Loading...

Table of Contents

Risks and Considerations of Cloud Services

Approved Services

The following table lists the cloud services that have been approved for use and the types of confidential data that are allowed with each service. In some cases, a service may be approved for use only with non-confidential (Category III) university data.
 
Cloud Storage Services
Service Name
UT Contract
Centrally Suported
For Students
For Staff/Faculty
Published Data
Controlled Data
Confidential Data
HIPAA
FERPA
SSNs
PCI
ITAR
IRB
Yes
Yes
Yes
Yes
Yes
Yes
Most →
Yes
Yes
Yes
Yes
No1
Yes
DropBox 2  
(www.dropbox.com)
No
No
Yes
Yes
Yes
No
None →
No
No
No
No
No
No
Yes
Yes
Yes
Yes
Yes
Yes
Some →
No
Yes
No
No
No
No
Microsoft OneDrive 3
(onedrive.live.com)
Yes
No
Yes
Yes
Yes
Yes
Some →
 Yes
Yes
No
No
No
No
Apple iCloud
(www.icloud.com)
No
No
Yes
Yes
Yes
No
None →
No
No
No
No
No
No
 
 
Cloud Infrastructure as a Service (IaaS) Offerings
Cloud Infrastructure as a Service (Iaas) Offerings
Service Name
UT Contract
Centrally Suported
For Students
For Staff/Faculty
Published Data
Controlled Data
Confidential Data
HIPAA
FERPA
SSNs
PCI
ITAR
IRB
Amazon (AWS)5
Yes
Yes
No
Yes
Yes
Yes
Most →
Yes
Yes
 Yes Yes
No
 Yes
MS Azure5
Yes
 Yes
No
Yes
Yes
 Yes Most → Yes Yes
Yes
Yes
No
Yes
 
 
 
 
 
 
 
 
Cloud Web Hosting Services
Cloud Web Hosting Services
Service Name
UT Contract
Centrally Suported
For Students
For Staff/Faculty
Published Data
Controlled Data
Confidential Data
HIPAA
FERPA
SSNs
PCI
ITAR
IRB
Yes
Yes
No
Yes
Yes
Yes
Some →
No
Yes
No
No
No
No
Yes
 Yes
No
Yes
Yes
 Yes Some →
No
 Yes
No
No
No
No
 
 
Cloud Email Services
Cloud Email Services
Service Name
UT Contract
Centrally Suported
For Students
For Staff/Faculty
Published Data
Controlled Data
Confidential Data
HIPAA
FERPA
SSNs
PCI
ITAR
IRB
Yes
Yes
Yes
Yes
Yes
Yes
Some →
Yes
Yes
No
No
No
No
Yes
Yes
Yes
Yes
Yes
Yes
Some →
No
Yes
No
No
No
No
Apple iCloud
(www.icloud.com)
No
No
Yes
Yes
Yes
No
None →
No
No
No
No
No
No
 
Cloud Document Services
Service Name
UT Contract
Centrally Suported
For Students
For Staff/Faculty
Published Data
Controlled Data
Confidential Data
HIPAA
FERPA
SSNs
PCI
ITAR
IRB
Yes
Yes
Yes
Yes
Yes
Yes
Some →
No
Yes
No
No
No
No
Apple iCloud
(www.icloud.com)
No
No
Yes
Yes
Yes
No
None →
No
No
No
No
No
No
Yes
Yes
Yes
Yes
Yes
Yes
Some →
Yes
Yes
Yes
No
No
Yes
 
Cloud Survey Services
Service Name
UT Contract
Centrally Suported
For Students
For Staff/Faculty
Published Data
Controlled Data
Confidential Data
HIPAA
FERPA
SSNs
PCI
ITAR
IRB
Yes
Yes
Yes
Yes
Yes
Yes
Some →
Yes
Yes
No
No
No
Yes
 
Cloud Collaboration Services
Service Name
UT Contract
Centrally Supported
For Students
For Staff/Faculty
Published Data
Confidential Data
HIPAA
FERPA
SSNs
PCI
ITAR
IRB
Slack4 (slack.com)
Yes
No
Yes
Yes
Yes
Some →
No
Yes
No
No
No
No
MS Skype for Business Yes Yes No Yes Yes Some → Yes Yes No No No Yes
 
1It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should consult with the Information Security Office to determine if there are any other issues or concerns.
2As there is no university contract in place for DropBox, no usage involving protected or restricted university data is permitted. Use of Dropbox with confidential (Category I) university data is a violation of Section 2 of the Information Resources Use and Security Policy.
3Currently, the MS-Office for iPad suite only allows OneDrive (or DropBox) to be used for backend storage. The MS-Office for iPad is not permitted to be used where any such university data is associated.
4No enterprise contact currently; each department must go through the Contracts Office for their own contract with a FERPA agreement.
5 All uses MUST be associated with the respective UT Austin contract, managed by ITS, to be compliant.  Also, depending on the associated university data it may be necessary to implement security monitoring.  Please consult with the Information Security Officer to determine if monitoring is needed and to understand how we can assist you.

Local Services

For comparison purposes, select services run by ITS and offered to campus are listed below with the types of data that are approved for use with each. Use of locally hosted services is encouraged over cloud services when possible. This table is not intended to be a comprehensive list of all ITS offered services.

Central Storage Services

Service Name UT Contract Centrally Suported For Students For Staff/Faculty Published Data Controlled Data Confidential Data HIPAA FERPA SSNs PCI ITAR IRB
Austin Disk (utexas.edu/its/storage/) Yes Yes No Yes Yes Yes Some --> No Yes Yes Yes No1 Yes

Central Virtual Machine Hosting Services

Service Name UT Contract Centrally Suported For Students For Staff/Faculty Published Data Controlled Data Confidential Data HIPAA FERPA SSNs PCI ITAR IRB
Virtual Servers (UT VMG) (utexas.edu/its/vserver/) Yes Yes No Yes Yes Yes Some --> No Yes Yes Yes No1 Yes

Central Database Services

Service Name UT Contract Centrally Suported For Students For Staff/Faculty Published Data Controlled Data Confidential Data HIPAA FERPA SSNs PCI ITAR IRB
ITS-Supported MySQL (utexas.edu/its/mysql/) Yes Yes No Yes Yes Yes Some --> No Yes Yes Yes No Yes
ITS-Supported SQLServer (utexas.edu/its/sqlserver/) Yes Yes No Yes Yes Yes Some --> No Yes Yes Yes No Yes
ITS-Supported Oracle (utexas.edu/its/oracle/) Yes Yes No Yes Yes Yes Some --> No Yes Yes Yes No Yes

Notes on Local Services

1It may be possible to store ITAR protected data if properly encrypted prior to being uploaded, but faculty should consult with the Information Security Office to determine if there are any other issues or concerns.

Security Review for New Services

Departments evaluating the purchase and/or use of a cloud service not covered on this page with any confidential (Category I) university data should request a security review of the selected service by sending a written description of the proposed implementation to the Information Security Office. During service selection, departments should inform vendors that security testing (either performed by the Information Security Office or a qualified third party to the vendor) is a mandatory part of the university purchasing process.

Non-Compliance and Exceptions

If, for any purpose, a non-approved cloud service is used with any confidential (Category I) university data, an Exception Process must be initiated that includes reporting the non-compliance to the Information Security Office, along with a plan for risk assessment and management. (See Security Exception Report) Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Office of Internal Audit.

University of Texas at Austin employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Austin employees are required to comply with state laws and regulations.

Related UT Austin Policies

The policies and practices listed here inform the system hardening procedures described in this document and with which you should be familiar. (This is not an all-inclusive list of policies and procedures that affect information technology resources.)

Information Resources Use and Security Policy (IRUSP)

UT Austin Acceptable Use Policy (AUP)

UT Austin Data Classification Standard

UT Austin Information Security Exception Process