Cloud Service Security Policy
This policy forms part of the University’s Information Security Policy.
The overarching Information Security Policy together with its sub-policies can be found at https://www.aber.ac.uk/en/infocompliance/policies/security/
The University has a “cloud-first” approach to software procurement and welcomes applications and services that are cloud-hosted.
All cloud services must be checked against this policy and approved by Information Services (for support, security and integration with existing systems) and by the Information Governance Team (for data compliance) before registering with, or entering an agreement with, a cloud service provider.
This policy applies to all departments and members of staff at Aberystwyth University who are considering, selecting, implementing or currently operating a cloud service with the intention of providing a service to, or processing the data of, other University users. If you are unsure whether a service falls within the scope of this document, please contact firstname.lastname@example.org.
The Information Security Group will monitor the effectiveness of this policy and carry out regular reviews.
2. Data Privacy
Privacy Impact Assessments (PIAs; the GDPR term is Data Protection Impact Assessment, DPIA) are mandatory under the General Data Protection Regulation (GDPR) for processing that is likely to result in a high risk to individuals. Under this policy a PIA must be completed before any cloud provider stores or processes any user data.
3. Asset Ownership
Information Services must maintain a register of the asset owners responsible for each cloud service used by the University. It is the responsibility of the asset owner to ensure that:
- All use of cloud services is registered with Information Services
- Ownership information is kept up to date with Information Services
- The cloud service does not duplicate functionality already offered by the University
- Data is processed in accordance with data protection legislation
- Use of all cloud services is compliant with this document
4. User Access Control
- Cloud services must support individual, named user accounts (not shared logins) so that actions can be attributed to a person and audited.
- Cloud services must not hold central Aberystwyth University passwords or password hashes, or ask users to submit their central credentials directly to the service.
- Instead, the cloud service must authenticate users through the existing centrally maintained identity provider: Azure single sign-on (OpenID Connect with JWT tokens, or SAML 2.0).
- User accounts must be provisioned either through SCIM or through just-in-time (JIT) provisioning at first sign-on, so that accounts originate from the central directory rather than being created by hand in the service.
- Information Services does not permit LDAP authentication for cloud-hosted services.
- End-user and privileged access to cloud services must be reviewed regularly to confirm that access is held only by those who still require it for their current role.
5. Web URL
- The service may require a subdomain, such as blackboard.aber.ac.uk. All web services must be served exclusively over TLS (HTTPS). The Asset Owner must contact Information Services to reserve a web address in the aber.ac.uk zone to ensure its availability.
5.1 TLS Certificates
- TLS certificates can be provided by Information Services, or cloud providers may purchase certificates themselves but only following approval from Information Services.
- The service must use strong, industry-standard cryptography to encrypt data in transit between the cloud service and the end user.
- The service must support TLS 1.2 and TLS 1.3, with SSLv3, TLS 1.0 and TLS 1.1 disabled, and must keep up to date with current protocol versions and cipher suites.
- A grade of at least ‘A’ from the Qualys SSL Labs server test (https://www.ssllabs.com) is required for approval.
5.1.2 Certificate Authority
- The cloud service may only obtain certificates from certificate authorities authorised by Information Services; these are advertised in the DNS CAA record for aber.ac.uk and include the services provided by Jisc, Let’s Encrypt and AWS. Approval must be gained from Information Services before using any CA not listed in the advertised CAA record.
- Information Services does not support wildcard TLS certificates for cloud services.
- IPv6 support is strongly desirable when selecting cloud services.
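The CAA rule in 5.1.2 above is enforced by the CA, not by the University: before issuing, a CA walks up the DNS tree from the requested name to the first CAA record set and checks its own identifier against it (RFC 8659). The following Python script is an added example of that evaluation, not part of this policy or of any CA's software. Its zone data is constructed for illustration: `jisc-ca.example` stands in for whichever CA issues Jisc-provided certificates, the `issuewild ";"` record reflects the no-wildcard rule in this policy, and the real aber.ac.uk CAA set is not reproduced.

```python
"""Evaluate a DNS CAA policy the way a CA does before issuing (RFC 8659).
Added example, not part of the policy.  The zone below is constructed:
'jisc-ca.example' is a placeholder, not a real CAA value.  In practice,
read the live records with `dig CAA aber.ac.uk` and feed them in."""

# A zone as a dict: owner name -> list of (flags, tag, value) CAA records.
# Constructed data; the real aber.ac.uk CAA set is not reproduced here.
SAMPLE_ZONE = {
    "aber.ac.uk": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "amazon.com"),
        (0, "issue", "jisc-ca.example"),   # placeholder CA identifier
        (0, "issuewild", ";"),             # no CA may issue wildcard certificates
        (0, "iodef", "mailto:ca-reports@example.org"),
    ],
}

def relevant_rrset(zone: dict, name: str) -> list:
    """Climb from name towards the root and return the first CAA set found.
    A request for *.example.com is checked against example.com."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def caa_allows(zone: dict, name: str, ca: str) -> bool:
    """True if the CA identified by domain 'ca' may issue a certificate for
    name; a leading '*.' in name asks for a wildcard certificate."""
    rrset = relevant_rrset(zone, name)
    if not rrset:
        return True                       # no CAA anywhere up the tree: unrestricted
    # A critical record (flag bit 128) whose tag the CA does not understand
    # forbids issuance outright.
    if any(flags & 128 and tag.lower() not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in rrset):
        return False
    wildcard = name.startswith("*.")
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    # issuewild overrides issue for wildcard requests, but only when present
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                       # CAA set holds only e.g. iodef: no restriction
    # Value is "<ca-domain>; param=value ..."; an empty domain means 'nobody'
    domains = [v.split(";", 1)[0].strip().lower() for v in relevant]
    return ca.lower() in domains

if __name__ == "__main__":
    for req in (("blackboard.aber.ac.uk", "letsencrypt.org"),
                ("blackboard.aber.ac.uk", "digicert.com"),
                ("*.aber.ac.uk", "letsencrypt.org")):
        print(req, caa_allows(SAMPLE_ZONE, *req))
```

The two cases worth noticing are the ones a provider typically trips over: a subdomain with no CAA record of its own inherits the parent's set, so a provider-issued certificate for a new subdomain is refused unless its CA is listed; and an `issuewild` record with an empty value blocks wildcard issuance even from CAs that are allowed to issue ordinary certificates.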
- A cloud provider may require the ability to send or receive emails on behalf of the aber.ac.uk domain or its subdomains.
- Information Services is unable to support cloud services that do not support the mail security technologies identified below; mail that fails these checks will not be delivered.
6.1 Sending Mail
Cloud services must be registered as authorised senders on Information Services systems to prevent mail being treated as spam.
To become a registered sender the cloud provider must support all of the following:
- SPF - Sender Policy Framework
- DKIM – Domain Keys Identified Mail
- DMARC - Domain-based Message Authentication, Reporting & Conformance
6.2 Receiving Mail
Cloud providers may require the use of MX records to receive inbound mail. Supporting MX records for cloud applications will be approved at the discretion of Information Services.
Mail should be TLS-encrypted in transit between Mail Transfer Agents (STARTTLS), and the provider must support this for both sending and receiving of mail as required.
The provider must be able to rotate its DKIM signing keys within 28 days of any security breach. Routine rotation must follow NCSC guidance: preferably every six months and at least once every 12 months.
DKIM keys must be RSA keys of at least 1024 bits; 2048 bits is recommended.
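The following Python script is an added example (not part of this policy) that checks the three sender records required in 6.1 and the DKIM key length required in 6.2 from the records alone, without contacting a provider. All of its inputs are constructed for illustration: the `_spf.cloud-provider.example` include, the `dmarc@example.org` report address, and the DKIM modulus, which is a synthetic number of the right length rather than a real key. It assumes RSA DKIM keys, which is what the bit-size rule above implies.

```python
"""Offline checks for the sender records required by section 6.1 (SPF, DKIM,
DMARC) and the DKIM key-length rule in 6.2.  Added example, not part of the
policy.  All sample records are constructed for illustration; the DKIM
modulus is a synthetic number of the right length, not a real RSA key.
In practice, fetch the live records with `dig TXT <name>` and pass them in."""
import base64
import re

# --- 'tag=value;' parsing, shared by DKIM and DMARC records ---------------
def parse_tags(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

# --- SPF (RFC 7208) --------------------------------------------------------
ALL_QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include", "redirect"}

def spf_check(record: str) -> dict:
    """Report the 'all' qualifier and how many DNS-lookup terms the record
    uses.  Receivers return permerror above 10 lookups, so SPF silently
    stops protecting the domain once provider include: chains grow."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_result, lookups = "none", 0
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = re.split(r"[:/=]", body.lower(), maxsplit=1)[0]
        if name == "all":
            all_result = ALL_QUALIFIERS[qualifier]
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    return {"all": all_result, "lookups": lookups,
            "ok": all_result in ("fail", "softfail") and lookups <= 10}

# --- DMARC (RFC 7489) ------------------------------------------------------
def dmarc_check(record: str) -> dict:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    # p=none only monitors; enforcement needs quarantine/reject at pct=100
    return {"p": policy, "pct": pct, "rua": tags.get("rua"),
            "enforcing": policy in ("quarantine", "reject") and pct == 100}

# --- DKIM (RFC 6376): measure the RSA modulus in the p= key ----------------
def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dkim_rsa_bits(record: str) -> int:
    """p= is a base64 DER SubjectPublicKeyInfo:
    SEQUENCE { AlgorithmIdentifier, BIT STRING { SEQUENCE { modulus, exponent } } }"""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM record")
    spki = base64.b64decode(re.sub(r"\s", "", tags["p"]))  # TXT chunks may be space-joined
    _, seq, _ = _der_read(spki, 0)
    _, _, pos = _der_read(seq, 0)            # skip AlgorithmIdentifier
    _, bitstr, _ = _der_read(seq, pos)       # bitstr[0] = unused-bit count
    _, rsa_key, _ = _der_read(bitstr[1:], 0)
    _, modulus, _ = _der_read(rsa_key, 0)    # INTEGER, possibly with a 0x00 sign pad
    return int.from_bytes(modulus, "big").bit_length()

def dkim_check(record: str) -> dict:
    bits = dkim_rsa_bits(record)
    return {"bits": bits, "ok": bits >= 1024, "recommended": bits >= 2048}

# --- constructed test data -------------------------------------------------
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _der_int(value: int) -> bytes:
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def make_dkim_record(modulus: int, exponent: int = 65537) -> str:
    """Wrap a modulus in an SPKI so the parser above has realistic input
    (test data only: the modulus is not a product of two primes)."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = bytes.fromhex("300d06092a864886f70d0101010500")   # rsaEncryption, NULL
    spki = _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

SAMPLE_SPF = "v=spf1 include:_spf.cloud-provider.example ip4:192.0.2.0/24 -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"
SAMPLE_DKIM = make_dkim_record((1 << 2047) | 1)      # 2048-bit modulus

if __name__ == "__main__":
    print(spf_check(SAMPLE_SPF))
    print(dmarc_check(SAMPLE_DMARC))
    print(dkim_check(SAMPLE_DKIM))
    print(dkim_check(make_dkim_record((1 << 1023) | 1)))   # 1024-bit: ok, not recommended
```

To run it against a live provider, paste the output of `dig +short TXT <selector>._domainkey.<domain>` (joining the quoted chunks) into `dkim_check`, and the domain's `v=spf1` and `_dmarc` TXT records into the other two. The DER walk deliberately avoids a cryptography library so the check runs anywhere; the SPF lookup count is the failure most often introduced when a second provider's `include:` chain is added to an already populated record.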
7. Domain Owner Verification
7.1 DNS TXT Records
All DNS TXT record changes for ownership verification must be actioned by Information Services.
Cloud providers may ask for certain steps to be completed to validate ownership of a domain.
Verification should not grant the service access to data beyond what the application needs (for example, analytics data for the whole domain), nor be tied to a service account outside the control of Information Services, since that would prevent the service being offered centrally in the future.
Cloud data centres should be physically located within Europe, preferably within the United Kingdom. Any exception must be highlighted and justified in the Privacy Impact Assessment.
It is recommended that the cloud provider holds and maintains certification to ISO 27001 and can demonstrate that the certification was issued by a suitably qualified (accredited) certification body.
8.3 Data Storage
The cloud provider should use encryption at rest so that special category data is never written to persistent storage in unencrypted form.
8.4 Data retention and deletion
The cloud provider must have a clear and concise data retention policy. The provider must have the ability to delete all information belonging to Aberystwyth University and its users upon the University’s request.
8.5 Data Export
The cloud provider must offer a mechanism for the University to export all of its data from the platform so that the University can comply with Subject Access Requests, requests from law enforcement, and similar obligations.
9. Penetration Testing
The cloud provider should undertake regular penetration testing performed by a suitably qualified provider, such as one accredited under the CREST scheme (https://service-selection-platform.crest-approved.org/).
This becomes a requirement when the service processes special category data.
10. Data Breach
All cloud data breaches must be reported to the Information Services Computer Emergency Response Team or to the Information Governance Team.
This Policy is maintained by Information Services, was last reviewed in July 2022 and is due for review in August 2023