Cloud services form an important part of the information technology landscape and are beneficial for science and the planet when used appropriately. Use this document to assess your risk and implement cyber security controls if you are considering using a cloud service for research purposes.
Still trying to decide if a cloud service makes sense? Read our page on Cloud Services - Things to Consider. Contact Cyber Security (security@lbl.gov) if you have additional questions.
Operations Divisions may not acquire or configure any IT system without coordination with and permission from IT Division (Lifecycle Management for Information, Hardware, Software, and Services).
Step 1. Identify and assess the risks
Even though all research work at Berkeley Lab is FIPS-199 Low risk, gradations still exist which may require different controls. Assess your risk level as Green, Yellow, or Red for each of the following risk areas. Some projects may be 'Green' for one risk area and 'Yellow/Red' for another. The following tables are meant to be examples of characteristics for Green, Yellow, or Red categories and may not be applicable nor be the only characteristics in every situation.
| Risk Area | Green | Yellow | Red |
Information Sensitivity | - No Prohibited Information.
| - No Prohibited Information.
| |
- No Personally Identifiable Information.
| - No Personally Identifiable Information.
| - Personally Identifiable Information.
|
- No Controlled Information.
| - No Controlled Information.
| |
- No Prudent to Protect Information.
| - Prudent to Protect Information.
| - Prudent to Protect Information.
|
Trust Relationships | - Does not use Berkeley Lab passwords / authentication.
| - Does not use Berkeley Lab passwords / authentication.
| - Requires the use of Berkeley Lab passwords / authentication.
|
- No administrative access to Berkeley Lab or other systems.
| - No administrative access to Berkeley Lab or other systems.
| - Requires administrative access to Berkeley Lab or other systems.
|
- Does not require access to Berkeley Lab or other systems.
| - May require temporary connections to Berkeley Lab or other systems.
| - Requires persistent connections to Berkeley Lab or other systems.
|
Visibility | - No external collaborators / researchers.
| - Some external collaborators / researchers.
| - Significant collaborations with multiple external participants.
|
- Little to no public interest.
| | - Could be of significant public interest.
|
Step 2. Select and Implement Controls
Note: The user and supervisor “own” the security risk analysis and approach around the use or acquisition of any cloud service.
Controls aren’t limited to the cloud service system, there are implications for Berkeley Lab systems or other systems as well. For example, all systems in a trust relationship (e.g firewall pinholes, batch keys, common user accounts) with a cloud service, including Berkeley Lab systems, should be configured to minimize the impact of any compromise.
Recommended Controls: All projects
- Follow Berkeley Lab procurement rules (which permit click through for low risk software agreements).
- Ensure the information remains the property of UC/DOE.
- Identify a technical point of contact both at the cloud service and at Berkeley Lab.
- e.g. Who to contact if something isn't working right.
- Enable and understand all available cyber security features.
- Turn on extensive logging,
- Use off-site backups,
- Change passwords frequently, etc.
- Keep any installed software up to date.
- Ensure any installed software is legitimate and free of malware, spyware, etc.
- Where applicable, implement Recommended Cloud Configurations
Required Controls: Red
You are required to contact the Cyber Security (security@lbl.gov) if your project has risks in the Red category prior to acquiring or using the cloud service. |
PII or information normally contained in the Business Systems Enclave (FIPS 199 Moderate) cannot be processed outside the BSE without a complete risk-analysis and approval from Cyber Security (security@lbl.gov) and Data Owner.
- Create a cyber security plan approved by Cyber Security.
- Require that external audits and assessments are routinely conducted.
- Ensure contractual data protections and penalties are addressed.
- Require that the cloud service has a cyber security plan.
- All of the Yellow and Green controls.
Recommended Controls: Yellow
Controls for Yellow must be appropriately tailored for the risks. We strongly advise you to contact Cyber Security (security@lbl.gov).
- Create, and regularly review, a written cyber security plan.
- Obtain a static IP address so that your appearance to Berkeley Lab systems is persistent.
- If you obtain a DNS mapping from lbl.gov domain space to your static IP at cloud service, set the local cloud instance hostname to match lbl.gov hostnames. This makes syslog forensics much easier.
- Increase the verbosity of logging (both local and syslog).
- Enable process accounting.
- Conduct regular vulnerability scanning (including application vulnerability testing), if permitted by the cloud service.
- Adopt a restrictive default-deny posture and implement it for both inbound and outbound network traffic.
- Block all inbound Internet traffic to back-end (for example, database) systems in a multi-tiered architecture.
- Install applications that monitor system file changes (e.g. Tripwire and OSsec) and configure them to log to or alert non-cloud service systems.
- Continuously monitor the content and availability of your site.
- Ensure that information is backed up appropriately.
- Consider backing up information to a different cloud service.
- Regularly review accounts and ensure least privileges.
- Remove unnecessary user accounts on systems.
Consult with Cyber Security (security@lbl.gov) if your application utilizes federated authentication. - Require multifactor authentication or restrict logins from only Berkeley Lab systems that require multifactor authentication (this service is available free from Cyber Security).
- Don't use your Berkeley Lab passwords to access the cloud service unless you use Berkeley Lab's Federated Authentication service.
- Don't copy SSH private keys to the cloud service systems.
Recommended Controls: Green
- Implement or require the implementation of (e.g. via contract terms) the Minimum Security Requirements to the extent possible.
- Understand the cyber security characteristics of the cloud service and follow best practices for configuring available cyber security options.
- Regularly monitor the cloud service for changes in cyber security procedures, privacy policies, etc.
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Server (SaaS) Controls
- Controls for IaaS and PaaS are similar to the recommended and required controls.
- For PaaS, ignore or restructure controls related to operating systems to reflect the platform approach.
- SaaS controls are much more difficult to generalize about because of the wide array of SaaS cloud services. The following controls apply to SaaS cloud services:
- Understand the cyber security functionality exposed by the cloud service and make judicious use of it
- Understand where the cloud service's cyber security responsibility ends and yours or Berkeley Lab's begins.
- Have a plan for getting your information out of the cloud service.
- Use the Data Security Appendices to negotiate additional protections where appropriate.
- Don't use your Berkeley Lab passwords to access the service unless you use Berkeley Lab's Federated Authentication service.
Step 3. Submit the Cloud Hosting Request Form
This form contains several questions that will help Cyber Security track cloud resources and understand what controls are needed for them. Please submit this form before requesting DNS records or making your cloud resources public:
https://go.lbl.gov/cloud-hosting-form