Hosting Sensitive Data on Spinup: Guidelines and Best Practices

Introduction

Spinup provides a secure platform for hosting resources with sensitive data, compliant with standards like HIPAA, PHI, and FERPA. This guide highlights the current resources available for sensitive data hosting and key security measures, adaptable to future updates in operating systems and technologies.

Servers

Spinup offers a range of CIS-hardened server options, regularly updated to include the latest and most secure versions. All server options are pre-configured with essential security features, including firewalls and multi-factor authentication. The specific configuration details align with the latest security best practices for each server type. Web services are typically restricted to HTTPS, usually on port 443, so the server's firewall rules must allow only that port for web traffic.

Databases

Spinup provides dedicated database services, including MySQL, PostgreSQL, and SQL Server, all configured on the secure Amazon RDS platform. These databases feature at-rest encryption, centralized logging, and support for SSL connections. Access is restricted to servers within the same Spinup space, enhancing data security.

Storage

Storage@Yale is available for secure data storage needs.

Creating a Secure Space

When setting up a new space, you'll complete a risk assessment to determine the data hosting capabilities. You must agree to the Shared Responsibility Agreement for Moderate to High-Risk.

Using a Storage@Yale share on your secure server

You can request and mount a S@Y share on your Spinup secure server through the Spinup UI. Submitting the request opens a ServiceNow ticket for the Storage team, which you can track in ServiceNow. You will be notified by e-mail once the share is ready (this usually takes about a day).

When the share is ready you can mount it on your server:

Linux:

  • Install cifs-utils:

    sudo yum install -y cifs-utils

  • Mount the share using your AD credentials, e.g.:

    sudo mount.cifs //storage.yale.edu/home/YXNAT-CC1000-SSPS-AHEF /mnt -v -o vers=3.0,domain=yale,username=netid

To automatically mount the share at boot, add an entry to your /etc/fstab file.
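The following script is an added example and is not part of the Spinup guide or the Storage team's own tooling. It shows a persistent fstab entry that keeps the AD password out of /etc/fstab (which is world-readable) by pointing mount.cifs at a root-only credentials file via the credentials= option, and it adds _netdev and nofail so a share that is unreachable at boot does not hang the server. The share path is the one from the guide; the mount point /mnt/say, the credentials path /root/.smbcredentials and the netid are placeholders.

```shell
#!/bin/sh
# Added example, not from the Spinup guide: persist a Storage@Yale CIFS mount
# across reboots with the password kept in a root-only credentials file rather
# than inline in /etc/fstab.
# Assumptions: mount point, credentials path and netid are placeholders;
# the share path is the one shown in the guide.

SHARE="//storage.yale.edu/home/YXNAT-CC1000-SSPS-AHEF"
MOUNTPOINT="/mnt/say"
CRED_FILE="/root/.smbcredentials"

# Write a mount.cifs credentials file readable only by its owner.
# $1 = path, $2 = username (netid), $3 = password
# The subshell keeps the restrictive umask from leaking into the caller.
write_credentials() {
    ( umask 077; printf 'username=%s\npassword=%s\ndomain=yale\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Return 0 when the credentials file is a regular file with no group/other
# permission bits (columns 5-10 of "ls -l" output are all dashes).
credentials_secure() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Build the /etc/fstab line. credentials= replaces username= so the password
# never appears in fstab; _netdev delays the mount until networking is up and
# nofail lets boot continue if the share is unreachable.
# $1 = share, $2 = mount point, $3 = credentials file
fstab_line() {
    printf '%s %s cifs credentials=%s,vers=3.0,domain=yale,_netdev,nofail 0 0\n' \
        "$1" "$2" "$3"
}

# Append the line to the given fstab only if it is not already present, so
# re-running the script never duplicates the entry.
# $1 = fstab path, $2 = line
add_fstab_entry() {
    grep -qF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Dry run when executed directly: print the line that would be appended.
# Real use (as root):
#   write_credentials "$CRED_FILE" netid "$PASSWORD"
#   mkdir -p "$MOUNTPOINT"
#   add_fstab_entry /etc/fstab "$(fstab_line "$SHARE" "$MOUNTPOINT" "$CRED_FILE")"
#   mount -a && mount | grep cifs
fstab_line "$SHARE" "$MOUNTPOINT" "$CRED_FILE"
```

After `mount -a`, confirm the share appears in `mount | grep cifs` and that `credentials_secure /root/.smbcredentials` still returns success; a credentials file that ever becomes group- or world-readable exposes the AD password to every local account on the server.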

Windows:

  • Attach the share as you would with any regular Windows network share.

If you run Docker on your Spinup server, you might face network issues connecting to Storage@Yale due to IP conflicts in the 172.18.0.0/16 subnet. Check which subnets are active with ifconfig. To resolve the conflict, configure Docker to use a different subnet.
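The script below is an added example, not part of the Spinup guide or of Docker's own documentation. It checks route or interface output for any address inside 172.18.0.0/16 and, when one is found, prints a /etc/docker/daemon.json that moves Docker's default bridge (bip) and its pool for user-defined networks (default-address-pools) onto other ranges. The sample route table is constructed, and the replacement ranges 10.200.0.0/16 and 10.201.0.0/16 are placeholders; choose ranges that are unused on your network.

```shell
#!/bin/sh
# Added example, not from the Spinup guide: detect the 172.18.0.0/16 clash
# between Docker's address pools and the Storage@Yale network, and emit a
# daemon.json that moves Docker onto a different range.
# Assumptions: the replacement ranges are placeholders; the sample routes are
# constructed for this example.

# Return 0 if any line of "ip route" or "ifconfig" output contains an address
# inside 172.18.0.0/16. The leading guard stops "2172.18..." style false hits.
# $1 = text to inspect
uses_172_18() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])172\.18\.[0-9]+\.[0-9]+'
}

# Print the daemon.json that reassigns Docker's address space.
# bip: address/mask of the default docker0 bridge.
# default-address-pools: ranges carved into /24 networks for
#   "docker network create" and docker compose project networks.
docker_daemon_json() {
    cat <<'EOF'
{
  "bip": "10.200.0.1/24",
  "default-address-pools": [
    { "base": "10.201.0.0/16", "size": 24 }
  ]
}
EOF
}

# Constructed sample of "ip route" output on a host where a Docker bridge
# network has already taken 172.18.0.0/16 (the conflict the guide describes).
SAMPLE_ROUTES='default via 10.4.0.1 dev eth0
10.4.0.0/20 dev eth0 proto kernel scope link src 10.4.3.7
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
172.18.0.0/16 dev br-0c1e2f3a4b5d proto kernel scope link src 172.18.0.1'

if uses_172_18 "$SAMPLE_ROUTES"; then
    echo "172.18.0.0/16 is in use locally; write this to /etc/docker/daemon.json and restart Docker:"
    docker_daemon_json
fi
# On a live host run: uses_172_18 "$(ip route)"   or   uses_172_18 "$(ifconfig)"
```

Note that daemon.json settings apply only to networks created after Docker is restarted: an existing user-defined network that already occupies 172.18.0.0/16 keeps that subnet until it is removed and recreated, so re-run the check (or `docker network inspect` on each network) after the restart to confirm the overlap is gone.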