Endorsed by the Extended Directorate 26 November 2017 Rev.1
Background
Cloud services are divided into two categories, public clouds that are free to use by individuals without conclusion of an agreement, and enterprise clouds whose services are purchased under contract by CERN. This policy anticipates a CERN data classification scheme to be established as an annex to the forthcoming OC11 (on Data Privacy).
A Cloud Licence Office (CLO) has been established to provide guidance on the purchase and use of cloud services by members of CERN’s personnel. The CLO will operate on the basis of a Policy for Cloud Usage described below and established by IT Department.
Cloud Usage Policy
Public Clouds:
- Can only be used for CERN business if they are on the list of compliant clouds maintained by the CLO. New public clouds can be proposed for the list by requestors who satisfactorily complete the associated cloud compliancy self-assessment.
- Cannot be used to host CERN legally protected data
- The user must ensure confidential data restrictions are strictly adhered to, by setting up equivalent access controls in the public cloud to prevent individuals outside the original restriction list from having access
- The user must transfer all CERN data either to a CERN successor in the public cloud or bring back onsite and delete from the public cloud when they cease to have CERN status
Enterprise Clouds:
- Can only be used for CERN business once a contract has been established in consultation with, and approved by, the CLO
- Approval is based on the class of hosted data, ensuring that the enterprise cloud:
- has sufficient exit strategy, business continuity and disaster recovery plans
- has sufficient security and security response capabilities
- meets appropriate privacy, data protection, data ownership, and data locality requirements
- has an appropriate Acceptable Use Policy (AUP) or any other license conditions that are compatible with CERN’s privileges and immunities
- has periodic onsite backup possibilities where deemed necessary
The purchasing service will be responsible for liaising with the CLO to ensure enterprise cloud orders adhere with this policy. The CLO would furthermore operate by liaising with the Data Privacy Office, the Legal Service, the IT Security Officer and the IT Consultancy team before approving compliance of services with this policy and all incumbent requirements.