Cloud usage and classification of data confidentiality: new policies now in effect

What kinds of data from ETH can be stored on external cloud services? What rules are in effect for such cloud services operating outside the university? Until now, answers to these questions were insufficiently clear. For confidential information in particular, the rule was that it could not be saved on external cloud servers.

However, this did not account for the fact that scientists and staff at ETH need to exchange data with other parties, both inside and outside the university. For research partnerships, information needs to be sent back and forth to people outside of ETH. This kind of data could include confidential information that shouldn't yet be generally accessible, for instance research data prior to publication.

New framework for cloud services

A new policy on IT guidelines and basic IT protection requirements for ETH Zurich (German version, English translation available in September) defines the type of external cloud services that are suitable for storing and handling confidential information. The policy outlines the technical, organisational and legal criteria that external cloud services have to fulfil (e.g., in terms of data protection and licensing) such that ETH data can be stored and processed.

To lay the groundwork for the approval of this new policy, the Directive on Information Security at ETH Zurich was partially revised to reflect the following key principle:

Confidential information may be (but does not have to be) stored on external cloud services as long as said services fulfil certain criteria and the information owner consents to storing their (confidential) data in this manner. Information owners – for instance, professors or unit heads – are responsible for the data collected or processed on their behalf.

But what information is considered sensitive and deserving of special protection? This issue is not only relevant to cloud usage but is important when it comes to protecting data at ETH in general, whether it's personal data or other kinds of confidential information such as technical or financial details.

Changes to data confidentiality classification levels

To answer this question, ETH has added a new level to its data classification system, bringing the current total to four: public, internal, confidential and strictly confidential data. This classification system is codified in the Directive on Information Security at ETH Zurich. The levels are defined as follows:

• Public information is, as the name implies, information that is generally available to everyone, even people outside the ETH Zurich community.
• Internal information is intended only for members of the ETH Zurich community. This information is protected by standard security measures such as adhering to the terms of use for services that involve handling internal information.
• Until now, all other information was classified as confidential regardless of whether the required level of protection for this data was deemed high (as in the case of students’ grades) or very high (such as company secrets or research results that could cause great damage if published). For this reason, the Executive Board decided to add the new level ‘strictly confidential’ to the partially revised “Information Security Policy at ETH Zurich”. This move came following consultation with around 70 field experts at ETH.
• The label strictly confidential now applies to information that requires a very high level of protection and should only be available to a select group of individually named people.
• Confidential data has been redefined to mean data that “only” requires a high level of protection and that are handled, e.g., by one or more internal units. Student grades would fall under this category.
• The internal and public security levels remain unchanged.

The new system for classifying the confidentiality of information is described in Section 5 of the Information Security at ETH Zurich policy, with detailed recommendations laid out in appendices 1 and 2.

Reasons for the change

The expanded classification system for data confidentiality offers many benefits beyond the aforementioned flexibility regarding cloud services. It became such an important issue because the technical challenges posed by the digital world require a differentiated approach to handling data.

Furthermore, ETH often exchanges data with research institutes and government departments, and they are also obligated to handle this data with the same level of care. Having a similar system of data security classification as these other institutions will simplify the matter, as will be the case with the Paul Scherrer Institute and the institutions of the Swiss federal government.

It is now possible to store and process information classified as ‘confidential’ or ‘internal’ according to the new classification system in specific cloud services that fulfil ETH’s security and data protection requirements. Data classified as ‘highly confidential’ is not permitted to be stored on the cloud.

Important dates and deadlines

There is a transition period for implementing the new data classification system. The following provisions apply (Article 24bis, 24ter of the Information Security Policy at ETH Zurich):

• Starting on 1 December 2021, the classification system is mandatory for all newly created documents.
• For existing data, information owners must apply the new system to their old documents by 1 December 2023.
  
• The new IT Guidelines and Basic Security Requirements policy, which contains detailed rules on the usage of cloud services, must be implemented by March 2023 (Article 16).

On a side note: The Acceptable Use Policy for Information and Communications Technology (BOT) was also partially revised to make it generally applicable to cloud services. Other updates in the partial revision of the acceptable use policy are outlined in the article “Improved security for ETH IT-infrastructure".

This coming autumn, ETH internal news will release additional information to the changes that have been applied to the above policies related to Information Security. In particular, the new rules for using the cloud will then be explained in more detail.