Skip to Content

Third-Party Cloud Storage

In most instances, Dropbox, Google Drive, or other third-party cloud storage solutions are not authorized for university business or other university operations.

Our enterprise-level Microsoft 365 account provides virtually unlimited cloud storage, integrations with all Microsoft 365 applications (which are available to everyone on campus), as well as the ability to share data with external collaborators. On occasion, there are instances where other tools are authorized for use; for example, when another university is running an enterprise-licensed instance of DropBox.

Why unauthorized 3rd party cloud storage is not a good idea

In general, the use of unauthorized 3rd party cloud storage is not a good idea. Even in cases where it is authorized, that use is typically limited and does not involve the transmission or storage of university data. The reasons blow elaborate on the reasoning behind this position.

Lack of Visibility

Since these software are not integrated into our network, there is no way we can retrieve data stored in these systems if an employee or faculty member leaves the institution and fails to disclose the usage of that account, or has it attached to a personal email account. If Texas State data are present in those accounts, then it can be easily lost or compromised, which can lead to institutional and legal consequences.

Lack of Accountability

There is no way to perform investigations or comply with public records requests if a faculty or staff member is using unauthorized cloud storage. Additionally, there is no way to know if those data have been compromised and no ability for our forensics team to conduct analyses on these data in the event of a security incident.

Lack of Support

We don't offer technical support to these services. So, if something goes wrong, is lost or compromised, ITAC will have no way to help users who have lost data or been locked out of accounts.

Usage Guide

There may be other instances where third-party cloud storage options may be authorized. This guide should help clarify when and why these services are not allowed and provide information on their appropriate use.

Expand or Collapse all.
  • Every system and tool authorized for use at Texas State has gone through a review process to establish service and support requirements, as well as defensible assurances that data will be adequately protected and properly handled. Using unauthorized IT services makes it nearly impossible for the ISO and other teams in DOIT to monitor for security incidents, provide adequate support, fulfill requirements mandated by state law, and ensure that data are adequately protected by the third-party vendor. 

    There are several existing solutions (e.g., S:Drive, SharePoint, OneDrive) that meet most data sharing and storage needs, making Dropbox and other third-party storage options redundant in many cases. As with most other redundant products, the marginal benefit, such as gain in productivity, is more than eclipsed by the risk encumbered by the institution. On a more basic level, existing solutions are provided at no cost to departments, so additional paid subscriptions are an inefficient use of funds. 

  • Information at Texas State University is divided into three categories — Public, Sensitive, and Confidential. Each of these data have different levels of risk which must be considered when deciding how to store and send them. Sensitive and confidential information often have legal requirements for management, which can only be guaranteed through a review process and contractual agreements with vendors. 

    Data management and other IT policies detail how software can be acquired, how access is managed, and establish controls to protect information. They are written and enforced to protect the confidentiality, integrity, and availability of the information we manage, which are often regulated by state and federal law.

    Below, we have provided the policies which concern third-party software applications. They are also important for understanding why certain software is not permitted.

  • On occasion, third-party cloud storage solutions have been authorized for institutional use after other options have been ruled out. The Information Security Office must be consulted to determine if these types of services are suitable. There are a few common factors in those scenarios: 

    • The data being stored or managed is low sensitivity (e.g., no confidential records, no medical data, grades, SSNs)  
    • The cloud storage service involved is an enterprise-level subscription, managed and monitored by another organization's central IT office. In other words, it is not the kind of service geared towards individual consumers as those types of products often lack the layers of protection and administration the university would require for similar systems. 
    • The scope of use and the accompanying justification are well documented.  
    • Browser-only access is used in lieu of the desktop sync app.
    • Additional procedures, such as using Texas State's LastPass Enterprise password management service and opting into the service's multi-factor authentication option, are developed and adhered to. 

    Remember: Only share data with those you trust, and with only the minimum number of people necessary. 

  • Cloud storage should never be used to:

    • Infringe others' intellectual property rights, including by sharing copyrighted content. 
    • Violate the privacy of others. 
    • Distribute harmful or malicious code or content. 
    • Share or store university data without appropriate authorization.
    • Share or store sensitive or confidential information relevant to any university function or operation. This includes:
      • Personal Identifiable Information (SSN, account numbers, birth dates, driver’s license numbers, etc.) 
      • HIPAA information (i.e., ePHI – and any other health related information including diagnosis, dates of service, recommended treatments, prescriptions, etc.
      • PCI (Payment Card Industry) Information – Credit Card Numbers, PINs, verification codes, etc.
      • Protected, unpublished research data or any sensitive or confidential participant data included in unpublished research. 
      • Network Identifier (NetID) Credentials – this includes NetID username, password, and Duo authentication codes, etc. 
      • Access credentials to your university-issued desktop computer, laptop, or any other university-issued device. 

Examples of Appropriate Usage

As noted, products like Dropbox and Google Drive have not been authorized for use. Below are some examples that have been sanitized; sharing details of these specific cases would unduly expose how the groups that use the products operate. These examples should not be taken as policy as there are often other factors complicating the suitability of some products.


General Rules

Okay Maybe Okay Not Okay

Using unauthorized cloud-hosted services for your own personal or confidential information.

Formally or informally collaborating with another organization. Depending on the context of the scenario (i.e., your technical needs, the type of data involved, the other parties with whom you are collaborating),this kind of situation will need to be reviewed and documented by the ISO.

Installing software from unauthorized cloud-hosted storage services that automatically downloads files to your university computer and uploads files from your computer. Except for products provided by DOIT (e.g. TXST's OneDrive for Business, CrashPlan), installing software that automatically transfers files to and from cloud-hosted storage providers is prohibited.

Storing personal projects and research based solely on published, secondary sources. Some types of unpublished research are considered particularly low risk. This includes content such as literary reviews and student drafts of papers for most classes.

Transferring university data to a vendor, auditor, accreditation board, or other oversight group.

Using unauthorized cloud-hosted storage services to store, work on, back up, or transfer sensitive or confidential information. Texas State has other systems and platforms in place better suited to protect these data.

Accessing non-confidential documents and other files hosted by other organizations' authorized cloud-hosted services.

Working with students. In most cases, established Texas State systems such as Microsoft 365 and the Canvas learning management system should be used to collaborate with students, especially when protected research data, official course materials, and course assignments are involved.

 

 

Warning to users: If you should decide to use DropBox or other unauthorized third-party cloud storage for your own, personal data, please be aware that we do not offer support for these services through ITAC and you will have to use solely the assistance provided by the vendor. Texas State takes no responsibility for the misuse of these platforms or the loss of personal data therein. Never use unauthorized 3rd party cloud storage for university data, or sensitive and confidential data of anyone other than yourself.