Terms and Conditions for Use
Yale's Azure environment is to be used only for Yale University purposes by authorized persons. Unauthorized use is prohibited and may result in administrative or legal action. System activities are monitored for administrative and security purposes. Anyone using the environment consents to such monitoring and accepts responsibility to preserve the confidentiality, integrity and availability of information accessed, created, stored, transmitted or received in your Azure space. Use is subject to all policies and procedures set forth by the University located at https://your.yale.edu/policies-procedures/policies.
You are responsible for making sure that Yale's Minimum Security Standards are met either by Microsoft, by Yale IT or by you.
All services and applications which handle moderate or high risk data must have a Security Design Review on record with Yale IT Information Security as required by the Minimum Security Standards.
For more information on Yale IT security, see https://cybersecurity.yale.edu/
About the Shared Security Responsibility Model
Cloud providers like Amazon AWS, Microsoft Azure and Google Cloud Platform are responsible for the security of the platform that they provide, while users of those platforms are responsible for configuring the solutions they build in a secure manner. This is known as the Shared Responsibility Model for cloud services.
If you have direct access to Azure either through an IT partner or via the Cloud Support service, you are responsible for security configurations beyond what Microsoft and Yale provide. If you are unable to implement your responsibilities, consider using the Spinup Self-Service portal or our Managed Servers - Linux or Managed Servers - Windows services.
When reading the table below, please keep in mind the following definitions:
- "Azure" or "Microsoft" refers to features of Azure services as Microsoft provides them to Yale and are generally not under the control of Yale.
- "Yale" or "IT" refers to work which has been done by Yale IT to configure the service to meet Yale requirements or to align with recommendations which are Yale-specific.
- "You" or "User" refers to things that you must do to protect the security and integrity of your work, either as a best practice or to comply with a Yale policy.
Yale Security Requirement | Microsoft Azure Provides | Yale IT Provides | Your Responsibility
---|---|---|---
General Requirements | | |
Data Identification | | | You are responsible for identifying your data and upholding the security requirements for it. Please refer to the following site for data classification information: https://cybersecurity.yale.edu/classifyingsystems If you have an additional data use agreement, you are responsible for adhering to the contractual agreement. Yale's BAA agreement with Microsoft covers all services in Azure which are listed as "Core Services" on the /wiki/spaces/YC/pages/521699391 page. The services which are excluded are primarily consumer-oriented services like Bing. Please refer to the most recent Online Services Terms document to ensure that you have the latest information. You are responsible for notifying cloud.support@yale.edu and information.security@yale.edu if the data classification of your data changes.
Maintain Contact Information | | Access control to Azure is managed using AD or Azure AD groups. | You are responsible for managing the membership of the AD group that controls access to your Azure resources. If you are the owner or administrator of a subscription, you are also responsible for keeping contact information up to date and notifying cloud.support@yale.edu of any changes to these items: Azure sends notices relevant to your account to the email address associated with your account. This is typically an Office 365 Distribution List of the form azure-partner-partnername@yale.edu. If you are the owner or administrator of a subscription, you are responsible for keeping this list up to date with your team's email addresses by notifying cloud.support@yale.edu of any changes or making the changes yourself to a constituent group in that Distribution List.
Application Software Inventory | | | You are responsible for tracking and monitoring the software you install in your Azure environment in order to detect unauthorized activity and for diagnostic purposes.
Enterprise Authentication and Multi Factor Authentication (MFA) | Authentication to Azure is through Azure AD. Microsoft has multiple options to enforce MFA on access to Azure. | Yale IT has configured Azure AD such that all users with access to the Azure console have DUO MFA enabled for console login. | If you are the owner or administrator of a subscription, you are responsible for adding/removing Azure console access either by updating AD groups you own or by contacting cloud.support@yale.edu to update AD group or Azure AD group membership. You are required to implement enterprise authentication and enforce MFA on any/all resources that contain moderate or high risk data, such as logins to the servers and applications that you are using.
Data Encryption | Encryption at rest: All data in Azure for resources created after August 2017 is encrypted at rest. If you have Azure resources that were created before this time, contact IT for assistance. Encryption in transit: All Azure services have the capability to use encrypted transport such as TLS or SSL, though some require it to be turned on first. Microsoft PaaS and SaaS services, such as Azure SQL, require the use of encrypted connections for all activity. Check the specifics of the service for details. | | You are responsible for encrypting moderate and high risk data at rest. You are responsible for ensuring that all high risk data transfers in or out are encrypted using secure protocols and/or for turning on and configuring the encryption option for the Azure services/resources that you manage if it is not enabled by default. This applies to communication by the application(s) as well as management/maintenance connections. SSL encryption is highly recommended even for moderate or low risk data.
Centralized System Logging | Microsoft provides extensive logging and auditing of interactions with Azure services, including authentication and configuration changes such as creating a new resource. For details on the types of logs which are available, see Microsoft's Azure Logging and Auditing page. Note that some of these logs are only available to IT staff and not accessible by users. | Yale IT has configured Azure Security Center to alert on suspicious activity. Email alerts are sent to anyone with the owner role in the subscription. | You are responsible for responding to alerts from Azure Security Center and for capturing data on user logins for all your services/resources/applications to a centralized location, such as a storage account which is external to the application itself.
Backups/Restores | Azure has considerable redundancy and HA capabilities but does not automatically back up data on virtual servers (VMs). Some services, such as Azure SQL databases, are automatically backed up using a basic snapshot mechanism. | ITS provides backups for servers and databases deployed in ITS managed Azure subscriptions. ITS does not provide backups for resources in Partner (self-managed) subscriptions. | You are responsible for backups of your data in Azure. This includes setting up backups for resources that are not backed up automatically and verifying that the backups that are made are valid and able to be restored. Please check the documentation for the Azure service(s) that you are using to determine if they perform data backups automatically and whether those backups meet your requirements. Backup is mandatory for all resources/services/applications and disks with moderate or high risk data and strongly recommended for all services that support it. Yale IT suggests using the Azure Backup service for virtual machines because it is easy to set up and relatively inexpensive.
High Availability and Disaster Recovery | Azure has a number of internal protections against failures in Microsoft's infrastructure. PaaS and SaaS services are typically highly resilient, but IaaS-based services need to be architected with high availability and resilience in mind. | Yale maintains redundant private connections to the Azure cloud network. | It is your responsibility to understand whether the Azure services you are using are sufficiently resilient. If you are using IaaS services, then your implementation must be designed to meet your requirements for resiliency. Microsoft has good documentation on how to build solutions in Azure with HA/DR considerations in mind. If your application requires high availability and/or special disaster recovery considerations, contact cloud.support@yale.edu for assistance.
Service and Application Monitoring | Microsoft posts status information for Azure on the Azure Service Status Page. Subscription owners will also receive email notifications of posted incidents directly from Microsoft. | Yale IT monitors the status of the Azure environment as a whole. Any service status issues that are or may be impacting Yale services will be posted (1) to the Office365 Team named "Yale Azure Community" in the "General" channel, (2) to the #azure channel at https://yale.slack.com, and (3) to the ITS Service Status page. Notifications of Azure service health alerts are posted as they are received to the "Yale Azure Community" Office365 Team in the "Microsoft Alerts and Announcements" channel. | If you would like your application to be monitored by ITS staff or to receive notifications if a service issue may impact your work, submit a ticket using ServiceNow or contact helpdesk@yale.edu (203-432-9000) for assistance.
Alerts and Notices | Azure sends email notices relevant to your account to your account owner. This is typically an O365 Distribution List of the form azure-partner-YourLabName@yale.edu. | Yale IT configures guardrails to help you meet your security responsibilities. These guardrails send alerts to your account owner email list. | If you are the account owner or administrator, it is your responsibility to address notices and alerts sent to your account owner email list.
Attestation | The Azure Security Center provides an overview of best-practices compliance for Azure resources and makes useful suggestions for how to increase the security of your environment. Not all of its recommendations are practical or usable in Yale's environment, however. | | You must periodically attest to and acknowledge that you are handling data in a manner which is in compliance with the appropriate Yale policies. You are required to accept this document as Terms of Use upon your first login to the AWS console and again annually or when there are changes to the document. Yale IT reserves the right to disable your access to Azure for failure to abide by the guidelines set by this Shared Responsibility document.
Virtual machines (VMs) | | |
Harden OS Image | Hardened OS images from the Center for Internet Security (CIS) are available within Azure. CIS images are modified versions of the base operating system that align with secure configuration standards which are collaboratively developed and used by thousands worldwide. These hardened images help mitigate many common threats of denial of service, insufficient authorization, and overlapping trust boundaries. To see the complete list of CIS hardened OS images available in Azure, see this link. | | Servers are required to be configured using CIS security standards. Use of CIS hardened images is recommended for all uses and required for systems working with high risk data. Note that CIS images in the Azure Marketplace carry an additional cost. If you do not use one of the CIS images, be sure to review the security guidelines for the operating system you are using and implement as many of them as are feasible. The CIS web site is a very good place to start.
Use a Supported Operating System | Microsoft provides images of all supported operating systems in the Azure Marketplace. | | If you deploy a virtual machine, you must use a supported version of the operating system as described on the ITS Operating System Recommendations page and maintain the operating system at a supported version.
OS Patching | Operating system images in Azure which are provided by vendors typically do not have automatic updating enabled. | | If you have a virtual machine, you are responsible for making sure that the operating system is kept up to date by verifying that updates are installed at least monthly.
Application Patching | | | If you are running a virtual machine, you are responsible for keeping the application(s) installed on it up to date with security-related patches/updates. This includes all libraries and non-OS components that the application depends on as well. You should work with your application vendor(s) to be aware of the update procedure for your application and stay informed with respect to security updates/new releases for those applications. The Security Design Review (SDR) process must be completed for all applications which handle moderate or high risk data.
Network Protection | Microsoft continuously monitors the Azure environment for some network-based risks and threats, including DDoS attacks. | Yale IT manages firewalls within the Azure network which monitor traffic both within Azure and traffic entering/exiting the Azure space. Beginning in FY21, Yale IT is configuring new virtual networks with a Network Security Group to allow only HTTPS, SSH and RDP traffic to your Azure subnets. | You are responsible for protecting your network from malicious external access using Azure Network Security Groups. You may modify the Yale IT provided Network Security Group to meet your requirements. Host-based firewalls or Network Security Groups are required for moderate and high risk data and recommended for all systems. Firewall options include Windows Firewall, iptables or ufw/firewalld. If you need a resource to be accessible from outside of Yale, you must do the following. For moderate and high risk data: (1) Complete a Security Design Review (SDR) and receive approval for external access to the application from the ITS Information Security Office. (2) Request the Yale IT load balancing team to open the application to the Internet through a Yale-managed F5 endpoint. This will include a routable IP, DNS entry and SSL certificate for secure communications. (3) Work with Yale ITS to define Web Application Firewall (WAF) requirements/solutions if needed. For low risk data: An Azure Web Application Firewall must be used for public access: https://azure.microsoft.com/en-us/services/web-application-firewall/. Logging for the WAF must be configured with the data stored in your subscription. For additional questions or assistance configuring load balancers, please contact cloud.support@yale.edu
Hosting websites | | |
Web Sites | Microsoft Azure provides a variety of different resources/services for web hosting/management. | | Websites are governed by the following university policies, as well as any additional school- or department-specific policies, regulations and guidelines that apply to your use: You must agree to follow these guidelines and all other applicable policies, regulations and guidelines before creating a website. School of Medicine departments and units (with the exception of MB&B), including faculty lab websites, are not eligible and must contact the YSM Web Group at ysm.editor@yale.edu for more information about the School of Medicine's web services offerings. The university expects all Yale community members to comply with applicable privacy and intellectual property laws. Websites are only authorized for the handling of low-risk data and must not be used in connection with medium- or high-risk data. For more information on data classification, visit the Protect Your Data page on the IT at Yale Cybersecurity website. Site owners are expected to respect copyright and are responsible for evaluating whether the use of any information or content made available on their website requires copyright permission. Please review the Office of the General Counsel's Copyright Resources and Rights Clearance Guide for Digital Projects for information regarding copyright issues that may arise in digital contexts. "Yale" and "Yale University" are trademarks of the university; its logos and colors may only be used for official functions of the university and must adhere to the guidelines of the Office of the University Printer to ensure appropriate alignment with Yale's visual identity standards. Please review the Yale Identity Web Guidelines. University trademarks may not be used to state or suggest institutional endorsement or sponsorship of non-official functions. Websites are required to include a link to the Accessibility Statement Page, and websites used in connection with personal information must include a link to the Yale Privacy Policy or, if applicable, a site-specific privacy statement. Content published without password protection or other access restrictions is publicly available. You may choose to restrict public site access. If a yale.edu domain or subdomain is being requested, open a ServiceNow ticket assigned to YaleSites. med.yale.edu domain names require special attention as noted above.
Other services | | |
| The Azure Security Center provides security best practice checks and recommendations both for your Azure environment in general and for specific Azure services. Microsoft provides a whitepaper (PDF) with recommendations for architecting HIPAA compliant solutions on Azure. To store secrets used by your Azure services, such as passwords or certificates, use of the Azure Key Vault service is recommended. | | You are responsible for securing all of your Azure services in order to meet Yale's Minimum Security Standards. A good place to start is to review recommendations from the Azure Security Center for your Azure resources and address any security recommendations necessary to meet Yale's standards. If your Azure environment contains HIPAA-protected data, you are responsible for reviewing the Microsoft whitepaper on building secure solutions in Azure. You are responsible for protecting secrets needed to access your applications, services or resources by storing them in a private location such as Azure Key Vault, and for making sure they are encrypted at rest and in transit if you use another method.
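The Network Protection row above states that Yale IT configures new virtual networks with a Network Security Group that admits only HTTPS, SSH and RDP, and that subscription owners may modify that group. The following Python script is an added example, not Yale IT's tooling or anything from this page: it audits a list of NSG rules against that baseline and reports inbound Allow rules that open other ports (or every port) to external sources, which is the kind of drift an owner should check for after editing the group. The rule dictionaries use the field names that `az network nsg rule list` returns (sourceAddressPrefix, destinationPortRange, destinationPortRanges, and so on), but the sample rules themselves are constructed for this example; in practice you would load that command's JSON output instead.

```python
"""Audit Azure NSG rules against a baseline of HTTPS (443), SSH (22) and RDP (3389).

Added example, not Yale IT's code. The dictionaries below imitate the fields
of `az network nsg rule list -o json`; the sample rule set is constructed.
"""
from __future__ import annotations

ALLOWED_PORTS = {443, 22, 3389}                 # baseline named on the page
EXTERNAL_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # prefixes that mean "anyone"

# Constructed sample: three baseline rules, three owner-added rules, final deny.
SAMPLE_RULES = [
    {"name": "AllowHTTPS", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "AllowSSH", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "AllowRDP", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    # An "open everything" rule: the most common way the baseline gets broken.
    {"name": "AllowAnyInbound", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    # A database and a dev port range exposed to the Internet.
    {"name": "AllowMySQL", "priority": 210, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["3306", "8000-8100"]},
    # Scoped to the virtual network only, so it is outside this external-access check.
    {"name": "AllowMgmtFromVNet", "priority": 220, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "5985"},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def expand_ports(rule: dict) -> set[int] | None:
    """Return every destination port a rule covers, or None if it covers all ports."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports: set[int] = set()
    for item in ranges:
        if item == "*":
            return None
        low, _, high = item.partition("-")          # "8000-8100" or a single "443"
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def audit_nsg(rules: list[dict]) -> list[tuple[str, str]]:
    """Return (rule name, reason) for inbound Allow rules that exceed the baseline
    when their source is an external prefix. Rules are checked in priority order."""
    findings: list[tuple[str, str]] = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["sourceAddressPrefix"] not in EXTERNAL_SOURCES:
            continue                                 # scoped to a VNet, subnet or host
        ports = expand_ports(rule)
        if ports is None:
            findings.append((rule["name"], "allows every port from an external source"))
            continue
        extra = sorted(ports - ALLOWED_PORTS)
        if extra:
            shown = ", ".join(str(p) for p in extra[:5]) + (" ..." if len(extra) > 5 else "")
            findings.append((rule["name"], f"opens non-baseline port(s) {shown} to external sources"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_nsg(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

The check deliberately ignores rules whose source is a VirtualNetwork, subnet or specific address, since the page's baseline is about what is reachable from outside; a host-based firewall on the VM, which the same row also requires for moderate and high risk data, is the layer that should constrain those internal rules.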