The purpose of this practice directive is to establish a standard that defines campus practices for the assessment, procurement, security, and operation of cloud computing services used for instruction, research, and administrative purposes.
Examples include Box and Google App Engine.
Cloud computing services are application and infrastructure resources that users access via the Internet. These services, contractually provided by companies such as Apple, Google, Microsoft, and Amazon, enable customers to leverage powerful computing resources that would otherwise be beyond their means to purchase and support.
Cloud computing services provide services, platforms, and infrastructure to support a wide range of business activities.
These services support, among other things, communication; collaboration; project management; scheduling; and data analysis, reporting, processing, sharing, and storage.
Cloud computing services are generally easy for people and organizations to use; they are accessible over the Internet through a variety of platforms (workstations, laptops, tablets, and smart phones), and they may be able to accommodate spikes in demand much more readily and efficiently than in-house computing services.
There are a number of information security and data privacy concerns about the use of cloud computing services by University Personnel, departments, auxiliaries and centers. They include, but are not limited to:
Cloud computing and file sharing, for this purpose, is defined as the utilization of servers or information technology hosting of any type that is not controlled by the CSU or auxiliaries, including, but not limited to, social networking applications, file storage, and content hosting. Note that all requirements from all other relevant CSU policies and standards remain in full effect when cloud computing services are used. The practice directive applies regardless of the method of acquisition and includes purchase orders, procurement cards, petty cash, and services provided free of cost, as a pilot, or as a proof of concept.
This applies to new acquisitions, software upgrades, deployment scope changes, and renewals. The technology acquisition review form should be completed by an individual with knowledge of planned use.
Three service request tickets are created when the technology acquisition review form is submitted: a master ticket, a security review ticket, and an accessibility review ticket. When the security and accessibility review tickets are resolved, the master ticket will be resolved and the acquisition can proceed.
If the classification of the data is not known, the assessment will assume it is Level 1 confidential data. The security evaluation will identify which IT supplemental conditions the vendor needs to agree to contractually to ensure the Cloud Computing Service complies with CSU Policy.
A formal risk assessment may be necessary where third-party contract terms substantially deviate from CSU supplemental or general IT terms in such a manner as to pose a risk to the confidentiality, integrity, or availability of CSU protected data. If the product is of high impact, it will undergo an in-depth accessibility review, which includes reviewing and validating the VPAT. Low-impact products are generally not reviewed in depth.
The data collected from the technology acquisition review process will be used to create an inventory of cloud computing services used campus-wide. The inventory of cloud computing services will be shared with campus IT, procurement, and accounts payable staff.
Cloud computing services acquired as campus standards will be clearly identified.
SF State has evaluated and selected campus-wide cloud-based solutions for Web surveys and storage. Standard solutions provide cost savings to the campus by reducing the number of products that need to be acquired, supported, and assessed for accessibility and information security compliance.
Departments wishing to acquire alternative survey or storage solutions must document why the campus solution cannot be used and receive approval from the information security and accessibility teams before acquiring the technology.
Exception requests can be made using the Technology Acquisition Review Request form.
Authentication to campus information assets hosted in the cloud shall be subject to no less control than those hosted on campus and must comply with ICSUAM Access Control and associated standards. Web-based SaaS cloud services must use a campus central authentication method in order to ensure that campuses may appropriately provision and de-provision identities and authorization for campus personnel.
Campus authentication services must be configured in such a manner that the cloud provider does not have access to passwords in either plain-text or encrypted form. Where campus authentication is impractical for web-based SaaS cloud services due to the size or nature of the service, the campus must have a way to recover any account when the community member separates, such as using a campus e-mail address as the contact for password resets, maintaining an appropriately protected list of passwords, or having the campus administer the accounts.
Additionally, the cloud host may not store passwords in plain text (clear text). All passwords must meet CSU complexity standards.
To mitigate the risk of a data breach occurring as a result of compromised credentials (for example, through a successful phishing attack), multi-factor authentication is required for access to Level 1 data from off-campus. The individual(s) responsible for managing user access levels and roles must be identified, and the task must be included in their position description.
Campus information assets stored in the cloud shall be protected with no less control than that used for on premise systems, as per ICSUAM Asset Management and associated standards. Campuses shall not use cloud computing services to store protected level 1 data unless such access can be limited by technical or procedural controls in order to reduce inadvertent exposure.
Examples of adequate controls include, but are not limited to:
Protected Level 1 and Level 2 data (including credentials) stored in the cloud, including in test and development environments, backups, and data warehouses, must be encrypted both at rest and in flight.
Encryption keys must be held by the campus unless the vendor has appropriate key management in place. Level 1 data stored with a cloud provider may only be automatically synchronized with compliant assets, computers, and devices that are university owned and managed.
In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.