What's the Spinup agreement for sensitive data?

When you create a space containing moderate or high-risk data, you need to accept the Spinup agreement regarding sensitive data and the shared security responsibility model. The agreement may be updated periodically; when that happens, you will be prompted to accept the new version when you open the space in Spinup. The content of the agreement is shown below.

Spinup Terms and Conditions for Sensitive Data

This system is to be used only for Yale University ITS business purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities are monitored for administrative and security purposes. Anyone using this system consents to such monitoring and accepts responsibility to preserve the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in your Spinup space. Use of this system is subject to all policies and procedures set forth by the University located at https://your.yale.edu/policies-procedures/policies

The user questionnaire results have determined that this system is using high or moderate risk data, as defined in Yale's Data Classification Policy. This system is approved for the use of the data types explicitly identified in the user questionnaire results, provided that the user agrees and adheres to the following shared security responsibility model.

 

Spinup Shared Security Responsibility Model

The Cloud Host Providers are responsible for "Security OF the Cloud". Spinup Users are responsible for "Security IN the Cloud". Spinup reduces some of the responsibilities for "Security IN the Cloud". The diagram and matrix below are a summary of Yale's minimum security requirements, what Spinup provides and the Spinup User's responsibilities. As outlined in the matrix below, Spinup will continue to collaborate with the Information Security Office, as well as Spinup users, to improve security and the ease of meeting the security requirements. This may result in different versions of the matrix provided below. Users will be notified of any changes made to this agreement. Spinup does not absolve the Spinup Users' responsibilities but assists in meeting information security standards by providing pre-defined setups, automation, sample scripts and best practices/how-to documents. The Spinup Users should carefully consider the services and applications they choose, as their responsibilities vary depending on the services and applications used, the integration of those services and applications into their IT environment, and any applicable regulatory and contractual agreements.

The diagram below demonstrates who is responsible for what aspects of security within the Spinup environment:

Spinup User

Responsible for security IN the cloud

  • Spinup User Content

  • Application, Identity & Access Management

Spinup Platform

Helps make the Spinup User responsibility and compliance IN the cloud easier

  • Platform, Databases, Containers, Storage

  • Operating system, Network and Firewall configuration

  • Client/Server-side data encryption

  • Regular OS updates

  • Network traffic protection

Cloud hosting provider

Responsible for security OF the cloud

  • Foundational services, such as Compute, Storage, Networking

  • Global infrastructure, such as Regions, Availability zones, Edge locations



Below is an outline of the security standards that Spinup assists with. As displayed by the diagram, all elements of Application, Identity & Access Management fall under the “Security IN the Cloud” category and are a responsibility of the Spinup User.

Yale Minimum Security Requirement

Spinup Provides

Spinup User Required Actions

Harden OS image

Spinup offers CIS CentOS 7 and CIS Windows 2016 images. CIS (Center for Internet Security) images are hardened to secure configuration standards that are collaboratively developed and used by thousands worldwide.
Hardened images help mitigate common threats such as denial of service, insufficient authorization, and overlapping trust boundaries.

Spinup User no immediate action. Long term, the Spinup User is to keep up with the supported image.

OS updates

Spinup uses AWS SSM agent to automatically install system updates for CentOS and Windows 2016

Spinup User no further action

Application updates

N/A

Spinup User to follow Application documentation for applying updates

Data encryption

Spinup has encryption turned on for disk at rest

Spinup User to use encryption for data in transit, i.e. use SFTP, HTTPS. All database connections must use SSL.

Restricted network 

Spinup sets up the default restricted network. Spinup provides a UI for port management (AWS firewall).

Spinup User can turn on/off ports in the UI: HTTPS(443), SSH(22), RDP(3389). Spinup User can further customize their host-based firewall. For example, the CIS CentOS image comes with a base iptables set up.
For external access, Spinup User must do the following:

  • Complete SDR and receive approval for external access from the Information Security Office

  • Request F5 set up with ITS load balancing team to obtain routable IP, DNS and SSL certificate

  • Consult with the Spinup team for Web Application Firewall (WAF) requirements

Restricted network for S3

Unauthenticated access to S3 buckets with moderate or high-risk data is not allowed.

Spinup User can share an S3 bucket by providing the access key

Account control for S3

N/A

Spinup User to reset access key periodically

Spinup User to purge data that is no longer required

Multi Factor Authentication

DUO for SSH and RDP

Spinup User no further action

Centralized system logging

CloudWatch agent copies system logs to an S3 bucket (365 days retention).

Spinup User no further action

Centralized application logging

N/A

Spinup User to follow application documentation to retain application logs for 30 days

Centralized access logging

Access logs for S3 and RDS are archived in a centrally managed S3 bucket

Spinup User no further action

OS software inventory

AWS SSM agent pushes OS list and patch level to syslog

Spinup User no further action

Application software inventory

N/A

Spinup User will need to have an inventory of applications installed

Tagging

Tagging for identification as defined by ISO; data type, owner, contact info, etc.

Spinup User no further action

Attestation

Publish regular usage agreement and disclaimer

Spinup User sign off

Backups/restores

14 days of daily AWS snapshots. Manual restore by Spinup team

Spinup User will need to submit a request to the Spinup team for restores.
For optional additional file-level, on-demand backups and restores, ITS offers NetBackup for a fee (based on how much data there is and how long it needs to be kept). Customers may request this by opening a Service Now ticket to the ITS Storage team.
For dedicated databases the Spinup User needs to set up regular database backups (using mysqldump, pg_dump, or a similar tool).

Backups for S3

N/A

Spinup User can turn on S3 bucket versioning

Monitoring

API access for ITS/ISO to audit security compliance issues

For optional application-level monitoring, ITS offers Opsview. This will require consultation with the ITS DC Ops team for setup and pricing. Customers may request this by opening a Service Now ticket to the ITS DC Ops team.

Continuous Improvement

Ongoing collaboration with customer/ISO/Spinup team to improve security and improve the ease of completing customer compliance tasks

Spinup User can provide feedback to the Spinup team

Other

Spinup team is available for free customer consultation

Spinup User must not tamper with the prebuilt security precautions, such as patching, system logging, SSH config.
Spinup Users are responsible for their content and anything they add within the Spinup environment.