Cloud Services

Externally hosted solutions (often referred to as "cloud services") can offer flexible, cost-effective and scalable means of fulfilling the University's requirements for storage, sharing and processing of digital data.

However, the use of cloud services entails transmitting and entrusting third parties with potentially sensitive data, and carries risks that should be carefully considered and managed.

As required under the IT Acceptable Use and Security Policy (ITAUSP) and the IT Acceptable Use Procedures, please submitÌý risk assessment request to ITDS BEFORE you sign up to services and start uploading University data.

  • Assessment Process

    Before considering signing up to a new cloud service, you should consider whether existing software and services provided by ITDS will meet your requirements. You can talk to your ITDS Liaison Manager if you are not sure about available services.

    If existing software and services do not meet your needs, then a risk assessment can be requested for a new cloud service from . Someone from the ITDS Cyber Security team may contact you to obtain additional information. They will then undertake a security risk analysis based on the reputation of the product and vendor, as well as any evidence to support their security posture.

    In the event that the risk is deemed to be unacceptably high (e.g, if third party is unable demonstrate sufficient security controls) then the analyst may advise you to explore alternative products or implement additional controls to reduce risks.

  • Scope and Definitions

    There are broadly three categories of cloud services:

    •Software as a Service (SaaS): Typically, software applications accessible via a browser. A majority of use cases fall under this category.
    •Platform as a Service (PaaS): Platform for developing your own applications such as Google App Engine.
    •Infrastructure as a Service (IaaS): Virtual server hosting such as AWS EC2 and Azure VM.
    Ìý

    A cloud service isÌýhosted and managed by a third-party, external to the university: these services are typically not downloaded on to individual computers, rather accessed via the internet through a web browser or website login (there are hybrid solutions where there is a front-end desktop program or mobile application, but the data is stored externally in the cloud).

    Information that is processed, transmitted and stored with a cloud service is not under the protection of the university’s security controls. Cloud services accessible via the internet are also at risk of potential data breaches.

  • Related Policies and Procedures
    All use of University IT (including hosted services) is governed by the ITAUSP.Ìý
    Any research data and primary materials must be handled in accordance with the Research Data and Primary Materials Policy.
    These IT Security Procedures outline responsibilities for IT custodians and establish technical controls to protect University information assets, under the IT Acceptable Use and Security Policy.
    Third Party IT Security Risk Management Standard
    		The University's cyber security policies are structured under the IT Acceptable Use and Security Policy, supported by procedures for user conduct and technical controls, with specific CSF standards guiding IT custodians on security requirements.
    		The University’s Information Management Policy emphasizes proactive management and responsibility for Information Assets, balancing confidentiality with accessibility; information is classified into four levels—Public, University Internal, Confidential, and Restricted—to apply appropriate security based on data value, sensitivity, and potential impact if compromised.
    While most University IT is centrally managed by Information Technology and Digital Services (ITDS), some Distributed IT assets still exist. These assets—data, systems, and services—are locally managed by academic departments, research groups, or outsourced to external vendors for research and teaching.
    Information on our storage services

  • Previously Approved Cloud Services

    Please refer to the following document for a list of services that have previously been assessed and approved for the specific use case (i.e., maximum data classification and number of users).

    Previously approved cloud services (PDF)

    If you would like to sign up to a cloud service on this list for a similar use case, a complete re-assessment will not be required; however, you are still required to submit a request via to enable ITDS to keep track of areas within the University using the cloud service.