This post collects some useful resources to have a proper CyberSecurity review to any SaaS, PaaS, and other IT solutions.
Minimum Security Standards for SaaS and PaaS from Standord Unviersity
Note: https://uit.stanford.edu/guide/securitystandards/iaas
Minimum Security Standards:
Infrastructure-as-a-Service (IaaS) and Containerized Solutions
Applicability:
- The minimum security standards found here apply to IaaS managed services — virtual servers that are designed to be ephemeral — and containerized solutions.
- All other persistent virtual servers, regardless of infrastructure, are to be managed under the Minimum Security Standards: Servers guidelines.
Standards | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|
Platform Selection |
Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution. |
|||
Operational Practices |
As far as possible, apply the Stanford Cloud Operational Principles and Practices. |
|||
System Architecture |
As far as possible, apply the Stanford Cloud Architecture Principles for IaaS. |
|||
Account Management |
Provision new cloud accounts through University IT. |
|||
Patching and Application Lifecycle |
Additional Elaboration:
|
|||
Vulnerability Management |
Based on National Vulnerability Database (NVD) ratings: Identify and remediate severity 4 and 5 CVE vulnerabilities within seven days of discovery, and severity 3 vulnerabilities within 90 days. Stanford provides and recommends the Qualys toolset (which includes the Qualys Cloud Agent), however platform specific tools such as Amazon Inspector and Google Cloud Security Scanner may be used instead. If a detection tool other than Qualys is used, ISO may request a review and audit of your tool and practices as well as periodic verification of efficacy. Additional Elaboration:
|
|||
Inventory and Asset Classification |
Review and update department/MinSec Cloud inventory records quarterly. Must indicate associated risk classification and service ownership. Additional Elaboration:
|
|||
Firewall |
Use the native tools and design patterns of your platform to ensure that only the minimum necessary network communication is permitted through virtual network devices such as VPCs, load balancers, and the like. This includes access to managed services such as hosted database platforms. |
|||
Credential and Key Management |
|
|||
Two-Step Authentication |
Enforce two-factor authentication for all interactive user and administrator logins. Stanford provided Duo two-factor authentication is recommended, but other two-factor options are acceptable. |
|||
Logging and Alerting |
Additional Elaboration:
|
|||
Backups |
|
|||
Encryption |
|
|||
Data Centers |
Prefer US based data center locations. |
|||
Secure Admin Workstation |
Cloud administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access. Administrative accounts are defined as:
|
|||
Security, Privacy, and Legal Review |
Follow the Data Risk Assessment process and implement recommendations prior to deployment. |
|||
Regulated Data Security Controls |
|
Minimum Security Standards for IaaSFor SaaS / PaaS
Standards | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|
Product Selection |
Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution. |
|||
Pre-implementation Planning |
Follow the SaaS Considerations checklist. Follow the PaaS Considerations checklist. Follow the Security When Using a Cloud Product guidelines. |
|||
Inventory and Asset Classification |
Review and update department/MinSec Cloud inventory records quarterly. Must indicate associated risk classification, data volume estimates, and service ownership. |
|||
Credential and Key Management |
|
|||
Encryption |
|
|||
Two-Step Authentication |
If user login is not able to be integrated with Stanford SSO, enable two-factor authentication if offered by the solution. |
|||
Logging and Auditing |
|
|||
Data Management |
Contractually ensure that Stanford data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory obligations. |
|||
Secure Admin Workstation |
Administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access. Administrative accounts are defined as:
|
|||
Security, Privacy and Legal Review |
Follow the Data Risk Assessment process and implement recommendations prior to deployment. |
|||
Regulated Data Security Controls |
|
SaaS Checklist
A SaaS product used for the Stanford community must meet these requirements:
Business requirements:
- The product provides functional support for Stanford’s business.
- The service provider is viable and provides support for the product.
- The service provider has a process to notify the user about changes in the product (e.g., functionality, UI).
Technical/integration requirements:
- The product integrates with Stanford’s IAM (Identity and Access Management) and account provisioning systems.
- The product has the capability for service health monitoring.
- The product includes log and/or event notification (e.g., it tracks administrative access or configuration changes to deployment).
- The product has testing and staging environments.
- The product is scalable and fault-tolerant.
Risk management requirements:
- The product supports Stanford’s data security requirements.
- The product complies with University policy and legal requirements.
- The product supports business continuity and disaster recovery.
PaaS Checklist
When looking to acquire a PaaS product for the Stanford community, follow this checklist of required attributes. More detail can be found in the sections below.
Required attributes — a PaaS candidate solution must address these three sets of considerations:
Business considerations:
- Functional support for Stanford’s business
- Vendor support and viability
- Cost
- Lifecycle and exit strategy
Technical/integration considerations:
- Scalability and availability
- Capability for service health monitoring
- Ability to integrate with and operate with Stanford services and products
- Ability to integrate with Stanford IAM (Identity and Access Management) infrastructure
Risk management considerations:
- Ability to support Stanford’s data security requirements
- Support for business continuity and disaster recovery
- Ability to notify Stanford about breaches or outages
- Compliance with University policy and legal requirements
Minimum Security Standards: Endpoints
An endpoint is defined as any laptop, desktop, or mobile device.
- Determine the risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk Data but utilized to access a High Risk application is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard your endpoints.
Standard | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|---|
Patching | Apply security patches within seven days of publish. BigFix is recommended. Use a supported OS version. | ||||
Whole Disk Encryption | Enable FileVault2 for Mac, BitLocker for Windows. SWDE is recommended, option to use VLRE instead. Install MDM on mobile devices. | ||||
Malware Protection | Install antivirus (Recommended: CrowdStrike or Microsoft Defender for Windows, Crowdstrike for Mac). | ||||
Backups | Back up user data at least daily. University IT CrashPlan is recommended (option to set personal password). Encrypt backup data in transit and at rest. | ||||
Inventory | Review and update NetDB records quarterly. Maximum of one node per NetDB record. | ||||
Configuration Management | Install BigFix and SWDE. | ||||
Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export controls as applicable. |
Minimum Security Standards: Servers
A server is defined as a host that provides a network accessible service.
- Determine the risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all. For example, a server running a Low Risk application but storing High Risk Data is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard your servers.
Standard | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|---|
Patching | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported OS version. | ||||
Vulnerability Management | Perform a monthly Qualys scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days. | ||||
Inventory | Review and update NetDB, SUSI, and department/MinSec inventory records quarterly. Maximum of one node per NetDB record. | ||||
Firewall | Enable host-based firewall in default deny mode and permit the minimum necessary services. | ||||
Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via Kerberos recommended. | ||||
Two-Step Authentication | Require Duo two-step authentication for all user and administrator logins. | ||||
Centralized Logging | Forward logs to a remote log server. University IT Splunk service recommended. | ||||
Sysadmin Training | Attend at least one Stanford Information Security Academy training course annually. | ||||
Malware Protection | Deploy Crowdstrike. Review alerts as they are received. | ||||
Intrusion Detection | Deploy OSSEC or Tripwire. Review alerts as they are received. | ||||
Physical Protection | Place system hardware in a data center. | ||||
Secure Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW) or Cardinal Protect workstation. A PAW is required for ring0 access. | ||||
Security, Privacy, and Legal Review | Follow the Data Risk Assessment process and implement recommendations prior to deployment. | ||||
Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export controls as applicable. |
Minimum Security Standards: Applications
An application is defined as software running on a server that is remotely accessible, including mobile applications.
- Determine the risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an application providing access to Low Risk Data but running on a High Risk server is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard your applications.
Standard | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk |
---|---|---|---|---|---|
Patching | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application. | ||||
Vulnerability Management | Perform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days. | ||||
Inventory | Review and update department/MinSec Application inventory records quarterly. Must indicate associated risk classification and data volume estimates. | ||||
Firewall | Permit the minimum necessary services through the network firewall. | ||||
Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via WebAuth/SAML recommended. | ||||
Two-Step Authentication | Require Duo two-step authentication for all user and administrator logins. | ||||
Centralized Logging | Forward logs to a remote log server. University IT Splunk service recommended. | ||||
Secure Software Development | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended. | ||||
Developer Training | Attend at least one Stanford Information Security Academy training course annually. | ||||
Backups | Back up application data at least weekly. Encrypt backup data in transit and at rest. | ||||
Secure Admin Workstation | Access administrative accounts only via a Privileged Access Workstation (PAW) or Cardinal Protect workstation. A PAW is required for ring0 access. | ||||
Security, Privacy, and Legal Review | Follow the Data Risk Assessment process and implement recommendations prior to deployment. | ||||
Regulated Data Security Controls | Implement PCI DSS, HIPAA, FISMA, or export controls as applicable. |
SaaS Vendor Evaluation Template v0.1
T E M P L A T E |
|||
EVALUATING SaaS VENDORS |
|||
This |
|||
|
|
|
|
|
Insert SaaS Vendor 1 |
||
|
Vendor |
Urgency |
Vendor |
Criteria |
Rate |
Rate |
Final |
Security |
|||
GDPR |
|
|
0 |
SOC 2 |
|
|
0 |
ISO/IEC |
|
|
0 |
PCI |
|
|
0 |
HIPAA |
|
|
0 |
FFIEC |
|
|
0 |
Single |
|
|
0 |
Multi-factor |
|
|
0 |
Service |
|||
Uptime |
|
|
0 |
Response |
|
|
0 |
Dedicated |
|
|
0 |
Community/Forum |
|
|
0 |
Automated |
|
|
0 |
Professional |
|
|
|
Support |
|
|
0 |
Cost |
|||
License |
|
|
0 |
Professional |
|
|
|
Pricing |
|
|
0 |
Feature-set |
|||
Automated |
|
|
0 |
Extensive |
|
|
0 |
ERP |
|
|
0 |
HRIS |
|
|
0 |
Single |
|
|
0 |
Advanced |
|
|
0 |
Contract |
|
|
0 |
Contract |
|
|
0 |
Actionable |
|
|
0 |
SaaS |
|
|
0 |
Departmental |
|
|
0 |
Utilization |
|
|
0 |
Compliance |
|
|
0 |
Final |
0 |
Standards
Security
- ISO
- CSA (Cyber Security Alliance)
- ico.
- HIPAA
- SSAE
- PCI DSS
- GDPR
- IEC
- COBIT
- Cyber Essentials
- ISAE
Cloud
- IEEE
- ISO
- IETF
- DMTF
- ETSI
- GICTF
- OpenGridForum
- SNIA
- Open Cloud Consortium
- Cloud Standards Customer Council
- NIST
- OASIS
Operations
- ISO
- ITIL
- IFPUG
- CIF
- DMTF
- COBIT
- TOGAF 9
- MOF
- tmforum
- FitSM