Spinup has been approved for hosting certain resources that have sensitive data (e.g. HIPAA, PHI, FERPA). These resources currently include:

...

When you create a new space you fill out a questionnaire to determine the risk level and type of data that will be hosted there. If the space is tagged as moderate or high risk, you will need to accept the Spinup Security Agreement and will then be able to create the resources listed above.

Windows 2016 - CIS hardened

This server image is pre-configured with Windows firewall and DUO multi-factor authentication.

You can only expose web services running on port 443 (HTTPS) and you'll need to open port 443 on the Windows Firewall and in your Spinup space firewall (from the Spinup UI).

CentOS 7 - CIS hardened

This server image is pre-configured with SELinux, iptables firewall, and DUO multi-factor authentication.

...

Important: Do not disable SELinux, since you will not be able to SSH into the server if SELinux is disabled! If you permanently disable SELinux and get logged out, you will be permanently locked out of your server!
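A quick way to catch the mistake the warning describes before a reboot makes it permanent. This is an added example, not part of the Spinup documentation: it reads the SELINUX= setting from /etc/selinux/config (the value that takes effect at boot) alongside the live mode reported by getenforce, and fails loudly when the file says disabled. The config path is a parameter so the check can be exercised against a copy of the file.

```bash
#!/bin/sh
# Added example (not from the Spinup documentation): verify that SELinux on the
# CentOS 7 CIS image is still enforcing, both right now and in the config file
# that is read at boot. The config path is a parameter so the check can be run
# against a copy.
set -eu

# selinux_boot_mode FILE: the SELINUX= value from /etc/selinux/config, ignoring
# comments and whitespace; prints "missing" when no setting is present.
selinux_boot_mode() {
  mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
  printf '%s' "${mode:-missing}"
}

# selinux_runtime_mode: current mode from getenforce, lower-cased; "unknown"
# when the tool is absent (e.g. on a host without SELinux).
selinux_runtime_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce | tr '[:upper:]' '[:lower:]'
  else
    printf 'unknown'
  fi
}

# check_selinux [FILE]: exit 0 only if the boot-time setting is "enforcing".
# A "disabled" setting is what locks you out of SSH after the next reboot.
check_selinux() {
  cfg="${1:-/etc/selinux/config}"
  boot=$(selinux_boot_mode "$cfg")
  case "$boot" in
    enforcing)
      echo "ok: SELINUX=enforcing in $cfg (runtime: $(selinux_runtime_mode))"
      return 0 ;;
    disabled)
      echo "DANGER: SELINUX=disabled in $cfg; SSH will stop working at next boot" >&2
      return 2 ;;
    *)
      echo "warning: SELINUX=$boot in $cfg; expected enforcing" >&2
      return 1 ;;
  esac
}

# Run with no arguments to check the live server, or pass a path to a copy.
case "${1:-}" in
  --check) shift; check_selinux "$@" ;;
esac
```

Run it as `sh selinux-check.sh --check` before any reboot of the CentOS 7 image; a non-zero exit means the boot-time setting has drifted from enforcing.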

Ubuntu 18.04 LTS - CIS hardened

This server image is pre-configured with AppArmor, iptables firewall, and DUO multi-factor authentication.

You can only expose web services running on port 443 (HTTPS) and you'll need to open port 443 in iptables and in your Spinup space firewall (from the Spinup UI).
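The page tells you to open port 443 in iptables on both the CentOS 7 and Ubuntu 18.04 images but leaves the commands to you. The script below is an added example, not part of the Spinup documentation: it inserts an accept rule for new TCP connections to 443 only if an identical rule is not already present, and saves the rules with the persistence mechanism each distribution uses (`service iptables save` from iptables-services on CentOS 7, `netfilter-persistent save` from iptables-persistent on Ubuntu 18.04). That those packages are present on the CIS images is an assumption, and the DRY_RUN variable is my own convention for reviewing the commands before they touch a hardened host.

```bash
#!/bin/sh
# Added example (not from the Spinup documentation): open TCP/443 in iptables
# idempotently and persist it on the CentOS 7 or Ubuntu 18.04 CIS images.
# Runs real iptables commands only as root; with DRY_RUN=1 it prints them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# https_rule_args: the rule we want; only NEW TCP connections to 443, so the
# CIS default policy still handles everything else.
https_rule_args() {
  printf '%s' "INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
}

# rule_exists: iptables -C returns 0 when an identical rule is already present.
rule_exists() {
  # shellcheck disable=SC2046
  iptables -C $(https_rule_args) >/dev/null 2>&1
}

# open_https: insert the rule once, at the top of INPUT so it sits ahead of
# any DROP/REJECT rule the hardened image already has.
open_https() {
  if [ "$DRY_RUN" != "1" ] && rule_exists; then
    echo "443/tcp already open"
    return 0
  fi
  # shellcheck disable=SC2046
  run iptables -I $(https_rule_args)
}

# persist_rules: save so the rule survives a reboot. The two distributions on
# the page persist iptables differently (assumed package names, see lead-in).
persist_rules() {
  if [ -f /etc/redhat-release ]; then
    run service iptables save          # CentOS 7, iptables-services
  elif [ -f /etc/lsb-release ]; then
    run netfilter-persistent save      # Ubuntu 18.04, iptables-persistent
  else
    echo "unknown distribution; save iptables rules manually" >&2
    return 1
  fi
}

case "${1:-}" in
  --apply) open_https; persist_rules ;;
esac
```

Run `DRY_RUN=1 sh open-https.sh --apply` first to see exactly what would change, then `sudo sh open-https.sh --apply`. This covers the host firewall only; the Spinup space firewall is still opened from the Spinup UI as the page says.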

Dedicated MySQL, PostgreSQL and SQL Server databases

These databases run on the Amazon RDS platform and are pre-configured to have at-rest data encryption, centralized logging, and support for SSL connections.

Access to the databases is only allowed from servers that live in the same space, i.e. you won't be able to connect to the database from your laptop or other computers on the Yale network.

Using a Storage@Yale share on your secure server

You can request and mount a S@Y share on your Spinup secure server.

  • From the Spinup UI, request a S@Y share - this will open a ServiceNow ticket for the Storage team
    • In the Configuration section make sure you check "This share will contain High Risk Data"
    • This will force the Permissions Model to "Base"
    • You need to use CIFS protocol to mount the share on Linux (NFS is not supported for secure shares)
  • Once you submit the request it will open a ServiceNow ticket that you can track via ServiceNow
    • You should get notified via e-mail once the share is ready (takes about a day)
  • When the share is ready you can mount it on your server:
    • On Linux servers
      • Install cifs-utils
        sudo yum install -y cifs-utils
      • Mount the share using your AD credentials, e.g.
        sudo mount.cifs //storage.yale.edu/home/YXNAT-CC1000-SSPS-AHEF /mnt -v -o vers=3.0,domain=yale,username=netid
      • If you need to make it persistent and mount at boot time, you can add an entry to your /etc/fstab file
    • On Windows servers
      • Attach as you would a regular Windows share
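The mount.cifs command above prompts for the AD password interactively, which works for a one-off mount but not for the /etc/fstab entry the last Linux step mentions. The following is an added example, not from the Spinup documentation, of the same mount done with a root-only credentials file (the `credentials=` option of mount.cifs), plus the matching /etc/fstab entry with `_netdev` and `nofail` so a slow or unavailable share never blocks boot, and therefore never blocks SSH. The share path is the one from the page; /root/.smbcreds and /mnt/say are assumed locations, and the NetID and password are whatever you pass to write_creds.

```bash
#!/bin/sh
# Added example (not from the Spinup documentation): mount the S@Y share on the
# Linux secure server with the AD password kept in a root-only credentials
# file instead of being typed at each mount or written into /etc/fstab.
# Share path from the page; /root/.smbcreds and /mnt/say are assumed.
set -eu

SHARE="//storage.yale.edu/home/YXNAT-CC1000-SSPS-AHEF"
MOUNTPOINT="/mnt/say"
CREDS="/root/.smbcreds"

# write_creds FILE NETID PASSWORD: create the file mount.cifs reads via
# credentials=; the umask in the subshell means it is never world-readable,
# not even briefly, and chmod pins it to root-only afterwards.
write_creds() {
  f=$1; user=$2; pass=$3
  ( umask 077; printf 'username=%s\npassword=%s\ndomain=yale\n' "$user" "$pass" > "$f" )
  chmod 600 "$f"
}

# fstab_line SHARE MOUNTPOINT CREDS: the /etc/fstab entry. _netdev waits for
# the network, nofail keeps the server booting (and reachable over SSH) if the
# share is unavailable; vers=3.0 matches the page's mount command.
fstab_line() {
  printf '%s %s cifs vers=3.0,credentials=%s,_netdev,nofail 0 0' "$1" "$2" "$3"
}

# add_fstab_entry FSTAB SHARE MOUNTPOINT CREDS: append the entry exactly once,
# keyed on the share and mount point.
add_fstab_entry() {
  fstab=$1; line=$(fstab_line "$2" "$3" "$4")
  if grep -qF -- "$2 $3 " "$fstab" 2>/dev/null; then
    echo "entry for $3 already in $fstab"
  else
    printf '%s\n' "$line" >> "$fstab"
  fi
}

# mount_share: one-off mount equivalent to the page's command, reading the
# username, password and domain from the credentials file.
mount_share() {
  mkdir -p "$MOUNTPOINT"
  mount.cifs "$SHARE" "$MOUNTPOINT" -v -o "vers=3.0,credentials=$CREDS"
}

# Usage (as root): write_creds "$CREDS" your_netid 'your_password'
#                  add_fstab_entry /etc/fstab "$SHARE" "$MOUNTPOINT" "$CREDS"
#                  mount_share   # or: mount "$MOUNTPOINT" to test the fstab entry
```

After adding the fstab entry, `mount /mnt/say` exercises it the same way boot will; because the password lives only in /root/.smbcreds, a compromised unprivileged account on the server cannot read it out of /etc/fstab.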

...