UIS.501.3 Platform-as-a-Service Guidelines
In support of UIS.501 Vendor Security Policy
Georgetown University has adopted the security audit and accountability principles established in NIST SP 800-53 “Risk Assessment” guidelines as the official policy for this security domain. Each departmental technology requisitioner, sponsor, administrator, steward and owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Platform as a Service (PaaS) Business Requirements
- The product provides functional support for Georgetown’s business
- The product must satisfy the Georgetown functional business requirements
- The product must fit well with other products in the University department’s portfolio
- Provider support and viability
The cloud technology vendors must be a stable entity running on a sustainable business model. They should be a reliable player in their segment of the market, with an existing client base representative of higher education. They should interact with other services or tools supporting activities in their segment of the market.
The cloud technology vendors offers multiple levels of support and defines them clearly in their terms. The roles and contacts are known, and known to be responsive.
The technology vendor must offer multiple levels of support and define them clearly in their terms. Roles and contacts must be clearly documented, and the department responsible party should verify that contacts are responsive.
- Cost is in line with University pricing standards for technology services
- Steep costs are often associated with increased application resource consumption, and the University department considering the cloud solution must be capable of absorbing reasonable provider costs
- Lifecycle and exit strategy
There must be a clear understanding of the workflow, business data exit strategy, and contractual obligations. UIS must clearly understand the technology vendor’s responsibilities for supporting an exit strategy for the University.
Platform as a Service Technical Integration Requirements
Scalability and availability
PaaS technology vendors’ scalability should be elastic and increase or reduce compute, storage, or network capacity automatically, as resource monitoring indicates.
PaaS resource scaling should be customer configurable, with defined price ranges corresponding to bounded capacities within which a running application can grow.
- Capability for service health monitoring
PaaS technology vendors should include a companion status and health check monitoring service so that Georgetown University can know the current health of the service.
For any service outage or security incident, the PaaS technology vendors should have incident notification mechanisms in place, such as email, SMS, etc.
Ability to integrate with and operate with Georgetown services and products
Ability to integrate with Georgetown access management infrastructure
- PaaS products universally provide some application programming interface (API) to integrate with other products and services. Where data or protocol standards exist for data exchange and/or transactions, the PaaS provider must support them.
- The PaaS provider must support account provisioning and authentication integrations with the University’s infrastructure. To enable GU users to use their central single-sign-on credentials, and to centrally control the authentication process and group membership/access control, the cloud service must ensure that:
SAML2 is supported by the product
There is a way to provision and control group memberships programmatically by some integration
Platform as a Service Risk Management Requirements
- Ability to support Georgetown’s data security requirements
The solution must comply with the appropriate standards for the University’s risk classifications. For restricted and sensitive data or business processes (for example, related to financial or student data), you must contact the Georgetown University Information Security Office (UISO) before selecting or using a PaaS provider
- Support for business continuity and disaster recovery
The PaaS technology vendors must have a track record for availability, both on uninterrupted normal service and during upgrades/changes.
Ability to notify Georgetown University about outages and breaches
Beyond the operational reporting necessary for incidents, there must be defined cloud technology vendor responsibilities for reporting timeliness, completeness, root cause, and mitigation strategy.
Compliance with University policy and legal requirements
Depending upon the type of data/business process involved with a PaaS provider, statutory regulations (such as PCI-DSS or HIPAA) may constrain the location of the data and require very specific notification requirements.