Cloud Platform Eligibility for Restricted Data
Google Cloud is now considered eligible for Restricted and Sensitive data, and is operationally ready for workloads.
A Cybersecurity Cloud Assessment for Restricted Data is necessary to ensure the security of the data, before using restricted data in a GCP project. This assessment should be fairly straightforward for typical projects, but the time required for this assessment will vary based on data risk and desired architecture.
The UW-Madison Google Cloud Platform implementation utilizes an the RHEDCloud Framework to provide some operational security guardrails, and includes some architectural templates that have been developed in collaboration with Cybersecurity. Use of services that are considered HIPAA eligible by Google is also highly recommended, and knowledge of the best practices documented therein will help with this process. The public cloud team can consult with you on these best practices.
Google Cloud platform has been through Cybersecurity’s Risk Assessment Framework and was rated as Low Risk. It also has a Business Associates Agreement (BAA) in place for HIPAA data.
Microsoft Azure is not yet operationally ready for restricted data workloads.
Microsoft Azure has been through Cybersecurity’s Risk Assessment Framework and was rated as Low Risk. It also has a Business Associates Agreement (BAA) in place for HIPAA data.
If you have an upcoming project that requires Microsoft Azure resources, please reach out to the public cloud team to discuss your needs further and potential timeline.
Please also confirm that the Azure services you wish to utilize are considered covered by the HIPAA BAA (https://azure.microsoft.com/mediahandler/files/resourcefiles/microsoft-azure-compliance-offerings/Microsoft%20Azure%20Compliance%20Offerings.pdf see Apendix A)
Amazon Web Services (AWS) is not eligible for restricted data workloads.
Amazon Web Services (AWS) has been through Cybersecurity’s Risk Assessment Framework and was rated as Moderate. The UW has been unable to come to an agreement with our AWS reseller via Internet2 on a Business Associates Agreement (BAA) that meets Wisconsin State statutes and University rules. We do not have an estimated timeline for this to be resolved, though we continue to explore alternatives as we know this is an important need on our campus.
Without an appropriate BAA in place, AWS should not be used for Sensitive or Restricted data workloads.