Local and Cloud Services Decision Matrix

Risks and Considerations of Cloud Services

Approved Services

This table indicates which data categories (Published, Controlled, and Confidential) are allowed on a selection of common IT services.

Published Data -----> Generally Low Risk
Controlled Data -----> Generally Presents a Moderate Risk
Confidential Data -----> Can be High to Very High Risk Depending on the Type of Data and the Compliance Framework it Falls Under

For more information on data classification, please see UT's Data Classification Standard.

The cloud services below have color coded checkboxes below to help you know which types of university data is authorized to be used.

Cloud Collaboration Services	Published	Controlled	Confidential	HIPAA¹	FERPA	SSNs	PCI²	ITAR⁶	IRB
Cisco Spark/Webex Teams	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data				$Approved for Confidential Data
Instant Messaging: Skype for Business ⁴	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data				$Approved for Confidential Data
Slack³ (slack.com)	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data
Teams⁴	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data				$Approved for Confidential Data
Zoom	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data
Panopto	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data
Canvas	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data
Spacer
Cloud Document Services
Apple iCloud	$Approved for Public Data
Google Suite for Education (utmail.utexas.edu)⁴	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data
Docusign (docusign.utexas.edu)	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data			$Approved for Confidential Data
Smartsheet	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data
Spacer
Cloud Email Services
Apple iCloud	$Approved for Public Data
Email: UTmail ⁴	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data
Email: UT Office365 ⁴	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data
Spacer
Cloud Infrastructure Services (IaaS)
Cloud Infrastructure: Amazon (AWS)⁴, MS Azure ⁴	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data		$Approved for Confidential Data
Spacer
Cloud Storage Services
Apple iCloud	$Approved for Public Data
Box (utexas.box.com)	$Approved for Public Data	$Approved for Controlled Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	³	$Approved for Confidential Data
DropBox⁵ (www.dropbox.com)	$Approved for Public Data
Google Suite for Education (utmail.utexas.edu)⁴	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data
Microsoft OneDrive ⁴	$Approved for Public Data	$Approved for Controlled Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data
Spacer
Cloud Survey Services
Qualtrics)	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data				$Approved for Confidential Data
Microsoft Forms)	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data				$Approved for Confidential Data
Spacer
Cloud Web Hosting Services
Content Management: UT Drupal Kit - Managed, Pantheon Web Hosting (Drupal, WordPress, etc.)	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data
Spacer
Notes on Cloud Services
¹ HIPAA data has special regulatory requirements; read this for more info.
² Payment Card Industry (PCI) data has special regulatory requirements; read this for more info.
³ No enterprise contract currently; each department must go through the Contracts Office for their own contract with a FERPA agreement.
⁴ Authorized usage is limited to services provided under the ITS-managed vendor contract to remain compliant. Any use of the standard consumer-grade offerings of these products is not approved. Also, depending on the associated university data for certain cloud infrastructure it may be necessary to implement additional security monitoring. Please consult with the Information Security Officer to determine if monitoring is needed and to understand how we can assist you.
⁵ As there is no university contract in place for DropBox, no usage involving protected or restricted university data is permitted. Use of Dropbox with Confidential data is a violation of Section 2 of the IRUSP.
⁶It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should consult with the Information Security Office to determine if there are any other issues or concerns.

Local Services

For comparison purposes, select services run by ITS and offered to campus are listed below with the types of data that are approved for use with each. Use of locally hosted services is encouraged over cloud services when possible. This table is not intended to be a comprehensive list of all ITS offered services.

Local Service	Published	Controlled	Confidential	HIPAA¹	FERPA	SSNs	PCI²	ITAR	IRB
Database Hosting: ITS-Supported MySQL, SQLServer, Oracle	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data		$Approved for Confidential Data
File Storage: Austin Disk	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	³	$Approved for Confidential Data
UT Wikis	$Approved for Public Data	$Approved for Controlled Data
UTBackup(On Premise and Cloud)	$Approved for Public Data	$Approved for Controlled Data	→	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data		$Approved for Confidential Data
Virtual Servers (UT VMG)	$Approved for Public Data	$Approved for Controlled Data	→	⁴$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	³	$Approved for Confidential Data
On Premise GitHub	$Approved for Public Data	$Approved for Controlled Data	→		$Approved for Confidential Data	$Approved for Confidential Data	$Approved for Confidential Data	³	$Approved for Confidential Data
Spacer
Notes on Local Services
¹ HIPAA data has special regulatory requirements; read this for more info.
² Payment Card Industry (PCI) data has special regulatory requirements; read this for more info.
³ It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should consult with the Information Security Office to determine if there are any other issues or concerns.
⁴ The high-performance storage (Tier H a.k.a Hitachi) option is recommended for HIPAA use as encryption is standard. If users elect Tier 1 or Tier 2 storage (Compellent) instead they will need to verify that encryption is enabled throughout the life of the HIPAA-covered asset on UT-VMG.

Back to top

Security Review for New Services

Departments evaluating the purchase and/or use of a cloud service not covered on this page with any Confidential university data must request a security review of that service by sending a written description of the proposed implementation to the Information Security Office. During service selection, departments should inform vendors that security testing (either performed by the Information Security Office or a qualified third party to the vendor) is mandatory for the university purchasing process.

Back to top

Non-Compliance and Exceptions

If, for any purpose, a non-approved cloud service is used with any Confidential university data, an Exception Process must be initiated that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. (See Security Exception Report) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.

University of Texas at Austin employees are required to comply with institutional rules and regulations, applicable UT System rules and regulations, state laws and regulations, and federal laws and regulations.

Back to top

Related UT Austin Policies

The policies and practices listed here inform the system hardening procedures described in this document and with which you should be familiar. (This is not an all-inclusive list of policies and procedures that affect information technology resources.)

Back to top

Search form

Local and Cloud Services Decision Matrix

Table of Contents

Risks and Considerations of Cloud Services

Approved Services

Local Services

Security Review for New Services

Non-Compliance and Exceptions

Related UT Austin Policies

Information Security Office