
Minimum Security Standards for Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS)

Stanford is committed to protecting the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information important to the University's mission.


  1. Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk Data but used to access a High Risk application is designated as High Risk.
  2. Follow the minimum security standards in the table below to safeguard SaaS and PaaS.
Table columns: Standards; What to do; Low Risk; Moderate Risk; High Risk
Product Selection

Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution.

Required for Low Risk Data; Required for Moderate Risk Data; Required for High Risk Data
Pre-implementation Planning

Follow the SaaS Considerations checklist.

Follow the PaaS Considerations checklist.

Follow the Security When Using a Cloud Product guidelines.

Required for Low Risk Data; Required for Moderate Risk Data; Required for High Risk Data
Inventory and Asset Classification
  1. List the product in the department's MinSec Inventory.
  2. Ensure the inventory is updated quarterly and reflects accurate data classification and service ownership.
Required for Low Risk Data; Required for Moderate Risk Data; Required for High Risk Data
Credential and Key Management
  1. Integrate with Stanford's SSO services, preferably SAML.
  2. Review administrative accounts and privileges quarterly.
  3. Adhere to the Stanford password complexity rules if not integrated with a Stanford SSO service.
  4. API keys:
    1. Minimize their generation.
    2. Grant minimum necessary privileges.
    3. Rotate at least annually.
    4. Do not hardcode.
  5. Do not share credentials.
Required for Low Risk Data; Required for Moderate Risk Data; Required for High Risk Data
Encryption
  1. Enable transport layer encryption (TLS 1.1 or higher).
  2. Use encryption of data at rest if available.
Required for Low Risk Data; Required for Moderate Risk Data; Required for High Risk Data
Two-Step Authentication

If user login cannot be integrated with Stanford SSO, enable two-factor authentication if offered by the solution.

Required for Moderate Risk Data; Required for High Risk Data
Logging and Auditing
  1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed.
  2. Contractually ensure that the provider can export logs at the request of Stanford within five days.
Required for Moderate Risk Data; Required for High Risk Data
Data Management

Contractually ensure that Stanford data is purged upon termination of the agreement.

Required for Moderate Risk Data; Required for High Risk Data
Privileged Access Workstation (PAW)

Administration consoles should only be accessed through a PAW when logging in with an administrative account.

Administrative accounts are defined as:

  1. Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.
  2. Accounts with the ability to override or change security controls.
Required for High Risk Data
Security, Privacy and Legal Review

Prior to implementation, follow the Stanford Data Risk Assessment process.

Required for High Risk Data
Regulated Data Security Controls
  1. Follow all regulatory data controls as applicable (HIPAA/HITECH, NIST 800-171, PCI DSS, GDPR, etc.). 
  2. For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.
Required for High Risk Data