Description of Service/Capability:
U-M Cloudflare provides critical security capabilities to protect university websites, web applications, and DNS (Domain Name System) servers from external attacks, particularly Distributed Denial of Service (DDoS) attacks, as well as attacks that attempt to compromise university websites and applications. U-M Cloudflare also provides a Content Distribution Network to
U-M Cloudflare is available for all university websites and web application regardless of domain name. Costs for regular Cloudflare under the university’s contract are fully covered by ITS Information Assurance. Cloudflare for Government is available at cost for sites with FISMA Moderate requirements.
Which campuses is it available to?
-
Ann Arbor, Dearborn, Flint
Description of Compliance:
U-M Cloudflare is a cloud-hosted vendor service. As of 2024, Cloudflare is used by more than 19% of the Internet for its web security services.
U-M Cloudflare includes the safeguards required by HIPAA and has been approved for protecting university systems that process Protected Health Information by Michigan Medicine Compliance. Complying with HIPAA's requirements is a shared responsibility. Web site and application owners using U-M Cloudflare to protect sites/apps that process PHI are responsible for complying with HIPAA safeguards, including:
- Using and disclosing only the minimum necessary PHI for the intended purpose.
- Obtaining all required authorizations for using and disclosing PHI.
- Ensuring that PHI is seen only by those who are authorized to see it.
- Following any additional steps required by your unit to comply with HIPAA.
Social Security numbers should only be used where required by law or where they are essential for university business processes. If you must use or store SSNs, use institutional resources designed to house this data, such as the Data Warehouse. ITS Information Assurance can help you explore appropriate storage locations or work with you to appropriately encrypt the data if those storage options will not work for you. (Contact IA via the ITS Service Center.)
Data Steward:
-
ITS Information Assurance, Michigan Medicine Corporate Compliance,
Link to Service Information:
Links to additional resources:
U-M Cloudflare support and documentation
RECON results:
RECON CE-06
Data Protection Agreement:
Yes (on file with ITS Purchasing)
Vendor Security & Compliance Assessment:
Yes.
Business Associate Agreement:
Yes (on file with ITS Purchasing – same BAA as Area1, which is a Cloudflare product).
Approved data types:
- Attorney/Client Privileged Information
- IT Security Information
- Other Sensitive Institutional Data
- Personally Identifiable Information (PII)
- Protected Health Information (HIPAA)
- Sensitive Identifiable Human Subject Research
- Student Education Records (FERPA)
- Student Loan Application Information (GLBA)
Data types approved with IA consultation required:
- Controlled Unclassified Information (CUI) (Cloudflare for Government only)
- Credit Card or Payment Card Industry (PCI) Information
- Export Controlled Research (ITAR, EAR) (Cloudflare for Government only)
- Federal Information Security Management Act (FISMA) Data (Cloudflare for Government only)
- Social Security Numbers