
Terms and Conditions for Use

Your Azure DevOps Organization is to be used only for Yale University purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities may be monitored for administrative and security purposes.  Anyone using the environment consents to such monitoring and accepts responsibility to preserve the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in your Azure DevOps Organization. Use is subject to all policies and procedures set forth by the University at https://your.yale.edu/policies-procedures/policies

You are responsible for making sure that Yale's Minimum Security Standards are met, either by Microsoft or by you.

All services and applications which handle moderate or high risk data must have a Security Planning Assessment (SPA) with Yale IT Information Security as required by the Minimum Security Standards.

For more information on Yale IT security, see https://cybersecurity.yale.edu/


About the Shared Security Responsibility Model

Cloud providers are responsible for the security of the platform that they provide, while users of those platforms are responsible for configuring the solutions they build in a secure manner.  This is known as the Shared Responsibility Model for cloud services.  You are responsible for security configurations beyond what Microsoft provides. 

When reading the table below, please keep in mind the following definitions:


  • "Azure DevOps" or "Microsoft" refers to features of Azure DevOps services as Microsoft provides them to Yale, which are generally not under Yale's control.
  • "You" or "User" refers to things that you must do to protect the security and integrity of your work, either as a best practice or to comply with a Yale policy.




Yale Security Requirement

Microsoft Provides

Your Responsibility

Data Identification

You are responsible for identifying your data and upholding the security requirement for it. Please refer to the following site for data classification information: https://cybersecurity.yale.edu/classifyingsystems

If you have an additional data use agreement, you are responsible for adhering to that contractual agreement.

Yale's BAA with Microsoft covers all services in Azure which are listed as "Core Services" here. If you have HIPAA data, it is your responsibility to review this list from time to time to confirm that Azure DevOps continues to be covered.

Also, in order for your Azure DevOps usage to be covered by Yale's BAA with Microsoft, you must configure your Azure DevOps Organization to be billed to an Azure subscription in Yale IT's Azure tenant.

You are responsible for notifying cloud.support@yale.edu and information.security@yale.edu if the classification of your data changes.

Maintain Contact Information


You are responsible for managing the membership of the AD group that controls access to your Azure resources.

If you are the owner or administrator of a subscription, you are also responsible for keeping contact information up to date and notifying cloud.support@yale.edu of any changes to these items:

  • Owner Department
  • Owner Department Contact
  • Support Department
  • Support Department Contact
  • COA / Charging instructions

Azure sends notices relevant to your account to the email address associated with your account. This is typically an Office 365 Distribution List of the form azure-partner-partnername@yale.edu. If you are the owner or administrator of a subscription, you are responsible for keeping this list up to date with your team's email addresses, either by notifying cloud.support@yale.edu of any changes or by making the changes yourself to a constituent group in that Distribution List.




Enterprise Authentication and Multi-Factor Authentication (MFA)

Enterprise authentication to the Azure DevOps console is through Azure Active Directory (Azure AD). 

Yale IT has configured Azure AD to require Duo MFA for Azure DevOps console login.


You are required to implement enterprise authentication and enforce MFA on all resources that contain moderate or high risk data.

To enable enterprise authentication, including Duo MFA, you must log in to the DevOps console with your Yale email address to create your Organization. An Organization created with a personal Microsoft account is not backed by Yale's Azure AD and its users are not subject to Duo MFA.

In the Users pane under Organization Settings, you must add users using their Yale email address.

While enterprise authentication is not required for low risk data, it is highly recommended. In all cases you should limit the use of alternate authentication credentials (personal access tokens, SSH keys and similar non-interactive credentials), since these bypass the interactive Duo MFA prompt.

User Access

Azure DevOps defines various access levels to grant or restrict access to select web portal features.

It is your responsibility to manage users and their access levels in view of Yale's Minimum Security Standards and using the principle of "least privilege". Documentation on adding and managing user access can be found here. It is your responsibility to ensure that user access continues to be appropriate over time.


User Permissions

Azure DevOps provides means described here to tailor users' capabilities within your DevOps Organization.

It is your responsibility to manage user permissions within your Organization in view of Yale's Minimum Security Standards and using the principle of "least privilege" via the Permissions pane under Organization Settings. It is your responsibility to ensure that user permissions continue to be appropriate over time.


Security Policies

Azure DevOps provides the ability to enable security policies via the Policies pane within Organization Settings.

It is your responsibility to configure DevOps security policies to provide security appropriate for your data classification.
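The following is an added example of the periodic access review that the Enterprise Authentication and User Access rows above call for; it is not part of this Yale document and not a Microsoft tool. It pulls the organization's user entitlements from the Azure DevOps REST API and flags accounts that are not Yale identities (so Azure AD sign-in and Duo MFA do not apply), accounts that have not signed in for a long time, and project administrators, so that an owner can confirm each one is still appropriate. The domain list, the 90-day threshold and the sample data are assumptions made for the example; the endpoint and field names follow the published "User Entitlements - List" reference and should be confirmed against the current API version.

```python
"""Access review for an Azure DevOps organization (added example; not Yale's
document text and not Microsoft tooling).

Checks each user entitlement against two responsibilities from the shared
responsibility table: every account should be a Yale identity, and access
should stay appropriate over time (no dormant accounts, administrators
reviewed explicitly).
"""
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumption: Yale identities are user@yale.edu; add other Yale-managed domains if needed.
ALLOWED_DOMAINS = ("yale.edu",)
# Assumption: a review threshold chosen for this example, not a Yale-mandated number.
STALE_AFTER = timedelta(days=90)
# Endpoint and field names (members[].user.principalName, lastAccessedDate,
# projectEntitlements[].group.groupType, projectRef.name) follow the
# "User Entitlements - List" REST reference; confirm against the current api-version.
API_VERSION = "6.0-preview.3"


def fetch_entitlements(org: str, pat: str) -> list:
    """Download every user entitlement in the organization (network call; the
    offline demo below uses SAMPLE_MEMBERS instead).  The PAT needs the
    'Member Entitlement Management (read)' scope."""
    auth = base64.b64encode(f":{pat}".encode()).decode()
    base = f"https://vsaex.dev.azure.com/{org}/_apis/userentitlements"
    url = f"{base}?api-version={API_VERSION}"
    members = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        members.extend(page.get("members", []))
        token = page.get("continuationToken")   # paging token, present when more pages exist
        url = f"{base}?continuationToken={token}&api-version={API_VERSION}" if token else None
    return members


def _parse_ts(ts: str) -> datetime:
    """Parse API timestamps such as 2024-02-20T09:15:00.1234567Z (7 fractional digits)."""
    ts = ts.rstrip("Z")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def _domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def review_entitlements(members: list, now: datetime) -> list:
    """Return (principalName, finding) pairs that need an Organization owner's attention."""
    findings = []
    for m in members:
        upn = m.get("user", {}).get("principalName", "")
        if _domain(upn) not in ALLOWED_DOMAINS:
            findings.append((upn, "not a Yale identity: Azure AD sign-in and Duo MFA do not apply"))
        # A user who has never signed in is reported with the year-0001 epoch.
        last = _parse_ts(m.get("lastAccessedDate", "0001-01-01T00:00:00Z"))
        if last < now - STALE_AFTER:
            findings.append((upn, f"no sign-in in the last {STALE_AFTER.days} days: remove or justify"))
        admin_of = [p["projectRef"]["name"] for p in m.get("projectEntitlements", [])
                    if p.get("group", {}).get("groupType") == "projectAdministrator"]
        if admin_of:
            findings.append((upn, f"project administrator in {', '.join(admin_of)}: confirm least privilege"))
    return findings


# Constructed sample in the API's shape (not real Yale data).
SAMPLE_MEMBERS = [
    {"user": {"principalName": "alice@yale.edu"},
     "lastAccessedDate": "2024-02-20T09:15:00.1234567Z",
     "projectEntitlements": [{"projectRef": {"name": "lims"},
                              "group": {"groupType": "projectContributor"}}]},
    {"user": {"principalName": "bob@gmail.com"},            # personal Microsoft account
     "lastAccessedDate": "2024-01-10T17:42:08Z",
     "projectEntitlements": []},
    {"user": {"principalName": "carol@yale.edu"},
     "lastAccessedDate": "0001-01-01T00:00:00Z",           # never signed in
     "projectEntitlements": [{"projectRef": {"name": "lims"},
                              "group": {"groupType": "projectAdministrator"}}]},
]
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for upn, finding in review_entitlements(SAMPLE_MEMBERS, NOW):
        print(f"{upn}: {finding}")
```

Run it as-is to see the three findings for the constructed sample (bob's non-Yale identity, carol's dormant account and carol's administrator role); to review a real Organization, replace SAMPLE_MEMBERS with fetch_entitlements(org, pat) and keep the PAT itself out of source control.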
Data Encryption

As described in the Azure DevOps documentation here, data in transit in or out of Azure DevOps is encrypted via HTTPS (TLS).

Data stored in Azure DevOps is encrypted at rest as follows:

  • For data stored in Azure SQL databases, Azure DevOps uses Transparent Data Encryption (TDE). TDE encrypts the database, its backups and its transaction log files at rest, so that the raw files are unreadable if they are copied or stolen. It does not protect data from a user who already has access through Azure DevOps itself, which is why the access and permission responsibilities above still apply.

  • Azure Blob Storage connections are encrypted to protect your data in transit. To protect data at rest stored in Azure Blob Storage, Azure DevOps uses Azure Storage Service Encryption (SSE).


You are responsible for encrypting moderate and high risk data at rest wherever it leaves the Azure DevOps service, for example on self-hosted build agents, in exported backups or artifacts, and in any other store that your pipelines write to.

You are responsible for ensuring that moderate and high risk data transfers in or out are encrypted using secure protocols, and for turning on and configuring encryption for any Azure DevOps service or resource you manage where it is not enabled by default. This applies to connections made by your applications and pipelines as well as to management and maintenance connections.

TLS encryption is highly recommended even for low risk data.


Audit Logging

As described in the Azure DevOps documentation here, auditing is turned on by default (in Public Preview) for all Azure DevOps organizations, and audit logs are retained for 90 days. Confirm the current default and retention period against the documentation, since both may change while the feature is in preview.

It is your responsibility to review audit logs. Yale's Minimum Security Standards require you to review your audit logs for systems that handle HIPAA data.

Forwarding logs to an external log server is an upcoming requirement for moderate and high risk data. It is your responsibility to configure audit streaming. Because Azure DevOps itself retains audit events for only 90 days, streaming is also the only way to keep a longer history for investigations. Options for enabling audit streaming are described here.
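The following is an added example of the audit log review described in this row; it is not part of this Yale document and not a Microsoft tool. It takes audit entries in the shape returned by the Audit Log "Query" REST API (the same records the Auditing page exports) and pulls out the ones a reviewer should look at first: permission, policy and auditing changes, new credentials and group membership changes, with escalation when the actor is not a Yale identity or acted through a personal access token rather than an interactive MFA session. The field names follow the Audit Log REST reference; the specific actionId strings, organization and project names and actors in the sample are constructed for the example and should be checked against the current list of audit events.

```python
"""Audit log triage for an Azure DevOps organization (added example; not
Yale's document text and not a Microsoft tool).

Takes audit entries in the shape returned by the Audit Log "Query" REST API
(or exported from Organization Settings > Auditing) and returns the ones a
reviewer should examine first.
"""
from collections import Counter

# Field names (actionId, area, category, actorUPN, authenticationMechanism,
# timestamp, scopeDisplayName) follow the Audit Log REST reference.  The
# actionId strings in SAMPLE_ENTRIES are constructed to resemble documented
# events; confirm them against the current audit events list.
HIGH_AREAS = {"Permissions", "Policy", "Auditing"}   # who can do what, org policies, the audit trail itself
MEDIUM_AREAS = {"Token", "Groups"}                   # new credentials, group membership changes
WATCH_CATEGORIES = {"create", "modify", "remove"}
ALLOWED_DOMAINS = ("yale.edu",)                      # assumption: Yale identities are user@yale.edu


def _domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""


def triage(entries: list) -> list:
    """Return findings sorted high-first, each carrying the entry's key fields and reviewer notes."""
    findings = []
    for e in entries:
        area, category = e.get("area", ""), e.get("category", "").lower()
        severity, notes = None, []
        if category in WATCH_CATEGORIES and area in HIGH_AREAS:
            severity, notes = "high", [f"{area} changed"]
        elif category in WATCH_CATEGORIES and area in MEDIUM_AREAS:
            severity, notes = "medium", [f"{area} changed"]
        if severity is None:
            continue                                  # routine activity; not surfaced
        actor = e.get("actorUPN", "")
        if _domain(actor) not in ALLOWED_DOMAINS:
            severity = "high"                         # non-Yale actor: no Azure AD sign-in, no Duo MFA
            notes.append("actor is not a Yale identity")
        if e.get("authenticationMechanism", "").upper().startswith("PAT"):
            notes.append("done with a personal access token, not an interactive MFA session")
        findings.append({"severity": severity, "timestamp": e.get("timestamp", ""),
                         "actor": actor, "actionId": e.get("actionId", ""),
                         "scope": e.get("scopeDisplayName", ""), "notes": notes})
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], f["timestamp"]))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity, e.g. {'high': 3, 'medium': 1}."""
    return dict(Counter(f["severity"] for f in findings))


# Constructed sample entries (not real Yale data; organization/project names are invented).
SAMPLE_ENTRIES = [
    {"timestamp": "2024-02-27T14:03:11Z", "actorUPN": "alice@yale.edu",
     "authenticationMechanism": "AAD_Cookie", "area": "Permissions", "category": "modify",
     "actionId": "Security.ModifyPermission", "scopeDisplayName": "yale-lims (Organization)"},
    {"timestamp": "2024-02-27T16:20:45Z", "actorUPN": "bob@gmail.com",
     "authenticationMechanism": "AAD_Cookie", "area": "Token", "category": "create",
     "actionId": "Token.PatCreateEvent", "scopeDisplayName": "yale-lims (Organization)"},
    {"timestamp": "2024-02-28T08:00:02Z", "actorUPN": "alice@yale.edu",
     "authenticationMechanism": "AAD_Cookie", "area": "Licensing", "category": "modify",
     "actionId": "Licensing.Modified", "scopeDisplayName": "yale-lims (Organization)"},
    {"timestamp": "2024-02-28T23:41:19Z", "actorUPN": "svc-build@yale.edu",
     "authenticationMechanism": "PAT_Unscoped", "area": "Groups", "category": "modify",
     "actionId": "Group.UpdateGroupMembership.Add", "scopeDisplayName": "lims (Project)"},
    {"timestamp": "2024-02-29T11:12:00Z", "actorUPN": "carol@yale.edu",
     "authenticationMechanism": "AAD_Cookie", "area": "Auditing", "category": "remove",
     "actionId": "AuditLog.StreamDeleted", "scopeDisplayName": "yale-lims (Organization)"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_ENTRIES)
    print(summarize(results))
    for f in results:
        print(f"[{f['severity']}] {f['timestamp']} {f['actor']} {f['actionId']} "
              f"({f['scope']}): {'; '.join(f['notes'])}")
```

For the constructed sample the licensing change is left out as routine, the permission change and the deleted audit stream are high, the PAT created by a non-Yale account is escalated to high, and the group membership change made with a PAT is medium with a note. Run the same triage over a streamed copy of the log (at the time of writing, Organization Settings > Auditing > Streams can send events to Splunk, Azure Monitor Logs or Azure Event Grid) so that entries older than the 90-day retention window are still available.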



Backups/Restores

Azure DevOps built-in features to ensure data availability are described in the DevOps documentation here.

Azure Storage geo-replicates customer data between two regions in the same geography.

Azure Blob Storage customer data is replicated three times within a single region, and is replicated asynchronously to a second region in the same geography.

For Azure SQL Database storage, daily backups are maintained off-site for use in the event of a regional disaster.


You are responsible for backups of your data in Azure DevOps.  This includes setting up backups for resources that are not backed up automatically and verifying that backups that are made are valid and able to be restored.

Please check the documentation for the DevOps service(s) that you are using to determine if they perform data backups automatically and whether those backups meet your requirements.

Backup is mandatory for all resources/services and disks with moderate or high risk data and strongly recommended for all services that support it.


Alerts and Notices

Azure DevOps provides the ability to configure alerts and notices on certain types of activity via the Notifications pane within Organization Settings.

It is your responsibility to configure alerts and notices in the Notifications pane within Organization Settings and to address notices and alerts.


Attestation

This document provides an overview of best-practices for Azure DevOps services and makes useful suggestions for how to increase the security of your environment. 


You must periodically attest to and acknowledge that you are handling data in a manner which is compliant with the appropriate Yale policies. 

You are required to accept this document as Terms of Use when you begin using Azure DevOps and again annually or when there are changes to the document.

You also are responsible for making sure that users of your DevOps Organization are aware of their security responsibilities.

Yale IT reserves the right to disable your access to Azure DevOps for failure to abide by the guidelines in this Shared Responsibility document.









