance with Guidebook Policy 4012.01 on Sensitive Information should be observed. Internet-based services must NOT be used with any of these confidential data types, unless an appropriate contractual agreement can be negotiated with the service provider by the University. Click-through terms of use rarely if ever provide appropriate contractual terms.
  2. Institutional business records: The International Standard for records management, ISO 15489, defines a "record" as "information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business." Many types of data we receive or create every day fit this definition and do not necessarily involve confidential data types, but deserve appropriate care in how we manage the records. Compliance with Guidebook Policy 9009.01 on Records Management must be maintained. Business records can take the form of e-mail, e-mail attachments and other electronic communications, calendar entries (particularly those involving important meetings or events; e.g. meetings involved in due process protocols; vendor contacts during bidding; etc.), and documents posted and edited in file shares, wikis and a variety of other electronic tools. Cloud-computing services must not be used for work involving University business records, unless an appropriate contractual agreement can be negotiated with the service provider by the University. Click-through terms of use rarely if ever provide appropriate contractual terms.
  3. Student, faculty and staff intellectual property: YSU's Intellectual Property policy (Guidebook Policy 1018.01) defines the types of intellectual property that belong to students, faculty and staff. Sometimes this property needs to be protected carefully (e.g., content with patent or other commercial potential) and should not be placed in an Internet-based computing situation unless an appropriate contractual agreement can be negotiated between the University and the service provider. Sometimes the owners of this property care less about its protection than they care about the value of the services they will be receiving from the Internet-based service. These trade-offs should be considered before using an Internet-based service, and the choices should be made by the involved content owners.
  4. Agency decisions: One person should not make a decision regarding use of Internet-based services when others who are party to the use but not party to the decision may have valued data involved.
    1. Academic Use: A student's class work is their own intellectual property; if an instructor chooses to use a cloud-computing application in a class, the application's terms of use should be reviewed with the students in the class, and the instructor must be willing and able to provide an alternative if a student decides not to use the service due to objections to its terms of use.
    2. Collaborative Use: Similar regard should be given to faculty or student collaborators and their intellectual property if an Internet-based service is chosen for use to support a research project or other form of group collaborative effort. All members of the collaboration or work group should be aware of the conditions of use for the tools they are using, and should reach a consensus decision about the value of using those tools.

When you are not sure, ask: If you are unsure about a choice regarding an Internet-based service, please do not hesitate to contact the Associate Vice President of Information Technology Services, or the Director of Network Telecommunications and Security.

 

Endnotes:

1 Derived from Appropriate Use of "Cloud Computing" Services by the Michigan State University Community 22 April 2008

2 (expanded documentation in-progress)

3 The most common model used for marketing and the user relationship with these services is a "business to individual" (B2I) model, wherein the service provider (a business) offers the service to individual users. These Internet-based services also may be offered in a "business to business" (B2B) model, wherein the service provider (a business) offers its services to other business entities. B2I models most typically involve a service agreement (usually called "Terms of Use") that may be executed by the individual end user at the time of initiating the service by clicking an "I Accept" button on the service's website (called a "click-through agreement"), or by the user indicating their acceptance of the terms of use simply by beginning, and continuing, to use the service. B2B models generally involve a service agreement that is formally negotiated and executed between the service provider and the user business entities.

 

4 YSU's Remote Authentication Policy:

Federated Authentication:

YSU has several mechanisms to help limit the exposure of users' passwords to 3rd party remote servers that need to use our users' login and password. These methods are based on standards-based implementations whenever possible.

  1. The first and least desirable method is the use of secure Lightweight Directory Access Protocol (LDAPS). YSU has the ability to open access for a specific 3rd party remote system and allow it to authenticate our users through this protocol.
  2. Secondly, YSU has the ability to integrate to a 3rd party system using the provided application programming interface (API) provided by the 3rd party. This would allow YSU to host the authentication page on one of our web servers securely and have the 3rd party redirect to YSU for the authentication portion of the application. This method can also allow for single sign-on integration using our portal system.
  3. Lastly, YSU can leverage federated directory technology. This method uses SAML-based authentication and authorization systems like InCommon or Shibboleth.

5 (Note: In early 2008, some terms of use for Internet-based services were observed to change as frequently as every 2 months. This practice has continued into 2012. Because this business model is highly competitive and rapidly evolving, terms of use often or usually change in favor of the user.)