Educause Security Discussion mailing list archives

Re: SaaS responsibilities


From: Nick Lewis <nlewis () INTERNET2 EDU>
Date: Mon, 31 Aug 2015 17:52:16 +0000

Hi Thomas,

For the enterprise scale cloud apps, we're trying to address some of your questions through the Internet2 NET+ 
initiative:

http://www.internet2.edu/vision-initiatives/initiatives/internet2-netplus/

We have requirements around identity management, security, accessibility, etc. We have fairly rigorous security 
requirements in the contracts and engage with the campus information security staff during the NET+ service validation 
for the service validation campuses to sign off on the security on the service provider.

On your question about identifying unknown cloud services, there are some vendors in this space that can help with this 
and a couple are engaging in the NET+ security and identity portfolio.

Thanks,

Nick

Nick Lewis
NET+ Program Manager, Security and Identity
Internet2
nlewis () internet2 edu


From: Tomo <tomo () LONDON EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, August 28, 2015 at 2:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SaaS responsibilities

If a view from the other side of the pond would help, you could look at

https://www.jisc.ac.uk/guides/cloud-computing-in-detail

There are several sections worth taking a look at.
Some of our laws in Europe have a different emphasis, but the intent is similar.

HTH

_________________________________

Tomo | Senior Infrastructure Engineer - Networks, Telecoms & Security.
Direct line +44 (0)20 7000 7777

www.london.edu | London experience. World impact.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Steve Terry
Sent: 28 August 2015 19:19
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SaaS responsibilities

Thomas:

Might I recommend looking at ECAR's Cloud Working Group: http://www.educause.edu/ecar/ecar-working-groups/cloud

The Cloud Working Group is actively engaged in publishing a seven-part series called "PREPARING YOUR IT ORGANIZATION 
FOR THE CLOUD" (part 3 of the series is due to be published within days). This paper is attempting to address some of 
the problems and questions you have raised.

For your consideration.

Steve

Steve Terry
Director of Enterprise Applications
ITS
Denison University
Fellows Hall - 102B
Granville, OH 43023
740-587-8685 | www.denison.edu

On Fri, Aug 28, 2015 at 1:32 PM, Thomas Carter <tcarter () austincollege edu> wrote:
Here, as I'm sure is happening everywhere, SaaS usage is exploding across campus. We in IT are struggling with forming 
policies around such usage and our responsibilities around those services. I would appreciate input on how others are 
handling this SaaS hydra. Does IT track all external services used? Does IT have the rights and/or information and/or 
responsibility for administration of these services? Does IT have any right of refusal for possibly insecure or 
unvetted services? Does IT have any other applicable policies such as SSO requirements, etc.?

We're struggling with issues like when an employee leaves, how can we make sure they no longer have access to any 
school resources when some of those only reside in the cloud? Or when we don't even know about the service? How do we 
make sure a chosen solution integrates well into the rest of our environment when we may not be involved in the 
selection process?

I appreciate any answers, advice, or suggestions you can offer.

Thomas Carter
Network & Operations Manager
Austin College


