What's the Spinup agreement for sensitive data?
- Tenyo Grozev (Unlicensed)
- Tristen Lawrence
When you create a space containing moderate or high-risk data you need to accept the Spinup agreement regarding sensitive data and the shared security responsibility model. The agreement may be periodically updated and when that happens you will be prompted to accept the new version when you open the space in Spinup. Below you can see the content of the agreement.
Spinup Terms and Conditions for Sensitive Data
This system is to be used only for Yale University ITS business purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities are monitored for administrative and security purposes. Anyone using this system consents to such monitoring and accepts responsibility to preserve the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in your Spinup space. Use of this system is subject to all policies and procedures set forth by the University located at https://your.yale.edu/policies-procedures/policies
The user questionnaire results have determined that this system is using high or moderate risk data, as defined in Yale's Data Classification Policy. This system is approved for the use of the data types explicitly identified in the user questionnaire results, provided that the user agrees and adheres to the following shared security responsibility model.
Spinup Shared Security Responsibility Model
The Cloud Host Providers are responsible for "Security OF the Cloud". Spinup Users are responsible for "Security IN the Cloud". Spinup reduces some of the responsibilities for "Security IN the Cloud". The diagram and matrix below is a summary of Yale's minimum security requirements, what Spinup provides and the Spinup User's responsibilities. As outlined in the matrix below, Spinup will continue to collaborate with the Information Security Office, as well as Spinup users to improve security and the ease of meeting the security requirements. This may result in different versions of the matrix provided below. Users will be notified of any changes made to this agreement. Spinup does not absolve the Spinup Users' responsibilities but helps assists in meeting information security standards by providing pre-defined setups, automation, sample scripts and best practices/how-to documents. The Spinup Users should carefully consider the services and applications they choose as their responsibilities vary depending on the services and applications used, the integration of those services and applications into their IT environment, and any applicable regulatory and contractual agreements.
The diagram below demonstrates who is responsible for what aspects of security within the Spinup environment:
Spinup User | Responsible for security IN the cloud |
|
Spinup Platform | Helps make the Spinup User responsibility and compliance IN the cloud easier |
|
Cloud hosting provider | Responsible for security OF the cloud |
|
Below is an outline of the security standards that Spinup assists with. As displayed by the diagram, all elements of application, Identity & Access management falls under the “Security In the Cloud” category, and is a responsibility of the Spinup User.
Yale Minimum Security Requirement | Spinup Provides | Spinup User Required Actions |
|---|---|---|
Harden OS image | Spinup offers CIS Linux and Windows images. CIS (Center for Internet Security) images are hardened to secure configuration standards that are collaboratively developed and used worldwide. | Spinup User no immediate action. Long term is to keep up with supported image. This means the Spinup User will be responsible for migrating to a supported offering when it is no longer supported. |
Harden OS image for containers | N/A | Spinup User must select known secure or official images. |
OS Patching | Spinup uses AWS SSM agent to automatically install system patches (a.k.a updates) for Linux and Windows systems. | Spinup User no further action. When the Operating System (OS) is no longer supported by the vendor, the Spinup User will be responsible to migrate to a supported offering as soon as possible. |
OS updates for containers | N/A | Spinup User must periodically update their container services to stay current with OS updates. When the Operating System (OS) is no longer supported by the vendor, the Spinup User will be responsible to update the OS as soon as possible. |
Application updates | N/A | Spinup User to follow Application documentation for applying updates |
Data encryption | Spinup has disk encryption turned on for data-at-rest. | Spinup User to use encryption for data-in-transit, i.e. use SFTP, HTTPS, SSL database connections. |
Restricted network | Spinup sets up the default restricted network. Spinup provides a UI for firewall management (AWS security group). | Spinup User can open or close firewall ports and specify source networks in the UI. Allowing unencrypted data requires a policy exception, please see Request an Exception
Spinup users shall not allow NFS File System ports through the firewall without volume authentication enabled. |
Restricted network for S3 | Unauthenticated access to S3 buckets with moderate or high-risk data is not allowed. | Spinup User can share an S3 bucket by providing the access key and are responsible for maintaining the security of that key. |
Account control for S3 | N/A | Spinup User to reset access key periodically. |
Multi Factor Authentication | DUO for SSH, RDP, and Spinup console access | Spinup User to enable application level MFA where applicable |
Centralized system logging | For servers CloudWatch agent copies system logs to an S3 bucket (365 days retention). | Spinup User no further action. |
Centralized application logging | N/A | Spinup User to follow application documentation to retain application logs for 30 days. |
Centralized access logging | Access logs for S3 and RDS are archived in a centrally managed S3 bucket | Spinup User no further action |
OS software inventory | AWS SSM agent pushes OS list and patch level to SSM system inventory. | Spinup User no further action |
Application software inventory | N/A | Spinup User will need to have an inventory of applications installed |
Tagging | Tagging for identification as defined by ISO; data type, owner, contact info, etc. | Spinup User no further action |
Attestation | Publish regular usage agreement and disclaimer | Spinup User sign off |
Backups/restores | 14 days of automatic daily AWS snapshots. | Spinup User can create snapshots and restore disks individually via the UI. |
Backups for NFS File Systems | Spinup provides the option to enable automatic daily backups with a 35 day retention period. | Spinup User to enable backups. |
Backups for S3 | N/A | Spinup User can turn on S3 bucket versioning. |
Backups for containers | N/A | Containers are ephemeral, Spinup User to backup/store data outside of the container service. |
Monitoring | API access for ITS/ISO to audit security compliance issues | For optional application level monitoring, ITS offers Dynatrace. This will require consultation for setup and pricing. Customer may request this by opening Service Now ticket to the ITS Enterprise Monitoring Team |
Continuous Improvement | Ongoing collaboration with customer/ISO/Spinup team to improve security and improve the ease of completing customer compliance tasks | Spinup User can provide feedback to the Spinup team |
Other | Spinup team is available for free customer consultation | Spinup User must not tamper with the prebuilt security controls, such as patching, system logging, SSH config. |