The Northwestern Cloud Planning Group has developed a set of minimum security requirements and management recommendations for all cloud hosted systems.
All IT @ Northwestern organizations are encouraged to leverage these recommendations.
To discuss these recommendations or for advice and guidance on implementation please visit the Resources section of this site.
Account Creation and University Contract Agreements
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
All use of AWS or Azure for storing Northwestern data or hosting Northwestern services should occur in accounts provisioned under or migrated to the Northwestern contracts with AWS and Azure. | Leveraging the Northwestern AWS contract provides the following benefits: Northwestern has a Business Associate Agreement in place with Amazon, which is a requirement for running regulated workloads or storing regulated data with Amazon (e.g. HIPAA). The Business Associate Agreement can only be used through an AWS account under the Northwestern contract. To request a new AWS account, or to transfer an existing one, under the Northwestern contract visit – | Leveraging the Northwestern Azure contract provides the following benefits: Northwestern has a Business Associate Agreement in place with Microsoft, which is a requirement for running regulated workloads or storing regulated data with Azure (e.g. HIPAA). The Business Associate Agreement can only be used through an Azure account under the Northwestern contract. To request a new Azure account, or to transfer an existing one, under the Northwestern contract visit – |
Cost Optimization
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
Account owners should review account charges regularly to mitigate the risk of unauthorized or unintended use of cloud resources. Additionally, account owners should regularly review the available cost management tools for insight on recommended resource sizing and available purchasing options to optimize total cost. | Account owners should regularly review CloudCheckr's Cost and Savings reports. Additionally, account owners should regularly review the AWS Trusted Advisor dashboard, available within the AWS Management Console, for additional cost optimization recommendations. Information about AWS Trusted Advisor is available @ | Account owners should regularly review CloudCheckr's Cost and Savings reports. Additionally, account owners should review the Azure Advisor service, available within the Azure portal, for cost optimization recommendations. Information about Azure Advisor is available @ Leverage the Azure Hybrid Use Benefit for reduced cost on Windows Server instances. Information about the Azure Hybrid Use Benefit is available @ |
Credentials and Access Control
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
All faculty, staff, and students should use NetID-based federated authentication for access to a cloud provider's administrative console. For API or service account access, create identifiable user accounts with appropriate role-based access control. Rotate all access keys periodically. | NetID-based federated authentication is enabled by default for administrative access to the AWS console for all AWS accounts created under or transferred to the Northwestern contract. All IAM user accounts created for programmatic access should use a clearly identifiable user name (use of the creator's NetID is highly recommended) and be granted the least level of privilege required. IAM access keys and EC2 key pairs should be rotated at least annually. Additional best practices for AWS IAM are available @ | NetID-based federated authentication is enabled by default for administrative access to the Azure portal for all Azure accounts created under or transferred to the Northwestern contract. Programmatic access to Azure is available through NetID-based federated authentication and does not require the creation and management of separate user accounts. Information on using Azure Role-Based Access Control to support the practice of least privilege is available @ |
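The AWS column asks for identifiable IAM users with keys rotated at least annually, but it leaves the "how do I know which keys are overdue" part to the account owner. The following is an added example (not code from the page or from Northwestern IT) that classifies IAM access keys against that annual target. It works on records shaped like the `AccessKeyMetadata` entries boto3's `iam.list_access_keys()` returns; the key IDs, user names, dates and the fixed "today" below are constructed so the example runs offline.

```python
from datetime import datetime, timezone

# Constructed sample records, shaped like the AccessKeyMetadata entries that
# boto3's iam.list_access_keys() returns for each IAM user (assumption: in
# practice these come from the API; the user names, key IDs and dates are
# made up, using AWS documentation-style example key IDs).
SAMPLE_KEYS = [
    {"UserName": "abc123-deploy", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "Status": "Active", "CreateDate": datetime(2017, 1, 15, tzinfo=timezone.utc)},
    {"UserName": "abc123-backup", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
     "Status": "Active", "CreateDate": datetime(2018, 3, 1, tzinfo=timezone.utc)},
    {"UserName": "xyz789-legacy", "AccessKeyId": "AKIAIOSFODNN7LEGACY0",
     "Status": "Inactive", "CreateDate": datetime(2016, 5, 1, tzinfo=timezone.utc)},
]

# Constructed "today" so the example is reproducible offline.
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

# The page's rotation target: at least annually.
MAX_KEY_AGE_DAYS = 365


def key_age_days(key, now=NOW):
    """Whole days since the key was created."""
    return (now - key["CreateDate"]).days


def classify_keys(keys, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Sort keys into three buckets:
       rotate - active and older than the rotation target
       delete - already inactive (a key disabled during rotation should be
                removed once nothing depends on it, so it cannot be re-enabled)
       ok     - active and within the rotation window
    """
    buckets = {"rotate": [], "delete": [], "ok": []}
    for key in keys:
        if key["Status"] != "Active":
            buckets["delete"].append(key)
        elif key_age_days(key, now) > max_age_days:
            buckets["rotate"].append(key)
        else:
            buckets["ok"].append(key)
    # Oldest first, so the most overdue keys lead the report.
    for bucket in buckets.values():
        bucket.sort(key=lambda k: k["CreateDate"])
    return buckets


def rotation_report(keys, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """Human-readable lines, one per key that needs action."""
    buckets = classify_keys(keys, now, max_age_days)
    lines = []
    for action in ("rotate", "delete"):
        for key in buckets[action]:
            lines.append(f"{action.upper():6} {key['UserName']:16} {key['AccessKeyId']} "
                         f"age={key_age_days(key, now)}d status={key['Status']}")
    return lines


if __name__ == "__main__":
    print("\n".join(rotation_report(SAMPLE_KEYS)))
```

To run this against a real account, replace `SAMPLE_KEYS` with the concatenated `AccessKeyMetadata` lists from `iam.list_access_keys()` for every user and set `now` to the current UTC time; the classification logic itself needs no change.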
Two-Factor Authentication
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
Enable multi-factor authentication for administrative access to cloud platforms. | Duo two-factor authentication is enabled for AWS console access for all AWS accounts provisioned under the Northwestern contract. | Duo two-factor authentication is enabled for Azure portal access for all Azure accounts provisioned under the Northwestern contract. |
Firewall
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
Enable a host-based or network-based firewall in default deny mode and permit only the minimum necessary services. | Use of AWS Security Groups configured in a default deny mode that permits only the minimum necessary services is strongly recommended. Documentation on AWS Security Groups is available @ | Use of Azure Network Security Groups configured in a default deny mode that permits only the minimum necessary services is strongly recommended. Documentation on Azure Network Security Groups is available @ |
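AWS Security Groups have no deny rules: inbound traffic is dropped unless an allow rule matches, so "default deny mode" in practice means keeping the allow list down to the services the host actually needs. The following added example (not code from the page or from Northwestern IT) audits a security group for rules that exceed that minimum: anything open to the whole internet beyond an approved set of public services, and any "all traffic" rule. It takes data shaped like one element of the `SecurityGroups` list boto3's `ec2.describe_security_groups()` returns; the group id, name and CIDRs are constructed (192.0.2.0/24 is a documentation range), and the approved public set `{("tcp", 443)}` is an assumed policy for a web tier.

```python
# Constructed sample, shaped like one element of the SecurityGroups list that
# boto3's ec2.describe_security_groups() returns (assumption: the group id,
# name and CIDRs are made up; 192.0.2.0/24 is a documentation range).
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-tier",
    "IpPermissions": [
        # HTTPS from anywhere: the one public service this tier is meant to expose
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        # SSH from anywhere: more than the minimum necessary
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # All protocols and ports from a private range: not "minimum necessary services"
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # RDP restricted to a management network: not world-open, so not flagged here
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []},
    ],
}

WORLD = {"0.0.0.0/0", "::/0"}


def rule_sources(rule):
    """All CIDR sources of one ingress rule (IPv4 and IPv6)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_security_group(group, allowed_public):
    """Return findings for rules that exceed 'minimum necessary services'.

    allowed_public: set of (protocol, port) pairs that may be open to the
    world, e.g. {("tcp", 443)}.  Each finding is (group id, kind, detail).
    """
    findings = []
    gid = group["GroupId"]
    for rule in group.get("IpPermissions", []):
        proto = rule["IpProtocol"]
        sources = rule_sources(rule)
        if proto == "-1":
            # "-1" means every protocol and every port; never part of a minimal rule set
            findings.append((gid, "all-traffic", "from " + ", ".join(sources)))
            continue
        world = [s for s in sources if s in WORLD]
        if not world:
            continue  # scoped to specific networks; outside this check's scope
        if proto in ("icmp", "icmpv6"):
            # FromPort/ToPort carry the ICMP type/code here, not a port range
            ports = [rule.get("FromPort", -1)]
        else:
            ports = range(rule["FromPort"], rule["ToPort"] + 1)
        unexpected = [p for p in ports if (proto, p) not in allowed_public]
        if unexpected:
            detail = (f"{proto}/{unexpected[0]}" if len(unexpected) == 1
                      else f"{proto}/{unexpected[0]}-{unexpected[-1]}")
            findings.append((gid, "world-open", f"{detail} from {', '.join(world)}"))
    return findings


if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_GROUP, {("tcp", 443)}):
        print(*finding)
```

Run over every group in an account, this gives the list of rules to tighten before the group can be called "default deny, minimum necessary". Rules scoped to private or management networks are deliberately left to human review here; whether 10.0.0.0/8 should be allowed at all is a question of what the host needs, not something the rule's shape answers.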
Patching
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
Establish a patching strategy appropriate for your environment. A recommended strategy is to apply critical security patches within seven days of publication and all other security patches within 90 days. Use of an automated patch management package is strongly advised. | Confer with your local IT organization on whether an existing automated patching solution is recommended for your AWS environment. In the absence of an existing standard solution, use of AWS EC2 Systems Manager is strongly recommended for all AWS EC2 instances. Information about AWS EC2 Systems Manager is available @ | Confer with your local IT organization on whether an existing automated patching solution is recommended for your Azure environment. In the absence of an existing standard solution, use of Azure Automation Update Management is strongly recommended for all Azure virtual servers. Information about Azure Automation Update Management is available @ |
Centralized Logging
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
Forward all logs to a dedicated log repository. | Enable AWS CloudTrail to log all account activity to a dedicated S3 bucket. (This is configured by default on all AWS accounts provisioned under the Northwestern contract.) Information about AWS CloudTrail is available @ Confer with your local IT organization on whether an existing centralized logging solution is recommended for your EC2 instances. In the absence of an existing standard solution, use of Amazon CloudWatch Logs is strongly recommended to store and monitor logs from all AWS EC2 instances. Information about Amazon CloudWatch Logs is available @ | Confer with your local IT organization on whether an existing centralized logging solution is recommended for your Azure environment. In the absence of an existing standard solution, use of the Azure Log Analytics service is strongly recommended for all Azure workloads. Information about Azure Log Analytics is available @ |
Server Vulnerability Management
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
Utilize a vulnerability management solution to continuously assess cloud hosted servers. | Confer with your local IT organization on whether an existing server vulnerability management solution is recommended for your EC2 instances. In the absence of an existing standard solution, use of AWS Inspector is strongly recommended for all EC2 instances. Information about AWS Inspector is available @ | Confer with your local IT organization on whether an existing server vulnerability management solution is recommended for your Azure virtual servers. In the absence of an existing standard solution, use of Azure Operations Management Suite to perform Baseline Assessments of all Azure virtual servers is strongly recommended. Information about Azure Operations Management Suite is available @ |
Continuous Security Monitoring
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
Utilize a continuous security monitoring solution. | Use of AWS GuardDuty is strongly recommended for continuous security monitoring of AWS resources. Information about AWS GuardDuty is available @ | Use of Azure Security Center is strongly recommended for continuous security monitoring of Azure resources. Information about Azure Security Center is available @ |
Data Protection
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
All data should be encrypted and backed up. | Confer with your local IT organization on whether an existing data protection solution is recommended for your AWS environment. In the absence of an existing standard solution, use scheduled CloudWatch Events to automate snapshots of EBS volumes. Information about EBS snapshots is available @ Enable encryption on all EBS volumes and S3 buckets. Information about encryption options for EBS volumes is available @ Information about encryption options for S3 buckets is available @ | Confer with your local IT organization on whether an existing data protection solution is recommended for your Azure environment. In the absence of an existing standard solution, use Azure Backup and enable encryption on all disks and storage accounts. Information about Azure Backup is available @ Information about encryption for Azure storage accounts is available @ |
Operating Systems
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
Utilize an operating system distribution provided and maintained by either the cloud platform or the OS vendor. | Use of either official AWS AMIs or a community AMI provided by the OS vendor is strongly recommended. Information about AWS AMIs is available @ | Use of either official Azure virtual machine images or images provided by the OS or application vendor is strongly recommended. Information about Azure virtual machine images is available @ |
Version Control, Orchestration, Automation
Recommendation | AWS Suggested Implementation | Azure Suggested Implementation |
---|---|---|
The practices and tools for version control, orchestration, and automation should be utilized to the greatest extent possible for all cloud hosted workloads. Additional information regarding these practices and tools is available @ | Confer with your local IT organization on whether existing version control, orchestration, and automation tools are recommended for your AWS environment. In the absence of an existing standard solution for version control, use of GitHub is recommended as the version control solution for your AWS environment. Information about GitHub is available @ In the absence of an existing standard solution for orchestration, use of AWS CloudFormation is recommended. Information about AWS CloudFormation is available @ | Confer with your local IT organization on whether existing version control, orchestration, and automation tools are recommended for your Azure environment. In the absence of an existing standard solution for version control, use of GitHub is recommended as the version control solution for your Azure environment. Information about GitHub is available @ In the absence of an existing standard solution for orchestration, use of Azure Resource Manager is recommended. Information about Azure Resource Manager is available @ |