ITS Service Level Agreement - Virtual Server Hosting Service

Description

The Virtual Server Hosting Service provides the UH community with access to virtual servers running a Red Hat Enterprise Linux (RHEL) or a Microsoft Windows operating system. ITS utilizes a VMware cluster for the provisioning of the virtual servers. The size/configuration of the virtual servers can change over time as needs change.


Show Stoppers

There are some scenarios where this service will not be appropriate. Below are some examples:

  • This service may not be used where PCI compliance is required.
  • Hardware requirements for peripherals such as sound cards.
    • A colocation request may have to be considered instead.
  • Operating systems that are not ITS-supported (e.g., Ubuntu, CentOS).
    • This limitation is due to our need to provide monthly auditing of OS patching.
  • Firewall rules that are deemed to be a security risk by the ITS TI-Security team.
    • E.g., opening MySQL to the world.

Benefits

Infrastructure Benefits

  • The environmentally hardened IT Center Data Center can reduce the risk of your equipment being damaged or unavailable due to natural disasters.
     
  • Efficient power and cooling reduces UH’s use of natural resources and overall expenses.
     
  • Highly redundant components; reliable power and cooling will increase the uptime of your hosted applications.
     
  • Continue to have full control of your system without worrying about buying, installing, supporting or replacing hardware.

Hosted Virtual Server Benefits

  • New servers can be set up within a few days, so you no longer have to go through long procurement processes to get your equipment.
     
  • You can grow or shrink your virtual server over time, which ensures you don't spend too much money by over-configuring your systems.
    • Caveats include:
      • Shrinking disk on Windows is generally not recommended.
      • While we can increase resources without a reboot, decreasing resources will require a reboot.
         
  • OS upgrade support for major releases
    • A new virtual server of similar configuration will be provided at no additional cost for a period of 1 month to facilitate migration.
    • Where possible IP addresses will be preserved upon request.
    • CNAME(s) will be updated as needed for cutover to the new virtual server.
       
  • Duo integration is supported at no additional cost
    • The catch is that only UH Usernames are supported since the Duo namespace is integrated with the UH Login username space.
    • Multi-factor is highly recommended for securing shell access.

Optional Benefits, at Additional Cost

Your server can be backed up to a second location, providing additional protection from data loss even in the case of a major disaster.

Operating Systems

Available

Operating systems are no longer available once they reach end-of-life.  New operating systems are added as ITS fully incorporates them into its deployment scripts.

Highly recommended:

  • Multifactor authentication is highly recommended for securing remote access, such as RDP and SSH.

OS Support Resources

OS support is not included in this service, nor is there support for the applications you plan to install. There are resources available online and the UH App Dev community via their LISTSERV list may be able to help since many of them manage operating systems. ITS staff also participate on this list. Here are some resources to consider:

ITS Responsibilities

Initial

  • Review the "Production Readiness Questionnaire" and Virtual Server Intake Form.

  • Perform initial installation of the new virtual server's OS

    Note: ITS will not have access to the operating system (OS) once it is handed over to the owner.

  • Provide vCenter console access to the new virtual server
     
  • Provide for virtual server reboot, shutdown, and the viewing of resource utilization statistics.

  • Register the virtual server in the InfoSec Server Registration database.

  • Preinstall backup client if backups are included with the new virtual server request. Backups are required, but customers can use their own backup service.

Ongoing

  • Provide firewall changes as needed, upon request and pending vetting from TI-Sec.
  • Respond to requests for support in using this service.
    • Requests can be sent to itscs@hawaii.edu.
    • Support for the hosted applications is not provided.
  • Adjust virtual server resource utilization as needed, upon request.
  • Perform monthly security audit to ensure that the OS is being updated monthly.
  • Provide annual billing. Billing inquiries can be made to itsdc@hawaii.edu.
     
  • Provide:
    • Backups and restores, if this optional cost service is requested.
    • Support.
      • ITS can provide consulting assistance to help you plan for your use of the service.
      • ITS will provide best effort support during business hours, subject to availability of staff resources.
    • Power, cooling, and network services.
    • Physical monitoring.
      • ITS will physically monitor the data center to make sure only approved personnel enter the facility. Ensure physical security, monitoring and other services.
    • Network monitoring.
      • ITS will monitor the data center network, and other support services to ensure they are available and operating as expected.
    • Outage communications:
      • Unplanned outages.
        • An unplanned outage is a service interruption of the hardware or the supporting network infrastructure. ITS will post information about any unexpected outages on the ITS web site at http://www.hawaii.edu/alerts.
      • Planned outages.
        • A planned outage is defined as a service interruption that has been arranged in advance by ITS personnel.
        • Outages will be scheduled during non-business hours when possible.
        • ITS will give customers as much advance notice as possible for scheduled outages.
    • Security vulnerability outages will follow the ITS TI-Security patching principles.
    • ITS teams use the following groupings to determine when patches should be applied (grouping: description; time to patch within):
      • Emergency: A very rare high profile security exposure that is specially designated by the CISO (e.g. Heartbleed); ASAP (ideally within 24-48 hours).
      • Critical: A vendor (or patch provider) has denoted its highest rating for the patch. Generally this means a vulnerability that could be exploited by a remote, unauthenticated attacker and could lead to system compromise without requiring user interaction; 14 days.
      • Monthly: Operating system patches, such as RHEL and Windows; 30 days.
      • Other: All other patches; 90 days.

End-of-Life

  • Upon request, securely decommission the virtual server and cease billing.

Virtual Server Owner Responsibilities

Preparation

  • Complete the "Production Readiness Questionnaire" as part of the Virtual Server Intake Form: http://hawaii.edu/askus/1848
  • Design for compliance with UH Executive Policies such as EP 2.210, EP 2.214, and EP 2.215. Links to policies can be found at https://www.hawaii.edu/infosec/policies/
  • Ensure that the appropriate firewall rules are specified.
  • Ensure that a backup strategy for institutional data protection is planned from the outset.

Administrative

You must:

  • Identify at least one full-time staff as the virtual server's system administrator.
    • Ensure that at least one full-time staff member is assigned system and application administration responsibilities. Students cannot be the primary system administrator.
    • Let ITS know in a timely fashion when changes to personnel are necessary, for example, when a designated system administrator leaves your department.
    • It is highly recommended that you have a backup system administrator assigned to your virtual server.
       
  • When requesting additional CPUs for example, ensure that any associated increases in application licensing costs are appropriately addressed.
    • E.g., an increase in CPU resources might require increased Microsoft SQL Server licensing costs.
       
  • If requesting ITS backups
    • Install the ITS backup client (see reference section at the end of this document).  
    • Ensure that you have purchased sufficient disk space for your backups.
       
  • Annually confirm the virtual server registration in the InfoSec Device Registration Program (you will receive an email reminder).
  • Make the requested annual payment to ITS for resources utilized.

Data Protection

Ensure your familiarity with and comprehension of the following:

Security

Maintaining the security of your virtual servers is the customer responsibility. The customer should make sure software is patched, malware is blocked, passwords are secure and access lists are managed. If for some reason you experience a virtual server compromise, and it becomes a threat to the greater UH community (e.g. it is being used as a host to attack other services), ITS reserves the right to block its network traffic. If this occurs, ITS will notify you immediately. 

University guidelines and general best practices for securing the hosted virtual servers according to established policies are available here: http://www.hawaii.edu/askus/1266.

  • Manage the applications, administer user access, etc.
  • Perform monthly (minimally) OS patching utilizing the UH patch servers to ensure that OS patching activities are auditable.
  • Mitigate critical application vulnerabilities in a timely fashion (within 7 calendar days is recommended).
  • Ensure continued compliance with Minimum Security Standards for Virtual Server and all Desktops and devices that may connect to the Server https://www.hawaii.edu/infosec/minimum-standards/.
  • Proactively upgrade your Operating System before it reaches End of Service Life (EOSL).
    • ITS will contact the server administrator on record when systems are approaching EOSL. It is the administrator's responsibility to respond in a timely manner and work on upgrading the server. Failure to upgrade will leave your OS vulnerable. ITS reserves the right to shut the server down or block it from the network.

Policies

ITS will continue to ensure that security remains a priority, and will verify ongoing compliance to executive policies. Examples of such policies regarding security and data handling would be EP 2.210 (Information Technology Resources Policy), EP 2.214 (Institutional Data Classification & Information Security Guidelines) & EP 2.215 (Protected Data). 

Excerpt from EP 2.214

"3.    As stated in Executive Policy EP2.215, Information Technology Services (ITS) has the full authority to enforce technical measures to ensure the security and confidentiality of protected data that are stored or transmitted, whether intentionally or unintentionally, on University systems and networks, including but not limited to immediate disconnection of compromised systems and devices from the University network.
4.    ITS has the authority to conduct network and device scanning to identify security weaknesses in any University information system, device, or network that may compromise sensitive information or the operations and availability of institutional services.
    ITS also has the authority to require all servers operating on the University network be regularly scanned for sensitive information, vulnerabilities and be protected in accordance with appropriate data security guidelines based on data classification categories.
5.    To better protect the University’s Institutional Data, ITS may require departments/units/programs to periodically report on the data element/records that they manage. Reporting requirements administered by ITS include PII and Health Insurance Portability and Accountability Act (HIPAA) surveys and server registrations.
The PII survey is part of an HRS §487N-7 requirement where UH must annually prepare a report describing the information systems that contain personal information. ITS is responsible for submitting this report and maintains a secure online system for units to report such systems. Chancellors and Vice Presidents are responsible to ensure that units under their purview report systems containing Protected Data and update the information at least annually. "

References:

UH Policies Related to Information Security: https://www.hawaii.edu/infosec/policies/

EP 2.210: https://hawaii.edu/policy/ep2.210

EP 2.214: http://hawaii.edu/policy/ep2.214

EP 2.215: http://hawaii.edu/policy/ep2.215

Applications Support

  • Install and support the required application(s).
  • Ensure ongoing compliance with UH Executive Policies such as EP 2.210, EP 2.214, and EP 2.215.
  • Patch/upgrade application(s) as required.
  • Upgrade your backup client as needed.

Virtual Server Ownership Costs

Baseline Virtual Server Host Configuration

Baseline Configuration

  Quantity   Component
  75 GB      System disk
  4 GB       RAM
  1          vCPU (2.2GHz or better)
  1          Operating System
  1          Named VPN account (requires a UH Username)
  1          vCenter Console access (requires a VPN account)
             1000 Mbps Network connection (non-dedicated)

Price Structure

The information in the following table is from the ITS 2023 Price List, and current as of 02/14/2023.

Instructions: Select one of the baseline configurations. Determine which, if any, of the optional cost items are to be included.

Optional cost items may be specified with the initial request or requested at a later time.

  Baseline Configurations          Cost      Notes
  Standard virtual server          $280.00   See Configuration table above. Includes SATA system disk.
  High Performance virtual server  $300.00   See Configuration table above. Includes SAS system disk.

  Optional Cost Items                                                 Annual Cost   Notes
  Off-site Backup, per GB                                             $0.30         The quantity is calculated once annually. Backup retention is 7 days.
  Additional vCPU                                                     $170          2.2GHz or better
  1 GB Additional Memory                                              $11
  Additional Storage per GB (min. 25GB increments)                    $0.13         SATA, 7.5k RPM
  Additional High Performance Storage per GB (min. 25GB increments)   $0.80         SAS, 15k RPM
  Additional named VPN accounts and vCenter Console access            $0.00         There will be no additional cost should an associated CAL for console access be required. ITS plans to switch to LDAP authentication in the future.

Additional Costs May Apply

  • Additional costs, especially CALs (Client Access Licenses) for Microsoft products may also apply.

Subject to Availability of Resources

  • ITS strives to ensure that we maintain ample capacity for all requests. It is possible, in what should be rare circumstances, that more capacity will have to be purchased in order to fulfill a request. You will be advised should this happen and we will work with you to accommodate your request as well as possible, such as partial fulfillment until more resources become available.

Costs Subject to Change

  • These costs are subject to periodic reevaluation and changes. 

Minimal Configuration Recommendations

  OS             vCPU   RAM (GB)   Storage (GB)
  RHEL 8         1      4          75
  RHEL 9         1      4          75
  Windows 2016   2      16         75
  Windows 2019   2      16         75
  Windows 2022   2      16         75

Delivered Configurations

  • RHEL (all versions)
    • Storage: /boot - 1GB; /fdisk - 75GB
    • Notes:
      • Placing the OS on /boot allows for storage expansion without the need to perform partitioning or reboot the OS.
      • Swap space is 4GB, which leaves 71GB of remaining storage. This partition includes the OS.
  • Windows (all versions)
    • Storage: C: - 75GB; F: -
    • Notes:
      • Placing the OS on C: allows for storage expansion of the system disk without affecting the data.
      • Place data on the next available drive for separation from the system disk.

Availability & Response Times

VM Hosting Service

  • Operational 24x7

Virtual Server Requests

  • Requests are usually processed during normal business hours.
  • Most new virtual server requests should receive a reply within 2 business days.
  • Most new virtual server support requests should receive a reply within 8 business hours.

Storage Requests

  • RHEL
    • By default all storage is allocated to "/".
    • If slow and fast disk are allocated, there will be one filesystem each.
  • Windows
    • By default the system disk is allocated to "C:".
    • By default the data disk is allocated as the next available drive.
  • Requests to expand storage are processed during normal business hours.
  • Requests should receive a reply within 2 business days.
  • On Windows removing storage is okay only if the entire disk is deleted. VMware doesn't support decreasing disk allocation size, e.g., decrease a 100GB disk to 75GB.

Firewall Requests

Firewall requests are subject to review and approval by the TI security team.

  • Requests are usually processed during normal business hours.
  • Most firewall configuration requests should receive a reply within 2 business days.
  • By default all incoming traffic to virtual servers is blocked; virtual servers sit behind a firewall.
  • By default all outgoing traffic from a virtual server is open.

Note: the default firewall configuration is very restrictive. For example, registering a CAS URL without the corresponding firewall rule will result in troubleshooting to figure out why CAS is not working, and it will be determined that the firewall configuration must be adjusted.

Backup/Restores

Note that file-level backups are performed when using the ITS backup solution. One implication is that, for databases, only database exports are useful as backups. When requesting backups you will have the opportunity to indicate which directories are to be included.

  • Backups are provided at additional cost and based on resource use.
  • Backup strategy
    • Daily - incremental backups
    • Weekly - full backup
  • Retention policy
    • 7 calendar days
  • Restores
    • Available upon request. 
    • At this time no additional fees are applicable.
    • See section "Availability & Response Times", item "Virtual Server Requests", for response times to support requests.

Service Owner

  • Director of Technology Infrastructure, Information Technology Services (ITS)

Service Representative

Service Criticality

  • Business Critical

Disclaimer

  • ITS reserves the right to modify or revoke this service at any time, in response to and not limited to the following:

    • Changes in infrastructure applications and operating system licensing and/or resources and allocation.

    • Response to security breaches, in which a hosted server may be potentially shut down to avoid a breach.

References

Change Log:

  • 2024-02-01: Removed RHEL 7, added RHEL 8 & 9 and Windows Server 2022. Changed "server registration database" to "device registration program".
  • 2023-01-09: Formatting and backup terminology updated; replaced "Bacula" with "backup service/client". Pricing list updated. Disclaimer clause added.
  • 2023-02-14: Corrected pricing list for storage.
  • 2023-09-19: Added clause under "Proactively upgrade your Operating System before it is End of Service Life (EOSL)."

Article ID: 1852
Created: Fri, 25 Jun 2021 10:28am
Modified: Thu, 01 Feb 2024 9:37am