CyberSecurity Review Resources for SaaS / PaasS & Other IT Solution

Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution.

As far as possible, apply the Stanford Cloud Operational Principles and Practices.

As far as possible, apply the Stanford Cloud Architecture Principles for IaaS.

Provision new cloud accounts through University IT. 

1. Apply high severity security patches within seven days of release.
2. Apply all other security patches within 90 days.
3. Use a supported operating system and application version.
4. Use machine images only from trusted sources.

Additional Elaboration:

• Managed Services — For managed services like Amazon RDS or Google Cloud SQL, define a maintenance window that meets the standard.
• Ephemeral Servers and Containers — If using an automated system to build fully patched machine images, ensure that the patched image, or container base layer, is in use in your environment within the window of time specified in the MinSec standard.

Based on National Vulnerability Database (NVD) ratings: Identify and remediate severity 4 and 5 CVE vulnerabilities within seven days of discovery, and severity 3 vulnerabilities within 90 days.

Stanford provides and recommends the Qualys toolset (which includes the Qualys Cloud Agent), however platform specific tools such as Amazon Inspector and Google Cloud Security Scanner may be used instead.

If a detection tool other than Qualys is used, ISO may request a review and audit of your tool and practices as well as periodic verification of efficacy.

Additional Elaboration:

• Managed Services — Qualys scanning may be omitted on infrastructure provider managed services, however if the platform provides a native vulnerability detection capability, it should be implemented.
• Ephemeral Servers — Build machine images that contain the appropriate agent, or bootstrap the installation and configuration of the agent using the management tools specific to your implementation.
• Containerized Solutions — Scan image for CVEs using CLAIR, Anchore, private DockerHub scan, or similar tool.

Review and update department/MinSec Cloud inventory records quarterly. Must indicate associated risk classification and service ownership.

Additional Elaboration:

• Ephemeral Servers — Systems designed for a lifespan no greater than 7 days (commonly those in autoscaling worker groups) should be inventoried as a single application.
• Managed Services — Infrastructure managed services like Amazon RDS or Google Cloud SQL should be inventoried as applications.

Use the native tools and design patterns of your platform to ensure that only the minimum necessary network communication is permitted through virtual network devices such as VPCs, load balancers, and the like. This includes access to managed services such as hosted database platforms.

1. Where possible, integrate with Stanford SSO authentication for all cloud administration consoles.
2. Abide by Stanford’s password complexity rules.
3. Review administrative accounts and privileges quarterly.
4. API keys:
   1. Minimize their generation.
   2. Grant minimum necessary privileges.
   3. Rotate at least annually.
   4. Do not hardcode.
5. Do not share credentials.

Enforce two-factor authentication for all interactive user and administrator logins. Stanford provided Duo two-factor authentication is recommended, but other two-factor options are acceptable.

1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed.
2. Forward logs to remote logging solutions.
   1. University IT Splunk service recommended, but third party SaaS solutions are also acceptable.

Additional Elaboration:

• Administrative Activity Logs —  Log user actions and API calls that create or modify the configuration or metadata of a resource, service or project.
• Data Access Logs — Log user actions and API calls that create, modify, or read High Risk data managed by a service. One example would be to enable data access logs on AWS S3 buckets containing High Risk Data.

1. Backup application data at least weekly.
2. Encrypt backup data in transit and at rest.
3. Store backups in independent cloud accounts.

1. Enable transport layer encryption for all communications external to the private cloud environment.
2. Use TLS 1.2 or higher.
3. Use encryption at rest if available.

Prefer US based data center locations.

Cloud administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access.

Administrative accounts are defined as:

• Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.
• Accounts with the ability to override or change security control

Follow the Data Risk Assessment process and implement recommendations prior to deployment.

1. Adhere to applicable regulations: PCI, HIPAA/HITECH, NIST 800-171, GDPR, etc.
2. For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.

Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution.

Follow the SaaS Considerations checklist.

Follow the PaaS Considerations checklist.

Follow the Security When Using a Cloud Product guidelines.

Review and update department/MinSec Cloud inventory records quarterly. Must indicate associated risk classification, data volume estimates, and service ownership.

1. If possible, Integrate with Stanford’s SSO services, preferably SAML.
2. Review administrative accounts and privileges quarterly.
3. Adhere to the Stanford password complexity rules if not integrated with a Stanford SSO service.
4. API keys:
   1. Minimize their generation.
   2. Grant minimum necessary privileges.
   3. Rotate at least annually.
   4. Do not hardcode.
5. Do not share credentials.

1. Enable transport layer encryption TLS 1.2 or higher.
2. Use encryption of data at rest if available.

If user login is not able to be integrated with Stanford SSO, enable two-factor authentication if offered by the solution.

1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed.
2. Contractually ensure that the provider can export logs at the request of Stanford within five days.

Contractually ensure that Stanford data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory obligations.

Administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access.

Administrative accounts are defined as:

1. Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.
2. Accounts with the ability to override or change security controls.

Follow the Data Risk Assessment process and implement recommendations prior to deployment.

1. Follow all regulatory data controls as applicable (HIPAA/HITECH, NIST 800-171, PCI DSS, GDPR, etc.). 
2. For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.