Minimum Security for IaaS/Containers

 
Standards What to do Low Risk System Medium Risk System High Risk System
Platform Selection Follow the Georgetown Cloud Services Requirements workflow X X X
Account Management Back up user data at least daily. University IT Code42 CrashPlan is recommended (option to set personal password). Encrypt backup data in transit and at rest. X X X
Patching and Application Lifecycle
  • Apply security patches within 48 hours for:
    • CVSS > 7
    • Vendor “Critical”
  • Apply other patches within 14 days.
  • Use a supported operating system and application version.
  • Use machine images only from trusted sources.

Additional Elaboration:
Managed Services — For managed services like Amazon RDS or Google Cloud SQL, define a maintenance window that meets the standard.
Ephemeral Servers and Containers — If using an automated system to build fully patched machine images, ensure that the patched image, or container base layer, is in use in your environment within the window of time specified in the MinSec standard.

X X X
Credential and Key Management
  • Where possible, integrate with Georgetown SSO authentication for all cloud administration consoles.
  • Abide by Georgetown’s password complexity rules.
  • Review administrative accounts and privileges quarterly.
  • API keys:
    • Minimize their generation.
    • Grant minimum necessary privileges.
    • Rotate at least annually.
    • Do not hardcode.
  • Do not share credentials.
X X X
Encryption
  • Enable transport layer encryption for all communications external to the private cloud environment.
  • Use TLS 1.1 or higher.
  • Use encryption at rest.
X X X
Data Centers Prefer US based data center locations. X X
Logging and Auditing
  • Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed.
  • Forward logs to remote logging solutions.
    • University IT Splunk service recommended, but third party SaaS solutions are also acceptable.

Additional Elaboration:
Administrative Activity Logs — Log user actions and API calls that create or modify the configuration or metadata of a resource, service or project.
Data Access Logs — Log user actions and API calls that create, modify, or read High Risk data managed by a service. One example would be to enable data access logs on AWS S3 buckets containing High Risk Data.

X X X
Privileged Access Workstation (PAW) Administration consoles should only be accessed through a PAW when logging in with an administrative account.
Administrative accounts are defined as:

  • Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.
  • Accounts with the ability to override or change security controls.
X
Backups
  • Back up application data at least weekly.
  • Encrypt backup data in transit and at rest.
  • Store backups in independent cloud accounts.
X X
Multi-Factor Authentication Require Duo multi-factor authentication for all interactive user and administrator logins. X X X
Security, Privacy, and Legal Review Prior to implementation, follow the Georgetown Data Risk Assessment process. X
Regulated Data Security Controls
  • Adhere to applicable regulations: PCI, HIPAA/HITECH, NIST 800-171, GDPR, etc.
  • For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.
X