ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
The purpose of this practice directive is to establish a standard that defines campus practices for the assessment, procurement, security, and operation of cloud computing services used for instruction, research, and administrative purposes.
Cloud Computing Service: The utilization of servers or information technology services of any type that are not hosted by the CSU or its auxiliaries, including, but not limited to, social networking applications, file storage, and content hosting.
SaaS (Software as a Service): An application hosted, maintained, and updated by the cloud service vendor and available to users over the Internet. (Examples include Box.com, Qualtrics, Footprints, Google Apps for Education, Microsoft Office 365, Dropbox).
PaaS (Platform as a Service): The cloud service vendor provides a platform on which the customer can develop and run applications. (Examples include Google App Engine.)
IaaS (Infrastructure as a Service): The cloud service vendor provides infrastructure such as hardware, virtual servers, and operating systems. (Examples include Amazon Web Services and Google Compute Engine.)
Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually provided by companies such as Apple, Google, Microsoft, and Amazon, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and support. Cloud computing services provide services, platforms, and infrastructure to support a wide range of business activities. These services support, among other things, communication; collaboration; project management; scheduling; and data analysis, reporting, processing, sharing, and storage. Cloud computing services are generally easy for people and organizations to use, they are accessible over the Internet through a variety of platforms (workstations, laptops, tablets, and smart phones), and they may be able to accommodate spikes in demand much more readily and efficiently than in-house computing services.
There are a number of information security and data privacy concerns about use of cloud computing services by University Personnel, departments, auxiliaries and centers. They include but are not limited to:
· The University no longer protects or controls its data, leading to lost or weakened security or an inability to comply with various regulations and data protection laws
· Loss of privacy of data, potentially due to aggregation with data from other cloud consumers
· University dependency on a third party for critical infrastructure and data handling processes
· Potential security and technological defects in the infrastructure provided by a cloud vendor
· The University has limited service level agreements covering a vendor’s services and the third parties that a cloud vendor might contract with
· The University is reliant on the vendor’s services for the security of some academic and administrative computing infrastructure
The purpose of this standard is to ensure that CSU data is not inappropriately stored or shared using public cloud computing and/or file sharing services. Cloud computing and file sharing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by the CSU or auxiliaries including, but not limited to, social networking applications, file storage, and content hosting.
Note that all requirements from all other relevant CSU policies and standards remain in full effect when cloud computing services are used.
This practice directive applies to all uses of Cloud Computing Services by the SF State and its auxiliaries. The practice directive applies regardless of the method of acquisition and includes purchase orders, procurement cards, petty cash, and services provided free of cost, as a pilot, or proof of concept.
Technology acquisition review
All cloud computing service acquisitions must complete a technology acquisition review (http://tech.sfsu.edu/guides/technologyacquisitionrequest) before they are purchased or deployed. This applies to new acquisitions, software upgrades, deployment scope changes, and renewals. The technology acquisition review form should be completed by an individual with knowledge of the planned use.
Three service request tickets are created when the technology acquisition review form is submitted: a master ticket, a security review ticket, and an accessibility review ticket. When the security and accessibility review tickets are resolved, the master ticket will be resolved and the acquisition can proceed.
The Information Technology Services (ITS) Information Security and Disability Programs and Resource Center (DPRC) Accessibility teams will review the acquisition information and may request additional information needed for a risk assessment.
Information Security Review
If the classification of the data is not known, the assessment will assume it is level 1 confidential data. The security evaluation will identify which IT supplemental conditions the vendor needs to agree to contractually to ensure the Cloud Computing Service complies with CSU Policy. If a Cloud Computing Service handles level 1 or 2 data, additional assessments such as CSA STAR may be required.
Acquisition of cloud services which store, access, or provide access to protected data must comply with ICSUAM 8040 Managing Third Parties.
A formal risk assessment may be necessary where third-party contract terms substantially deviate from CSU supplemental or general IT terms in such a manner as to pose a risk to the confidentiality, integrity, or availability of CSU protected data.
The first step in an ATI review is to determine the impact of the product being acquired on the campus community. If the product is of a high impact, it will undergo an in-depth accessibility review. Medium impact products are reviewed at the discretion of DPRC and Procurement office. Low impact products are generally not reviewed in-depth.
The steps below are intended to give you an overview of the ATI Review process.
For more information on the ATI review see: http://access.sfsu.edu/ati/procurement/procedure
Inventory of Cloud Computing Services
The data collected from the technology acquisition review process will be used to create an inventory of cloud computing services used campus-wide. The inventory of cloud computing services will be shared with campus IT, procurement, and accounts payable staff. Cloud computing services acquired as campus standards will be clearly identified.
Campus Cloud Service Standards
SF State has evaluated and selected campus-wide cloud-based solutions for Web surveys and storage. The evaluation included:
- Enterprise-grade security and data privacy
- University data ownership and management model
- University protected data must be stored in U.S. data centers
- Ability to influence product features for the benefit of the SF State campus
- Vendor solution must demonstrate commitment to delivering an accessible alternative
- Compatibility with SF State’s authentication system
Standard solutions provide cost savings to the campus by reducing the number of products that need to be acquired, supported, and assessed for accessibility and information security compliance.
Departments wishing to acquire alternative survey or storage solutions must document why the campus solution cannot be used and receive approval from the information security and accessibility teams before acquiring the technology. Exception requests can be made using the Technology Acquisition Review Request form.
Authentication to cloud services
Authentication to campus information assets hosted in the cloud shall be subject to no less control than those hosted on campus and must comply with ICSUAM 8060 Access Control and associated standards.
Web-based SaaS cloud services must use a campus central authentication method in order to ensure that campuses may appropriately provision and de-provision identities and authorization for campus personnel. Campus authentication services must be configured in such a manner that the cloud provider does not have access to passwords in either plain text or encrypted form. SF State uses Shibboleth for single sign-on because it ensures the cloud provider does not access SF State passwords.
When Central Authentication is Impractical
Where campus authentication is impractical for web-based SaaS cloud services due to the size or nature of the service, the campus must have a way to recover any account when the community member separates, such as using a campus e-mail address as the contact for password resets, maintaining an appropriately protected list of passwords, or having the campus administer the accounts. Additionally, the cloud host may not store passwords in plain text (clear text). All passwords must meet CSU complexity standards.
To mitigate the risk of a data breach occurring as a result of compromised credentials (such as through a successful phishing attack), multi-factor authentication is required for access to level one data from off-campus.
The individual(s) responsible for managing user access levels and roles must be identified and the task included in their position description.
When technically feasible, Shibboleth attributes and/or Active Directory security groups should be used to manage user access control.
Access to data stored in the cloud
Campus information assets stored in the cloud shall be protected with no less control than that used for on-premises systems, as per ICSUAM 8065 Asset Management and associated standards.
Protected level one data stored in the cloud
Campuses shall not use cloud computing services to store protected level 1 data unless access to that data can be limited by technical or procedural controls in order to reduce inadvertent exposure. Examples of adequate controls include but are not limited to:
- Periodic reports showing permissions/access granted to “outside” identities
- Configuration options which limit user ability to share documents or folders outside the organization
- Training and awareness for users who store protected level one data
- Periodic assessment of protected level one data stored off campus
- Accurate records of all data stored in the cloud
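The first control in the list above, a periodic report of permissions granted to "outside" identities, is the one most easily automated. The following is an added example, not part of the SF State directive and not a script from any cloud vendor: it audits a hypothetical sharing export (the constructed `SAMPLE_RECORDS`, whose shape is an assumption; real storage services expose this data through their own admin APIs and reports) against an illustrative list of campus e-mail domains, flags every document shared with a non-campus identity or public link, and rates each finding by the data classification, treating unclassified documents as protected in line with the "assume level 1" rule earlier in this directive.

```python
"""
Periodic audit of sharing permissions granted to "outside" identities.

Added example; not from the SF State directive and not a vendor tool. It
assumes a hypothetical export of sharing records in the shape shown in
SAMPLE_RECORDS (constructed data) and an illustrative set of campus
e-mail domains. Real storage services provide this data through their
own admin APIs or reports, and the export shape will differ.
"""
from dataclasses import dataclass
from typing import Iterable

# Campus identity domains (assumption: illustrative values, not an official list).
CAMPUS_DOMAINS = {"sfsu.edu", "mail.sfsu.edu"}

# Constructed sample export. Each "shared_with" entry is either an e-mail
# address or the marker "anyone_with_link", standing in for a public link.
SAMPLE_RECORDS = [
    {"path": "/Finance/payroll-2023.xlsx", "owner": "alice@sfsu.edu",
     "classification": "level 1", "shared_with": ["bob@sfsu.edu", "vendor@example.com"]},
    {"path": "/Research/survey-results.csv", "owner": "carol@sfsu.edu",
     "classification": "level 2", "shared_with": ["anyone_with_link"]},
    {"path": "/Public/campus-map.pdf", "owner": "dan@sfsu.edu",
     "classification": "public", "shared_with": ["anyone_with_link"]},
    {"path": "/HR/onboarding.docx", "owner": "erin@mail.sfsu.edu",
     "classification": "level 1", "shared_with": ["frank@sfsu.edu"]},
]


@dataclass(frozen=True)
class Finding:
    path: str
    owner: str
    classification: str
    grantee: str       # outside identity or "anyone_with_link"
    severity: str      # "high" for protected (level 1/2 or unknown) data, else "low"


def is_outside_identity(grantee: str, campus_domains: set = CAMPUS_DOMAINS) -> bool:
    """True when the grantee is not a campus identity.

    Public links count as outside. An entry without '@' cannot be verified
    as a campus identity, so it is treated as outside as well (fail closed).
    """
    if grantee == "anyone_with_link":
        return True
    if "@" not in grantee:
        return True
    domain = grantee.rsplit("@", 1)[1].lower()
    return domain not in campus_domains


def find_outside_shares(records: Iterable[dict], campus_domains: set = CAMPUS_DOMAINS) -> list:
    """Return one Finding per (document, outside grantee) pair."""
    findings = []
    for rec in records:
        cls = rec.get("classification", "unknown").lower()
        # Unknown classification is treated as protected, mirroring the
        # directive's rule that unclassified data is assessed as level 1.
        protected = cls in {"level 1", "level 2", "unknown"}
        for grantee in rec.get("shared_with", []):
            if is_outside_identity(grantee, campus_domains):
                findings.append(Finding(
                    path=rec["path"], owner=rec["owner"], classification=cls,
                    grantee=grantee, severity="high" if protected else "low"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings by severity for the periodic report."""
    counts = {"high": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = find_outside_shares(SAMPLE_RECORDS)
    for f in results:
        print(f"[{f.severity.upper()}] {f.path} ({f.classification}) owned by {f.owner} "
              f"is shared with {f.grantee}")
    print(summarize(results))
```

Run against the constructed export, the audit reports two high-severity findings (the level 1 spreadsheet shared with an outside address and the level 2 survey exposed by public link) and one low-severity finding (the public map). The same report can be scheduled against a real export and reviewed by the data owners, which also feeds the "accurate records of all data stored in the cloud" control.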
Safety of data
Protected Level 1 and 2 data (including credentials) stored in the cloud (including test and development environments, backups and data warehouses) must be encrypted both at rest and in flight.
Encryption keys must be held by the campus unless the vendor has appropriate key management in place.
Synchronization of stored content
Level 1 data stored in a cloud provider may only be automatically synchronized with compliant assets, computers, and devices that are university owned and managed.
Responsibility for implementing this Practice Directive will rest with Information Technology Services and Information Technology (IT) departments across campus. Submit any apparent violation of Cloud Computing Practice Directive to the appropriate administrative authority (vice president, dean, director, department, or program chair) or to email@example.com.
Non-compliance with applicable policies and/or practices may result in suspension of procurement, network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.