Skip to main content

Minimum Security Standards for Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS)

Stanford is committed to protecting the privacy of its students, alumni, faculty, and staff, as well as protecting the confidentiality, integrity, and availability of information important to the University's mission.

Minimum Security Standards: SaaS and PaaS

  1. Determine the risk level by reviewing the data risk classification examples, server risk classification examples, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk Data but used to access a High Risk application is designated as High Risk.
  2. Follow the minimum security standards in the table below to safeguard SaaS and PaaS.
StandardsWhat to doLow RiskModerate RiskHigh Risk
Product SelectionFollow the Stanford cloud solution selection workflow found at Choosing and Purchasing a Cloud Solution.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Pre-implementation Planning

Follow the SaaS Considerations checklist.

Follow the PaaS Considerations checklist.

Follow the Security When Using a Cloud Product guidelines.

Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Inventory and Asset ClassificationReview and update department/MinSec Cloud inventory records quarterly. Must indicate associated risk classification, data volume estimates, and service ownership.Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Credential and Key Management
  1. If possible, Integrate with Stanford's SSO services, preferably SAML.
  2. Review administrative accounts and privileges quarterly.
  3. Adhere to the Stanford password complexity rules if not integrated with a Stanford SSO service.
  4. API keys:
    1. Minimize their generation.
    2. Grant minimum necessary privileges.
    3. Rotate at least annually.
    4. Do not hardcode.
  5. Do not share credentials.
Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Encryption
  1. Enable transport layer encryption TLS 1.2 or higher.
  2. Use encryption of data at rest if available.
Required for Low Risk DataRequired for Moderate Risk DataRequired for High Risk Data
Two-Step AuthenticationIf user login is not able to be integrated with Stanford SSO, enable two-factor authentication if offered by the solution. Required for Moderate Risk DataRequired for High Risk Data
Logging and Auditing
  1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed.
  2. Contractually ensure that the provider can export logs at the request of Stanford within five days.
 Required for Moderate Risk DataRequired for High Risk Data
Data Management

Contractually ensure that Stanford data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory obligations.

 
 Required for Moderate Risk DataRequired for High Risk Data
Secure Admin Workstation

Administration consoles should only be accessed through a Privileged Access Workstation (PAW) or Cardinal Protect workstation when logging in with an administrative account. A PAW is required for ring0 access.

Administrative accounts are defined as:

  1. Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.
  2. Accounts with the ability to override or change security controls.
  Required for High Risk Data
Security, Privacy and Legal ReviewFollow the Data Risk Assessment process and implement recommendations prior to deployment.  Required for High Risk Data
Regulated Data Security Controls
  1. Follow all regulatory data controls as applicable (HIPAA/HITECH, NIST 800-171, PCI DSS, GDPR, etc.). 
  2. For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.
  Required for High Risk Data