Spinup Shared Security Responsibility Model
Terms and Conditions for Use
Spinup environments are intended solely for Yale University ITS business purposes and may only be accessed by authorized individuals. Unauthorized use is prohibited and may result in administrative or legal action.
System activity is monitored for security and operational purposes. By using this system, users consent to such monitoring and accept responsibility for maintaining the confidentiality, integrity, and availability of all data accessed, created, stored, transmitted, or received within their Spinup environment.
Use of this system is subject to all applicable Yale University policies and procedures:
Based on user questionnaire responses, this Spinup environment has been approved to handle moderate or high-risk data as defined by Yale’s Data Classification Policy:
Use of these data types is permitted only if users agree to and comply with the shared security responsibility model described below.
About the Shared Security Responsibility Model
Cloud computing security is a shared responsibility:
Cloud hosting providers are responsible for the security of the cloud
Spinup users are responsible for the security in the cloud
Spinup supports users by providing secure defaults, automation, documentation, and tooling
While Spinup reduces the operational burden of many security controls, it does not remove user accountability. Users are responsible for understanding the services they deploy, how those services are configured, and any applicable regulatory or contractual obligations.
Spinup continues to collaborate with Yale ITS and the Information Security Office (ISO) to improve platform security and ease of compliance. Updates to this model will be communicated to users.
High-Level Responsibility Breakdown
| Entity | Responsibility | Examples |
|---|---|---|
| Spinup User | Security in the cloud | User-generated content, application configuration, access control |
| Spinup Platform | Secure defaults and automation | OS hardening, encryption, patching, platform networking |
| Cloud Hosting Provider | Security of the cloud | Physical infrastructure, regions, availability zones, core services |
Security Control Responsibilities Matrix
Minimum Security Standards
| Yale Minimum Security Requirement | Spinup Provides | Spinup User Responsibilities |
|---|---|---|
| OS Image and Patching | CIS-hardened Linux and Windows images; automated OS patching via AWS SSM | Migrate to supported OS versions before end-of-life; maintain secure container base images |
| Application Updates | N/A | Apply application and library updates promptly; remediate vulnerabilities per ISO guidance |
| Data Encryption | Encryption at rest by default; enforced policies for encryption in transit | Use secure protocols (HTTPS, SSL, SFTP) for all data in transit |
| Network Restrictions | Default VPC with firewall UI; no public IPs by default | Manage firewall rules; complete SPA and request approval for external/public access |
| S3 Usage | Public unauthenticated access disabled by default | Protect and rotate access keys; manage sharing; enable versioning if needed |
| Multi-Factor Authentication (MFA) | DUO MFA for SSH, RDP, and Spinup Console | Enable MFA within applications where supported |
| Logging and Retention | System logs stored in S3 (365 days); container logs via CloudWatch | Retain application logs ≥ 30 days; log to stdout/stderr for containers |
| Backups and Restores | 14-day daily snapshots; optional 35-day NFS backups; S3 versioning support | Enable backups/versioning as needed; store container data externally |
| Monitoring | API access for ISO/ITS auditing | Request advanced monitoring (e.g., Dynatrace) if required |
| Tagging | ISO-required tags automatically supported | No action required |
| Maintain Contact Information | N/A | Keep owner/contact information accurate; transfer ownership before leaving Yale |
| Vulnerability & Incident Response | N/A | Remediate ISO-reported vulnerabilities within 30 days; report incidents immediately |
| Acceptable Use & Training | N/A | Complete required security training; comply with acceptable use and data protection policies |
| Attestation | Usage terms and disclaimers published | Review and acknowledge terms as required |
| Continuous Improvement | Ongoing collaboration with ISO and users | Provide feedback to the Spinup team |
| Other Controls | Security guardrails and consultation | Do not disable platform security controls; secure all additional services deployed |
User Acknowledgement
By continuing to use Spinup, users acknowledge that they:
Understand and accept their responsibilities under this shared security model
Will comply with Yale University security, data protection, and acceptable use policies
Accept accountability for the security of applications, data, and configurations deployed within their Spinup environment
Failure to comply with these requirements may result in remediation actions, restricted access, or suspension of services.