LEGAL AND SECURITY
UCX Information Security Policy & HIPAA Compliance
Last updated: August, 2019
Cloud computing is an actively evolving paradigm; its use cases, technologies, challenges and benefits are being refined in day-to-day business by both the public and private sectors. The definitions used in this document will evolve over time, but they serve as a basis for understanding the cloud computing and multi-cloud architecture that UCX uses to provide top-notch services across a world of multiple cloud service providers and their customers. According to NIST (National Institute of Standards and Technology), cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources, such as networks, servers, storage, applications and services, that can be rapidly provisioned and released with minimal management effort or service-provider interaction for virtualized compute resources. This Information Security Policy document touches all aspects of security, company confidential information and access to sensitive information. UCX is a cloud company, so before moving on to the heart of the information security policy there is a need to go through cloud computing, its definition and its security; the first couple of paragraphs establish the definitions of what the policies then protect.
Cloud Computing Definition
According to NIST (National Institute of Standards and Technology), cloud computing is composed of five distinct essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.
NIST Essential Characteristics
On-demand self-service – A consumer can provision computing resources such as virtual servers, network storage and other services provided by a Cloud Service Provider as needed, without requiring human interaction.
Broad network access – Compute resources are available over the network and accessed through standard mechanisms that allow access from multiple client types, such as personal computers, mobile phones or tablet computers.
Resource pooling – The Cloud Service Provider’s compute resources are pooled to serve multiple consumers at a time using a multi-tenant model, in which different physical and virtual software and hardware resources are dynamically assigned and reassigned to support consumers’ needs. There is a degree of location independence, in that the customer can specify location only at a high level (such as country, state or data center). Software and hardware resources include storage, processing power, memory, network bandwidth, virtual machines and operating systems.
Rapid elasticity – Compute resources and capabilities can be rapidly, elastically and in some cases automatically provisioned to enable customers to quickly scale in or out. Provisioning capabilities often appear to be unlimited and can be purchased in any quantity at any time.
Measured service – Cloud systems provide automatic resource control and optimization by leveraging metering capabilities at a level of abstraction that depends on the service type (such as storage, processing, bandwidth or disk utilization). Compute resources can be monitored, controlled and reported, providing transparency for both the provider and the consumer of the utilized service. UCX takes a cloud-agnostic approach to the measured (or metered) service it offers to its customers, using a licensed WAC algorithm.
Software as a Service (SaaS)
According to ITU-T (International Telecommunications Union – Telecommunication Standardization Sector of ITU) Recommendation Y.3500, SaaS is defined as a service category where customers have an application available from the cloud service provider. NIST has a more complete definition in SP 500-291, where SaaS is defined as an application provided to a user which is available from different clients and whose user does not manage the cloud computing infrastructure. The term Software as a Service (SaaS) is associated with business applications such as Atlassian Jira, Google Drive and Dropbox, to name a few. SaaS applications are charged in the form of a user fee.
From the end user’s perspective, SaaS is the visible part of the cloud computing environment. To control that application and environment, users have access through a dedicated application that, in most cases, resides on the web. A web application has numerous benefits, but the most prominent is that users do not have to install a client application, which reduces maintenance costs for the provider and spares the user frustration; it requires only a web browser, which is already installed as standard on all modern operating systems.
Another benefit of SaaS to the user is that the entire application is run by the provider, which means the user does not have to be concerned about updating or backing up data; this is done by the application provider. This benefits not only users but also developers when maintaining and updating the application: developers apply the update in the data center environment and it is released for all users at the same time, without having to go through software repairs and maintenance on each user’s computer via software updates. This ensure