
Cloud Storage Security Matrix

Provider CASIT CASIT Google Apps Google Apps for Business SpiderOak Google Drive Dropbox
Initial Allocation 50GB Home, 100GB Dept 25GB 25GB 2GB 5GB 2GB 5GB
Initial Cost Free Free $50/user/year Free Free Free Free
Data Mining No No No No Yes Yes Yes
FERPA Yes Yes Yes Yes No No No
HIPAA Yes No Yes Yes No No No
Data-at-rest in USA Yes No No Yes No No No
Backup Yes (tape; off-site) Cloud Cloud Cloud Cloud Cloud Cloud
Cost for Additional Storage Just ask $4/month/25GB $100/year/100GB $2.50/month/25GB $100/year/100 GB $10/month/25GB
Notes 100% on campus Encrypted Transmission Encrypted Transmission 100% Encrypted transmission and stored fully encrypted in the USA Encrypted transmission: Dropbox uses Amazon Simple Storage Service for storage

The University of Oregon has not yet created a clear policy on cloud storage but is working on one. Users should proceed with caution – laws regarding data storage have not kept up with current technological offerings.


(Please note that the terms listed below are working definitions.)

FERPA – The Family Educational Rights and Privacy Act of 1974 is a federal law that pertains to the release of and access to educational records. The law applies to all schools that receive funds under an applicable program of the US Department of Education. FERPA applies to personally identifiable information in educational records. This includes items such as the student’s name, names of family members, addresses, personal identifiers such as social security numbers, and personal characteristics or other information that make the student’s identity easily traceable.

HIPAA – The HIPAA Privacy Rule established national standards to guard the privacy of a patient’s protected health information. Protected health information includes:
1) Information created or received by a health care provider or health plan that includes health information or health care payment information plus information that personally identifies the individual patient or plan member.
2) Personal identifiers include: a patient’s name and email, web site and home addresses; identifying numbers (including Social Security, medical records, insurance numbers, biomedical devices, vehicle identifiers and license numbers); full facial photos and other biometric identifiers; and dates (such as birth date, dates of admission and discharge, death).

ITAR – Federal regulations promulgated and enforced by the Department of Commerce, Export Administration Regulations (EAR), and the Department of State, International Traffic in Arms Regulations (ITAR), prohibit the unlicensed export of specific technologies for reasons of national security or protection of trade. If University research involves such specified technologies, the EAR and/or ITAR may require the University to obtain prior approval from State or Commerce before allowing foreign nationals to participate in the research, partnering with a foreign company and/or sharing research—verbally or in writing—with persons who are not United States citizens or permanent resident aliens.

Export control regulations have the potential to harm the quality of University research, undermine publication rights, and prohibit international collaboration if the dissemination of University research is not placed in the public domain and does not qualify for the “fundamental research” exclusion (see below). The consequences of violating these regulations can be quite severe, ranging from loss of research contracts to monetary penalties to jail time for the individual violating these regulations.

Fundamental Research – The export control regulations do not apply to the results of “fundamental research” at universities and other institutions of higher learning. Under the EAR and the ITAR, fundamental research is defined to mean “basic and applied research” in science and engineering at accredited institutions of higher learning in the United States where the resulting information is ordinarily published and shared broadly within the scientific community. Fundamental research is distinguished from research where the results are subject to access or publication restrictions for proprietary, national security or foreign policy reasons.

Data Mining – The computer-assisted process of digging through and analyzing enormous sets of data and then extracting the meaning of the data. Data mining tools predict behaviors and future trends, allowing businesses to make proactive, knowledge-driven decisions. Data mining tools can answer business questions that traditionally were too time-consuming to resolve. The tools scour databases for hidden patterns, finding predictive information that lies outside expectations. Consider the implications if every telephone call you make, every credit card purchase you make, every flight you take, every visit to the doctor you make, every warranty card you send in, every employment application you fill out, every school record you have, your credit record, and every web page you visit were all collected together. A lot would be known about you.

Data at rest – Any data that is stored on a device as opposed to data that is traversing a network.

Encryption – An algorithmic process of encoding data to make it unintelligible except to users with the keys to decode the data.

Sensitive University Data – University Data that includes information that personally identifies individuals and any other data that is identified by law, regulation, policy or practice as confidential or registered confidential. (See Sensitive Data Checklist for specific data included in this category.)

University Data – Items of information that are collected, maintained, and utilized by the University for the purpose of carrying out institutional business subject to or limited by any overriding contractual or statutory regulations. University Data may be stored either electronically or on paper and may be of many forms (including but not limited to: text, graphics, images, sound, or video).

Research data – scholarly work of faculty or students, and intellectual property that do not contain personally-identifiable information or other data protected by law or University policy. The data, records, files or other evidence, irrespective of their content or form (e.g. in print, digital, physical or other forms), that comprise research observations, findings or outcomes, including primary materials and analyzed data.

Last updated: 10/22/2015