Terms and Conditions for Use
Your Azure DevOps Organization is to be used only for Yale University purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities may be monitored for administrative and security purposes. Anyone using the environment consents to such monitoring and accepts responsibility to preserve the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in your Azure DevOps Organization. Use is subject to all policies and procedures set forth by the University located at https://your.yale.edu/policies-procedures/policies.
You are responsible for making sure that Yale's Minimum Security Standards are met, whether by Microsoft, by Yale IT or by you.
All services and applications which handle moderate or high risk data must have a Security Planning Assessment (SPA) with Yale IT Information Security as required by the Minimum Security Standards.
For more information on Yale IT security, see https://cybersecurity.yale.edu/
About the Shared Security Responsibility Model
Cloud providers are responsible for the security of the platform that they provide, while users of those platforms are responsible for configuring the solutions they build in a secure manner. This is known as the Shared Responsibility Model for cloud services. You are responsible for security configurations beyond what Microsoft and Yale provide.
See the steps that Microsoft takes to protect your data in Azure DevOps here.
When reading the table below, please keep in mind the following definitions:
- "Azure" or "Microsoft" refers to features of Azure services as Microsoft provides them to Yale and are generally not under the control of Yale.
- "Yale" or "IT" refers to work which has been done by Yale IT to configure the service to meet Yale requirements or to align with recommendations which are Yale-specific.
- "You" or "User" refers to things that you must do to protect the security and integrity of your work, either as a best practice or to comply with a Yale policy.
| Yale Security Requirement | Microsoft Provides | Yale IT Provides | Your Responsibility |
| --- | --- | --- | --- |
| Data Identification | | | You are responsible for identifying your data and upholding the security requirement for it. Please refer to the following site for data classification information: https://cybersecurity.yale.edu/classifyingsystems If you have an additional data use agreement, you are responsible for adhering to the contractual agreement. Yale's BAA agreement with Microsoft covers all services in Azure which are listed as "Core Services" (/wiki/spaces/YC/pages/1631518909). Please refer to the most recent Online Services Terms document to ensure that you have the latest information. You are responsible for notifying cloud.support@yale.edu and information.security@yale.edu if the classification of your data changes. |
| Maintain Contact Information | | Access control to Azure is managed using AD or Azure AD groups. | You are responsible for managing the membership of the AD group that controls access to your Azure resources. If you are the owner or administrator of a subscription, you are also responsible for keeping contact information up to date and notifying cloud.support@yale.edu of any changes to these items. Azure sends notices relevant to your account to the email address associated with your account. This is typically an Office 365 Distribution List of the form azure-partner-partnername@yale.edu. If you are the owner or administrator of a subscription, you are responsible for keeping this list up to date with your team's email addresses, either by notifying cloud.support@yale.edu of any changes or by making the changes yourself to a constituent group in that Distribution List. |
| Enterprise Authentication and Multi Factor Authentication (MFA) | Authentication to the Azure DevOps console is through Azure AD. | Yale IT has configured Azure AD so that DUO MFA is enabled for Azure DevOps console login. | You are required to implement enterprise authentication and enforce MFA on any and all resources that contain moderate or high risk data. To enable enterprise authentication and DUO, you must log in to the DevOps console with your Yale email address to create your Organization. In the Users pane under Organization Settings, assign users to roles using their Yale email address. While enterprise authentication is not required for low risk data, it is highly recommended in order to limit the use of alternate authentication credentials. |
| Data Encryption | Encryption at rest: All data in Azure for resources created after August 2017 is encrypted at rest. Encryption in transit: All Azure services have the capability to use encrypted transport such as TLS or SSL, though some require it to be turned on first. Microsoft PaaS and SaaS services, including Azure DevOps, require the use of encrypted connections for all activity. | | You are responsible for encrypting moderate and high risk data at rest. You are responsible for ensuring that all high risk data transfers in or out are encrypted using secure protocols, and/or for turning on and configuring the encryption option for the Azure DevOps services/resources that you manage if it is not enabled by default. This applies to communication by the application(s) as well as to management/maintenance connections. SSL encryption is highly recommended even for moderate or low risk data. |
| Centralized System Logging | Microsoft provides extensive logging and auditing of interactions with Azure services, including authentication and configuration changes such as creating a new resource. For details on the types of logs which are available, see Microsoft's Azure Logging and Auditing page. Note that some of these logs are only available to IT staff and not accessible by users. | Yale IT has configured Azure Security Center to alert on suspicious activity. Email alerts are sent to anyone with the owner role in the subscription. | You are responsible for responding to alerts from Azure Security Center and for capturing data on user logins for all your services/resources/applications to a centralized location, such as a storage account which is external to the application itself. |
| Backups/Restores | Azure has considerable redundancy and HA capabilities but does not automatically back up data on virtual servers (VMs). Some services such as Azure SQL databases are automatically backed up using a basic snapshot mechanism. | ITS provides backups for servers and databases deployed in ITS managed Azure subscriptions. ITS does not provide backups for resources in Partner (self-managed) subscriptions. | You are responsible for backups of your data in Azure. This includes setting up backups for resources that are not backed up automatically and verifying that the backups that are made are valid and able to be restored. Please check the documentation for the Azure service(s) that you are using to determine if they perform data backups automatically and whether those backups meet your requirements. Backup is mandatory for all resources/services/applications and disks with moderate or high risk data and strongly recommended for all services that support it. Yale IT suggests using the Azure Backup service for virtual machines because it is easy to set up and relatively inexpensive. |
| Alerts and Notices | Azure sends email notices relevant to your account to your account owner. This is typically an O365 Distribution List of the form azure-partner-YourLabName@yale.edu. | Yale IT configures guardrails to help you to meet your security responsibilities. These guardrails send alerts to your account owner email list. | If you are the account owner or administrator, it is your responsibility to address notices and alerts sent to your account owner email list. |
| Attestation | | This document provides an overview of best practices for Azure DevOps services and makes useful suggestions for how to increase the security of your environment. | You must periodically attest to and acknowledge that you are handling data in a manner which is compliant with the appropriate Yale policies. You are required to accept this document as Terms of Use when you begin using Azure DevOps and again annually or when there are changes to the document. Yale IT reserves the right to disable your access to Azure DevOps for failure to abide by the guidelines set by this Shared Responsibility document. |
...