
Minimum Security Standards for Infrastructure-as-a-Service (IaaS) and Containerized Solutions

Stanford is committed to protecting the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information important to the University's mission.


Applicability:

  1. The minimum security standards found here apply to IaaS managed services — virtual servers that are designed to be ephemeral — and containerized solutions.
  2. All other persistent virtual servers, regardless of infrastructure, are to be managed under the Minimum Security Standards: Servers guidelines.
Each standard below states what to do, followed by the data risk classifications (Low Risk, Moderate Risk, High Risk) for which it is required.
Platform Selection

Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution.

Required for: Low Risk, Moderate Risk, and High Risk Data
Operational Practices

As far as possible, apply the Stanford Cloud Operational Principles and Practices.

Required for: Low Risk, Moderate Risk, and High Risk Data
System Architecture

As far as possible, apply the Stanford Cloud Architecture Principles for IaaS.

Required for: Low Risk, Moderate Risk, and High Risk Data
Account Management

Provision new cloud accounts through University IT

Required for: Low Risk, Moderate Risk, and High Risk Data
Patching and Application Lifecycle
  1. Apply high severity security patches within seven days of release.
  2. Apply all other security patches within 90 days.
  3. Use a supported operating system and application version.
  4. Use machine images only from trusted sources.

Additional Elaboration:

  • Managed Services — For managed services like Amazon RDS or Google Cloud SQL, define a maintenance window that meets the standard.
  • Ephemeral Servers and Containers — If using an automated system to build fully patched machine images, ensure that the patched image, or container base layer, is in use in your environment within the window of time specified in the MinSec standard.
Required for: Low Risk, Moderate Risk, and High Risk Data
Vulnerability Management

Based on National Vulnerability Database (NVD) ratings: Identify and remediate severity 4 and 5 CVE vulnerabilities within seven days of discovery, and severity 3 vulnerabilities within 90 days.

Stanford provides and recommends the Qualys toolset (which includes the Qualys Cloud Agent); however, platform-specific tools such as Amazon Inspector and Google Cloud Security Scanner may be used instead.

If a detection tool other than Qualys is used, ISO may request a review and audit of your tool and practices as well as periodic verification of efficacy.

Additional Elaboration:

  • Managed Services — Qualys scanning may be omitted on infrastructure-provider managed services; however, if the platform provides a native vulnerability detection capability, it should be enabled.
  • Ephemeral Servers — Build machine images that contain the appropriate agent, or bootstrap the installation and configuration of the agent using the management tools specific to your implementation.
  • Containerized Solutions — Scan images for CVEs using Clair, Anchore, private Docker Hub repository scanning, or a similar tool.
Required for: Low Risk, Moderate Risk, and High Risk Data
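The patching and vulnerability windows above reduce to one bookkeeping problem: for each finding, when is it due, and is it fixed, open, or in breach? The following tracker is an added example, not part of the Stanford standard or of any Qualys or scanner tooling. It uses the 1-5 severity scale the standard quotes (4 and 5 within 7 days, 3 within 90 days). The findings, the placeholder CVE identifiers and the fixed "today" date are constructed sample data.

```python
"""Remediation-window tracker for the patching and vulnerability standards above.

Added example, not part of the Stanford standard. The finding records and the
fixed 'today' date are constructed sample data. Severity uses the 1-5 scale the
standard quotes: 4 and 5 must be remediated within 7 days of discovery (or of
patch release), 3 within 90 days; 1 and 2 have no window in the standard.
For ephemeral servers and containers, 'fixed' is the date the rebuilt image or
base layer was actually in use across the environment, not the date it was built.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = {5: 7, 4: 7, 3: 90}  # severity -> days allowed by the standard


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    severity: int                 # 1-5, as used in the standard
    discovered: date              # scan discovery or patch release date
    fixed: Optional[date] = None  # None while still open


def deadline(f: Finding) -> Optional[date]:
    """Due date implied by the standard, or None when no window applies."""
    days = SLA_DAYS.get(f.severity)
    return None if days is None else f.discovered + timedelta(days=days)


def status(f: Finding, today: date) -> str:
    """One of: fixed, fixed-late, open, overdue, untracked."""
    due = deadline(f)
    if due is None:
        return "untracked"
    if f.fixed is not None:
        return "fixed" if f.fixed <= due else "fixed-late"
    return "overdue" if today > due else "open"


def report(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group 'asset:CVE' labels by status so breaches of the window stand out."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(status(f, today), []).append(f"{f.asset}:{f.cve}")
    return out


# Constructed sample findings; the CVE strings are placeholders, not real advisories.
SAMPLE = [
    Finding("web-asg", "CVE-0000-0001", 5, date(2024, 3, 1), fixed=date(2024, 3, 5)),
    Finding("web-asg", "CVE-0000-0002", 4, date(2024, 3, 1)),
    Finding("batch-img", "CVE-0000-0003", 3, date(2024, 1, 1), fixed=date(2024, 3, 1)),
    Finding("batch-img", "CVE-0000-0004", 3, date(2023, 11, 1)),
    Finding("batch-img", "CVE-0000-0005", 2, date(2024, 3, 1)),
    Finding("web-asg", "CVE-0000-0006", 5, date(2024, 2, 1), fixed=date(2024, 2, 20)),
    Finding("batch-img", "CVE-0000-0007", 3, date(2024, 3, 1)),
]
TODAY = date(2024, 3, 11)

if __name__ == "__main__":
    for state, items in sorted(report(SAMPLE, TODAY).items()):
        print(f"{state:10s} {', '.join(items)}")
```

Feeding this from a real scanner means mapping its severity field onto the 1-5 scale and, for ephemeral fleets, recording the rollout date of the rebuilt image as the fix date, since a patched image that is built but not yet deployed does not satisfy the window.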
Inventory and Asset Classification

Review and update department/MinSec Cloud inventory records quarterly. Records must indicate the associated risk classification and service ownership.

Additional Elaboration:

  • Ephemeral Servers — Systems designed for a lifespan no greater than 7 days (commonly those in autoscaling worker groups) should be inventoried as a single application.
  • Managed Services — Infrastructure managed services like Amazon RDS or Google Cloud SQL should be inventoried as applications.
Required for: Low Risk, Moderate Risk, and High Risk Data
Firewall

Use the native tools and design patterns of your platform to ensure that only the minimum necessary network communication is permitted through virtual network devices such as VPCs, load balancers, and the like. This includes access to managed services such as hosted database platforms.

Required for: Low Risk, Moderate Risk, and High Risk Data
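"Minimum necessary network communication" is easiest to verify mechanically. The audit below is an added example, not part of the Stanford standard or of AWS tooling: it reads the JSON shape that `aws ec2 describe-security-groups` returns and flags ingress rules that admit more than the minimum, including database ports (the managed-service case the standard calls out) reachable from outside the VPC. The security group document, the VPC CIDR and the set of ports allowed to face the Internet are constructed assumptions for the example.

```python
"""Least-privilege audit of AWS security group ingress rules.

Added example, not part of the Stanford standard. It reads the JSON shape
returned by `aws ec2 describe-security-groups` and flags ingress rules that
admit more than the minimum necessary traffic: all-protocol rules, ports other
than the intended public ones opened to 0.0.0.0/0 or ::/0, and database ports
reachable from any CIDR outside the VPC. The group document, the VPC CIDR and
the set of ports allowed to be public are constructed assumptions for the
example; real deployments set them from their own architecture.
"""
import json
from ipaddress import ip_network
from typing import List, Tuple

PUBLIC_OK_PORTS = {80, 443}                  # assumption: only web front ends face the Internet
DB_PORTS = {1433, 3306, 5432, 6379, 27017}   # common managed-database listeners
WORLD = {"0.0.0.0/0", "::/0"}
VPC_CIDR = "10.0.0.0/16"                     # assumption for the sample VPC

Finding = Tuple[str, str, str]  # (group id, reason, rule text)


def port_range(perm: dict) -> Tuple[int, int]:
    """Inclusive port range; IpProtocol '-1' means every protocol and port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_group(group: dict, vpc_cidr: str = VPC_CIDR) -> List[Finding]:
    """Return findings for one security group's ingress (IpPermissions) rules."""
    findings: List[Finding] = []
    vpc = ip_network(vpc_cidr)
    for perm in group.get("IpPermissions", []):
        lo, hi = port_range(perm)
        proto = perm.get("IpProtocol")
        # Only CIDR sources are examined; a UserIdGroupPairs (group-to-group)
        # reference is the pattern wanted for app-to-database traffic.
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            rule = f"{proto} {lo}-{hi} from {cidr}"
            if proto == "-1":
                findings.append((group["GroupId"], "all protocols and ports open", rule))
                continue
            if cidr in WORLD and any(p not in PUBLIC_OK_PORTS for p in range(lo, hi + 1)):
                findings.append((group["GroupId"], "non-web port open to the Internet", rule))
            net = ip_network(cidr, strict=False)
            inside_vpc = net.version == vpc.version and net.subnet_of(vpc)
            if not inside_vpc and any(lo <= p <= hi for p in DB_PORTS):
                findings.append((group["GroupId"], "database port reachable from outside the VPC", rule))
    return findings


def audit_all(describe_output: dict) -> List[Finding]:
    """Run audit_group over every group in describe-security-groups output."""
    return [f for g in describe_output.get("SecurityGroups", []) for f in audit_group(g)]


# Constructed sample in the describe-security-groups shape (not a real account).
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-web", "GroupName": "web-alb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-db", "GroupName": "rds-postgres", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-legacy", "GroupName": "legacy-any", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
""")

if __name__ == "__main__":
    for gid, reason, rule in audit_all(SAMPLE):
        print(f"{gid:10s} {reason}: {rule}")
```

The sample's clean rule is the database group that admits traffic only from another security group (`sg-app`): referencing a group rather than a CIDR is what keeps a hosted database reachable from the application tier alone. The same three checks apply to GCP firewall rules, with source ranges and target tags in place of CIDRs and group references.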
Credential and Key Management
  1. Where possible, integrate with Stanford SSO authentication for all cloud administration consoles.
  2. Abide by Stanford’s password complexity rules.
  3. Review administrative accounts and privileges quarterly.
  4. API keys:
    1. Minimize their generation.
    2. Grant minimum necessary privileges.
    3. Rotate at least annually.
    4. Do not hardcode.
  5. Do not share credentials.
Required for: Low Risk, Moderate Risk, and High Risk Data
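Two of the API-key rules above can be checked in code: "do not hardcode" by scanning source for pasted key material, and "rotate at least annually" by reading key creation dates from the provider. The following is an added example, not part of the Stanford standard or of AWS tooling. The source snippet and the `aws iam list-access-keys`-shaped listing are constructed; the credential pair in the snippet is the placeholder AWS publishes in its documentation, and the other key IDs are made up.

```python
"""API-key hygiene checks for the credential and key management standard above.

Added example, not part of the Stanford standard. Two checks:
  find_hardcoded_keys()  scans source text for AWS access key IDs and secret
                         keys pasted into code (the 'do not hardcode' rule);
  stale_keys()           reads the JSON shape of `aws iam list-access-keys`
                         and reports keys older than the rotation window
                         (365 days by default), including inactive keys that
                         were never deleted.
The source snippet and key listing are constructed samples. The credential
pair in the snippet is the placeholder AWS publishes in its documentation,
not live key material; the other key IDs are made up for the example.
"""
import json
import re
from datetime import datetime, timezone
from typing import List, Tuple

# Long-term access key IDs begin with AKIA and are 20 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A 40-character secret assigned to a variable whose name says what it is.
SECRET_RE = re.compile(r"(?i)secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


def find_hardcoded_keys(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, value) for every credential found in source text."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((n, "access_key_id", m.group(0)))
        for m in SECRET_RE.finditer(line):
            hits.append((n, "secret_access_key", m.group(1)))
    return hits


def stale_keys(listing: dict, now: datetime, max_age_days: int = 365) -> List[Tuple[str, str, str, int]]:
    """Return (user, key id, status, age in days) for keys past the rotation window."""
    stale = []
    for k in listing["AccessKeyMetadata"]:
        age = (now - datetime.fromisoformat(k["CreateDate"])).days
        if age > max_age_days:
            stale.append((k["UserName"], k["AccessKeyId"], k["Status"], age))
    return stale


# Constructed source snippet: the first client hardcodes credentials, the second
# lets the SDK obtain them from an instance role or the environment.
SAMPLE_SOURCE = '''
import boto3
# BAD: credentials pasted into code (placeholder values from the AWS documentation)
s3 = boto3.client("s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
# GOOD: no key material in the code base
s3_ok = boto3.client("s3")
'''

# Constructed listing in the list-access-keys shape (dates are ISO 8601 with offset).
SAMPLE_LISTING = json.loads('''
{"AccessKeyMetadata": [
  {"UserName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
   "CreateDate": "2022-01-10T00:00:00+00:00"},
  {"UserName": "deploy-bot", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
   "CreateDate": "2024-02-01T00:00:00+00:00"},
  {"UserName": "old-svc", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
   "CreateDate": "2021-06-01T00:00:00+00:00"}
]}''')
NOW = datetime(2024, 3, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    for n, kind, value in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {n}: hardcoded {kind} {value[:4]}...")
    for user, key_id, state, age in stale_keys(SAMPLE_LISTING, NOW):
        print(f"{user}/{key_id} ({state}) is {age} days old: rotate or delete")
```

Run the first check as a pre-commit or CI step and the second on a schedule; an inactive key past the window still shows up because disabling a key is not the same as removing it, and the standard's "minimize their generation" is served by deleting rather than parking them.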
Two-Step Authentication

Enforce two-factor authentication for all interactive user and administrator logins. Stanford provided Duo two-factor authentication is recommended, but other two-factor options are acceptable.

Required for: Moderate Risk and High Risk Data
Logging and Alerting
  1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed.
  2. Forward logs to remote logging solutions.
    1. University IT Splunk service recommended, but third party SaaS solutions are also acceptable.

Additional Elaboration:

  • Administrative Activity Logs — Log user actions and API calls that create or modify the configuration or metadata of a resource, service or project.
  • Data Access Logs — Log user actions and API calls that create, modify, or read High Risk data managed by a service. One example would be to enable data access logs on AWS S3 buckets containing High Risk Data.
Required for: Moderate Risk and High Risk Data
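The S3 example above is the case where logging is most often incomplete: management (administrative activity) events are on by default for a CloudTrail trail, but object-level data events must be selected per bucket, and a selector that captures only writes misses the reads that matter for High Risk data. The following coverage check is an added example, not part of the Stanford standard or of AWS tooling. It reads the JSON shape of `aws cloudtrail get-event-selectors` (classic event selectors; advanced event selectors are not handled) and compares it with the buckets the inventory marks High Risk. The selectors, bucket names and trail ARN are constructed placeholders.

```python
"""Check that High Risk S3 buckets have data-access logging via CloudTrail.

Added example, not part of the Stanford standard. It takes the JSON returned by
`aws cloudtrail get-event-selectors` (classic event selectors; advanced event
selectors are not handled here) together with a list of buckets the inventory
classifies as High Risk, and reports buckets whose object-level reads and
writes would not be logged. Both inputs below are constructed samples; the
bucket names and trail ARN are placeholders.
"""
import json
from typing import Dict, List

S3_OBJECT = "AWS::S3::Object"


def bucket_covered(bucket: str, selectors: List[dict]) -> bool:
    """True if some selector logs both reads and writes for objects in `bucket`."""
    for sel in selectors:
        # Classic selectors default to "All"; ReadOnly or WriteOnly alone misses
        # half of the data-access events the standard asks for.
        if sel.get("ReadWriteType", "All") != "All":
            continue
        for res in sel.get("DataResources", []):
            if res.get("Type") != S3_OBJECT:
                continue
            for value in res.get("Values", []):
                # "arn:aws:s3" or "arn:aws:s3:::" selects every bucket in the account;
                # "arn:aws:s3:::<bucket>/" selects every object in one bucket.
                if value in ("arn:aws:s3", "arn:aws:s3:::") or value == f"arn:aws:s3:::{bucket}/":
                    return True
    return False


def logging_gaps(event_selectors: dict, high_risk_buckets: List[str]) -> Dict[str, object]:
    """Report High Risk buckets without data-event logging and whether any
    selector records management (administrative activity) events."""
    selectors = event_selectors.get("EventSelectors", [])
    return {
        "management_events": any(s.get("IncludeManagementEvents", False) for s in selectors),
        "uncovered_buckets": [b for b in high_risk_buckets if not bucket_covered(b, selectors)],
    }


# Constructed get-event-selectors output (placeholder account, trail and buckets).
SAMPLE_SELECTORS = json.loads('''
{"TrailARN": "arn:aws:cloudtrail:us-west-2:111122223333:trail/minsec-trail",
 "EventSelectors": [
   {"ReadWriteType": "All", "IncludeManagementEvents": true,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::phi-exports/"]}]},
   {"ReadWriteType": "WriteOnly", "IncludeManagementEvents": false,
    "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::student-records/"]}]}
 ]}''')
# Constructed inventory extract: buckets the MinSec Cloud inventory classifies as High Risk.
HIGH_RISK_BUCKETS = ["phi-exports", "student-records", "payroll-archive"]

if __name__ == "__main__":
    gaps = logging_gaps(SAMPLE_SELECTORS, HIGH_RISK_BUCKETS)
    print("management events logged:", gaps["management_events"])
    for bucket in gaps["uncovered_buckets"]:
        print(f"{bucket}: no read+write data-event logging; add an AWS::S3::Object selector")
```

In the sample, `phi-exports` is covered, `student-records` is not (writes only), and `payroll-archive` has no selector at all. Tying the check to the inventory's risk classification is what makes it a standing control rather than a one-off review: a newly classified High Risk bucket shows up as a gap until its selector exists.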
Backups
  1. Backup application data at least weekly.
  2. Encrypt backup data in transit and at rest.
  3. Store backups in independent cloud accounts.
Required for: Moderate Risk and High Risk Data
Encryption
  1. Enable transport layer encryption for all communications external to the private cloud environment.
  2. Use TLS 1.2 or higher.
  3. Use encryption at rest if available.
Required for: Moderate Risk and High Risk Data
Data Centers

Prefer US-based data center locations.

Required for: Moderate Risk and High Risk Data
Secure Admin Workstation

Cloud administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access.

Administrative accounts are defined as:

  • Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.
  • Accounts with the ability to override or change security controls.
Required for: High Risk Data
Security, Privacy, and Legal Review

Follow the Data Risk Assessment process and implement recommendations prior to deployment.

Required for: High Risk Data
Regulated Data Security Controls
  1. Adhere to applicable regulations: PCI, HIPAA/HITECH, NIST 800-171, GDPR, etc.
  2. For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.
Required for: High Risk Data