
Introduction

Spinup provides a secure platform for hosting certain resources that handle sensitive data (e.g. data subject to standards such as HIPAA, PHI, and FERPA). These resources currently include:

  • Servers
    • Windows 2016 - CIS hardened
    • CentOS 7 - CIS hardened
    • Ubuntu 18.04 LTS - CIS hardened
  • Databases
    • Dedicated MySQL
    • Dedicated PostgreSQL
    • Dedicated SQL Server Standard Edition
  • Storage
    • Storage@Yale

When you create a new space you fill out a questionnaire to determine the risk level and the type of data that will be hosted there. If the space is tagged as moderate or high risk you will need to accept the Spinup Security Agreement, after which you will be able to create the resources listed above.

Windows 2016 - CIS hardened

This server image is pre-configured with Windows firewall and DUO multi-factor authentication.

You can only expose web services running on port 443 (HTTPS) and you'll need to open port 443 on the Windows Firewall and in your Spinup space firewall (from the Spinup UI).

CentOS 7 - CIS hardened

This server image is pre-configured with SELinux, iptables firewall, and DUO multi-factor authentication.

You can only expose web services running on port 443 (HTTPS) and you'll need to open port 443 in iptables and in your Spinup space firewall (from the Spinup UI).

Important: Do not disable SELinux since you will not be able to SSH into the server if SELinux is disabled! If you permanently disable SELinux and you get logged out you will be permanently locked out of your server!

Ubuntu 18.04 LTS - CIS hardened

This server image is pre-configured with AppArmor, iptables firewall, and DUO multi-factor authentication.

You can only expose web services running on port 443 (HTTPS) and you'll need to open port 443 in iptables and in your Spinup space firewall (from the Spinup UI).
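On the CentOS 7 and Ubuntu 18.04 images the local step is the same: add an iptables rule for TCP/443 and save it so it survives a reboot. The script below is an added example, not Spinup's own tooling; it assumes rules are persisted by the iptables-services package on CentOS (service iptables save) and by iptables-persistent on Ubuntu (netfilter-persistent save), and that sudo is available. The Spinup space firewall still has to be opened separately from the Spinup UI, and on the Windows 2016 image the equivalent is an inbound Windows Firewall rule for TCP 443 (for example via the New-NetFirewallRule cmdlet).

```shell
#!/usr/bin/env bash
# Added example, not part of the Spinup docs: open TCP/443 in iptables on the
# CentOS 7 or Ubuntu 18.04 image and persist it. Assumes rules are kept across
# reboots by iptables-services (CentOS) or iptables-persistent (Ubuntu).
set -eu

HTTPS_PORT=443

# Spinup only lets you expose HTTPS, so refuse to build rules for other ports.
is_allowed_port() {
  [ "$1" = "$HTTPS_PORT" ]
}

# Rule arguments: accept new TCP connections to the port. Inserted at the top
# of INPUT (-I) so it precedes the hardened image's catch-all REJECT/DROP rule.
https_rule_args() {
  is_allowed_port "$1" || return 1
  echo "INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT"
}

# Distro-specific command that saves the running ruleset for the next boot.
persist_cmd() {
  case "$1" in
    centos|rhel)   echo "service iptables save" ;;
    ubuntu|debian) echo "netfilter-persistent save" ;;
    *) echo "no persist command known for '$1'" >&2; return 1 ;;
  esac
}

distro_id() {
  # shellcheck disable=SC1091
  . /etc/os-release && echo "$ID"
}

open_https_port() {
  local rule save
  rule=$(https_rule_args "$HTTPS_PORT")
  save=$(persist_cmd "$(distro_id)")
  # -C returns 0 if an identical rule already exists, so re-running is harmless.
  # shellcheck disable=SC2086
  if sudo iptables -C $rule 2>/dev/null; then
    echo "iptables rule already present"
  else
    sudo iptables -I $rule
  fi
  sudo $save
}

# Confirm the rule is loaded and that a service is actually listening on 443.
verify_https_port() {
  sudo iptables -S INPUT | grep -q -- "--dport $HTTPS_PORT " &&
  ss -tln | grep -q ":$HTTPS_PORT "
}

if [ "${1:-}" = "--apply" ]; then
  open_https_port
  verify_https_port && echo "TCP/$HTTPS_PORT is open locally; now open it in the Spinup space firewall from the Spinup UI"
fi
```

Run it as `./open-https.sh --apply` on the server; without `--apply` it only defines the functions. The `iptables -C` check keeps the script idempotent, and the final `ss` check catches the common case where the firewall is open but nothing is bound to 443 yet.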

Dedicated MySQL, PostgreSQL and SQL Server databases

These databases run on the Amazon RDS platform and are pre-configured with at-rest encryption.

This guide highlights the current resources available for sensitive data hosting and key security measures, adaptable to future updates in operating systems and technologies.

Spinup Resources for Sensitive Data Hosting

  1. Servers: Spinup offers a range of CIS-hardened server options, regularly updated to include the latest and most secure versions.

  2. Databases: Spinup provides dedicated database services, including MySQL, PostgreSQL, and SQL Server, all configured on the secure Amazon RDS platform.

  3. Storage: Storage@Yale is available for secure data storage needs.

Creating a Secure Space

When setting up a new space, you'll complete a risk assessment to determine the data hosting capabilities. Accepting the Spinup Security Agreement is essential for spaces classified as moderate or high risk.

Server Security Configurations

All server options are pre-configured with essential security features, including firewalls and multi-factor authentication. The specific configuration details align with the latest security best practices for each server type. Typically, web services are restricted to secure HTTPS connections, usually on port 443, necessitating corresponding firewall settings.

Databases with Enhanced Security

These databases feature at-rest encryption, centralized logging, and support for SSL connections. Access to the databases is restricted to servers within the same Spinup space, i.e. you won't be able to connect to the database from your laptop or other computers on the Yale network.
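Because the RDS instances support SSL, a client can insist on it rather than merely accept it. The following added example (not from the Spinup docs) builds psql and mysql invocations that require TLS and verify the server certificate against the Amazon RDS CA bundle, and includes a small check that a connection string really demands certificate verification. The hostnames, database name, user and the CA bundle path are placeholders; the mysql flags assume a 5.7 or 8.0 client.

```shell
#!/usr/bin/env bash
# Added example, not from the Spinup docs: connect to the dedicated RDS
# databases with TLS required and the server certificate verified.
set -eu

# Assumed path; download the Amazon RDS CA bundle to this location first.
RDS_CA=/etc/ssl/certs/rds-global-bundle.pem

# libpq: only verify-ca / verify-full check the server certificate.
# sslmode=require encrypts but trusts any certificate presented.
pg_conn_requires_verified_tls() {
  case " $1 " in
    *" sslmode=verify-full "*|*" sslmode=verify-ca "*) return 0 ;;
    *) return 1 ;;
  esac
}

# mysql client: VERIFY_IDENTITY (hostname + chain) or VERIFY_CA (chain only).
mysql_args_require_verified_tls() {
  case " $1 " in
    *" --ssl-mode=VERIFY_IDENTITY "*|*" --ssl-mode=VERIFY_CA "*) return 0 ;;
    *) return 1 ;;
  esac
}

pg_conn_string() {
  local host="$1" db="$2" user="$3"
  echo "host=$host dbname=$db user=$user sslmode=verify-full sslrootcert=$RDS_CA"
}

mysql_args() {
  local host="$1" user="$2"
  echo "--host=$host --user=$user --ssl-mode=VERIFY_IDENTITY --ssl-ca=$RDS_CA"
}

# Live checks, to be run from a server inside the same Spinup space. Each
# query reports the negotiated TLS state so you can see encryption is on.
check_pg() {
  local conn
  conn=$(pg_conn_string "$1" "$2" "$3")
  pg_conn_requires_verified_tls "$conn"
  psql "$conn" -c "select ssl, version from pg_stat_ssl where pid = pg_backend_pid();"
}

check_mysql() {
  local args
  args=$(mysql_args "$1" "$2")
  mysql_args_require_verified_tls "$args"
  # shellcheck disable=SC2086
  mysql $args -p -e "SHOW SESSION STATUS LIKE 'Ssl_cipher';"
}
```

Usage: `check_pg mydb.example.internal appdb appuser` or `check_mysql mydb.example.internal appuser`; a non-empty `Ssl_cipher` or `ssl = t` confirms the session is encrypted, and a certificate mismatch fails the connection instead of silently downgrading.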

Using a Storage@Yale share on your secure server

You can request and mount a S@Y share on your Spinup secure server.

  • From the Spinup UI, request a S@Y share - this will open a ServiceNow ticket for the Storage team
    • In the Configuration section make sure you check "This share will contain High Risk Data"
    • This will force the Permissions Model to "Base"
    • You need to use the CIFS protocol to mount the share on Linux (NFS is not supported for secure shares)
  • Once you submit the request it will open a ServiceNow ticket that you can track via ServiceNow
    • You should get notified via e-mail once the share is ready (takes about a day)
  • When the share is ready you can mount it on your Linux server:
    • Install cifs-utils:

        sudo yum install -y cifs-utils

    • Mount the share using your AD credentials, e.g.

        sudo mount.cifs //storage.yale.edu/home/YXNAT-CC1000-SSPS-AHEF /mnt -v -o vers=3.0,domain=yale,username=netid

    • To ensure the share mounts automatically at boot, add an entry to your /etc/fstab file.
  • Windows servers:
    • Attach the share as you would with any regular Windows network share.
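The steps above leave the /etc/fstab entry to you. The added example below (not from the Spinup docs) shows one safe way to write it: the AD password goes in a root-only credentials file referenced with credentials=, rather than in the world-readable /etc/fstab. The credentials file path /etc/cifs-sy.cred and the mount point /mnt/sy are assumptions; the share path is the one from the mount.cifs example above, and the mount options match it (vers=3.0).

```shell
#!/usr/bin/env bash
# Added example, not from the Spinup docs: mount a Storage@Yale CIFS share at
# boot without putting the AD password in /etc/fstab.
set -eu

CRED_FILE=/etc/cifs-sy.cred   # assumed location; created root-owned, mode 0600

# Write the credentials file. The password is read from stdin so it does not
# land in shell history or in the process list.
write_cred_file() {
  local user="$1" domain="$2" password
  IFS= read -r password
  # Create the file empty with the final permissions before writing secrets.
  sudo install -m 0600 -o root -g root /dev/null "$CRED_FILE"
  printf 'username=%s\npassword=%s\ndomain=%s\n' "$user" "$password" "$domain" |
    sudo tee "$CRED_FILE" >/dev/null
}

# Build the fstab line: _netdev waits for the network, nofail keeps a missing
# share from blocking boot, vers=3.0 matches the page's mount.cifs example.
fstab_line() {
  local share="$1" mountpoint="$2"
  printf '%s %s cifs credentials=%s,vers=3.0,_netdev,nofail 0 0\n' \
    "$share" "$mountpoint" "$CRED_FILE"
}

# Refuse any line that would expose a password to every local user.
fstab_line_is_safe() {
  printf '%s' "$1" | grep -q 'credentials=' && ! printf '%s' "$1" | grep -q 'password='
}

install_fstab_entry() {
  local share="$1" mountpoint="$2" line
  line=$(fstab_line "$share" "$mountpoint")
  fstab_line_is_safe "$line"
  sudo mkdir -p "$mountpoint"
  # Append only once; re-running should not duplicate the entry.
  grep -qF -- "$share $mountpoint " /etc/fstab || echo "$line" | sudo tee -a /etc/fstab >/dev/null
  sudo mount -a
  findmnt -t cifs "$mountpoint"
}

if [ "${1:-}" = "--apply" ]; then
  echo "AD password for netid: " >&2
  write_cred_file "netid" "yale"
  install_fstab_entry "//storage.yale.edu/home/YXNAT-CC1000-SSPS-AHEF" "/mnt/sy"
fi
```

Run with `./sy-fstab.sh --apply` and type the password when prompted. `mount -a` exercises the new entry immediately, so a typo in the share path or credentials shows up now rather than at the next reboot.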

Important: If you're using Docker on your Spinup server you may run into unexpected network problems when connecting to Storage@Yale. This is because the storage uses IPs in the 172.18.0.0/16 subnet and Docker by default tries to use that same subnet. You can check this by running ifconfig and inspecting the network interfaces that are in use; if any of them use 172.18 that's a problem. You can override the default behavior of Docker so it uses a different subnet.
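To make the 172.18 check scriptable and to show what the Docker override looks like, here is an added example (not from the Spinup docs). It reads `ip -4 -o addr` output (the modern equivalent of the ifconfig check above) and flags any interface in 172.18.0.0/16, then writes a /etc/docker/daemon.json that moves docker0 (the bip setting) and the pools Docker hands to user-defined networks (default-address-pools) to 10.200.0.0/16 and 10.201.0.0/16. Those replacement ranges are an assumption; choose ranges unused on your network.

```shell
#!/usr/bin/env bash
# Added example, not from the Spinup docs: detect interfaces overlapping
# Storage@Yale's 172.18.0.0/16 range and move Docker's address pools elsewhere.
set -eu

STORAGE_NET_PREFIX="172.18."

# Reads `ip -4 -o addr` style lines from stdin and prints each interface whose
# IPv4 address starts with 172.18. Exit status 0 means at least one was found.
ifaces_in_storage_net() {
  awk -v p="$STORAGE_NET_PREFIX" \
    '$3 == "inet" && index($4, p) == 1 { print $2; found = 1 }
     END { exit (found ? 0 : 1) }'
}

# Same check against the live system.
check_live_system() {
  ip -4 -o addr | ifaces_in_storage_net
}

# daemon.json that keeps docker0 and every user-defined bridge out of 172.18/16.
# The 10.200/10.201 ranges are assumed free; change them to suit your network.
docker_daemon_json() {
  cat <<'EOF'
{
  "bip": "10.200.0.1/24",
  "default-address-pools": [
    { "base": "10.201.0.0/16", "size": 24 }
  ]
}
EOF
}

apply_docker_config() {
  docker_daemon_json | sudo tee /etc/docker/daemon.json >/dev/null
  sudo systemctl restart docker
  # Networks created before the change keep their old subnet; recreate them.
  docker network inspect bridge --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'
}

if [ "${1:-}" = "--check" ]; then
  if check_live_system; then
    echo "interfaces listed above overlap 172.18.0.0/16; run with --apply to move Docker" >&2
    exit 2
  fi
  echo "no interface overlaps 172.18.0.0/16"
elif [ "${1:-}" = "--apply" ]; then
  apply_docker_config
fi
```

`./docker-subnet.sh --check` exits 2 and names the offending interfaces when there is an overlap; `--apply` writes the override and restarts Docker. Compose projects and other user-defined networks created before the change must be removed and recreated to pick up the new pool.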
