Cloud Computing

Division: 

Administration and Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Wednesday, February 1, 2017

Authority: 

ICSUAM 8040 Managing Third Parties

ICSUAM 8060 Access Control

ICSUAM 8065 Asset Management

ICSUAM 5500 ITR Procurement

ICSUAM 5228 Accessibility of Public Solicitations and Acquisition of Electronic and Information Technology (E&IT) Goods and Services

ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services


Objective: 

The purpose of this practice directive is to establish a standard that defines campus practices for the assessment, procurement, security, and operation of cloud computing services used for instruction, research, and administrative purposes. 

 

Definitions 

Cloud Computing Service: The utilization of servers or information technology services of any type that are not hosted by the CSU or auxiliaries including, but not limited to, social networking applications, file storage, and content hosting.

SaaS (Software as a Service): An application hosted, maintained, and updated by the cloud service vendor and available to users over the Internet.  (Examples include Box.com, Qualtrics, Footprints, Google Apps for Education, Microsoft Office 365, Dropbox).

PaaS (Platform as a Service): The cloud service vendor provides a platform on which the customer can develop and run applications. (Examples include Google App Engine)

IaaS (Infrastructure as a Service): The cloud service vendor provides infrastructure such as hardware, virtual servers, and operating systems. (Examples include Amazon Web Services and Google Compute Engine)


Statement: 

Cloud computing services are application and infrastructure resources that users access via the Internet.  These services, contractually provided by companies such as Apple, Google, Microsoft, and Amazon, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and support. Cloud computing services provide services, platforms, and infrastructure to support a wide range of business activities. These services support, among other things, communication; collaboration; project management; scheduling; and data analysis, reporting, processing, sharing, and storage. Cloud computing services are generally easy for people and organizations to use, they are accessible over the Internet through a variety of platforms (workstations, laptops, tablets, and smart phones), and they may be able to accommodate spikes in demand much more readily and efficiently than in-house computing services.

There are a number of information security and data privacy concerns about the use of cloud computing services by University personnel, departments, auxiliaries, and centers. They include but are not limited to:

  • University no longer protects or controls its data, leading to a loss of security, lessened security, or inability to comply with various regulations and data protection laws
  • Loss of privacy of data, potentially due to aggregation with data from other cloud consumers
  • University dependency on a third party for critical infrastructure and data handling processes
  • Potential security and technological defects in the infrastructure provided by a cloud vendor
  • University has limited service level agreements for a vendor’s services and the third parties that a cloud vendor might contract with
  • University is reliant on vendor’s services for the security of some academic and administrative computing infrastructure

The purpose of this standard is to ensure that CSU data is not inappropriately stored or shared using public cloud computing and/or file sharing services. Cloud computing and file sharing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by the CSU or auxiliaries including, but not limited to, social networking applications, file storage, and content hosting.

Note that all requirements from all other relevant CSU policies and standards remain in full effect when cloud computing services are used.

Scope

This practice directive applies to all uses of Cloud Computing Services by SF State and its auxiliaries. The practice directive applies regardless of the method of acquisition and includes purchase orders, procurement cards, petty cash, and services provided free of cost, as a pilot, or as a proof of concept.

Acquisition Review

Technology acquisition review

All cloud computing service acquisitions must complete a technology acquisition review (http://tech.sfsu.edu/guides/technologyacquisitionrequest) before they are purchased or deployed. This applies to new acquisitions, software upgrades, deployment scope changes, and renewals. The technology acquisition review form should be completed by an individual with knowledge of the planned use.

Three service request tickets are created when the technology acquisition review form is submitted: master, security, and accessibility reviews. When the security and accessibility review tickets are resolved, the master ticket will be resolved and the acquisition can proceed.

The Information Technology Services (ITS) Information Security and Disability Programs and Resource Center (DPRC) Accessibility teams will review the acquisition information and may request additional information needed for a risk assessment.

Information Security Review

If the classification of data is not known, the assessment will assume it is level 1 confidential data. The security evaluation will identify which IT supplemental conditions the vendor needs to agree to contractually to ensure the Cloud Computing Service complies with CSU Policy. If a Cloud Computing Service handles level 1 or 2 data, additional assessments such as CSA STAR may be required.

Acquisition of cloud services which store, access, or provide access to protected data must comply with ICSUAM 8040 Managing Third Parties.

A formal risk assessment may be necessary where 3rd party contract terms substantially deviate from CSU supplemental or general IT terms in such manner as to pose a risk to the confidentiality, integrity, or availability of CSU protected data.

ATI/Accessibility review

The first step in an ATI review is to determine the impact of the product being acquired on the campus community. If the product is high impact, it will undergo an in-depth accessibility review. Medium impact products are reviewed at the discretion of the DPRC and the Procurement office. Low impact products are generally not reviewed in depth.

The steps below are intended to give you an overview of the ATI Review process.

1. Determining Impact

2. Obtaining the VPAT

3. Reviewing and validating the VPAT

4. Documentation and forms

5. Exemptions

6. Exclusions

For more information on the ATI review see: http://access.sfsu.edu/ati/procurement/procedure

 

Inventory of Cloud Computing Services

The data collected from the technology acquisition review process will be used to create an inventory of cloud computing services used campus-wide. The inventory of cloud computing services will be shared with campus IT, procurement, and accounts payable staff. Cloud computing services acquired as campus standards will be clearly identified.

Campus Cloud Service Standards

SF State has evaluated and selected campus-wide cloud-based solutions for Web surveys and storage. The evaluation included:

  • Enterprise-grade security and data privacy
  • University data ownership and management model
  • University protected data must be stored in U.S. data centers
  • Ability to influence product features for the benefit of the SF State campus
  • Vendor solution must demonstrate commitment to delivering an accessible alternative
  • Compatibility with SF State’s authentication system

 

Standard solutions provide cost savings to the campus by reducing the number of products that need to be acquired, supported, and assessed for accessibility and information security compliance.

Departments wishing to acquire alternative survey or storage solutions must document why the campus solution cannot be used and receive approval from the information security and accessibility teams before acquiring the technology. Exception requests can be made using the Technology Acquisition Review Request form.

Access Control

Authentication to cloud services

Authentication to campus information assets hosted in the cloud shall be subject to no less control than those hosted on campus and must comply with ICSUAM 8060 Access Control and associated standards.

Central Authentication

Web-based SaaS cloud services must use a campus central authentication method in order to ensure that campuses may appropriately provision and de-provision identities and authorization for campus personnel. Campus authentication services must be configured in such a manner that the cloud provider does not have access to passwords in either text or encrypted format. SF State uses Shibboleth for single-sign-on because it ensures the cloud provider does not access SF State passwords.

When Central Authentication is Impractical

Where campus authentication is impractical for web-based SaaS cloud services due to size or nature of service, the campus must have a way to recover any account when the community member separates, such as using a campus e-mail address as the contact for password resets, maintaining an appropriately protected list of passwords, or having the campus administer the accounts. Additionally, the cloud host may not store passwords in text, or clear text. All passwords must meet CSU complexity standards.

Multi-factor Authentication

To mitigate the risk of a data breach occurring as a result of compromised credentials (such as through a successful phishing attack), multi-factor authentication is required for access to level one data from off-campus.

Authorization

The individual(s) responsible for managing user access levels and roles must be identified and the task included in their position description.

 

When technically feasible, Shibboleth attributes and/or Active Directory security groups should be used to manage user access control.

Sensitive Data

Access to data stored in the cloud

Campus information assets stored in the cloud shall be protected with no less control than that used for on-premises systems, as per ICSUAM 8065 Asset Management and associated standards.

Protected level one data stored in the cloud

Campuses shall not use cloud computing services to store protected level 1 data unless such access can be limited by technical or procedural controls in order to reduce inadvertent exposure.  Examples of adequate controls include but are not limited to:

  • Periodic reports showing permissions/access granted to “outside” identities
  • Configuration options which limit user ability to share documents or folders outside the organization
  • Training and awareness for users who store protected level one data
  • Periodic assessment of protected level one data stored off campus
  • Accurate records of all data stored in the cloud

 

Safety of data

Protected Level 1 and 2 data (including credentials) stored in the cloud (including test and development environments, backups and data warehouses) must be encrypted both at rest and in flight.

Encryption keys must be held by the campus unless the vendor has appropriate key management in place.

Synchronization of stored content

Level 1 data stored with a cloud provider may only be automatically synchronized with compliant assets, computers, and devices that are university owned and managed.

Implementation

Responsibility for implementing this Practice Directive will rest with Information Technology Services and Information Technology (IT) departments across campus. Submit any apparent violation of the Cloud Computing Practice Directive to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to service@sfsu.edu.

Non-Compliance

Non-compliance with applicable policies and/or practices may result in suspension of procurement, network, and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.
