External Cloud Products - Roles and Responsibilities
Roles and responsibilities when using cloud products

Suppliers:
Role: External partner and provider of cloud services and cloud products. The necessary IT resources are located outside ETH Zurich and cannot usually be managed directly by ETH.
Responsibilities: Disclosure of the technical, security and legal framework conditions that apply to the services offered. Compliance with contracts/agreements concluded with ETH, e.g. regarding information security and business continuity.
Service brokers:
Role: "Service brokers" procure external IT services such as cloud services and are primarily responsible for contract management with the cloud provider. Typical service brokers are the central IT services and the IT support groups, but also professors who want to provide a specific cloud service for the members of their group or for the neighboring institute, department heads and coordinators, department or staff managers, etc.
Responsibilities: As part of contract management, the service broker reviews the protection offered by the external cloud service for the ETH data to be outsourced. Based on this review, he/she approves the external cloud service for the intended use by ETH members, i.e. publishes the terms of use of the cloud service via IT Services (CSC), such as the approval or prohibition of processing confidential information with the external cloud service.
Information owners:
Role: The second important role is that of the "information owners." They are responsible for the data that is collected and processed on their behalf and essentially decide whether or not they want to outsource their data to external cloud services. (Please note: The decision to outsource ETH Zurich data is not the responsibility of the service providers. They merely provide an external cloud service and approve this cloud service for a specific purpose.)
Responsibilities: Above all, information owners must be able to assess whether a cloud service approved within ETH Zurich meets the protection requirements for their data. They should therefore assess the risk they are taking by outsourcing their data to the intended cloud service. Depending on the data to be outsourced, they must also check whether their data is subject to export controls or whether a data protection impact assessment is necessary before the data is outsourced to the external cloud service.
Users:
Role: Users are all members of ETH Zurich and third parties who are authorized to use ETH Zurich's ICT resources (e.g., guests, conference participants, affiliated organizations, library customers at public workstations, employees of ETH Zurich spin-off companies or other companies, provided that a corresponding contractual agreement exists, emeritus professors, and retired employees). They process the data on behalf of the information owners.
Responsibilities: The use of external ICT resources to support day-to-day business (e.g., applications such as online translation services and others) that are not managed by ETH Zurich is the responsibility of the user. Confidential data, strictly confidential data, or personal data may not be processed using such services. External cloud services managed by ETH Zurich may also be used by users for internal and, where applicable, confidential data under certain circumstances, but only if these services have been approved for such data by the relevant service providers and if the information owner responsible for the users permits such use. In case of doubt, the information owner should be contacted.
User applications from various cloud stores such as Apple, Google, Microsoft, etc.

Here you will find the rules applicable at ETH for the use of external cloud services:
- Assessment for the usage of external cloud services
- Assessment for the outsourcing of information to external cloud services
- IT guidelines and baseline protection blueprints: https://rechtssammlung.sp.ethz.ch/Dokumente/203.23.pdf, in particular Art. 8 (1c) and (2b)
- Definition of confidential and strictly confidential data, see the Information Security Directive: https://rechtssammlung.sp.ethz.ch/Dokumente/203.25.pdf, section 5 and appendices
- Classification of information: https://ethz.ch/content/associates/services/de/news-und-veranstaltungen/intern-aktuell/archiv/2021/11/vertrauliche-daten-schuetzen-das-neue-klassifikationssystem-der-eth.html
If you have any further questions, please contact the Cloud Service Center, which will be happy to assist you in cooperation with the CISO.