...
Terms and Conditions for Use
Yale's AWS environment is to be used only for Yale University purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities are monitored for administrative and security purposes. Anyone using the environment consents to such monitoring and accepts responsibility to preserve the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in their AWS account. Use is subject to all policies and procedures set forth by the University, located at https://your.yale.edu/policies-procedures/policies.
You are responsible for making sure that Yale's Minimum Security Standards are met. This responsibility extends to all aspects of security, whether handled by AWS, by Yale IT, or by you.
All services and applications which handle moderate or high risk data must have a Security Planning Assessment on record with the Yale IT Information Security Office. This assessment is a mandatory requirement under the Minimum Security Standards.
For more detailed information on Yale IT security, please visit https://cybersecurity.yale.edu/
...
About the Shared Security Responsibility Model
Cloud providers like Amazon AWS and Microsoft Azure are responsible for the security of the platform that they provide, while users of those platforms are responsible for configuring the solutions they build in a secure manner. This is known as the Shared Responsibility Model for cloud services.
If you have your own AWS "partner account" via the Cloud Support service, you are responsible for security configurations beyond what AWS and Yale provide. If you are unable to implement your responsibilities, consider using the Spinup Self-Service portal or our Managed Servers - Linux or Managed Servers - Windows services.
When reading the table below, please keep in mind the following definitions:
"AWS" refers to features of AWS services as Amazon provides them to Yale, which are generally not under Yale's control.
"Yale" or "IT" refers to work done by Yale IT to configure the service to meet Yale requirements or to align with Yale-specific recommendations.
"You" or "User" refers to actions you must take to protect the security and integrity of your work, either as a best practice or to comply with a Yale policy.
...
| Yale Minimum Security Requirement | AWS Provides | Yale IT Provides | Your Responsibility |
|---|---|---|---|
| General Requirements | | | |
| Scanning/Auditing | | ITS Information Security may scan/audit Yale resources. | You are responsible for allowing ITS to scan/audit your resources. |
| Data Identification | | | You are responsible for identifying your data and upholding the security requirements for it. Please refer to the Risk Classification Guideline for data classification information: https://cybersecurity.yale.edu/classifyingsystems. If you have additional data use agreements, you are responsible for adhering to the contractual agreement. If your account contains HIPAA data, you are required to notify cloud.support@yale.edu so that the ITS Cloud Support team can add your account to Yale's BAA with AWS. You are responsible for notifying cloud.support@yale.edu and information.security@yale.edu if the data classification of your data changes. |
| Maintain Contact Information | | | AWS sends notices relevant to your account to the email address associated with your account. This is typically an O365 Distribution List of the form aws-partner-YourLabName@yale.edu. If you are the owner or administrator of an account, you are responsible for keeping this list up to date with your team's email addresses by notifying cloud.support@yale.edu of any changes. |
| Application Software Inventory | | | You are responsible for continuously tracking and monitoring the software that you install within your AWS account. This is crucial both for detecting unauthorized activity and for diagnosing system performance and security issues. |
| Enterprise Authentication and Multi-Factor Authentication (MFA) | AWS provides several options for enterprise authentication and MFA for AWS console login. | ITS has configured AWS Single Sign-On (SSO) to provide access to the AWS console using your NetID credentials. AWS SSO requires Duo multi-factor authentication. (NOTE: AWS SSO is configured for ITS Partner accounts and is targeted to be available in ITS managed AWS accounts in Summer 2020.) | Enterprise authentication is mandatory for accessing moderate and high risk data, and MFA is required for high risk data. Creating local accounts is strongly discouraged, including for low risk data, as they do not have MFA enabled by default and are disabled for console access. As the owner or administrator of an AWS account, you are responsible for emailing cloud.support@yale.edu to add or remove an individual's console access. You are also responsible for implementing and enforcing enterprise authentication and MFA on all resources you manage, including server logins and application access. |
| Data Encryption | Encryption at rest: AWS offers optional encryption at rest, for example for EC2 EBS volumes, EFS file systems and S3 buckets; these resources can be encrypted but are not encrypted by default. Encryption in transit: AWS permits you to optionally mount an EFS file system using TLS to enable encryption in transit. You can optionally protect S3 data in transit using Secure Sockets Layer (SSL) or client-side encryption. You can optionally use SSL from your application to encrypt a connection to an RDS DB instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL. | | You are responsible for encrypting moderate and high risk data at rest. You are responsible for ensuring that all high risk data transfers in or out are encrypted using secure protocols and/or turning on and configuring the encryption option for the AWS service/resource. This applies to communication by the application(s) as well as management/maintenance connections. SSL encryption is highly recommended even for moderate or low risk data. |
| Centralized System Logging | AWS makes the CloudTrail, CloudWatch, and GuardDuty services available for logging/auditing of AWS environments. | Yale IT has enabled CloudTrail, CloudWatch, SecurityHub, Wiz and GuardDuty on all AWS partner accounts. CloudTrail logs are stored in a separate AWS account. | You are responsible for responding to alerts from CloudWatch and GuardDuty. If you are working with high risk data, you are responsible for capturing authentication activity for all your services/resources/applications to a centralized location. Users are responsible for remediating any vulnerabilities reported by Wiz. |
| Backups/Restores | AWS has considerable redundancy and HA capabilities but does not automatically back up virtual servers or data. Some services such as RDS provide backups by default. | ITS provides backups for servers and databases deployed in ITS managed AWS accounts. ITS does not provide backups for Partner AWS accounts. | You are responsible for ensuring that your data in AWS is adequately backed up. This involves not only setting up backups for resources that are not backed up automatically, but also verifying the integrity of those backups to ensure they can be successfully restored. We strongly recommend consulting the documentation for the specific AWS service(s) that you are using to determine whether automatic data backups are performed and whether those backups meet your particular requirements. Backups are mandatory for all resources, services, applications, and disks containing moderate or high risk data, and are strongly recommended for any service that offers backup capabilities. The AWS Backup service is one option you can use for backing up your resources. |
| High Availability and Disaster Recovery | AWS has services in many geographical regions. Each region has multiple availability zones (distinct data centers that do not share infrastructure). PaaS and SaaS services are typically highly resilient, but IaaS services need to be architected/set up with availability in mind. | Yale maintains redundant private connections to the AWS cloud network. | It is your responsibility to understand whether the AWS services you are using are resilient across availability zones within a region or across regions, and to design a high availability architecture and/or disaster recovery plan to meet your target recovery time and recovery point objectives. Should your application demand high availability or have specific disaster recovery considerations, contact cloud.support@yale.edu for assistance. |
| Service and Application Monitoring | AWS posts service health information for the AWS platform at https://status.aws.amazon.com. AWS sends notifications of AWS incidents directly related to your account to the email address associated with your account. | Yale IT monitors the status of the AWS platform as a whole and of AWS services. Issues with AWS which impact Yale are posted on the #aws channel at https://yale.slack.com and on the ITS System Status Page. | If you would like your application to be monitored by ITS staff or to receive notifications if a service issue may impact your work, submit a ticket using ServiceNow through the Enterprise Monitoring service page: https://yale.service-now.com/it?id=service_offering&sys_id=9b9132291b829c90ae6997d58d4bcb0b or contact helpdesk@yale.edu (203-432-9000) for assistance. |
| Alerts and Notices | AWS sends email notices relevant to your account to your account owner. This is typically an Office 365 Distribution List of the form aws-partner-YourLabName@yale.edu. | Yale IT configures guardrails to help you meet your security responsibilities. These guardrails send alerts to your account owner email list. | If you are the account owner or administrator, it is your responsibility to address alerts and notices sent to your account owner email list. |
| Attestation | AWS offers security related services such as Trusted Advisor (to provide proactive recommendations on best practices for your AWS account) and GuardDuty (to monitor your account for unauthorized activity). | | You must periodically attest to and acknowledge that you are handling data in a manner which is compliant with the appropriate Yale policies. You are required to accept this document as Terms of Use upon your first login to the AWS console and again annually or when there are changes to the document. Yale IT reserves the right to disable your account for failure to abide by the guidelines set by this Shared Responsibility document. |
| Virtual machines (VMs) and Databases | | | |
| Harden OS Image | Hardened OS images from the Center for Internet Security (CIS) are available within AWS. CIS images are modified versions of the base operating system that align with secure configuration standards which are collaboratively developed and used by thousands worldwide. These hardened images help mitigate many common threats of denial of service, insufficient authorization, and overlapping trust boundaries. To see the complete list of CIS hardened OS images available in AWS, see this link. | | Servers should be configured following CIS security standards. It is advisable to use CIS-hardened images from the AWS Marketplace, especially when managing high risk data, though note that they are not required and come with additional costs. If you opt not to use one of the available CIS images, it is crucial to consult the security guidelines specific to the operating system you are using and to implement as many of these guidelines as are practical for your setup. The CIS web site is a valuable starting point for this information. |
| Use a Supported Operating System | AWS provides images of all supported operating systems in the AWS Marketplace. | | If you deploy a virtual machine, you must use a supported version of the operating system as described on the ITS Operating System Recommendations page and maintain the operating system at a supported version. |
| OS Patching | Operating system images in AWS which are provided by vendors typically do not have automatic updating enabled. | | If you own a virtual machine, it is your responsibility to ensure that the operating system remains up to date. This involves verifying that updates, including security patches, are installed on at least a monthly basis. |
| Application Patching | | | If you are running a virtual machine, it is your responsibility to keep all installed applications up to date with the latest security-related patches and updates. This extends to all libraries and non-OS components that your application relies on. To ensure compliance, you should actively collaborate with your application vendor(s): familiarize yourself with the update procedures for your specific applications and stay informed about any new security updates or releases that become available. The Security Planning Assessment (SPA) process must be completed for all applications which handle moderate or high risk data. |
| Network Protection | AWS includes built-in network protections for the AWS platform. | Yale IT manages firewalls for the private Yale data center networks extended into AWS (10.5.x.x and 10.9.x.x addresses), logging traffic between campus and AWS. Beginning in FY21, Yale IT has taken additional measures by configuring Network Access Control Lists (ACLs). These ACLs permit only HTTPS, SSH, and RDP traffic to flow to your 10.5.x.x and 10.9.x.x subnets. | You are responsible for safeguarding your network against malicious external access by utilizing AWS Network Access Control Lists (ACLs). You have the flexibility to modify the ACLs provided by Yale IT to better suit your specific requirements. For systems handling moderate and high risk data, the use of host-based firewalls or AWS Security Groups is mandatory; for all other systems it is strongly recommended. Available host firewall options include Windows Firewall, iptables, or ufw/firewalld. When deploying resources, they should be allocated to private subnets within the account. Resources on these private subnets are not permitted to use public IP addresses. If you need a resource to be accessible from outside of Yale, you must do the following: (1) complete a Security Planning Assessment (SPA) and obtain approval for external access to the application from the ITS Information Security Office; (2) for moderate and high risk data, contact the Yale IT load balancing team to open the application to the Internet via a Yale-managed F5 endpoint, which includes setting up a routable IP, DNS entry, and SSL certificate to ensure secure communications; (3) collaborate with Yale ITS to establish any necessary Web Application Firewall (WAF) requirements or solutions. For low risk data, you may use AWS Application and Network Load Balancers for public access; these should be configured on the public DMZ subnets within your AWS account. If you are using an Application Load Balancer (ALB), the Web Application Firewall (WAF) must be enabled. For both types of cloud-based load balancers, you are required to capture access logs and store them in an S3 bucket within your AWS account. For a comprehensive overview of AWS Managed Rules for WAFs, see https://aws.amazon.com/blogs/aws/announcing-aws-managed-rules-for-aws-waf/. For any further questions or if you require assistance configuring your load balancers, please reach out to cloud.support@yale.edu. |
| Hosting websites | | | |
| Web Sites | AWS provides a variety of different resources/services for web hosting/management. | | Websites are governed by the following university policies, as well as any additional school- or department-specific policies, regulations and guidelines that apply to your use. You must agree to follow these guidelines and all other applicable policies, regulations and guidelines before creating a website. School of Medicine departments and units (with the exception of MB&B), including faculty lab websites, are not eligible and must contact the YSM Web Group at ysm.editor@yale.edu for more information about the School of Medicine’s web services offerings. The university expects all Yale community members to comply with applicable privacy and intellectual property laws. Websites are only authorized for the handling of low-risk data and must not be used in connection with medium- or high-risk data. For more information on data classification, visit the Protect Your Data page on the IT at Yale Cybersecurity website. Users of Yale data are responsible for securing that data. To secure data, you must use a Yale IT System that matches your risk classification. For example, if you need to store high risk data, you must use a Yale IT System for storing data classified as high risk. The risk classification of a Yale IT System cannot be lower than the data classification. Data classification is one element of the risk classification of a Yale IT System; see the Risk Classification Guideline to learn about all three elements. This will help you determine the overall risk associated with the work you do on behalf of Yale’s mission. The Service Classification page indicates the risk classifications allowed on commonly used Yale IT Services; see the Service Classification Table for services that secure your data classification. Site owners are expected to respect copyright and are responsible for evaluating whether the use of any information or content made available on their website requires copyright permission. Please review the Office of the General Counsel’s Copyright Resources and Rights Clearance Guide for Digital Projects for information regarding copyright issues that may arise in digital contexts. “Yale” and “Yale University” are trademarks of the university, and its logos and colors may only be used for official functions of the university and must adhere to the guidelines of the Office of the University Printer to ensure appropriate alignment with Yale’s visual identity standards. Please review the Yale Identity Web Guidelines. University trademarks may not be used to state or suggest institutional endorsement or sponsorship of non-official functions. Websites are required to include a link to the Accessibility Statement Page, and websites used in connection with personal information must include a link to the Yale Privacy Policy or, if applicable, a site-specific privacy statement. Content published without password protection or other access restrictions is publicly available. You may choose to restrict public site access. If a yale.edu domain or subdomain is being requested, open a ServiceNow ticket assigned to YaleSites. med.yale.edu domain names have special attention as noted above. |
| AI Services | | | |
| Artificial Intelligence | AWS ensures adherence to GDPR and HIPAA standards, safeguarding data integrity. Data remains private, not utilized for model enhancement nor shared with third parties. AWS facilitates encryption both in transit and at rest via AWS Key Management Service. Governance and audit requirements are supported through Amazon CloudWatch and AWS CloudTrail, while automated abuse detection mechanisms are in place to prevent potential misuse of AI services. | Yale IT provides an individual IP range for each account, which secures AWS Cognitive Services for each subscription to its own IP subnets. | You are responsible for adhering to current university policies on academic integrity and ensuring that your AI application complies with the Yale University Policy Against Discrimination and Harassment and the University Sexual Misconduct Policies. Protect confidential data: you should not enter data classified as confidential (moderate, high-risk), including non-public research data, into publicly available generative AI tools, in accordance with Yale’s Minimum Security Standards. Information shared with generative AI tools using default settings is not private and could expose proprietary or sensitive information to unauthorized parties. You are responsible for maintaining the security and confidentiality of the training data and access to the data models. You are responsible for any content that you produce or publish that includes AI-generated material: AI-generated content can be inaccurate, misleading, or entirely fabricated (sometimes called “hallucinations”) or may contain copyrighted material. Review your AI-generated content before publication. You are responsible for helping to prevent AI hallucinations and for the accuracy of responses. Be alert for AI-enabled phishing: generative AI has made it easier for malicious actors to create sophisticated scams at a far greater scale. Continue to follow security best practices and report suspicious messages to helpdesk@yale.edu. |
| Other services | | | |
| | AWS Trusted Advisor provides security best practice checks and recommendations both for your AWS environment in general and for specific AWS services. AWS provides a whitepaper with recommendations for architecting HIPAA compliant solutions on AWS. AWS provides AWS Secrets Manager to help you protect secrets needed to access your applications, services, and IT resources. | | You are responsible for securing all AWS services used in your account to meet Yale's Minimum Security Standards. A good place to start is to review the AWS Trusted Advisor security best practice checks for your AWS account and address any security recommendations necessary to meet Yale's standards. If your account contains PHI, you are responsible for reviewing the AWS whitepaper Architecting for HIPAA Security and Compliance on Amazon Web Services and applying its security recommendations to services used in your account. Even if your account does not contain PHI, you should be aware of whether the HIPAA security recommendations for services you are using are required to meet Yale's standards. You are responsible for protecting secrets needed to access your applications, services or resources by storing them in a private location and encrypting them at rest and in transit. |
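The Data Encryption row above leaves encryption at rest for EBS and S3, and encryption in transit for S3, to the account owner. The following is an added example of how an owner could check those two responsibilities against API output; it is not code from Yale IT or from this document. The sample responses are constructed inline in the shapes returned by boto3's ec2.describe_volumes() and s3.get_bucket_encryption(), the bucket names, volume IDs and KMS key ARN are placeholders, and the function names are this example's own. The TLS-only bucket policy uses the aws:SecureTransport condition key, which is the standard way to refuse non-TLS requests to a bucket.

```python
import json

# Constructed sample data (not from a real account). The shapes follow
# ec2.describe_volumes() and s3.get_bucket_encryption(); a bucket whose
# get_bucket_encryption call raises ServerSideEncryptionConfigurationNotFoundError
# is recorded here as None.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
        {"VolumeId": "vol-0ccc", "Encrypted": False},
    ]
}
SAMPLE_BUCKET_ENCRYPTION = {
    "lab-data": {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}},
    "lab-scratch": None,
}


def unencrypted_volumes(describe_volumes_response):
    """Volume IDs whose data at rest is not encrypted (the EBS default unless enabled)."""
    return [v["VolumeId"] for v in describe_volumes_response["Volumes"]
            if not v.get("Encrypted", False)]


def default_sse_algorithm(bucket_encryption_response):
    """SSEAlgorithm of the bucket's default-encryption rule, or None if there is no rule."""
    if not bucket_encryption_response:
        return None
    for rule in bucket_encryption_response["ServerSideEncryptionConfiguration"]["Rules"]:
        algorithm = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algorithm:
            return algorithm
    return None


def buckets_without_default_encryption(configs_by_bucket):
    return sorted(b for b, cfg in configs_by_bucket.items()
                  if default_sse_algorithm(cfg) is None)


def tls_only_bucket_policy(bucket):
    """Bucket policy that rejects every request not made over TLS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }],
    }


def enforces_tls(policy):
    """True if the policy has a Deny statement keyed on aws:SecureTransport being false."""
    if not policy:
        return False
    for statement in policy.get("Statement", []):
        condition = statement.get("Condition", {}).get("Bool", {})
        if (statement.get("Effect") == "Deny"
                and str(condition.get("aws:SecureTransport", "")).lower() == "false"):
            return True
    return False


def encryption_findings(volumes_response, bucket_encryption, bucket_policies):
    """Readable findings for the encryption items the table assigns to the account owner."""
    findings = [f"EBS volume {vid} is not encrypted at rest"
                for vid in unencrypted_volumes(volumes_response)]
    findings += [f"S3 bucket {b} has no default encryption rule"
                 for b in buckets_without_default_encryption(bucket_encryption)]
    findings += [f"S3 bucket {b} does not deny non-TLS requests"
                 for b in sorted(bucket_policies) if not enforces_tls(bucket_policies[b])]
    return findings


if __name__ == "__main__":
    policies = {"lab-data": tls_only_bucket_policy("lab-data"), "lab-scratch": None}
    for line in encryption_findings(SAMPLE_VOLUMES, SAMPLE_BUCKET_ENCRYPTION, policies):
        print(line)
    # The policy to attach to a non-compliant bucket, ready for put_bucket_policy.
    print(json.dumps(tls_only_bucket_policy("lab-scratch"), indent=2))
```

To run this against a real account, replace the constructed dictionaries with the live responses (for the bucket policy, s3.get_bucket_policy() returns the document as a JSON string that must be parsed first). Encrypting an existing unencrypted EBS volume means snapshotting it and creating an encrypted copy; the check only tells you which volumes need that work.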
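The Network Protection row above says the Yale-provided Network ACLs admit only HTTPS, SSH and RDP, that you may modify them, and that a public ALB must have WAF enabled and access logs captured to S3. Because NACL rules are evaluated in ascending rule number with the first match winning, a modification can silently widen exposure, so the following added example (not Yale IT's code and not part of this document) reimplements that evaluation order over a constructed rule set shaped like the Entries list of ec2.describe_network_acls(), reports which inbound TCP ports the Internet can reach beyond the baseline, and checks the two load balancer requirements from constructed elbv2.describe_load_balancer_attributes() output. The source address 203.0.113.10, the hypothetical rules 50 and 140, the load balancer name and all function names are this example's assumptions.

```python
import functools
import ipaddress

# Constructed sample (not from a real account), shaped like one ACL's "Entries" list in
# ec2.describe_network_acls(). Rules 100-130 mirror the baseline described in the table
# (HTTPS, SSH, RDP) plus the ephemeral range that a stateless NACL needs for return traffic.
# Rule 50 is a hypothetical mistake that opens SMB to the Internet; rule 140 is a deny for
# the same port that never fires, because evaluation stops at the first matching rule.
SAMPLE_ENTRIES = [
    {"RuleNumber": 50, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 445, "To": 445}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 3389, "To": 3389}},
    {"RuleNumber": 130, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 140, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 445, "To": 445}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
]
BASELINE_PORTS = {443, 22, 3389}   # what the table says the Yale ACLs permit
EPHEMERAL = (1024, 65535)          # expected open inbound for return traffic on a stateless NACL

# Constructed ALB attributes in the shape of describe_load_balancer_attributes()["Attributes"].
SAMPLE_ALB_ATTRIBUTES = [
    {"Key": "access_logs.s3.enabled", "Value": "false"},
    {"Key": "access_logs.s3.bucket", "Value": ""},
]


@functools.lru_cache(maxsize=None)
def _network(cidr):
    return ipaddress.ip_network(cidr)


def _matches(entry, protocol, port, ip):
    if entry["Protocol"] not in ("-1", protocol):
        return False
    if ip not in _network(entry["CidrBlock"]):
        return False
    port_range = entry.get("PortRange")
    return port_range is None or port_range["From"] <= port <= port_range["To"]


def evaluate_nacl(entries, protocol, port, source_ip, egress=False):
    """AWS semantics: ascending RuleNumber, first match wins, implicit deny at the end."""
    ip = ipaddress.ip_address(source_ip)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] == egress and _matches(entry, protocol, port, ip):
            return entry["RuleAction"]
    return "deny"


def allowed_inbound_tcp_ports(entries, source_ip="203.0.113.10"):
    return [p for p in range(1, 65536)
            if evaluate_nacl(entries, "6", p, source_ip) == "allow"]


def to_ranges(ports):
    """Collapse a sorted port list into (low, high) ranges for readable output."""
    ranges = []
    for p in ports:
        if ranges and ranges[-1][1] == p - 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def unexpected_inbound(entries, baseline=BASELINE_PORTS, ephemeral=EPHEMERAL,
                       source_ip="203.0.113.10"):
    """Inbound TCP ports the Internet can reach that are neither baseline nor ephemeral."""
    low, high = ephemeral
    return to_ranges([p for p in allowed_inbound_tcp_ports(entries, source_ip)
                      if p not in baseline and not low <= p <= high])


def load_balancer_findings(name, attributes, web_acl_arn):
    """web_acl_arn is what wafv2.get_web_acl_for_resource() reports; None means no WAF attached."""
    attrs = {a["Key"]: a["Value"] for a in attributes}
    findings = []
    if attrs.get("access_logs.s3.enabled") != "true" or not attrs.get("access_logs.s3.bucket"):
        findings.append(f"{name}: access logging to an S3 bucket is not enabled")
    if not web_acl_arn:
        findings.append(f"{name}: no WAF web ACL is associated")
    return findings


if __name__ == "__main__":
    print("ports reachable beyond baseline:", unexpected_inbound(SAMPLE_ENTRIES))
    print("\n".join(load_balancer_findings("lab-alb", SAMPLE_ALB_ATTRIBUTES, None)))
```

Two things the output makes visible that the prose does not: the ephemeral range is open inbound at the NACL layer by design, which is why the table also requires host firewalls or Security Groups (stateful) for moderate and high risk systems; and a deny rule numbered after an allow for the same traffic has no effect, so the fix for rule 50 is to delete it or renumber the deny below it, not to add more rules at the end.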
...