Skip to main content

Recommendations

The Northwestern Cloud Planning Group has developed a set of minimum security requirements and management recommendations for all cloud hosted systems.

All IT @ Northwestern organizations are encouraged to leverage these recommendations.

To discuss these recommendations or for advice and guidance on implementation please visit the Resources section of this site.

Account Creation and University Contract Agreements
Recommendation AWS Suggested Implementation Azure Suggested Implementation
 All use of AWS or Azure for storing Northwestern data or hosting Northwestern services should occur in accounts provisioned under or migrated to the Northwestern contracts with AWS and Azure. Leveraging the Northwestern AWS contract provides the following benefits-

  • A negotiated rate on AWS services with up to a 4% discount.
  • Directly bill a chart string rather than a credit card, removing the need for a monthly expense approval process.
  • Access to CloudCheckr, a cost and security management tool.
  • In-house support and consultation from AWS-certified Northwestern IT staff.

Northwestern has a Business Associate Agreement in place with Amazon, which is a requirement for running regulated workloads or storing regulated data with Amazon (e.g. HIPAA). The Business Associate Agreement can only be utilized through an AWS account under the Northwestern contract.

To request a new or to transfer an existing AWS account under the Northwestern contract visit –

https://www.cloud.northwestern.edu/aws/

Leveraging the Northwestern Azure contract provides the following benefits-

  • A negotiated rate on Azure services with up to a 10% discount
  • Directly bill a chart string rather than a credit card, removing the need for a monthly expense approval process
  • Access to CloudCheckr, a cost and security management tool for cloud services, at no extra cost
  • In-house support and consultation from Northwestern IT staff

Northwestern has a Business Associate Agreement in place with Microsoft, which is a requirement for running regulated workloads or storing regulated data with Azure (e.g. HIPAA). The Business Associate Agreement can only be utilized through an Azure account under the Northwestern contract.

To request a new or to transfer an existing Azure account under the Northwestern contract visit-

https://www.cloud.northwestern.edu/azure

Cost Optimization
 Recommendation  AWS Suggested Implementation  Azure Suggested Implementation
Account owners should review account charges regularly to mitigate the risk of unauthorized or unintended use of cloud resources.  Additionally, account holders should regularly review available cost management tools for insight on recommended resource sizing and available purchasing options to optimize total cost.

Account owners should regularly review CloudCheckr’s Cost and Savings reports.

Additionally account holders should regularly review the AWS Trusted Advisor dashboard available within the AWS management portal for additional cost optimization recommendations.

Information about AWS Trusted Advisor is available @

AWS Trusted Advisor

Account owners should regularly review CloudCheckr’s Cost and Savings reports.

Additionally account owners should review the Azure Advisor service, available within the Azure portal, for cost optimization recommendations.

Information about Azure Advisor is available @

Azure Advisor

Leverage Hybrid use benefit for reduced cost on Windows server instances.

Information about Azure Hybrid use benefit is available @

Azure Hybrid Use Benefit

Credentials and Access Control
Recommendation AWS Suggested Implementation Azure Suggested Implementation

All faculty, staff, and students should use NetID-based federated authentication for access to a cloud provider’s administrative console.

For API or service account access, create identifiable user accounts with appropriate role-based access control.

Rotate all access keys periodically.

NetID-based federated authentication is enabled by default for administrative access to the AWS console for all AWS accounts created or transferred to the Northwestern contract.

All IAM user accounts created for programmatic access should use a clearly identifiable user name (use of the creator’s NetID is highly recommended) and granted the least level of privilege required.

IAM Access Keys and EC2 Key Pairs should be rotated on at least an annual basis.

Additional best practices for AWS IAM are available @

AWS IAM

NetID-based federated authentication is enabled by default for administrative access to the Azure console for all Azure accounts created or transferred to the Northwestern contract.

Programmatic access to Azure is available through NetID-based federated authentication and does not require the creation and management of separate user accounts.

Information for the use of Azure Role-Based Access Control to support the practice of least privilege is available @

Azure Role-Based Access Control

Two-Factor Authentication
Recommendation AWS Suggested Implementation Azure Suggested Implementation
Enable multi-factor authentication for administrative access to cloud platforms. Duo Two Factor authentication is enabled for AWS console access for all AWS accounts provisioned under Northwestern contract. Duo Two Factor authentication  is enabled for Azure Portal access for all Azure accounts provisioned under the Northwestern contract.
Firewall
Recommendation AWS Suggested Implementation Azure Suggested Implementation
Enable host-based or network based firewall in default deny mode and permit the minimum necessary services.

Use of AWS Security Groups configured in a default deny mode that only permit the minimum necessary services is strongly recommended.

Documentation on AWS Security Group is available @

Amazon VPC

Use of Azure Network Security Groups configured in a default deny mode that only permit the minimum necessary services is strongly recommended.

Documentation on Azure Network Security Groups is available @

Azure Network Security Groups

Patching
Recommendation AWS Suggested Implementation Azure Suggested Implementation
Establish a patching strategy appropriate for your environment.  A recommend strategy is to apply critical security patches within seven days of publish and all other security patches within 90 days. Use of an automated patch management package is strongly advised.

Confer with your local IT organization if an existing automated patching solution is recommended for your AWS environment.

In the absence of an existing standard solution, use of AWS EC2 Systems Manager is strongly recommended for all AWS EC2 instances.

Information about AWS EC2 Systems Manager is available @

AWS EC2 Systems Manager

Confer with your local IT organization if an existing automated patching solution is recommended for your Azure environment.

In the absence of an existing standard solution, use of Azure Automation Update Management is strongly recommended for all Azure virtual servers.

Information about Azure Automation Update Management is available @

Azure Automation Update Management

Centralized Logging
Recommendation AWS Suggested Implementation Azure Suggested Implementation
Forward all logs to a dedicated log repository.

Enable AWS Cloudtrail to log all account activity to a dedicated S3 bucket.  (This is configured by default on all AWS accounts provisioned under the Northwestern contract.)

Information about AWS Cloudtrail is available @

AWS Cloudtrail

Confer with your local IT organization if an existing centralized logging solution is recommended for your EC2 instances.

In the absence of an existing standard solution, use of Amazon Cloudwatch Logs is strongly recommended to store and monitor logs from all AWS EC2 instances.

Information about Amazon Cloudwatch Logs is available @

Amazon CloudWatch Logs

Confer with your local IT organization if an existing centralized logging solution is recommended for your Azure environment.

In the absence of an existing standard solution, use of Azure Log Analytics service is strongly recommended for all Azure workloads.

Information about Azure Log Analytics is available @

Azure Log Analytics

Server Vulnerability Management
Recommendation AWS Suggested Implementation Azure Suggested Implementation
Utilize a vulnerability management solution to continuously assess cloud hosted servers.

Confer with your local IT organization if an existing server vulnerability management solution is recommended for your EC2 instances.

In the absence of an existing standard solution, use of AWS Inspector is strongly recommended for all EC2 instances.

Information about AWS Inspector is available @

AWS Inspector

Confer with your local IT organization if an existing server vulnerability management solution is recommended for your Azure virtual servers.

In the absence of an existing standard solution, use of Azure Operations Management Suite to perform Baseline Assessments of all Azure virtual servers is strongly recommended.

Information about Azure Operations Management Suite is available @

Azure Operations Management Suite

 Continuous Security Monitoring
Recommendation AWS Suggested Implementation Azure Suggested Implementation
Utilize a continuous security monitoring solution.

Use of AWS GuardDuty is strongly recommended for continuous security monitoring of AWS resources.

Information about AWS GuardDuty is available @

AWS GuardDuty

 

Use of Azure Security Center is strongly recommended for continuous security monitoring of Azure resources.

Information about Azure Security Center is available @

Azure Security Center

 Data Protection
Recommendation AWS Suggested Implementation Azure Suggested Implementation
All data should be encrypted and backed up.

Confer with your local IT organization if an existing data protection solution is recommended for your AWS environment.

In the absence of an existing standard solution, utilize scheduled CloudWatch events to automate snapshots of EBS volumes.

Information about EBS snapshots is available @

AWS EBS

Enable encryption on all EBS volumes and S3 bucket.

Information about encryption options for EBS volumes is available @

AWS EBS Encryption

Information about encryption options for S3 buckets is available @

AWS S3 Encryption

Confer with your local IT organization if an existing data protection solution is recommended for your Azure environment.

In the absence of an existing standard solution, utilize Azure Backup and enable encryption on all disks and storage accounts.

Information about Azure Backup is available @

Azure Backup

Information about encryption for Azure storage accounts is @

Azure Storage Account Encryption

 Operating Systems
Recommendation AWS Suggested Implementation Azure Suggested Implementation
Utilize an Operating System distribution provided and maintained by either the cloud platform or the OS vendor.

Use of either official AWS AMIs or a community AMI provided by the OS vendor is strongly recommended.

Information about AWS AMIs is available @

AWS AMI

Use of either official Azure virtual machine images or images provided by the OS or application vendor is strongly recommended.

Information about Azure machine images is available @

Azure Machine Images

Version Control, Orchestration, Automation
Recommendation AWS Suggested Implementation Azure Suggested Implementation

The practices and tools for version control, orchestration, and automation should be utilized to the greatest extent possible for all clouded hosted workloads.

Additional information regarding these practices and tools is available @

Cloud Practices

Confer with your local IT organization if a existing version control, orchestration, and automation tools are recommended for your AWS environment.

In the absence of an existing standard solution for version control, use of Github is recommended as a version control solution for your AWS environment.

Information about Github is available @

Github

In the absence of an existing standard solution for orchestration use of AWS Cloud Formation is recommend.

Information about AWS Cloud Formation is available @

AWS CloudFormation

In the absence of an existing standard solution for automation, use of Jenkins is strongly recommended.

Information about the Northwestern IT supported Jenkins service is available @

Cloud Practices

Confer with your local IT organization if a existing version control, orchestration, and automation tools are recommended for your AWS environment.

In the absence of an existing standard solution for version control, use of Github is recommended as a version control solution for your AWS environment.

Information about Github is available @

Github

In the absence of an existing standard solution for orchestration use of Azure Resource Manager is recommend.

Information about Azure Resource Manager is available @

Azure Resource Manager

In the absence of an existing standard solution for automation, use of Jenkins is strongly recommended.

Information about the Northwestern IT supported Jenkins service is available @

Cloud Practices