Standards for secure hosting (draft)

This document outlines security requirements and recommendations for hosting University of Waterloo data, organized by the security classifications defined in Policy 46.

General security

All security classifications

  • All users are assigned a unique ID. The uwuserid is used unless it is technically prohibitive to do so.
  • A password, passphrase, token, or asymmetric encryption key is used to authenticate users.
  • The University password policy is followed.

Confidential information

  • Audit trails are maintained so that individual accountability can be established.
  • A change management process is in place for all components of the secure hosting facility.
  • Development/Testing environments are used, and isolated from production environments.

Physical security

All security classifications

  • The hosting facility has physical security controls such as badge readers or lock and key.
  • Backup media is stored in a physically secure location in a different building from the hosting facility.
  • No network jacks for the network servicing the secure hosting facility are publicly accessible.

Confidential information

  • A procedure is in place to help all personnel distinguish between employees, visitors, and students.
  • The hosting facility is monitored using devices such as motion detectors and video cameras.
  • Electronic media is destroyed in accordance with electronic media disposal guidelines.

Restricted information

  • Where standard RFID readers and tokens are used, two-factor authentication (token+PIN) is needed to gain access to the hosting facility.

Network security

All security classifications

  • Domain Name System (DNS) records must be kept current, including contact information.

Restricted information

  • The network servicing the secure hosting facility is isolated from other networks using a stateful firewall. The stateful firewall restricts inbound and outbound traffic to that which is necessary.
  • Network security controls must be in place to prevent direct access, to or from untrusted networks, to information held on a file or database server.

System security

All security classifications

  • The default administrative (superuser) account has a strong password or is disabled.
  • Login accounts have strong passwords.
  • All remote administrative access is encrypted.
  • All interactive logins to the system are logged.
  • The network services provided by the host are limited to those required. This is accomplished by a combination of disabling unneeded services and host-based network access controls.
  • The host is running an operating system version actively supported by the operating system's vendor.
  • A patch management strategy is in place. Critical security patches are installed as soon as possible.
  • A backup strategy is in place.
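The requirement that a host offer only the network services it needs is easiest to verify when the check is automated. The following is an added example, not part of the original standard: it parses the /proc/net/tcp table that Linux exposes (the same data `ss -lnt` reads), decodes the hex-encoded bind addresses and ports, and reports any network-reachable listener that is not on an allowlist. The sample table, the allowlist of ports 22 and 443, and the decision to ignore loopback-only sockets are assumptions made for the example; IPv6 (/proc/net/tcp6) is not handled.

```python
"""Audit of listening TCP services against an allowlist, by parsing /proc/net/tcp."""
import socket
import struct
from typing import List, NamedTuple, Set


class Listener(NamedTuple):
    address: str  # dotted-quad bind address, e.g. 0.0.0.0 or 127.0.0.1
    port: int
    uid: int      # owner of the socket, useful for finding which service opened it


# Constructed sample in the exact layout of /proc/net/tcp (state 0A = LISTEN).
# Rows: sshd on 22, a database bound to loopback on 3306, a web server on 443,
# an unexpected telnet listener on 23, and one ESTABLISHED connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18237 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 19001 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 19344 1 0000000000000000 100 0 0 10 0
   3: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19412 1 0000000000000000 100 0 0 10 0
   4: 0A0A0A05:0016 0A0A0A07:D0F4 01 00000000:00000000 00:00000000 00000000     0        0 20111 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"


def _decode_ipv4(hex_addr: str) -> str:
    # The kernel prints IPv4 addresses as 8 hex digits in host (little-endian) byte order.
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_listeners(table: str) -> List[Listener]:
    """Return every socket in LISTEN state from a /proc/net/tcp dump."""
    found = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "sl":   # header line or truncated row
            continue
        local, state, uid = fields[1], fields[3], fields[7]
        if state != LISTEN:
            continue
        addr_hex, port_hex = local.split(":")
        found.append(Listener(_decode_ipv4(addr_hex), int(port_hex, 16), int(uid)))
    return found


def unexpected_listeners(listeners: List[Listener], allowed_ports: Set[int]) -> List[Listener]:
    """Listeners reachable from the network that are not on the allowlist.
    Loopback-only sockets are excluded: they are not exposed as a network service."""
    return [l for l in listeners
            if l.port not in allowed_ports and not l.address.startswith("127.")]


def audit_file(path: str = "/proc/net/tcp", allowed_ports: Set[int] = frozenset({22, 443})):
    """Read a live table from a Linux host and return the unexpected listeners."""
    with open(path) as fh:
        return unexpected_listeners(parse_listeners(fh.read()), set(allowed_ports))


if __name__ == "__main__":
    # Runs against the constructed sample; on a Linux host call audit_file() instead.
    for l in unexpected_listeners(parse_listeners(SAMPLE_PROC_NET_TCP), {22, 443}):
        print(f"UNEXPECTED listener {l.address}:{l.port} (uid {l.uid})")
```

Run on a schedule and diffed against the previous result, the output doubles as change detection: a new listener appearing outside the change management process is exactly the event the audit trail requirement exists to catch.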

Confidential information

  • Installed software is limited to what is needed.
  • Active processes are limited to those needed.
  • The system clock is synchronized with a trusted time source.
  • System logs are sent to a remote log server, and the logs are reviewed regularly.

Restricted information

  • No server provides more than one of the following functions: Administration, Teaching, Research.
  • Direct interactive access, from networks outside of the secure hosting environment, to shared/system/application accounts is prohibited.

Database security

A Database normally means 'RDBMS server', but also includes other database systems, such as LDAP servers and certificate servers.

All security classifications

  • The database software runs with reduced privileges on the system.
  • Database users/roles with superuser privileges have a strong password set.
  • Access controls on the database schema are restricted to those users/roles that need access.
  • The database user/role used by the application is granted only the database privileges necessary for the application to function.
  • A backup strategy is in place.

Confidential information

  • The database logs errors to a remote log server, and the logs are reviewed regularly.

Application server security

Application Server means any software system that provides a service over the network. This typically means web and email servers, but could include others.

All security classifications

  • Weak encryption ciphers are disabled.
  • Unnecessary modules/plugins are disabled.
  • SSL version 2 is disabled.
  • The SSL/TLS certificate used by the web server for the application is approved by Information Systems & Technology (IST).
  • Error handling is set up so that the names of internal database objects are not revealed to the end user.
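The last requirement above is a matter of separating what the end user sees from what the log server receives. The following is an added example, not part of the original standard: a query wrapper that catches database errors, writes the full detail (including the object name the error mentions) to the application log, and hands the user only a generic message with a correlation reference. SQLite is used so the example runs offline; the in-memory list handler stands in for whatever remote log handler the site uses, and the table and query names are constructed.

```python
"""Error handling that keeps database object names out of user-facing output
while preserving full detail for the server-side log."""
import logging
import sqlite3
import uuid
from typing import Any, Dict, Sequence

log = logging.getLogger("app.db")
log.setLevel(logging.ERROR)


class _ListHandler(logging.Handler):
    """Stand-in for the remote log handler, kept so records can be inspected.
    In production this would be e.g. logging.handlers.SysLogHandler aimed at the log server."""
    def __init__(self) -> None:
        super().__init__()
        self.records = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


AUDIT = _ListHandler()
log.addHandler(AUDIT)


def safe_query(conn: sqlite3.Connection, sql: str, params: Sequence[Any] = ()) -> Dict[str, Any]:
    """Run a parameterised query; on failure log the detail and return a generic result."""
    try:
        return {"ok": True, "rows": conn.execute(sql, params).fetchall()}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]   # correlation id: lets support find the log line
        # Full detail, including any object names in the driver's message, goes to the log only.
        log.error("ref=%s type=%s detail=%s sql=%r", ref, type(exc).__name__, exc, sql)
        return {"ok": False, "reference": ref,
                "message": f"The request could not be completed (reference {ref})."}


def demo() -> Dict[str, Dict[str, Any]]:
    """Constructed scenario: one valid query and one that names a non-existent table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE course (code TEXT, title TEXT)")
    conn.execute("INSERT INTO course VALUES ('CS101', 'Introductory course')")
    good = safe_query(conn, "SELECT code, title FROM course WHERE code = ?", ("CS101",))
    # The driver's own message would read "no such table: hr_staff_salary"; the user never sees it.
    bad = safe_query(conn, "SELECT salary FROM hr_staff_salary WHERE id = ?", (1,))
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    out = demo()
    print("user sees:", out["bad"]["message"])
    print("log has:  ", AUDIT.records[-1])
```

The same pattern applies to stack traces and framework debug pages: a production deployment should have the framework's debug mode off so that its default error page cannot bypass this wrapper.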

Confidential information

  • If users are authenticated to the site, then passwords are not stored in clear-text.
  • The application logs to a remote log server. The logs are reviewed regularly.
  • Locally written applications are formally reviewed and tested before going into production.

Application security requirements

All security classifications

  • The application runs with the minimal system privileges necessary.
  • The application uses a trusted filesystem PATH.
  • The application validates the use of secure communications (SSL/TLS).
  • The application validates all user input to prevent injection and cross-site scripting.
  • The application manages sessions securely, through mechanisms such as session timeouts and logout functions.
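The last two requirements above, input validation and secure session management, are shown together in the following added example, which is not part of the original standard: an allowlist validator for user ids with output encoding for anything rendered back to the page, and a server-side session store with an idle timeout, an absolute lifetime, unguessable tokens and a logout that invalidates the session on the server rather than merely clearing a cookie. The user id shape, the 15-minute idle and 8-hour absolute limits, and the injectable clock are assumptions for the example.

```python
"""Allowlist input validation plus server-side sessions with idle and absolute
timeouts and explicit logout. The clock is injectable so expiry can be exercised."""
import html
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity
# Assumed user id shape: a lowercase letter followed by 1 to 7 letters or digits.
# Adjust to the local naming rules. Allowlisting rejects injection characters outright.
USERID_RE = re.compile(r"[a-z][a-z0-9]{1,7}")


def is_valid_userid(value: str) -> bool:
    return USERID_RE.fullmatch(value) is not None


def validate_userid(value: str) -> str:
    if not is_valid_userid(value):
        raise ValueError("invalid user id")
    return value


def render_greeting(name: str) -> str:
    """Output encoding: whatever reaches the page is rendered as text, not markup."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionManager:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, userid: str) -> str:
        validate_userid(userid)
        token = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG, not guessable
        now = self._clock()
        self._sessions[token] = Session(userid, now, now)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a token to a user, enforcing both timeouts and sliding the idle window."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_LIFETIME:
            del self._sessions[token]         # expired: drop it server-side
            return None
        s.last_seen = now
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)       # logout invalidates, not just clears the cookie


class FakeClock:
    """Controllable clock for tests and demonstrations."""
    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    sm = SessionManager(clock)
    tok = sm.login("alice01")
    print("active:", sm.user_for(tok))
    clock.advance(IDLE_TIMEOUT + 1)
    print("after idle timeout:", sm.user_for(tok))
    print(render_greeting("<script>alert(1)</script>"))
```

The token is only the session's name; all state lives on the server, so the cookie carrying it should be set with the HttpOnly and Secure attributes and the session rotated after login to keep the token itself from being the weak point.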

 Jason Testart - 30 Sep 2011