Applicability: The minimum security standards found here apply to IaaS managed services — virtual servers that are designed to be ephemeral — and containerized solutions.

 
Standards What to do
Low Risk
Moderate Risk
High Risk
Platform Selection Review the ISO's Local and Cloud Services Decision Matrix 
Operational Practices Review the guidance from Vendors and 3rd Party controls and compliance
System Architecture Review the guidance from and Risks of Cloud Services
Account Management Ensure that you are adhering to these standards related to the creation of cloud accounts and leverage centrally managed cloud options as much as possible.
Patching and Application Lifecycle
  1. Apply high severity security patches within seven days of release.
  2. Apply all other security patches within 30 days.
  3. Use a supported operating system and application version.
  4. Use machine images only from trusted sources.

Additional Elaboration:

  • Managed Services — For managed services like Amazon RDS or Google Cloud SQL, define a maintenance window that meets the standard.
  • Ephemeral Servers and Containers — If using an automated system to build fully patched machine images, ensure that the patched image, or container base layer, is in use in your environment within the window of time specified in the Minumum Security Standard.
Vulnerability Management

Leverage the UTISO Managed Vulnerability Scanning Service (with Nessus Agents) to ensure that all critical vulnerabilities are remediated within seven days of discovery, and moderate/important vulnerabilities within 30 days.

Systems should also log data to the Managed Splunk Service with analysts regularly reviewing these logs.

For high risk services, UTISO can make additional security monitoring agents available. Please contact us directly about this option (security@utexas.edu).

Additional Elaboration:

  • Managed Services — UTISO scanning may be omitted on infrastructure provider managed services, however if the platform provides a native vulnerability detection capability, it should be implemented.
  • Ephemeral Servers — Build machine images that contain the Nessus Agent, or bootstrap the installation and configuration of the Nessus Agent using the management tools specific to your implementation.
  • Containerized Solutions — Run a Nessus Agent scan on the network where the container runs.
Inventory and Asset Classification

Maintain an inventory of deployed resources as well as the risk classification and service owner of those resource in ISORA.

Additional Elaboration:

  • Ephemeral Servers — Systems designed for a lifespan no greater than 7 days (commonly those in autoscaling worker groups) should be inventoried as a single application.
  • Managed Services — Infrastructure managed services like Amazon RDS or Google Cloud SQL should be inventoried as applications.
Container Registries As more applications move to container-based microservices, those container images need to be stored in a common set of repositories (as much as possible) to help ensure that a container registry security strategy can be carried out. 
This involves scanning the container images for vulnerabilities, auditing image lifespan and outdated packages, etc.  If containers are leveraging the centrally managed registries on campus the ISO will be positioned to scan those for security deficiencies and system admins will be able to more easily assess package gaps, etc. 
Please consult with ITS as to which container registry is right for your use case (help@its.utexas.edu).
Firewall Use the native tools and design patterns of your platform to ensure that only the minimum necessary network communication is permitted through virtual network devices such as VPCs, load balancers, and the like. This includes access to managed services such as hosted database platforms.
Credential and Key Management
  1. Where possible, integrate with UT Austin authentication for all cloud administration consoles.
  2. Abide by UT's  password rules
  3. Review administrative accounts and privileges quarterly.
  4. API keys:
    1. Minimize their generation.
    2. Grant minimum necessary privileges.
    3. Rotate at least annually.
    4. Do not hardcode.
  5. Do not share credentials.
  6. Leverage Stache for management of these (note: Stache offers an API to facilitate this).
Two-Step Authentication Enforce two-factor authentication for all interactive user and administrator logins. UT provided Duo two-factor authentication is recommended, but other two-factor options may be acceptable.  
Logging and Alerting
  1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or ISO guidance as needed.
  2. Forward logs to the UTISO Managed Splunk Service.

Additional Elaboration:

  • Administrative Activity Logs —  Log user actions and API calls that create or modify the configuration or metadata of a resource, service or project.
  • Data Access Logs — Log user actions and API calls that create, modify, or read high-risk Confidential data managed by a service. One example would be to enable data access logs on AWS S3 buckets containing high-risk Confidential Data.
 
Intrusion Detection

In most situations involving lower risk university data robust system logging paired with system management insights can be all that is needed.  In situations where higher risk Confidential university data is in scope specific network security monitoring may be required. Please consult with the Information Security Office if your implementation is handling Confidential and you are needing to tie into our intrusion detection services for cloud implementations.  Reach us at (security@utexas.edu).

   
Backups
  1. Backup application data at least weekly.
  2. Encrypt backup data in transit and at rest.
  3. Store backups in independent cloud accounts.
 
Encryption
  1. Enable transport layer encryption for all communications external to the private cloud environment.
  2. Use TLS 1.1 or higher.
  3. Use encryption at rest if available.
 
Data Centers Prefer US based data center locations.  
Privileged Access Workstation (PAW)

Cloud administration consoles should only be accessed through a PAW when logging in with an administrative account.

Administrative accounts are defined as:

  • Accounts with the ability to make unrestricted, potentially adverse, or system-wide changes.
  • Accounts with the ability to override or change security control
   
Security, Privacy, and Legal Review Prior to implementation, ensure that your assets are accounted for in ISORA's inventory and that risk management details are provided​    
Regulated Data Security Controls
  1. Adhere to applicable regulations: PCI, HIPAA/HITECH, NIST 800-171, GDPR, etc.
  2. For HIPAA data, ensure that only cloud services covered under a Business Associate Agreement (BAA) are used.
   

 

Credit where credit is due: Thanks to Stanford's ISO for the content!

This set of standards supplement the UT Austin Information Resources Use and Security Policy and provides additional details related to the minimum security expectations of care required for the university's various types of data.

UT Austin requires individuals granted access to or use of the university's information resources to be aware of and abide by the university's information security policies and requirements.

These standards will evolve over time as technologies and use cases change. All changes will be captured in the respective change log.

Please feel free to contact the UT Information Security Office (security@utexas.edu) with any questions.