Skip to main content

Cornell University

Security Tiers

Standard, plus, and extra tier access control is explained for managed servers. Specifics about Confidential Data and related policies are provided. 

This article applies to: Managed Servers

On This Page

Security is an important consideration for any service. When configuring a new service or server, the Service Owner should take into consideration the access requirements and the type of data involved. The Managed Servers offering provides different levels of security to allow flexibility in configuring different types of servers and services. 

Please note that the security of non-managed servers (whether co-located in the datacenter, or in the Cloud) is the responsibility of the customer.

For managed servers, there are three security tiers. There is no additional cost for any tier.

  • Standard tier: Provides an open firewall for servers that need less stringent security, for example, academic collaboration.  Note, this level is being deprecated.
  • Plus tier: Provides a more protective firewall for servers that provide university services (e-mail, web servers, etc.).
  • Extra tier: Provides a tightly controlled firewall and 2-factor authentication for infrastructure servers that control access to networks, storage, or other servers, and for servers that store confidential data as outlined in Policy 4.12, Data Stewardship and Custodianship. (HR, payroll, student data, etc.)

Choosing a Security Tier

Choosing the appropriate security tier is the responsibility of the Service Owner. There is no additional cost for any tier. When deciding which security option is best, the most important considerations are:

  • What service is offered over the network?
  • What type of data resides on the machine?
  • Who is the audience (campus, world-wide)?
  • Who needs direct access (login) to the machine?
  • What are the applicable laws and regulations, such as HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), PCI (payment card industry)?
  •  How to comply with Policy 5.10, Information Security.

Managed Server Benefits for all Tiers

  • OS hardening during image build.
  • Centralized account provision/deprovision and SUDO command (linux) privilege.
  • Centralized host-based and firewall IP rules.
  • OS patching, firmware updates.
  • Infrastructure and System monitoring with 24X7 escalation procedures.
  • High availability through redundant network routers and switches, virtualization technology and load balancing.
  • Data recovery options with two on-premises datacenters in two different buildings as well as cloud based servers in AWS and Azure.
  • Secure application storage with easy capacity adjustments.
  • Automated security scanning and prevention. An application or system vulnerability that allows remote compromise will be addressed as quickly as possible.

Standard Tier Access Control

Due to more modern security requirements, this tier is being deprecated. New servers will not be deployed at this tier.

Plus Tier Access Control

Server is placed on a Plus tier network with a default network ACL restricting remote administrative access to the CUVPN or Hopper machine (with SSH or Windows Remote Desktop).

Extra Tier Access Control

  • Servers are placed on an Extra tier network behind a firewall on a 10-space IP address. A default firewall ACL will restrict administrative access through the firewall VPN or the hopper machines.
  • Only requested service ports are opened through the firewall.
  • Access through the SSH and RDP hopper systems will require 2-factor login (via Duo Two-Step Login). 

Additional Concerns for Confidential Data

The extra tier is built to provide an environment to meet requirements in Policy 4.12, Data Stewardship and Custodianship,  Policy 5.10 Information Security, and also to allow Service Owners to comply with applicable laws and regulations such as HIPAA (Health Insurance Portability and Accountability Act), FERPA (Family Educational Rights and Privacy Act), PCI (payment card industry). All attempts must be made to protect confidential data; however the data will leave the Extra tier and be sent to other servers and even client machines in order to be actually used. Authentication to pull data, scope of data, analysis of how the data travels across the network, local storage of data on other servers and client machines needs to be analyzed on a case by case basis by the Service Owner in conjunction with the ITSO (IT Security Office).

Guidelines for treatment of confidential data:

  • Confidential data should be encrypted when it leaves the Extra Tier network, in transport across other networks and within Backup systems or Email.
  • All actions taken against confidential data should be logged and tracked to an individual.
  • Data stores locally mounted to a server (shared or not) are considered stored on that server. (SAN LUN, iSCSI, NFS, AFS, CIFS, and RAM disk)
  • Data stores accessed remotely but not stored on a local data store need to be authenticated,  encrypted, and logged. (HTTPS,  LDAP,  SQL, SQL*Plus, JDBC,  ODBC)
  • The Security Office advises the use of a secure erasure protocol (DoD 5220 or similar) when deleting confidential data stored in the Extra Tier. ID Finder offers secure erase function. For more information, see How to Handle Scan Results in Identity Finder for Windows.

In practicality this means:

  • If the data is written to a mounted disk, the server should be in the extra tier.
  • Application servers inside the extra tier accessing data stores within the extra tier do not have to have their traffic encrypted.
  • Application servers outside the extra tier remotely accessing data stores within the extra tier should have their traffic encrypted.
  • Follow the principle of least privilege for accessing remote data stores. The credentials used should only have access to appropriate data.  
  • Special consideration should be given to applications that manage or have full access to the data in a remote data store in the extra tier.
  • A bastion host (separated protected host) should be used for external interface accounts for drop-off and pick-up of confidential data to minimize exposure to the data and remote access to the confidential data store. The data should remain on the bastion host for a short period of time before being removed.
  • A secure workstation environment should be provided for client software that has full, unfettered access to confidential data. Desktop environments are vulnerable to drive-by downloads that can compromise data.

What if technical or time constraints prevent moving confidential data stores into the extra tier?

If more time or extensive technical adjustments are needed, then an exception may be requested. Email The Managed Server group will work with you, consulting with the IT Security Office, if necessary, to accommodate your needs. Your request should include:

  • Application or service and tier placement.
  • What criteria of the tier could not be met and exception requested.
  • Mitigation plan to lessen risks posed by exception.
  • Expected duration of the exception.
  • Date for next review of exception (typically 6 months).


To share feedback about this page or request support, log in with your NetID

At Cornell we value your privacy. To view
our university's privacy practices, including
information use and third parties, visit University Privacy.