Minimum Security Standards for Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS)

Stanford is committed to protecting the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information important to the University's mission.

Minimum Security Standards: SaaS and PaaS

Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk Data but used to access a High Risk application is designated as High Risk.
Follow the minimum security standards in the table below to safeguard SaaS and PaaS.

Standards	What to do	Low Risk	Moderate Risk	High Risk
Product Selection	Follow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution.	Required for Low Risk Data	Required for Moderate Risk Data	Required for High Risk Data
Pre-implementation Planning	Follow the SaaS Considerations checklist. Follow the PaaS Considerations checklist. Follow the Security When Using a Cloud Product guidelines.	Required for Low Risk Data	Required for Moderate Risk Data	Required for High Risk Data
Inventory and Asset Classification	Review and update department/MinSec Cloud inventory records quarterly. Must indicate associated risk classification, data volume estimates, and service ownership.	Required for Low Risk Data	Required for Moderate Risk Data	Required for High Risk Data
Credential and Key Management	If possible, Integrate with Stanford's SSO services, preferably SAML. Review administrative accounts and privileges quarterly. Adhere to the Stanford password complexity rules if not integrated with a Stanford SSO service. API keys: Minimize their generation. Grant minimum necessary privileges. Rotate at least annually. Do not hardcode. Do not share credentials.	Required for Low Risk Data	Required for Moderate Risk Data	Required for High Risk Data
Encryption	Enable transport layer encryption TLS 1.2 or higher. Use encryption of data at rest if available.	Required for Low Risk Data	Required for Moderate Risk Data	Required for High Risk Data
Two-Step Authentication	If user login is not able to be integrated with Stanford SSO, enable two-factor authentication if offered by the solution.		Required for Moderate Risk Data	Required for High Risk Data
Logging and Auditing	Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed. Contractually ensure that the provider can export logs at the request of Stanford within five days.		Required for Moderate Risk Data	Required for High Risk Data
Data Management	Contractually ensure that Stanford data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory obligations.		Required for Moderate Risk Data	Required for High Risk Data
Secure Admin Workstation	Administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access. Administrative accounts are defined as: Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes. Accounts with the ability to override or change security controls.			Required for High Risk Data
Security, Privacy and Legal Review	Follow the Data Risk Assessment process and implement recommendations prior to deployment.			Required for High Risk Data
Regulated Data Security Controls	Follow all regulatory data controls as applicable (HIPAA/HITECH, NIST 800-171, PCI DSS, GDPR, etc.). For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.			Required for High Risk Data