What is Cloudlock?
Cloudlock is a software system that essentially puts a virtual wrapper around Google Drive in order to prevent accidental sharing of regulated data.
Why does Augsburg have Cloudlock?
Augsburg wants to enable faculty and staff to fully use Google Drive in their work. The ease of sharing regulated data in Google Drive is a large risk to Augsburg. Using Cloudlock will manage that risk by notifying people and removing the sharing in some cases.
Is Cloudlock scanning my Google Drive files?
Yes, it is. It is looking for patterns that match social security numbers, credit card numbers, or student ID numbers. It is not looking for anything else. Augsburg IT has defined what kind of data it is looking for and what action it takes.
Who has administrative access to Cloudlock?
Cloudlock administrative access is limited to select IT systems staff (under 5) involved in IT security and compliance. Liaisons for Computing do not have access to Cloudlock.
Does Cloudlock give IT access to my Google Drive files?
Cloudlock administrators may be G Suite non-superadmins or G Suite superadmins. G Suite non-superadmins who have access to Cloudlock can only see an excerpt of a flagged file, to verify that the data truly is one of the above types. The excerpt is about a sentence before and a sentence after the data. The G Suite superadmin accounts already have full access to Google Drive files through an API, which is used for programming interfaces to Google. In Cloudlock, a G Suite superadmin can view a file that was flagged as containing one of the above pieces of regulated data.
What is this “regulated data” you are talking about?
You can read more on the data classification work on the Information Security Program page. Basically, this is information that is protected or controlled by statutes, regulations, institutional policies or contractual language. Examples include student record information (protected by FERPA), credit card numbers (regulated by PCI-DSS), or critical personal information (like social security numbers). This is the type of information that should be and must be protected.
What does Cloudlock do when it finds a social security number / credit card number / shared student ID number?
If Cloudlock finds a social security number, credit card number or student ID it will take actions as noted on the Information Security Program page.
Does Cloudlock do anything else?
Cloudlock also has an app detection option where it identifies risky apps that people may have given access to. Cloudlock can then shut off those apps. Malicious apps could scan all your Google Drive files or scan your emails. Currently the app detection is only monitoring apps. If there is another malicious app attack like the one in May of 2017, this will allow us to stop it immediately.
Cloudlock also has tools to detect account compromises. It can raise alerts when someone logs in from one country and then quickly logs in from another country that is too far away to reach in that time. This generally would not happen unless an account was compromised. No alerts are currently active, but it could be a feature used in the future to prevent account compromises.
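A minimal sketch of the "too far to travel" login check described above, as an added example and not Cloudlock's or Augsburg's own logic. The sign-in events, coordinates and the 900 km/h speed threshold are constructed assumptions.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_SPEED_KMH = 900.0  # assumed threshold, roughly airliner cruise speed

# Constructed sample sign-in events: (user, UTC timestamp, country, lat, lon)
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T14:00:00", "US", 44.98, -93.27),
    ("alice", "2024-03-01T14:40:00", "RO", 44.43, 26.10),   # 40 minutes later
    ("bob",   "2024-03-01T09:00:00", "US", 44.98, -93.27),
    ("bob",   "2024-03-02T10:00:00", "DE", 52.52, 13.40),   # 25 hours later
    ("carol", "2024-03-01T08:00:00", "US", 44.98, -93.27),
    ("carol", "2024-03-01T08:05:00", "US", 44.95, -93.09),  # same country
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by one user, from different countries,
    that would require travelling faster than max_speed_kmh."""
    alerts = []
    last = {}  # user -> (time, country, lat, lon) of the previous login
    # ISO timestamps in one format sort correctly as strings.
    for user, ts, country, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_country, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Simultaneous logins far apart are also impossible; avoid dividing by zero.
            speed = km / hours if hours > 0 else float("inf")
            if p_country != country and speed > max_speed_kmh:
                alerts.append((user, p_country, country, round(km), round(hours, 2)))
        last[user] = (when, country, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("ALERT user=%s %s -> %s, %d km in %.2f h" % alert)
```

Real products usually work from IP geolocation, which is imprecise and is distorted by VPNs and mobile carriers, so an alert of this kind is a prompt for review and not proof of compromise.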