Application Hosting and Management Standards

Introduction 

This document aims to identify a set of standards that applications must meet to operate on the University at Albany's network. This document is not intended to impart all knowledge required to operate and administer an application but to identify standards and procedures that Application Administrators should be familiar with and prepared to address. 

Scope

The following standards and procedures apply to any application that is hosted on a UAlbany Server or delivered via a Software as a Service cloud model.  The standards do not apply to desktop or workstation applications.  

Standards and Procedures

Application Portfolio Management

  • All university applications must be registered in the UAlbany Application Portfolio managed by ITS. 
  • ITS Service Owners must register and deregister applications using documented portfolio maintenance procedures. 
  • Campus Application Administrators must request ITS Service Desk assistance for proper registration.
  • Regular assessment of the application portfolio should be performed to eliminate redundancy, reduce complexity, and optimize resource allocation. This involves analyzing factors such as usage, cost, performance, and strategic alignment. This activity is referred to as application rationalization.

 Exposure and Accessibility

  • UAlbany applications should not be exposed to internet traffic by default, accessible only via the campus network or VPN. 
  • If an application requires internet access: 
    • ITS Application Administrators must submit an Ad hoc consultation request to the ARB for review and approval.
    • Campus Application Administrators should submit an AskIT request to the ITS Service Desk, so it can be routed by an assigned Service Owner to the ARB for review and approval. 

Security Incident and Response 

Operational Support 

  • Where possible, all applications should have at least 2 assigned Application Administrators capable of providing operational support. 
  • Application Administrators must comply with all applicable published ITS standards. 
  • ITS Application Administrators and Service Owners should collaborate with the ITS Service Desk to ensure ITS Service Desk – Role 1 and 2 Responsibilities for their application are well defined. 
  • ITS Application Administrators and Service Owners should collaborate with the Service Desk to determine if the Service Desk is required to perform Role 2 tasks for the application to be documented here: Services with ITS Service Desk on the Service Team 
  • Application Administrators and must maintain comprehensive documentation, knowledge bases, and support resources to facilitate effective application support and troubleshooting. Document known issues, resolutions, workarounds, and best practices to enable support teams to resolve incidents efficiently. 

Patching and Vulnerability Management: 

  • Application Administrators must ensure that all assigned applications are up to date with the latest patches provided by vendors. 
  • Application patching procedures and schedules should be documented.  ITS Administrators should document all patching procedures within their assigned service team’s documentation space in the ITS Wiki. 
  • Application Administrators should automate patch management where possible to ensure timely application of security updates. 
  • Application Administrators should remain aware of emerging vulnerabilities and threats by subscribing to vendor alerts, security advisories, and industry news sources. 
  • Application Administrators should work with the ITS' CISO to configure regular vulnerability scanning and penetration testing of applications to identify and remediate security weaknesses and vulnerabilities.  
  • Application administrators and service owners should have a well-defined action plan to remediate identified vulnerabilities with clearly defined roles, responsibilities, timelines and deadlines.  

Data Security

  • Application Administrators must know and understand the procedures for managing data, which vary based on the classification of stored data. 
  • Collaborate with ITS' CISO for applications storing Category 1 data to ensure sufficient security measures. 
  • Most data, regardless of classification, should use strong encryption algorithms (e.g., AES-256) and secure key management practices to safeguard sensitive data. 
  • Access controls for application data should be enforced to restrict access to data at rest based on the principle of least privilege. Use role-based access control (RBAC) or attribute-based access control (ABAC) to ensure that only authorized users can access sensitive data.  Application Administrators should work with ITS' Disaster Recovery and Business Continuity (DR/BC) Service team to verify secure backup and recovery processes are in place for the application data relevant to their supported application in compliance with the ITS File Storage, Recovery and Backup/Retention Standard.

Authentication, Authorization and Configuration 

  • All applications must comply with the Account Authentication Standard outlined within the Identity and Access Management Policy. 
  • Application Administrators should follow the principle of least privilege and configure user roles and permissions to minimize access only to what is necessary for performing their tasks, reducing the potential impact of security incidents. 
  • Application or service owners must have an established process for privilege escalation for users to request an increase in privileges, request review and approval or denial. Application Administrators should remove or disable unnecessary features, services, and accounts that come by default with commercial of the shelf (COTS) applications. 

Change Control 

Hosting 

  • Application servers, databases, and other components should be configured securely based on industry best practices and security guidelines. Disable unnecessary services, remove default accounts, and apply security hardening measures. 
  • In most cases, applications should have at least a production and suitable test environment for testing patches and changes and validating patches for stability and functionality before deployment. To ensure each application is adequately monitored, administrators must comply with ITS monitoring and alerting standards. 

Monitoring and Alerting 

  • Application Administrators and Service Owners should clearly define the objectives of application monitoring, including performance monitoring, availability monitoring, security monitoring, and user experience monitoring. Identify key performance indicators (KPIs) and metrics to measure and track. 
  • Application Administrators and Service Owners should define and configure alerts and notifications to alert IT staff or stakeholders of abnormal or critical conditions detected during monitoring. Define thresholds for key metrics and establish notification channels (e.g., email, SMS, chat) for timely alerting. 

Password Management 

  • All application account credentials should meet ITS password complexity standards and be stored in a secure password management solution such as LastPass, which is ITS' standard solution for password management. 

Certificates, Compliance, and Auditing 

  • Customer-facing web-based applications must use valid SSL certificates issued by a recognized certificate authority. 
  • Application administrators must comply with ITS' applicable Identity and Access Management certificate management standards. 
  • Application Administrators should work with the CISO to ensure all applications comply with relevant laws, regulations, and standards (e.g., FERPA, HIPAA, GDPR). 
  • Application Administrators must perform regular security audits and risk assessments to identify and mitigate potential vulnerabilities.Â