Data Elements Allowed in Public Cloud Platform
UW-Madison has classified its institutional data assets into risk-based categories for determining who is allowed to access institutional data and what security precautions must be taken to protect it against unauthorized access and use. The four classifications are Restricted, Sensitive, Internal, and Public. Additional details on these definitions can be found on the Data at UW-Madison website and the UW-Madison IT Data Classification Policy.
- Restricted and Sensitive data elements are not allowed in Public Cloud Infrastructure without a Cybersecurity Cloud Assessment for Restricted Data.
- Internal and Public data elements are allowed without additional assessment.
As part of your account request (AWS, Azure, GCP), please document the types of data that you plan on processing, storing, or otherwise propagating using this subscription. If you're unsure how to classify your data, please contact the Office of Cybersecurity at firstname.lastname@example.org. Additionally, please review the Cloud Platform Eligibility for Sensitive and Restricted Data document for information on eligible services.
As stated in policy UW-504, it is the responsibility of the faculty and staff to understand the security risk associated with their data projects. Proper classification of data, and consequently proper use of storage and computing tools for research, teaching/learning, and administration, is the responsibility of the researcher, faculty, or staff member.
When accessing public cloud accounts that may host sensitive or restricted data, policies and practices for endpoint security (policy UW-526) should also be kept in mind, particularly as data moves in and out of those accounts. If you have questions, please contact the Office of Cybersecurity or discuss them as part of your assessment.