Cloud Standards & Considerations

Standards for Cloud-based Systems

When considering cloud services (SaaS) and trying to determine whether one is a suitable option for your project, there are several things to consider. Among the most critical requirements:

  • The data must be encrypted as it moves between Baylor and the host servers.
  • The data must be encrypted while it resides on the host servers.
  • The data hosted by the cloud service must reside on servers housed in the continental United States.
  • If more than just a few departmental staff will need to access the system, authentication for Baylor users must be by BearID via Shibboleth and the InCommon Federation.
  • The data in the system can only be in the Public, Non-Public, or Protected categories, as defined in the Baylor University Data Classification Guide.
  • If you are considering a system that will be processing credit card or ACH transactions, the system must be PCI-DSS compliant, as verified by a Report on Compliance, a QSA-endorsed Attestation of Compliance, or a listing on the VISA Global Registry of Service Providers. Depending on when and how these transactions occur, special considerations may need to be made. The system must adhere to, and users must follow, Baylor’s PCI policies.
  • In addition to the PCI standards, any credit card transactions on a mobile device must use PCI P2PE (Point-to-Point Encryption).
  • Depending on the data being stored, additional compliance requirements (HIPAA or NIST 800, for example) may be necessary.

Other Considerations

In addition to the standards listed above, there are some other important factors to consider that may impact the decision-making process for the department and the ITS review of the product:

  • Is there a need to have data transferred between the cloud service and systems housed on the Baylor campus (e.g., student, HR, or alumni data from Banner or financial data from Trax)? This will require additional ITS personnel resources and will need to be coordinated into regular work schedules, so it must be included in planning the project implementation.
  • ITS personnel time will also be required for integration into Baylor authentication systems, and this will need to be considered and scheduled as part of the project timeline.
  • If data must be integrated with other systems, how current must those integrations be? Weekly? Daily? Real time?
  • Does the contract allow for a “test” instance of the system for testing configuration and process changes?
  • Have adequate consulting services from the vendor been included in the implementation project?
  • Have you considered who will be the Baylor administrator for the cloud system or service? Plan for backup in case of turnover.
  • What are the support policies provided by the agreement and are they sufficient to meet your needs? For example, do you require 24x7 access to support?
  • While cloud services usually have configuration options, they are generally not customizable by ITS. Generally, you must accept the look and feel of the interface as well as the system processes as delivered.
  • In cloud systems, ITS does not have the ability to make mass changes to data in cases such as department name changes. You will be dependent on vendor response for support in these cases.
  • ITS will not generally have access to logs or monitoring tools to help diagnose performance or other issues that might occur with cloud systems.
  • What are the policies for data retention for any data that is stored in this cloud service?
  • Is there a clear “exit strategy” to recover the necessary data in the case of termination of the contract? There should be a clear and concise path to recovery of the data.
  • What is the long-term viability of the vendor? A great deal of work may go into integrating a cloud service into your operations. You’ll want to ensure that the vendor will be around for the duration of the contract, and that the stored data will remain secured.
  • Is there a cap on the year-to-year cost increase for the service?
  • Is there a fee tied to levels of usage, e.g., for bandwidth, storage, or processor?
  • Is the cloud service accessible, in accordance with ADA standards for web site design?