CLOUD COMPUTING CONSUMER GUIDELINES
Use of cloud computing services may introduce security challenges and the University must manage how the cloud provider secures and maintains the computing environment and University information assets. These guidelines identify the procedures and responsibilities in the engagement and management of cloud computing services.
Cloud computing can provide highly available, convenient and on-demand access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) via the Internet. Services typically take the form of three service models (SaaS, PaaS, IaaS) that may be deployed as a public cloud available to the general public; a private cloud operated exclusively for a single organization; a community cloud available to multiple organizations with common privacy, security or regulatory requirements; or a hybrid cloud combining two or more clouds where each member is a unique entity but bound to others that enable application and data portability between them:
Software as a Service (SaaS) – Consumer uses the provider’s applications running on a cloud infrastructure through client devices via web browser or program interface. The consumer does not control the underlying cloud infrastructure including network, servers, operating systems, storage and, often, not even applications capabilities with exception of limited user-specific application configuration settings.
Platform as a Service, (PaaS) – Capability for the consumer to deploy and control applications onto the cloud infrastructure, but the consumer does not manage or control the underlying cloud network, servers, operating systems, and storage.
Infrastructure as a Service (IaaS) - Capability for the consumer to provision processing, storage, networks, and other fundamental computing resources where the consumer can deploy and run software including operating systems and applications. The consumer does not manage the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of some network components such as host firewalls.
II. Responsibilities and Procedures:
The representative of Procurement Services responsible for review and negotiation of the contractual terms will identify and collaborate with the Contract Relationship Owner (typically the department head of the requesting department) to determine overall objectives for the services and data identification including sensitivity; service level requirements and/or share of those responsibilities; negotiate contract language, pricing and deliverables; and obtain final fiscal and departmental approvals.
Commensurate with the data sensitivity and handling requirements, Procurement’s representative reviewing and negotiating the contractual terms will ensure inclusion of applicable contract terms to address federal and state regulations (e.g., Family Educational Rights and Privacy Act of 1974 (FERPA), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Indiana Code 4-1-10, Release of Social Security Number, Indiana Code 4-1-11, Notice of Security Breach); industry-specific contractual requirements such as Payment Card Industry Data Security Standard (PCI-DSS), European Union General Data Protection Regulation (GDPR), or other requirements that may impact the university.
As early in the contract negotiation process as possible, but prior to contract signature at the latest, Procurement Services will engage IT Security & Policy (with copy to the Contract Relationship Owner) to facilitate IT Security & Policy performing a vendor security review to ensure the vendor can meet minimum security requirements for university data.
IT Security & Policy
Information Assurance - Prior to contract signature, IT Security & Policy Information Assurance will perform a vendor security review aligned with common security frameworks such as National Institute of Standards and Technology (NIST) and Cloud Security Alliance (CSA) Controls Matrix, as well as, university policies, standards and data handling guidelines. As part of the review, the vendor is requested to provide any applicable and available third-party security attestations or certifications (e.g. SOC-2, PCI AOC, etc.). Based on the university-classified sensitivity of the data, the review will result in a report identifying controls and risks, effectiveness of those controls or recommendations for controls to mitigate risk. Information Assurance will provide the report to the Contract Relationship Owner for their review of recommendations to either proceed or consider risk mitigating controls. Validation of risk mitigation will take place in the Production Readiness review process.
If necessary, Information Assurance will provide guidance to the Contract Relationship Owner in their review of Service and Organization Controls (SOC) 2 Reports or other third-party attestations, if applicable.
Identity and Access Management – The Identity and Access Management Office will provide authentication and authorization integration services into campus identity and access management infrastructure.
Security Services – ITSP-SS will consult on security architecture, policy management for firewalls, log collection and reporting.
Contract Relationship Owner
In order to effectively manage the services provided by the cloud computing vendor, a contract relationship owner (“Contract Relationship Owner”) will be identified with Procurement Contract Services. The Contract Relationship Owner is responsible for:
- Performing ongoing management of the vendor engagement, deliverables, and relationship including monitoring vendor and university performance to service level agreements and adherence to terms of data protection, including but not limited to:
- availability time and service outages
- routine maintenance timeframes
- hardware & software updates
- application management
- change control
- network controls & management
- data confidentiality
- data integrity
- data availability
- data transmission and storage encryption
- user access controls
- physical and/or data center security controls
- privacy consents and notifications
- audit requirements, including annual review of SOC 2 or other required 3rd party attestations
- assurance of supply chain or other third-party services providers supporting the cloud service provider
- disaster recovery and business continuity
- Initiating dialog to address any performance issues directly with the vendor and collaborate with other university units as needed, including
- collaboration with IT Security and Policy if an exception is noted in a SOC 2 or other 3rd party attestation;
- facilitation of university incident response procedures in the event of a security incident.
- Supporting timely and accurate payment, and engage Procurement Services in contract renewals, amendments, or termination.
III. Related References
The controls frameworks referenced below are the current versions at the time of this publication. These frameworks are subject to periodic updates and the most current, final publication available should be referenced.
Issued September 7, 2010 from Purdue University Data Stewards Group, Security Officer's Group, and IT Networks and Security. Revised October 31, 2017 to update URLs and policy references. Revised March 1, 2019 to define cloud consumer responsibilities and procedures; update URLs and controls frameworks references.