Skip to main content

Cornell University

Security Tiers

Standard, plus, and extra tier access control explained for managed servers. Specifics about Confidential Data and related policies. 

This article applies to: Managed Servers

In This Article

Security is an important consideration for any service. When configuring a new service or server, the Service Owner should take into consideration the access requirements and the type of data involved. Systems Support provides different levels of security to allow flexibility in configuring different types of servers and services. 

Please note that the security of non-managed servers (co-location) is the responsibility of the customer.

For managed servers, there are three security tiers. There is no additional cost for any tier.

  • Standard tier: Provides no default Network ACL for servers that need less stringent security, for example, academic collaboration.
  • Plus tier: Provides a protective Network ACL for servers that handle university business (Blackboard, e-mail, web servers, etc.).
  • Extra tier: Provides a stateful firewall and 2-factor authentication for infrastructure servers that control access to networks, storage, or other servers, and for servers that store confidential data as outlined in Policy 4.12, Data Stewardship and Custodianship. (HR, payroll, student data, etc.)

Choosing a Security Tier

Choosing the appropriate security tier is the responsibility of the Service Owner. There is no additional cost for any tier. When deciding which security option is best, the most important considerations are:

  • What service is offered over the network?
  • What type of data resides on the machine?
  • Who is the audience (campus, world-wide)?
  • Who needs direct access (login) to the machine?
  • What are the applicable laws and regulations such as HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), PCI (payment card industry).
  •  How to comply with Policy 5.10, Information Security.

Managed Server Benefits for all Tiers

  • OS hardening during image build.
  • Centralized account provision/deprovision and SUDO command privilege.
  • Centralized host-based and firewall IP rules.
  • OS patching, firmware updates.
  • Infrastructure and System monitoring with 24X7 escalation procedures.
  • High availability through redundant network routers and switches, VMware technology and load balancing.
  • Data recovery options with two datacenters in two different buildings.
  • Secure SAN disk array for application storage with easy capacity adjustments.
  • External security scanning every 3 months. An application or system vulnerability that allows remote compromise will be addressed as quickly as possible.

Standard Tier Access Control

Default, host-based firewall, additional network ACLs available upon request. 

Plus Tier Access Control

Server is placed on a Plus tier network with a default network ACL restricting remote administrative access to the CUVPN or SSH Hopper machine.

Extra Tier Access Control

  • Servers are placed on an Extra tier network behind the Server Farm firewall on a 10-space IP address. A default firewall ACL will restrict administrative access through the Server Farm firewall VPN or the hopper machines.
  • Access to the Server Farm firewall VPN and the SSH and RDP hopper machines will be 2-factor (via Duo Two-Step Login). 
  • External security scan will be every month. Both level 20 and level 30 vulnerabilities will be addressed.

Additional Concerns for Confidential Data

The extra tier is built to provide an environment to meet requirements in Policy 4.12, Data Stewardship and Custodianship,  Policy 5.10 Information Security, and also to allow Service Owners to comply with applicable laws and regulations such as HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), PCI (payment card industry). All attempts must be made to protect confidential data; however the data will leave the Extra tier and be sent to other servers and even client machines in order to be actually used. Authentication to pull data, scope of data, analysis of how the data travels across the network, local storage of data on other servers and client machines needs to be analyzed on a case by case basis by the Service Owner in conjunction with the ITSO (IT Security Office).

Guidelines for treatment of confidential data:

  • Confidential data should be encrypted when it leaves the Extra Tier network, in transport across other networks and within Backup systems (TSM) or Email.
  • All actions taken against confidential data should be logged and tracked to an individual.
  • Data stores locally mounted to a server (shared or not) are considered stored on that server. (SAN LUN, iSCSI, NFS, AFS, CIFS, and RAM disk)
  • Data stores accessed remotely but not stored on a local data store needs to be authenticated,  encrypted, and logged.  (HTTPS,  LDAP,  SQL, SQL*Plus, JDBC,  ODBC)
  • The Security Office advises the use of a secure erasure protocol (DoD 5220 or similar) when deleting confidential data stored in the Extra Tier. ID Finder offers secure erase function. For more information, see How to Handle Scan Results in Identity Finder for Windows.

In practicality this means:

  • If the data is written to a mounted disk, the server should be in the extra tier.
  • Application servers inside the extra tier accessing data stores within the extra tier do not have to have their traffic encrypted.
  • Application servers outside the extra tier remotely accessing data stores within the extra tier should have their traffic encrypted.
  • Follow the principle of least privilege for accessing remote data stores. The credentials used should only have access to appropriate data.  
  • Special consideration should be given to applications that manage or have full access to the data in a remote data store in the extra tier.
  • A bastion host (separated protected host) should be used for external interface accounts for drop-off and pick-up of confidential data to minimize exposure to the data and remote access to the confidential data store. The data should remain on the bastion host for a short period of time before being removed.
  • A secure workstation environment should be provided for client software that has full, unfettered access to confidential data. Desktop environments are vulnerable to drive-by downloads that can compromise data.

What if technical or time constraints prevent moving confidential data stores into the extra tier?

If more time or extensive technical adjustments are needed, then an exception may be requested. Email The systems support group will work with you, consulting with the IT Security Office if necessary, to accommodate your needs. Your request should include:

  • Application or service and tier placement.
  • What criteria of the tier could not be met and exception requested.
  • Mitigation plan to lessen risks posed by exception.
  • Expected duration of the exception.
  • Date for next review of exception (typically 6 months).


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.