
The diagram below demonstrates who is responsible for what aspects of security within the Spinup environment:

Spinup User

Responsible for security IN the cloud

  • Spinup User Content

  • Application, Identity & Access Management

Spinup Platform

Helps make the Spinup User's security and compliance responsibilities IN the cloud easier to meet

  • Platform, Databases, Containers, Storage

  • Operating system, Network and Firewall configuration

  • Client/Server-side data encryption

  • Regular OS updates

  • Network traffic protection

Cloud hosting provider

Responsible for security OF the cloud

  • Foundational services, such as Compute, Storage, Networking

  • Global infrastructure, such as Regions, Availability zones, Edge locations


Below is an outline of the security standards that Spinup assists with. As the diagram shows, all elements of application and Identity & Access Management fall under the "Security IN the Cloud" category and are the responsibility of the Spinup User.

Each row below names a Yale Minimum Security Requirement and then lists two things: Spinup Provides (what the platform does for you) and Spinup User Required Actions (what you must do yourself).

Harden OS image

  • Spinup Provides: Spinup offers CIS CentOS 7 Linux and CIS Windows 2016 images. CIS (Center for Internet Security) images are hardened to secure configuration standards that are collaboratively developed and used by thousands worldwide. Hardened images help mitigate common threats such as denial of service (DoS), insufficient authorization, and overlapping trust boundaries.

  • Spinup User Required Actions: No immediate action. Long term, keep up with a supported image: the Spinup User is responsible for migrating to a supported offering once the current image is no longer supported.

Harden OS image for containers

  • Spinup Provides: N/A

  • Spinup User Required Actions: Select known secure or official container images.

OS Patching

  • Spinup Provides: Spinup uses the AWS SSM agent to automatically install system patches (a.k.a. updates) on CentOS Linux and Windows 2016 systems.

  • Spinup User Required Actions: No further action. When the Operating System (OS) is no longer supported by the vendor, the Spinup User is responsible for migrating to a supported offering as soon as possible.

OS updates for containers

  • Spinup Provides: N/A

  • Spinup User Required Actions: Periodically update container services to stay current with OS updates. When the Operating System (OS) in the container image is no longer supported by the vendor, the Spinup User is responsible for updating it as soon as possible.

Application updates

  • Spinup Provides: N/A

  • Spinup User Required Actions: Follow the application documentation for applying updates.

Data encryption

  • Spinup Provides: Disk encryption is turned on for data-at-rest. Spinup provides policy to enforce encrypted transport for services that support it (NFS, etc.).

  • Spinup User Required Actions: Use encryption for data-in-transit, i.e. SFTP and HTTPS. All database connections must use SSL.
    NFS File Systems should have the "Enforce Encrypted Transport" option enabled and must be mounted using TLS (-o tls or a TLS tunnel).
    NFS File Systems must have the "Allow Anonymous Access" option disabled and must leverage user authentication in addition to the network/firewall based security.
    Exceptions for unencrypted connections or anonymous access must be granted by the Information Security Office; please see Request an Exception.
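The TLS-mount requirement above can be checked from the host's own mount table. The script below is an added example written for this page, not Spinup tooling or anything from the Spinup documentation. It parses /proc/mounts (a constructed sample is embedded; the file system ID and IP addresses in it are made up) and reports NFS mounts that are not going through the local efs-utils TLS tunnel. The assumption it relies on is how amazon-efs-utils implements `-o tls`: the file system is mounted as a loopback NFSv4 mount fed by a local stunnel process, so the kernel records the source as 127.0.0.1:/ with addr=127.0.0.1.

```python
"""Find NFS mounts that bypass the efs-utils TLS tunnel.

Added example for this page, not Spinup code. Assumption: an EFS file
system mounted with `mount -t efs -o tls <fs-id>:/ /mnt/x` (amazon-efs-utils)
shows up in /proc/mounts as a loopback NFSv4 mount that is fed by the local
stunnel process, so its source host and addr= option are both 127.0.0.1.
"""
from dataclasses import dataclass, field

# Constructed sample of /proc/mounts. Made-up file system ID and addresses.
# /mnt/secure  -> mounted with "-o tls"   (loopback to stunnel, OK)
# /mnt/plain   -> mounted straight at the EFS DNS name (clear text)
# /home/shared -> plain NFSv3 export from another host (clear text)
SAMPLE_PROC_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/xvda1 / xfs rw,relatime,attr2,inode64,noquota 0 0
127.0.0.1:/ /mnt/secure nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,noresvport,proto=tcp,port=20049,timeo=600,retrans=2,sec=sys,clientaddr=127.0.0.1,local_lock=none,addr=127.0.0.1 0 0
fs-0123abcd.efs.us-east-1.amazonaws.com:/ /mnt/plain nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,noresvport,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.0.1.23,local_lock=none,addr=10.0.1.200 0 0
10.0.1.50:/export/home /home/shared nfs rw,relatime,vers=3,rsize=1048576,wsize=1048576,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.0.1.50,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=10.0.1.50 0 0
"""


@dataclass
class NfsMount:
    source: str          # "host:/export" exactly as the kernel reports it
    mountpoint: str
    fstype: str          # nfs or nfs4
    options: dict = field(default_factory=dict)

    @property
    def server(self) -> str:
        return self.source.split(":", 1)[0]

    def is_tls_tunneled(self) -> bool:
        """True when the mount points at the local stunnel listener."""
        return self.server == "127.0.0.1" and self.options.get("addr") == "127.0.0.1"

    def is_efs(self) -> bool:
        return ".efs." in self.server and self.server.endswith(".amazonaws.com")


def parse_proc_mounts(text: str) -> list:
    """Return the NFS entries from /proc/mounts-formatted text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        source, mountpoint, fstype, opts = fields[:4]
        if not fstype.startswith("nfs"):
            continue
        options = {}
        for opt in opts.split(","):
            key, _, value = opt.partition("=")
            options[key] = value
        # /proc/mounts escapes spaces in paths as \040
        mounts.append(NfsMount(source, mountpoint.replace("\\040", " "), fstype, options))
    return mounts


def find_unencrypted_nfs(text: str) -> list:
    """(mountpoint, reason) for every NFS mount that is not TLS-tunneled,
    in mount-table order."""
    findings = []
    for m in parse_proc_mounts(text):
        if m.is_tls_tunneled():
            continue
        if m.is_efs():
            reason = "EFS mounted without -o tls; remount via amazon-efs-utils with tls"
        else:
            reason = f"{m.fstype} mount from {m.server} in clear text; needs a TLS tunnel or an ISO exception"
        findings.append((m.mountpoint, reason))
    return findings


if __name__ == "__main__":
    # On a live host: find_unencrypted_nfs(open("/proc/mounts").read())
    for mountpoint, reason in find_unencrypted_nfs(SAMPLE_PROC_MOUNTS):
        print(f"{mountpoint}: {reason}")
```

The loopback test is a heuristic: a non-TLS NFS server running on the same host would also appear as 127.0.0.1, and passing this check says nothing about the EFS side, so the "Enforce Encrypted Transport" and "Allow Anonymous Access" options still have to be confirmed in the Spinup UI.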

Restricted network

  • Spinup Provides: Spinup sets up the default restricted network and provides a UI for firewall management (AWS security group).

  • Spinup User Required Actions: The Spinup User can open or close firewall ports and specify source networks in the UI. Allowing unencrypted data requires a policy exception; please see Request an Exception. Additionally, the Spinup User can customize the host-based firewall (iptables, Windows firewall) on individual servers.
    For external access, the Spinup User must do the following:

      • Complete SDR

      • Set up load balancing with ITS load balancing

      • Work with the Spinup team to obtain a routable IP, DNS and SSL certificate

      • Consult with the Spinup team on Web Application Firewall (WAF) requirements

    Spinup Users shall not allow NFS File System ports through the firewall without volume authentication enabled.
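Because the restricted network is enforced by an AWS security group, the rules in the row above can be checked against the group's definition before an ISO reviewer does. The script below is an added example, not part of the Spinup platform or its documentation. It audits a security group in the shape returned by `aws ec2 describe-security-groups` (a constructed sample with a made-up group id is embedded) and flags rules that contradict the table: ports open to the internet other than HTTPS, cleartext protocols (HTTP, FTP, Telnet, NFS) that would need an ISO exception, NFS (2049) allowed at all, and any-protocol rules. The approved "restricted" source networks and the set of internet-facing ports are assumptions to adjust for your own VPC.

```python
"""Audit an AWS security group against the Spinup restricted-network rules.

Added example for this page, not Spinup code. Input is one element of the
"SecurityGroups" list produced by `aws ec2 describe-security-groups`.
"""
import ipaddress

# Assumptions, not values from the Spinup documentation: adjust for your VPC.
RESTRICTED_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]
INTERNET_OK_PORTS = {443}  # only encrypted services may face the internet
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 2049: "NFS"}

# Constructed sample security group; the group id and name are made up.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0abc1234example",
    "GroupName": "spinup-web-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def is_restricted_source(cidr: str) -> bool:
    """True if the CIDR lies entirely inside one of the approved source networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == r.version and net.subnet_of(r) for r in RESTRICTED_SOURCES)


def audit_security_group(sg: dict) -> list:
    """Return one dict per problem found: {"port", "cidr", "reason"}."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            if proto == "-1":
                findings.append({"port": "all", "cidr": cidr,
                                 "reason": "all protocols/ports allowed; replace with specific port rules"})
                continue
            if proto not in ("tcp", "udp"):
                continue  # ICMP and friends carry no ports; out of scope here
            lo, hi = rule["FromPort"], rule["ToPort"]
            label = str(lo) if lo == hi else f"{lo}-{hi}"
            # Anything reachable from outside the restricted networks must be HTTPS only.
            if not is_restricted_source(cidr) and not set(range(lo, hi + 1)) <= INTERNET_OK_PORTS:
                findings.append({"port": label, "cidr": cidr,
                                 "reason": "reachable from outside the restricted networks; narrow the source or close the port"})
            # Cleartext protocols need an ISO exception wherever they come from.
            for port in sorted(p for p in CLEARTEXT_PORTS if lo <= p <= hi):
                if port == 2049:
                    reason = "NFS must not pass the firewall without volume authentication enabled"
                else:
                    reason = f"{CLEARTEXT_PORTS[port]} is unencrypted; requires an ISO exception"
                findings.append({"port": str(port), "cidr": cidr, "reason": reason})
    return findings


if __name__ == "__main__":
    # With real data: json.load(...)["SecurityGroups"][0] from the AWS CLI output.
    for f in audit_security_group(SAMPLE_SECURITY_GROUP):
        print(f"{SAMPLE_SECURITY_GROUP['GroupId']} port {f['port']} from {f['cidr']}: {f['reason']}")
```

The check deliberately looks only at CIDR sources; rules whose source is another security group (UserIdGroupPairs) are not flagged, and the host-based firewall described above is a second layer that this audit does not see.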

Restricted network for S3

  • Spinup Provides: Unauthenticated access to S3 buckets with moderate or high-risk data is not allowed.

  • Spinup User Required Actions: The Spinup User can share an S3 bucket by providing the access key and is responsible for maintaining the security of that key.

Account control for S3

  • Spinup Provides: N/A

  • Spinup User Required Actions: Reset the access key periodically. Purge data that is no longer required.

Multi Factor Authentication

  • Spinup Provides: DUO for SSH, RDP, and Spinup console access.

  • Spinup User Required Actions: Enable application-level MFA where applicable.

Centralized system logging

  • Spinup Provides: For servers, the CloudWatch agent copies system logs to an S3 bucket (365 days retention). For containers, stdout/stderr is sent to CloudWatch and retained for 365 days.

  • Spinup User Required Actions: No further action.

Centralized application logging

  • Spinup Provides: N/A

  • Spinup User Required Actions: Follow the application documentation to retain application logs for 30 days. For containers, send application logs to stdout/stderr for archiving in CloudWatch.

Centralized access logging

  • Spinup Provides: Access logs for S3 and RDS are archived in a centrally managed S3 bucket.

  • Spinup User Required Actions: No further action.

OS software inventory

  • Spinup Provides: The AWS SSM agent pushes the OS package list and patch level to SSM system inventory.

  • Spinup User Required Actions: No further action.

Application software inventory

  • Spinup Provides: N/A

  • Spinup User Required Actions: Maintain an inventory of the applications installed.

Tagging

  • Spinup Provides: Tagging for identification as defined by ISO: data type, owner, contact info, etc.

  • Spinup User Required Actions: No further action.

Attestation

  • Spinup Provides: Publishes a regular usage agreement and disclaimer.

  • Spinup User Required Actions: Sign off on the agreement.

Backups/restores

  • Spinup Provides: 14 days of automatic daily AWS snapshots. Manual restore by the Spinup team.

  • Spinup User Required Actions: The Spinup User can create snapshots and restore disks individually via the UI.
    For optional additional file-level on-demand backups and restores, ITS offers Netbackup for a fee (based on how much data and how long it needs to be kept). Customers may request it by opening a ServiceNow ticket to the ITS Storage team.
    For dedicated databases, the Spinup User needs to set up regular database backups (using mysqldump, pg_dump, or a similar tool).

Backups for NFS File Systems

  • Spinup Provides: The option to enable automatic daily backups with a 35 day retention period.

  • Spinup User Required Actions: Enable backups.

Backups for S3

  • Spinup Provides: N/A

  • Spinup User Required Actions: The Spinup User can turn on S3 bucket versioning.

Backups for containers

  • Spinup Provides: N/A

  • Spinup User Required Actions: Containers are ephemeral; back up and store data outside of the container service.

Monitoring

  • Spinup Provides: API access for ITS/ISO to audit security compliance issues.

  • Spinup User Required Actions: For optional application-level monitoring, ITS offers Dynatrace. This requires consultation for setup and pricing; customers may request it by opening a ServiceNow ticket to the ITS Enterprise Monitoring Team.

Continuous Improvement

  • Spinup Provides: Ongoing collaboration between the customer, ISO and the Spinup team to improve security and make customer compliance tasks easier to complete.

  • Spinup User Required Actions: Provide feedback to the Spinup team.

Other

  • Spinup Provides: The Spinup team is available for free customer consultation.

  • Spinup User Required Actions: Do not tamper with the prebuilt security controls, such as patching, system logging, and SSH config. Spinup Users are responsible for their content and anything they add within the Spinup environment.