Minimum Security Standards:
Infrastructure-as-a-Service (IaaS) and Containerized Solutions
Applicability:
- The minimum security standards found here apply to IaaS managed services — virtual servers that are designed to be ephemeral — and containerized solutions.
- All other persistent virtual servers, regardless of infrastructure, are to be managed under the Minimum Security Standards: Servers guidelines.
| Standards | What to do | Low Risk | Moderate Risk | High Risk |
|---|---|---|---|---|
| Platform Selection | Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| Operational Practices | As far as possible, apply the Stanford Cloud Operational Principles and Practices. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| System Architecture | As far as possible, apply the Stanford Cloud Architecture Principles for IaaS. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| Account Management | Provision new cloud accounts through University IT. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| Patching and Application Lifecycle | | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| Vulnerability Management | Based on National Vulnerability Database (NVD) ratings: identify and remediate severity 4 and 5 CVE vulnerabilities within seven days of discovery, and severity 3 vulnerabilities within 90 days. Stanford provides and recommends the Qualys toolset (which includes the Qualys Cloud Agent); however, platform-specific tools such as Amazon Inspector and Google Cloud Security Scanner may be used instead. If a detection tool other than Qualys is used, ISO may request a review and audit of your tool and practices as well as periodic verification of efficacy. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| Inventory and Asset Classification | Review and update department/MinSec Cloud inventory records quarterly. Records must indicate the associated risk classification and service ownership. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| Firewall | Use the native tools and design patterns of your platform to ensure that only the minimum necessary network communication is permitted through virtual network devices such as VPCs, load balancers, and the like. This includes access to managed services such as hosted database platforms. | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| Credential and Key Management | | Required for Low Risk Data | Required for Moderate Risk Data | Required for High Risk Data |
| Two-Step Authentication | Enforce two-factor authentication for all interactive user and administrator logins. Stanford-provided Duo two-factor authentication is recommended, but other two-factor options are acceptable. | | Required for Moderate Risk Data | Required for High Risk Data |
| Logging and Alerting | | | Required for Moderate Risk Data | Required for High Risk Data |
| Backups | | | Required for Moderate Risk Data | Required for High Risk Data |
| Encryption | | | Required for Moderate Risk Data | Required for High Risk Data |
| Data Centers | Prefer US-based data center locations. | | Required for Moderate Risk Data | Required for High Risk Data |
| Secure Admin Workstation | Cloud administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access. Administrative accounts are defined as: | | | Required for High Risk Data |
| Security, Privacy, and Legal Review | Follow the Data Risk Assessment process and implement recommendations prior to deployment. | | | Required for High Risk Data |
| Regulated Data Security Controls | | | | Required for High Risk Data |
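One way a department could check its own scan results against the remediation windows in the Vulnerability Management row (severity 4 and 5 within seven days of discovery, severity 3 within 90 days), as an added Python example that is not part of the Stanford standard. The `Finding` class, its field names and the sample findings are constructed assumptions, not any scanner's export format.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows from the standard: severity 4 and 5 within seven days
# of discovery, severity 3 within 90 days. Severities 1 and 2 carry no
# mandated deadline on the page, so they are tracked but never flagged.
REMEDIATION_DAYS = {5: 7, 4: 7, 3: 90}


@dataclass
class Finding:
    host: str               # instance or container identifier (constructed values below)
    cve: str                # identifier as reported by the scanner
    severity: int           # scanner severity on the 1-5 scale the standard refers to
    discovered: date
    remediated: Optional[date] = None


def deadline_for(finding: Finding) -> Optional[date]:
    """Date by which the standard requires remediation, or None if no window applies."""
    days = REMEDIATION_DAYS.get(finding.severity)
    return None if days is None else finding.discovered + timedelta(days=days)


def overdue_findings(findings, today: date):
    """Open findings whose remediation window has already elapsed as of `today`.

    Returns (host, cve, severity, days_past_deadline) tuples for reporting.
    """
    overdue = []
    for f in findings:
        if f.remediated is not None:
            continue                      # closed findings are not assessed
        due = deadline_for(f)
        if due is not None and today > due:
            overdue.append((f.host, f.cve, f.severity, (today - due).days))
    return overdue


# Constructed sample scan results; hostnames and CVE ids are placeholders, not real findings.
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", 5, date(2024, 3, 1)),                               # due 2024-03-08
    Finding("web-01", "CVE-0000-0002", 3, date(2024, 1, 10)),                              # due 2024-04-09
    Finding("api-02", "CVE-0000-0003", 4, date(2024, 3, 5), remediated=date(2024, 3, 9)),  # closed in time
    Finding("api-02", "CVE-0000-0004", 2, date(2023, 6, 1)),                               # no mandated window
]

if __name__ == "__main__":
    for row in overdue_findings(SAMPLE, date(2024, 3, 12)):
        print("OVERDUE host=%s cve=%s sev=%d days_past=%d" % row)
```

Run against a real export, only the loader that builds `Finding` objects from the scanner's output needs to change; the deadline logic stays as the standard states it.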