US export controls prohibit the unauthorized release of controlled information and data to certain foreign nationals. This prohibition includes the release of data through an actual electronic transmission (e.g. email), as well as sharing of information that could enable unauthorized foreign access to controlled data stored in the cloud.
Basic "off the shelf" cloud computing resources do not offer secure storage and transmission without upgrading directly with the provider. Using these resources for information that is subject to export controls may result in unintended technology transfer as well as legal liability for you and for CU. Examples of providers that require additional steps prior to use include Dropbox, iCloud, Google Docs, Gmail, Hotmail, and Yahoo mail. It is not sufficient to add a VPN or certain types of encrypted channels if the companies involved in providing that service have not been cleared in advance by CU Boulder OIS and OEC.
CU Boulder has IT infrastructure solutions to secure data and information according to standards required by U.S. export controls. CU IT policies ensure that facilities are located in the US and employees are US citizens or permanent residents. When you use unapproved external resources to store or transmit controlled data, you lose control, and can be liable for any access to that data or software by unauthorized foreign nationals. This is the case even if unintentional, and even if you were not aware of the access occurring. One example of a CU service that maintains effective data security is Large File Transfer, which allows for the secure transfer of files.
The use of external cloud computing services without an enforceable data security agreement creates an unacceptable risk to the University. Prior to using an external provider for controlled data, you must, at a minimum, know: a) the location of the relevant servers and infrastructure, b) how the provider will route traffic (particularly during peak- or off-times), c) whether the provider's procedures prohibit access to your data by foreign nationals, and d) the standard of encryption used for data in transit.
If your research is determined to be export-controlled, OEC will work with you to create a Technology Control Plan, which will address the need for secure storage and transmission of controlled data. If you have questions, or need further guidance on data security, please contact OEC at email@example.com.