What is Cloud Assessment?

In accordance with NUS Cloud Policy, cloud assessment is required before an off-campus computing service is used. Off-campus computing service, also referred to as cloud service or solution, includes but is not limited to software, applications, application programming interface, development platforms, and IT infrastructure such as databases, storage, servers etc.

Cloud assessment comprises both Cloud Service Provider (CSP) and department readiness assessments. The CSP readiness will be assessed by NUS IT and ORMC on its technical and security capabilities, and personal data/privacy compliance respectively. The Department’s readiness will be assessed by the Department itself together with ORMC on its business and legal risks, internal personal data management process as well as personal data protection impact assessment respectively. The Department should consult the NUS Office of Legal Affairs (OLA) on matters related to contractual agreements.

An Assessed Cloud is a cloud solution whose CSP readiness has already been evaluated by both NUS IT and ORMC’s PDP unit and which is commonly used by the University community. The CSP readiness assessment will generally take up to 2 months on average. With an Assessed Cloud, the overall assessment duration is reduced, as users of a department can focus on the department readiness assessment alone. However, not all clouds assessed for CSP readiness will be accorded “Assessed Cloud” status, as these include conditionally approved clouds and clouds that are specific to department use.

When is Cloud Assessment Required?

A cloud solution must be evaluated and approved prior to procurement.

How to Submit Cloud Assessment?

Cloud assessment should be submitted via the NUS Cloud Assessment app, nCloudAssess, available at https://nusit.nus.edu.sg/cloud-assessment/nCloudAssess. If a cloud solution has already been assessed, i.e. deemed “Assessed Cloud”, and is centrally supported by Centre of Instructional Technology (CIT) or NUS Information Technology (IT), then users do not need to submit cloud assessment for this solution. If the Assessed Cloud is not centrally supported by CIT or NUS IT, users will have to submit a department readiness assessment for the intended cloud solution.

For a cloud solution that has not been assessed or is not considered as Assessed Cloud, a full cloud assessment will be required.

Why and When is Cloud Re-assessment Required?

A cloud solution that has been evaluated may need re-assessment to ensure that its use is kept up to date and conforms to current IT, personal data and data management practices, policies, regulations and legislation.

Some Cloud re-assessment requirements include:

  1. Data Classification of data hosted on cloud has been changed to that of higher sensitivity. For example, from NUS Restricted to NUS Confidential.
  2. There are significant changes in the scope of the cloud used. For example, changing cloud platform, significant changes to the personal data handling workflow processes, the volume of personal data handled or stored in the cloud platform, capturing personal data that are not in the original scope, or additional artificial intelligence or other functionalities added to the system or platform.
  3. A cloud that is providing mission-critical services to the University, i.e., an enterprise service, should be re-assessed every 2 years.
  4. Clouds that were assessed under Enterprise-subscribed cloud assessment.

Cloud Security Responsibilities and Guidance

The System Owner should ensure the secure running of the Cloud during the duration of its use in accordance with the NUS IT Security Policy, the NUS Data Management Policy, and NUS Personal Data Protection Policy and Procedures.

The System Owner should ensure all the users who access the Cloud are properly authenticated and authorised in accordance with NUS IT Security: Chapter 4 Access Control Security.

Cloud security is a shared responsibility between the University (i.e. System Owner) and the CSP. The following table shows the responsibilities for different cloud models (please refer to Cloud Security Alliance – https://cloudsecurityalliance.org/artifacts/guideline-on-effectively-managing-security-service-in-the-cloud/ for more information). Please refer to the NUS Cloud Policy Appendix 4 for the definition of common cloud models.

Table: The Responsibilities of the System Owner and CSP for Different Cloud Models

The System Owner should ensure that the Department has the capability to manage and administer the security of the Cloud. For example, for the PaaS or IaaS cloud model, the Department needs a system administrator to manage host security, such as patching the vulnerabilities of an operating system or application.

The System Owner should maintain and review periodically a cloud administration guide describing the roles and responsibilities of the Department and CSP. The guide is optional if the Cloud model is SaaS and is not supporting any of the Department’s critical business functions.

The guide should include the following:

  1. The roles and responsibilities of the CSP;
  2. The roles and responsibilities of the Department for IaaS or PaaS cloud model such as identifying an application administrator and/or a system administrator;
  3. The process of granting, modifying, or revoking users;
  4. The process of granting or revoking administrative privileges;
  5. The process of modifying configuration, vulnerability scanning, patching vulnerabilities, and other cloud settings;
  6. The application security requirements for PaaS model such as:
    • Vulnerability scanning;
    • Identity and access management;
    • Application firewall; and
    • Other application security measures.
  7. The security requirements for IaaS model such as:
    • Antivirus, server hardening, patch management;
    • Database, API security;
    • Application security requirements (refer to item 6 above); and
    • Other infrastructure security measures.

The System Owner may consult with NUS IT if further assistance is required.

For enquiries on Cloud Assessment and NUS Cloud Policy, please contact the Cloud Team at NUSCloudPolicy@nus.edu.sg