Shared Security Responsibility Model for GCP Access


Terms and Conditions for Use

Yale's GCP (Google Cloud Platform) environment is to be used only for Yale University purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities are monitored for administrative and security purposes. Anyone using the environment consents to such monitoring and accepts responsibility for preserving the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in Yale's GCP environment. Use is subject to all policies and procedures set forth by the University at https://your.yale.edu/policies-procedures/policies

You are responsible for making sure that Yale's Minimum Security Standards are met either by Google, by Yale IT or by you.

Yale’s Minimum Security Standards require a Security Planning Assessment for new applications.

Using moderate or high risk data in Yale’s GCP organization is currently prohibited.  If, at a future date, moderate or high risk data is allowed, all services and applications which handle moderate or high risk data must have a Security Planning Assessment as required by the Minimum Security Standards.

For more information on Yale IT security, see https://cybersecurity.yale.edu/


About the Shared Security Responsibility Model

A cloud provider such as Google is responsible for the security of the platform it provides (security of the cloud), while users of that platform are responsible for configuring and operating what they build on it securely (security in the cloud). This division is known as the Shared Responsibility Model for cloud services.

If you have your own GCP partner project(s) via the Cloud Support service, you are responsible for security configurations beyond what Google and Yale provide. If you are unable to meet your responsibilities, consider using the Spinup Self-Service portal or our Managed Servers - Linux or Managed Servers - Windows services.  

When reading the table below, please keep in mind the following definitions:

  • "GCP" refers to features of GCP services as Google provides them to Yale and are generally not under the control of Yale.

  • "Yale" or "IT" refers to work which has been done by Yale IT to configure the service to meet Yale requirements or to align with recommendations which are Yale-specific.

  • "You" or "User" refers to things that you must do to protect the security and integrity of your work, either as a best practice or to comply with a Yale policy.



The table below has four columns: Yale Minimum Security Requirement, GCP Provides, Yale IT Provides, and Your Responsibility. In this text version each row is given as the requirement name followed by the contents of those cells, in that order.

General Requirements

Scanning/Auditing



ITS Information Security may scan/audit Yale resources.

You are responsible for allowing ITS to scan/audit your resources.

Data Identification





GCP is currently approved only for low risk data. You are responsible for classifying your data and upholding the security requirements for that classification, and for making sure that your data is low risk and remains low risk throughout the life of your project. Please refer to the following site for data classification information: https://cybersecurity.yale.edu/classifyingsystems

If you have additional data use agreements, you are responsible for adhering to those contractual agreements.

GCP is currently NOT approved for moderate or high risk data.

Maintain Contact Information



Yale IT creates a Gsuite Group (EliList) for your department or lab. This group has administrative rights in your department’s/lab’s folder and can create projects in that folder.

If you are the owner or administrator of a GCP project, you are responsible for keeping contact information up to date by notifying cloud.support@yale.edu of any changes:

  • Owner Department,

  • Owner Department Contact,

  • Support Department,

  • Support Department Contact and

  • COA (charging instructions).

You are responsible for contacting cloud.support@yale.edu with changes to your department’s/lab’s administrative Gsuite Group.

You are responsible for keeping up to date who has access to projects in your folder.

If you create multiple projects, you are responsible for providing a COA for each project. If you do not provide a new COA(s), your second and subsequent projects will be billed to the same COA as your first project.

 

Application Software Inventory





You are responsible for tracking and monitoring the software you install in your GCP environment in order to detect unauthorized activity and for diagnostic purposes. In the event of an audit, you are responsible for providing a list of your installed software.

Enterprise Authentication and Multi-Factor Authentication (MFA)





ITS has configured the yale.edu GCP organization to use enterprise authentication (Yale email address and NetID), including Duo multi-factor authentication, for access to the GCP console.

You are responsible for implementing and enforcing enterprise authentication and MFA on logins to resources that you are using such as servers and applications.

 

Data Encryption

Encryption at rest:  GCP encrypts data stored at rest by default and offers several encryption key management options.

Encryption in transit: Google encrypts and authenticates data in transit at one or more network layers when data moves outside physical boundaries controlled by Google. Data in transit inside a physical boundary controlled by Google is generally authenticated but not necessarily encrypted. See the tables in Google's "Encryption in Transit in Google Cloud" whitepaper to understand where data is and is not encrypted by default.



If you are required to encrypt your data at rest and/or in transit, you are responsible for this encryption, where it is not provided by Google.



Centralized System Logging

Google provides Operations Suite (formerly Stackdriver) to monitor, troubleshoot, and improve application performance. Google provides the Cloud Logging service within Operations Suite which can be used for log management and analysis.

Yale IT has enabled Forseti and Security Command Center for the yale.edu Organization. Yale IT has enabled VPC flow logs for all VPCs associated with Yale IT 10.8.0.0/16 subnets. The VPC flow logs for each VPC associated with a project are stored in that project.



You are responsible for enabling Cloud Logging to log activity in your project as desired. Note that Admin Activity audit logs are always on, but Data Access audit logs are off by default for most services and must be enabled explicitly if you need a record of who read or modified your data. In the event of an audit, you are responsible for providing these logs.
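The VPC flow logs that Yale IT enables land in your project's Cloud Logging, and the point of collecting them is to look at them. The following added example (not Yale's or Google's code) reads flow log entries as they come out of a Cloud Logging export and flags connections that reach the private 10.8.0.0/16 subnets from outside the internal address space. It assumes the compute.googleapis.com/vpc_flows jsonPayload layout (connection.src_ip, src_port, dest_ip, dest_port, protocol; reporter; bytes_sent) and treats RFC 1918 sources as internal; the sample records are constructed for the example, not real traffic.

```python
"""Added example, not Yale's or Google's code: scan VPC flow log entries
exported from Cloud Logging for connections that reach the private Yale
subnets from outside the internal address space.

Assumptions: entries use the compute.googleapis.com/vpc_flows jsonPayload
layout (connection.src_ip, src_port, dest_ip, dest_port, protocol; reporter;
bytes_sent); 10.8.0.0/16 is the private range named on the page; the sample
records below are constructed, not real traffic.
"""
import ipaddress
import json

YALE_PRIVATE = ipaddress.ip_network("10.8.0.0/16")
# Address space that may legitimately reach the private subnets (assumption:
# campus traffic arrives over the private interconnect with RFC 1918 sources).
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM

# Constructed sample: one Cloud Logging entry per line (NDJSON export).
# The last line is an audit log entry, included to show it is skipped.
SAMPLE_LOG = r'''
{"logName":"projects/example-proj/logs/compute.googleapis.com%2Fvpc_flows","jsonPayload":{"reporter":"DEST","connection":{"src_ip":"10.8.4.20","src_port":51234,"dest_ip":"10.8.7.5","dest_port":22,"protocol":6},"bytes_sent":"4820"}}
{"logName":"projects/example-proj/logs/compute.googleapis.com%2Fvpc_flows","jsonPayload":{"reporter":"DEST","connection":{"src_ip":"198.51.100.77","src_port":40000,"dest_ip":"10.8.7.5","dest_port":3389,"protocol":6},"bytes_sent":"120"}}
{"logName":"projects/example-proj/logs/compute.googleapis.com%2Fvpc_flows","jsonPayload":{"reporter":"SRC","connection":{"src_ip":"10.8.7.9","src_port":44000,"dest_ip":"203.0.113.10","dest_port":443,"protocol":6},"bytes_sent":"9100"}}
{"logName":"projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity","protoPayload":{"methodName":"v1.compute.instances.insert"}}
'''


def is_internal(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_RANGES)


def flow_payloads(ndjson_text: str):
    """Yield the jsonPayload of each VPC flow entry, skipping other log types."""
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("logName", "").endswith("vpc_flows"):
            yield entry["jsonPayload"]


def external_inbound(ndjson_text: str) -> list:
    """Findings as (src_ip, dest_ip, dest_port, severity) for flows whose
    destination is inside 10.8.0.0/16 but whose source is not internal."""
    findings = []
    for payload in flow_payloads(ndjson_text):
        conn = payload["connection"]
        if ipaddress.ip_address(conn["dest_ip"]) not in YALE_PRIVATE:
            continue
        if is_internal(conn["src_ip"]):
            continue
        port = int(conn["dest_port"])
        severity = "high" if port in ADMIN_PORTS else "medium"
        findings.append((conn["src_ip"], conn["dest_ip"], port, severity))
    return findings


def egress_bytes_by_destination(ndjson_text: str) -> dict:
    """Bytes sent from private hosts to non-internal destinations, keyed by
    destination IP; useful for spotting unexpected outbound traffic."""
    totals = {}
    for payload in flow_payloads(ndjson_text):
        conn = payload["connection"]
        if ipaddress.ip_address(conn["src_ip"]) in YALE_PRIVATE and not is_internal(conn["dest_ip"]):
            totals[conn["dest_ip"]] = totals.get(conn["dest_ip"], 0) + int(payload.get("bytes_sent", 0))
    return totals


if __name__ == "__main__":
    for finding in external_inbound(SAMPLE_LOG):
        print("external inbound:", finding)
    print("egress bytes:", egress_bytes_by_destination(SAMPLE_LOG))
```

In the sample, the RDP connection from 198.51.100.77 into 10.8.7.5 is the only flow that should not be possible on a private subnet, so it is the only finding; the HTTPS egress to 203.0.113.10 is just summarized. To run this against real data, export the log with a filter on the vpc_flows log name and feed the NDJSON file to the functions above.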

 

Backups/Restores

GCP has considerable redundancy and HA capabilities but does not automatically back up virtual servers or data. 

Some services, such as Cloud SQL, provide automated backups by default.



 

You are responsible for backups of your data in GCP and are strongly encouraged to implement backups. This includes setting up backups for resources that are not backed up automatically and verifying that backups that are made are valid and able to be restored.

Please check the documentation for the GCP service(s) that you are using to determine if they perform data backups automatically and whether those backups meet your requirements.
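A backup that has never been restored is an assumption, not a backup. The following added example (not Yale's or Google's code) shows the minimum verification loop the responsibility above asks for: back up a directory to a tarball together with a SHA-256 manifest, restore it into a fresh location, and compare the restore against the manifest so that missing or altered files are reported. It runs entirely in a temporary directory and touches no GCP service; the file tree and contents are constructed for the demonstration.

```python
"""Added example, not Yale's or Google's code: back up a directory to a
gzip tarball with a SHA-256 manifest, restore it elsewhere and verify the
restore against the manifest. Runs entirely in a temporary directory; the
file tree and contents are constructed for the demonstration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def backup(root: Path, archive: Path) -> dict:
    """Write the archive and a side-car manifest; return the manifest."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def restore(archive: Path, target: Path) -> None:
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Python 3.12 (and security backports) offer the 'data' filter, which
        # refuses path traversal and absolute members; older versions lack it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(target, **kwargs)


def verify(expected: dict, target: Path) -> list:
    """Return a list of problems; an empty list means the restore matches."""
    actual = build_manifest(target)
    problems = []
    for rel, digest in sorted(expected.items()):
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    problems += [f"unexpected file: {rel}" for rel in sorted(actual.keys() - expected.keys())]
    return problems


def demo() -> dict:
    """Back up a constructed tree, verify a good restore, then damage the
    restored copy and show that verification reports it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.yaml").write_text("listen: 127.0.0.1:8080\n")
        (src / "notes.txt").write_text("constructed sample content\n")
        archive = tmp / "backup.tar.gz"
        manifest = backup(src, archive)
        restored = tmp / "restore"
        restore(archive, restored)
        # Verify from the on-disk manifest, as a restore job would.
        clean = verify(json.loads(manifest_path(archive).read_text()), restored)
        # Simulate a partial/tampered restore and check again.
        (restored / "notes.txt").unlink()
        (restored / "config" / "app.yaml").write_text("listen: 0.0.0.0:8080\n")
        damaged = verify(manifest, restored)
        return {"files": len(manifest), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the archive (or in a second location) and run the verify step on a schedule, not only when you need the restore; a manifest also lets you detect a backup that was silently altered before it was restored.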

 

High Availability and Disaster Recovery

GCP has services in many geographical regions.  Each region has multiple zones (distinct data centers that do not share infrastructure).   PaaS and SaaS services are typically highly resilient, but IaaS services need to be architected/setup with availability in mind.

Yale maintains redundant private connections to the private 10.8.0.0/16 Yale subnets in the GCP cloud.

It is your responsibility to understand if the GCP services you are using are resilient across zones within a region or across regions and to design a high availability architecture and/or disaster recovery plan to meet your target recovery time and recovery point objectives.

If your application requires high availability and/or special disaster recovery considerations, contact cloud.support@yale.edu for assistance.

Service and Application Monitoring

Google posts service health information for the GCP platform at https://status.cloud.google.com/. Google sends email notices about events that impact your project to the email addresses of the people or groups with the owner role on your project.

Issues with GCP which are discovered to impact Yale are posted on the #gcp channel at https://yale.slack.com and on the ITS System Status Page.



If you would like your application to be monitored by ITS staff or to receive notifications if a service issue may impact your work, submit a ticket using ServiceNow or contact helpdesk@yale.edu (203-432-9000) for assistance.

Alerts and Notices

Google posts service health information for the GCP platform at https://status.cloud.google.com/. Google sends email notices about events that impact your project to the email addresses of the people or groups with the owner role on your project.

Google email notices sent to the yale.edu organization owners are posted on the #gcp channel at https://yale.slack.com and on the ITS System Status Page.

If you are the project owner, it is your responsibility to assess how notifications from Google affect your project. You can also configure your own alerting policies in the Monitoring section of the GCP console.

Attestation

Google offers security related services such as Google Security Command Center to provide proactive recommendations on best practices and to monitor your environment for unauthorized activity.

Yale IT has enabled Security Command Center for the yale.edu organization. The Security Command Center dashboard is accessible by Yale IT people with a Security Command Center role.

You must periodically attest to and acknowledge that you are handling data in a manner which is compliant with the appropriate Yale policies. 

Members of the Gsuite Group (EliList) that has administrative rights in your department's/lab's folder are required to accept this document as Terms of Use before using GCP, and again annually or whenever the document changes. If a project owner grants access to someone outside the folder administrator group, the project owner is responsible for making sure that the new person abides by these guidelines.

If you would like to review a report of Security Command Center findings for your project, contact cloud.support@yale.edu.

Yale IT reserves the right to disable your project for failure to abide with the guidelines set by this Shared Responsibility document.



Virtual machines (VMs) and Databases

Harden OS Image



Hardened OS images from the Center for Internet Security (CIS) are available within GCP in the Marketplace. CIS Hardened Images are base operating system images pre-configured to the CIS Benchmarks, secure configuration standards developed by consensus and used by thousands of organizations worldwide.

These hardened images help mitigate many common threats, including denial of service, insufficient authorization, and overlapping trust boundaries.

 



Servers are required to be configured using CIS security standards.

Use of CIS hardened images is recommended for all uses. The CIS images are available through the GCP Marketplace and carry an additional cost.

If you do not use one of the CIS images, be sure to review the security guidelines for the operating system you are using and implement as many of them as are feasible. 

The CIS Benchmarks on the CIS website are a good place to start.

Use a Supported Operating System

GCP provides images of supported operating systems in the GCP Marketplace.



If you deploy a virtual machine, you must use a supported version of the operating system as described on the ITS Operating System Recommendations page and maintain the operating system at a supported version.

OS Patching

Operating system images in GCP which are provided by vendors typically do not have automatic updating enabled.



If you have a virtual machine, you are responsible for keeping the operating system up to date by verifying that updates are installed at least monthly.

Application Patching





If you are running a virtual machine, you are responsible for keeping the application(s) installed on it up to date with security-related patches/updates. This includes all libraries and non-OS components on which the application is dependent.

You should work with your application vendor(s) to be aware of the update procedure for your application and stay informed with respect to security updates/new releases for those applications.

The Security Planning Assessment (SPA) process must be completed for all applications, especially those which handle moderate or high risk data. (Note: moderate or high risk data is not currently allowed in Yale’s GCP Organization.)

Network Protection

GCP includes built-in network protections for the GCP platform.

Yale IT manages firewalls for the private Yale data center networks extended into GCP (10.8.0.0/16 addresses) for logging traffic between campus and GCP.

 

You are responsible for protecting your network from malicious external access. Host-based firewalls are recommended for all systems. Firewall options include Windows Firewall, iptables/nftables, or ufw/firewalld.

Resources should be deployed onto private subnets. Resources on the private subnets may not use public IPs. If you need a resource to be accessible from outside of Yale, contact cloud.support@yale.edu describing your need.
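The host-based firewall recommendation above is easy to get wrong in the one way that matters: opening an admin port (SSH, RDP, WinRM) to every source. The following added example (not Yale's or Google's code) renders a default-deny nftables ruleset for a Linux VM on the private subnets in which admin ports are only reachable from a private source range, and it includes a small checker that flags the weak form (an admin port accepted with no source restriction) so you can audit an existing ruleset. It assumes nftables on the VM and takes 10.8.0.0/16 from the page; the port numbers, the jump-host range and the weak ruleset are placeholders constructed for the example.

```python
"""Added example, not Yale's or Google's code: render a default-deny nftables
ruleset for a Linux VM on the private subnets and check a ruleset for admin
ports that accept from any source. Assumptions: 10.8.0.0/16 is the private
range named on the page; the ports, the jump-host source range and the weak
ruleset below are placeholders constructed for the example.
"""
import ipaddress
import re

YALE_PRIVATE = "10.8.0.0/16"
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_allowed_source(cidr: str) -> bool:
    """True only for ranges inside RFC 1918 space (so 0.0.0.0/0 is refused)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in RFC1918)


def _port_set(ports) -> str:
    return "{ " + ", ".join(str(p) for p in sorted(ports)) + " }"


def render_nftables(admin_sources, admin_ports, service_ports=(), service_sources=(YALE_PRIVATE,)) -> str:
    """Drop inbound by default; allow loopback, established/related and ICMP;
    admin ports only from admin_sources; service ports only from service_sources."""
    for cidr in list(admin_sources) + list(service_sources):
        if not is_allowed_source(cidr):
            raise ValueError(f"{cidr} is not a private range; exposure from it is not allowed here")
    if set(service_ports) & ADMIN_PORTS:
        raise ValueError("admin ports belong under admin_ports, not service_ports")
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    ip protocol icmp accept",
    ]
    for cidr in admin_sources:
        lines.append(f"    ip saddr {cidr} tcp dport {_port_set(admin_ports)} accept")
    for cidr in (service_sources if service_ports else ()):
        lines.append(f"    ip saddr {cidr} tcp dport {_port_set(service_ports)} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def has_default_drop(ruleset: str) -> bool:
    return "policy drop;" in ruleset


def exposed_admin_rules(ruleset: str) -> list:
    """Accept rules that match an admin port without any source restriction."""
    bad = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line.endswith("accept") or "dport" not in line or "saddr" in line:
            continue
        ports = {int(p) for p in re.findall(r"\d+", line.split("dport", 1)[1])}
        if ports & ADMIN_PORTS:
            bad.append(line)
    return bad


# Constructed weak ruleset: SSH reachable from anywhere and no default drop.
WEAK_RULESET = """\
table inet filter {
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport 22 accept
    tcp dport { 80, 443 } accept
  }
}
"""

if __name__ == "__main__":
    print(render_nftables(["10.8.1.0/24"], {22}, service_ports={443}))
    print("weak rules:", exposed_admin_rules(WEAK_RULESET))
```

Write the rendered text to /etc/nftables.conf and load it with nft -f; the checker can be pointed at the output of nft list ruleset to audit a VM you did not build. The same two properties (default drop, admin ports restricted by source) are what to look for in a Windows Firewall or ufw configuration as well.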

Hosting websites







Web Sites

Google provides a variety of different resources/services for web hosting/management.



Websites are governed by the following university policies, as well as any additional school- or department-specific policies, regulations and guidelines that apply to your use:

You must agree to follow these guidelines and all other applicable policies, regulations and guidelines before creating a website.

School of Medicine departments and units (with the exception of MB&B), including faculty lab websites, are not eligible and must contact the YSM Web Group at ysm.editor@yale.edu for more information about the School of Medicine’s web services offerings.

The university expects all Yale community members to comply with applicable privacy and intellectual property laws. Websites are only authorized for the handling of low-risk data and must not be used in connection with moderate- or high-risk data. For more information on data classification, visit the Protect Your Data page on the IT at Yale Cybersecurity website.

Site owners are expected to respect copyright and are responsible for evaluating whether the use of any information or content made available on their website requires copyright permission. Please review the Office of the General Counsel’s Copyright Resources and Rights Clearance Guide for Digital Projects for information regarding copyright issues that may arise in digital contexts.

“Yale” and “Yale University” are trademarks of the university and its logos and colors may only be used for official functions of the university and must adhere to the guidelines of the Office of the University Printer to ensure appropriate alignment with Yale’s visual identity standards. Please review the Yale Identity Web Guidelines. University trademarks may not be used to state or suggest institutional endorsement or sponsorship of non-official functions.

Websites are required to include a link to the Accessibility Statement Page, and websites used in connection with personal information must include a link to the Yale Privacy Policy or, if applicable, a site-specific privacy statement.

Content published without password protection or other access restrictions is publicly available. You may choose to restrict public site access.

If the yale.edu domain or subdomain is being requested, open a ServiceNow ticket assigned to YaleSites.

  • The domain name will be verified by the Yale webmaster.

  • YaleSites will verify that the website is not a commercial endorsement of third party software or endeavor. 

  • Appropriateness of content will be reviewed to support Yale's reputation.

med.yale.edu domain names have special attention as noted above.

Other services









Security Command Center provides security best practice checks and recommendations.

GCP provides Secret Manager to help you protect secrets needed to access your applications, services, and IT resources.

Yale IT has enabled Security Command Center for the yale.edu GCP organization.

You are responsible for securing all GCP services used in your projects to meet Yale's Minimum Security Standards. 

You can email cloud.support@yale.edu to request a report of Security Command Center recommendations for your projects.

You are responsible for protecting the secrets needed to access your applications, services or resources: store them in a private location such as Secret Manager rather than in source code, container images or configuration files, and keep them encrypted at rest and in transit.