Knowledge Base

Cloud Services Management Responsibility Layers

KB06002922 141 Views Updated 1-Aug-2024

UChicago Owner

  • Obligations: Master Services Agreement (MSA)
  • Responsibilities: Cloud Services Owners are responsible for security since IT Services doesn’t have the authority to enforce security configuration on the resources within the owner’s cloud environment (e.g., Amazon Web Services (AWS) account, Azure subscription, Google Cloud Platform (GCP) project).
  • The owner is responsible for:
    • Securing their data (e.g., encryption where feasible).
    • Following the principle of "least privilege for access."
    • Securing their resources (e.g., patching, secure configuration).
    • Managing secure access to the environment:
      • No local user accounts for University-affiliated members.
      • Any local accounts should use the principle of least privilege and must use 2FA.
      • Conform to recommendations for key rotation.
      • Manage access using Grouper groups.
      • Keys and local user accounts that are not needed should be removed.
  • Compliance:
    • What: The resources, settings, and configuration will be regularly checked against compliance standards, and non-compliant items will be addressed:
      • Any Critical or High findings should be given due attention and addressed in a timely manner.
      • Other findings should be reviewed and addressed.
    • How: Use the following native tools to view findings and remediation guides.
      • AWS: Use Security Hub and Config for some regulations like HIPAA.
      • Azure: Use Microsoft Defender for Cloud.
      • GCP: Use Security Command Center.
      • Regularly review these findings and recommendations and address them. 
    • Computer nodes must run the University's antivirus solution CrowdStrike.
    • Account resources must comply with the End-user Device Policy.
  • Monitoring:
    • View and handle Security Alerts within GuardDuty (AWS) and Microsoft Defender for Cloud (Azure).
    • Set up Azure Monitor (strongly encouraged) for resources, and regularly review and handle alerts and insights.
  • Yearly risk review topics: Open-ended conversation about the use of ePHI.

UChicago Unit IT

  • Obligations: Master Services Agreement (MSA)
  • Responsibilities:
    • Responsible for the security of the resources used by the requestors they support. While resources are in the cloud, security is no different than storage on-premises.
    • Unit IT is added to every account with security auditor permissions, minimally.
    • Unit IT is responsible to make sure they know the disposition of all accounts.  
    • Unit IT needs to make sure the requestor is diligent in their responsibilities as stated as outlined in the UChicago Owner's: Responsibility section.

UChicago IT Services

  • Obligations: Master Services Agreement (MSA)
  • Responsibilities:
    • The IT Services Cloud Enablement team will have the security auditor role, which allows for viewing the Monitoring dashboard.
    • Basic security protections at an organizational (enrollment/management group) level
    • Overall monitoring as a second set of eyes.
    • Compliance: Organization-wide policies. 
      • Set up Security policy alerts.
      • Regularly review security recommendations across cloud environments and reach out to cloud environment owners to help address items of concern.
    • Monitoring: 
      • Alerts for active concerns contact IT Security and the Cloud Enablement team; Follow up with the subscription/account owner.
  • Yearly risk review topics: Open-ended conversation about the use of ePHI.

Infrastructure as a service (IaaS) provider

  • Obligations: Business Associate Agreement
  • Responsibilities: Business Associate Agreement 
Helpful?