IMPACT-MH

Menu

Data Portal Security

Portal Infrastructure

The Data Coordinating Center at Yale will be hosting a submission platform for all IMPACT-MH U01s to easily and securely submit data. The portal will be restricted to Yale’s servers and will require a Yale account for access.

This web portal based submission platform is structured to have multiple layers of access and security restrictions:

  • Platform is hosted on Yale’s private network, meaning the site can only be reached while connected directly to the network or via VPN.
  • Yale uses Cisco Anyconnect Secure Mobility Client for VPN connections to Yale’s network.
  • Login for the data portal is performed via Yale’s Central Authentication Service (Yale CAS), meaning all users must have a Yale account setup for access.
  • Yale’s single sign-on also requires multi-factor authentication via DUO.
  • The site also uses HTTPS to securely encrypt network traffic.
  • Within Yale’s network, the portal is hosted on a secure server within Yale’s cloud resources service called Spinup.
  • The server within Spinup is created within a “High Risk Space”, meaning the configuration within the space follow strict firewall and monitoring rules, making it equipped for data collection and storage.
  • All data submitted to the platform is stored on a database within the server. Only admin users with SSH access to the server can directly interact with the database.

Yale Spinup

Yale offers a self-service cloud resources platform for all Yale users called Spinup. Similar to AWS, this platform allows Yale users to create applications using a variety of internal resources such as virtual machines, containers, storages and databases. All resources are consistently monitored by Yale’s Spinup team to ensure proper security and compliance.

Spinup Data Portal Configuration

As shown in the figure above, the data portal for submission includes a specific configuration based in Spinup.

  1. All applications built in Spinup are confined to Yale’s network, meaning you must be connected Yale wifi either directly or using a VPN to access them.
  2. Within Yale’s network is the Spinup “Space”. The IMPACT-MH uses a high-risk space meaning all servers and applications built within them follow stricter firewall rules, heavier user access restrictions, and heavy monitoring for security compliance and updates.
  3. The server hosting the data portal and database use Spinup’s pre-hardened Linux machine image which is automatically updated to secure standards by Yale’s Spinup Infrastructure team.
  4. Once users are connected to Yale’s network, Yale CAS is used to login. This is a SSO service for Yale users only, and includes multi-factor authentication.
More information related to Spinup can be found on the Spinup Website

Security Planning Assessment (SPA)

All applications developed in Spinup must undergo a Security Planning Assessment.

During the security planning assessment, the cybersecurity team at Yale will run through a comprehensive checklist to make sure the application fulfills the designated security standards. Within the process of these checks, the developers work together with Yale’s cybersecurity team to establish which minimum security standards the application must abide by. The minimum security standards include categories like proper activity logging, clear firewall and access configurations, authentication implementation, encryption checks for data and storage, and proper security updates. 

After the minimum security standards are verified, the cybersecurity team will run scans on both the server and website to ensure it meets the security requirements. These scans will ensure that the system is not vulnerable to security breaches or other malicious threats.

Confirmation of this assessment’s completion will be available to anyone interested. If you would like to learn more about Yale’s security planning assessments, please visit cybersecurity.yale.edu/spa.