Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Technology and Platform Security
IN PLAIN LANGUAGE
Cloud services like Microsoft 365 and AWS are essential tools for University work — but not every cloud service is approved, and not every type of data can go into every cloud environment. This standard sets the rules for how cloud services are selected, approved, and used safely. Any cloud service used for University business must go through a formal review process before use. Confidential or high-risk data is generally prohibited from cloud services unless a specific exception has been approved. University units are responsible for understanding their share of the security responsibility — the cloud provider secures the infrastructure, but we are responsible for how we configure it, who has access, and what data we put in it.
1. Purpose
The purpose of this Standard is to establish minimum security, risk management, and governance requirements for the use of cloud computing services at the University of Montana. This Standard ensures that cloud services are selected, configured, and operated in a manner that protects University Data, supports institutional missions, and aligns with the University's Information Security Program.
This Standard aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 and applies a risk-based approach to cloud adoption and operation.
2. Scope
This Standard applies to:
- All cloud computing services used to store, process, or transmit University Data
- Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) offerings
- University-owned, centrally managed cloud accounts and tenants
- Third-party cloud services accessed by University faculty, staff, students, or affiliates for University business
This Standard applies regardless of funding source or procurement method when cloud services are used for University purposes.
3. Cloud Service Models
For purposes of this Standard:
Software-as-a-Service (SaaS) — Vendor-managed applications delivered over the internet (e.g., Microsoft 365, Qualtrics, Asana).
Platform-as-a-Service (PaaS) — Vendor-managed platforms on which the University deploys applications.
Infrastructure-as-a-Service (IaaS) — Cloud-hosted infrastructure such as virtual servers, storage, and networking (e.g., AWS).
Cloud security responsibilities vary by service model and are governed by the shared responsibility model described below.
4. Shared Responsibility Model
Security responsibilities for cloud services are shared between the University and the cloud service provider.
- Cloud providers are responsible for the security of the cloud, including physical data centers and underlying infrastructure
- The University is responsible for security in the cloud, including data protection, identity and access management, configuration, and monitoring
University units must understand and fulfill their responsibilities for any cloud service they use.
5. Approved Cloud Platforms
5.1 Pre-Approved Institutional Platforms
The University designates the following as pre-approved institutional cloud platforms, subject to service-level controls:
Microsoft 365 — Enterprise collaboration and productivity platform.
Amazon Web Services (AWS) — Centrally managed cloud infrastructure for approved use cases.
Use of these platforms must comply with this Standard and all applicable Information Security Standards.
5.2 Service-Level Distinctions
Not all services within a pre-approved platform are automatically approved for all data types or use cases.
- Specific services or features may be restricted based on data classification, risk, or regulatory requirements
- The Information Security Office may impose additional controls or limitations on specific services
6. Data Classification and Cloud Use
6.1 Confidential (High Risk) Data
Confidential (High Risk) Data is generally prohibited from being stored, processed, or transmitted using cloud services.
Exceptions may be granted only for:
- Explicitly approved institutional platforms
- Systems that have undergone formal risk assessment and approval
- Services with contractual, technical, and administrative controls sufficient to protect the data
All exceptions must be documented and approved by the CISO or designee.
6.2 Restricted (Moderate Risk) and Public (Low Risk) Data
Restricted (Moderate Risk) and Public (Low Risk) Data may be used in cloud services when:
- The service has been approved through the centralized cloud approval process
- Required security controls are implemented
- Use complies with applicable standards and procedures
7. Cloud Approval and Onboarding
7.1 Centralized Approval Requirement
All cloud services used for University business must be reviewed and approved through a centralized process prior to use. Approval includes security, privacy, risk, and contractual review. Vendor Risk Management and procurement requirements also apply.
7.2 Account Provisioning
- Cloud infrastructure accounts (e.g., AWS) must be centrally provisioned and managed
- Decentralized or individually managed cloud accounts are not permitted without explicit approval
8. Security Requirements
8.1 Identity and Access Management
- Cloud services must integrate with University identity systems where supported
- Least privilege access must be enforced
- Multi-factor authentication is required for administrative and privileged access
8.2 Configuration and Hardening
- Cloud resources must follow secure configuration baselines
- Default configurations must be reviewed and hardened
8.3 Logging and Monitoring
- Cloud services must generate logs sufficient to support security monitoring and incident response
- Logs must be protected and retained in accordance with University standards
8.4 Vulnerability Management
- Cloud-hosted systems must participate in the University Vulnerability Management Program
- Patch management and remediation must follow established standards
9. Incident Response and Reporting
- Cloud-related security incidents must be reported promptly through established incident response channels
- Cloud services must support investigation, containment, and recovery activities
10. Enforcement and Risk Response
When cloud security requirements are not met and no approved exception exists:
- Additional controls or restrictions may be applied
- Access to cloud services may be limited or revoked
- Risk may be escalated to appropriate management or executive leadership
11. Exceptions
Exceptions to this Standard must:
- Be formally documented
- Include risk justification and compensating controls
- Be approved by the CISO or designee
- Be reviewed periodically
12. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in technology, risk, or regulatory requirements.
13. References
- UM Information Security Policy
- UM Data Governance Policy
- UM Data Security Standard
- UM Vendor Risk Management Standard
- UM Endpoint Management & Configuration Standard
- UM Network Security Standard
- NIST Cybersecurity Framework (CSF) 2.0