Security: Difference between revisions

From ADA Public Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
== Levels of Security for Different Data, Metadata & Environments ==   
== Security Levels ==   
The 4 primary Dataverse installations [49] are deployed on NCI VMWare servers and are secured and monitored by NCI [7], ANU ITS and CIO services [52]:
The four primary ADA Dataverse installations are deployed on NCI VMware servers and are secured and monitored by NCI [7], and ANU ITS and CIO services [52]. Access to the VMs is controlled by NCI – the ADA Technical Manager requests when specific users should be given SSH access, with what privileges, and when they should be removed.
* Access to the vm’s is controlled by NCI – the ADA Technical Manager requests when specific users should be given ssh access, and with what privileges, and when they should be removed.  
 
* Access to ADA’s NCI-hosted RDS is through an NCI-managed GlobalProtect VPN ADA-specific group. The ADA Technical Manager communicates with NCI to request ADA employees be added to and removed from that group as needed (onboarding new employee, offboarding departing employee).
Access to ADA’s NCI-hosted remote desktop service (RDS) is through an NCI-managed GlobalProtect VPN ADA-specific group. The ADA Technical Manager communicates with NCI to request ADA employees be added to and removed from that group as needed when onboarding and offboarding employees.  
* The Dataverse backend PostgreSQL database ports are locked down to restrict who can access them. NCI and the ADA DevOps manage access to these ports.  
 
The Dataverse backend PostgreSQL database ports are locked down to restrict access. NCI and the ADA DevOps manage access to these ports.
 
The ADA Dataverse installations are protected as much as possible by a conservative f5 WAF [55] that is tuned as needed.  Suspicious activity that the WAF catches is blocked, monitored and reported to the ADA technical team.  NCI implements an automated weekly scan of ADA services including Dataverse installations and sends a report to the ADA team highlighting potential and real security issues. The ADA DevOps is responsible for addressing those security issues and reporting any that remain unresolved.   
   
   
The four primary Dataverse installations are protected as much as possible by a conservative f5 WAF [55] that is tuned as needed.  Suspicious activity that the WAF can catch is blocked, monitored and reported to the ADA technical team.  NCI implements an automated weekly scan of ADA’s services including Dataverse installations and sends a report to the ADA team, plus others, highlighting potential, and real, security issues. The ADA DevOps is responsible for addressing those that are possible to address and reporting back on those that are not.  The SIP/AIP/DIP files reside on NCI storage (server). This is protected by NCI standard protocols.  
The four primary Dataverse installations are protected as much as possible by a conservative f5 WAF [55] that is tuned as needed.  Suspicious activity that the WAF can catch is blocked, monitored and reported to the ADA technical team.  NCI implements an automated weekly scan of ADA’s services including Dataverse installations and sends a report to the ADA team, plus others, highlighting potential, and real, security issues. The ADA DevOps is responsible for addressing those that are possible to address and reporting back on those that are not.  The SIP/AIP/DIP files reside on NCI storage (server). This is protected by NCI standard protocols.  


== IT Security System, Employees & Risk Analysis ==   
== Security Measures ==   
* IT security is implemented by NCI and ANU Information Technology Services (ITS) [52].  
* IT security is implemented by NCI and ANU Information Technology Services (ITS) [52].  
* Risk analysis lies with NCI and ITS.  
* Risk analysis lies with NCI and ITS.  
Line 15: Line 18:


== Security for the Facility & Digital Objects Premises ==   
== Security for the Facility & Digital Objects Premises ==   
The ADA office is secured and accessible by ANU staff card access for ADA staff only.  The access card is an ANU centrally controlled photo identity security system.  All secure physical data objects are stored in a locked safe in a locked storeroom, or locked cupboard in a second locked office within ADA.  Computer screens are locked while staff are absent from their desks,  
IT security and risk analysis is implemented by NCI and ANU Information Technology Services (ITS) [52]. 
 
Risk analysis relative to level of data sensitivity is undertaken by the ADA Archivist team. Any data that is deemed too high risk to be made available for download through Dataverse is requested through Dataverse, but the data transfer is completed through an external service – AARNET File Sender [57]. 
 
The ADA office is secured and accessible by ANU-issues staff card access for ADA staff only.  The access card is an ANU centrally controlled photo identity security system.  All secure physical data objects are stored in a locked safe in a locked storeroom, or locked cupboard in a second locked office within ADA.  Computer screens are locked while staff are absent from their desks.
 
NCI servers are protected according to NCI standards. NCI is based in a secure building on ANU campus accessible to authorised NCI staff only. Approved visitors must be signed in, wear visitor identification, and be accompanied by NCI staff. 
 
The ADA complies with ANU policy for Information technology security [58] and Code of Conduct [59].


NCI servers are protected according to NCI standards:
== Authentication & Authorisation==  
* NCI is based in a secure building on ANU campus. 
Dataverse maintains CoreTrustSeal appropriate application-level security and user authentication [60].  
* All NCI staff offices, including the computer centre are secure and accessible to NCI staff only.  
* Access is available only for approved visitors who must be signed in, wear visitor identification and be accompanied by NCI staff.  


== Security Specific Standards == 
Access to ANU infrastructure is restricted to students or staff members of the ANU. Roles and corresponding system privileges are managed by the ANU ITS team [58].
* ANU Policy: Information technology security [58]
 
* ANU Policy: Code of Conduct [59]
Access to the NCI infrastructure requires a NCI user account. Users who wish access to NCI infrastructure must apply for an NCI Project to be created. That request is approved or rejected by NCI administrators. The Project owner/manager must grant access to specific NCI user accounts to allow those user accounts access. NCI user accounts are forced to be reasserted and a new password created every 6 months.
 
== Authentication & Authorisation to Manage Access to Systems== 
Access to data for the ADA archiving team is through the secure NCI RDS set up specifically for ADA. The ADA RDS is behind the NCI f5 firewall where it has direct access to the ADA data storage also managed by NCI. The ADA RDS requires GlobalProtect [61] VPN to login, and to be a member of a specific GlobalProtect group. The ADA Technical Manager requests a new ADA archivist to be added to the group when they begin employment and requests removal when an employee leaves.  
* Dataverse security [60].
* Access to ANU infrastructure requires being a student or staff member of the ANU
** Roles and corresponding privileges to ANU/ITS systems is managed by the ANU ITS team.  
* Access to the NCI infrastructure requires obtaining an NCI user account that is separate to a user’s ANU account:
** Users who wish access to NCI infrastructure must apply for an NCI Project to be created. That request is approved or rejected by NCI administrators.  
** The Project owner/manager must grant access to specific NCI user accounts to allow those user accounts access.  
** NCI user accounts are forced to be reasserted, and a new password created every 6 months.  
* Access to data for the ADA archiving team is through the secure NCI RDS set up specifically for ADA.  
** The ADA RDS is behind the NCI f5 firewall, where it has direct access to the ADA data storage also managed by NCI.  
** Requires GlobalProtect [61] to login, and to be a member of a specific GlobalProtect group.  
*** The ADA Technical Manager requests a new ADA archivist to be added to the group when they begin employment and requests removal when an employee leaves.


== References ==
== References ==
[58] ANU Policy: Information technology security – (https://policies.anu.edu.au/ppl/document/ANUP_000421)
[59] ANU Policy: Code of Conduct – (https://policies.anu.edu.au/ppl/document/ANUP_000388)
[60] Dataverse Security – (https://dataverse.org/book/security)
[61] Global Protect – (https://www.paloaltonetworks.com.au/sase/globalprotect)[7] National Computational Infrastructure – (https://nci.org.au/)
[52] ANU ITS – (https://services.anu.edu.au/business-units/information-technology-services)
[55] F5 – (https://www.f5.com/)

Revision as of 01:18, 14 September 2024

Security Levels

The four primary ADA Dataverse installations are deployed on NCI VMware servers and are secured and monitored by NCI [7], and ANU ITS and CIO services [52]. Access to the VMs is controlled by NCI – the ADA Technical Manager requests when specific users should be given SSH access, with what privileges, and when they should be removed.

Access to ADA’s NCI-hosted remote desktop service (RDS) is through an NCI-managed GlobalProtect VPN ADA-specific group. The ADA Technical Manager communicates with NCI to request ADA employees be added to and removed from that group as needed when onboarding and offboarding employees.

The Dataverse backend PostgreSQL database ports are locked down to restrict access. NCI and the ADA DevOps manage access to these ports.

The ADA Dataverse installations are protected as much as possible by a conservative f5 WAF [55] that is tuned as needed. Suspicious activity that the WAF catches is blocked, monitored and reported to the ADA technical team. NCI implements an automated weekly scan of ADA services including Dataverse installations and sends a report to the ADA team highlighting potential and real security issues. The ADA DevOps is responsible for addressing those security issues and reporting any that remain unresolved.

The four primary Dataverse installations are protected as much as possible by a conservative f5 WAF [55] that is tuned as needed. Suspicious activity that the WAF can catch is blocked, monitored and reported to the ADA technical team. NCI implements an automated weekly scan of ADA’s services including Dataverse installations and sends a report to the ADA team, plus others, highlighting potential, and real, security issues. The ADA DevOps is responsible for addressing those that are possible to address and reporting back on those that are not. The SIP/AIP/DIP files reside on NCI storage (server). This is protected by NCI standard protocols.

Security Measures

  • IT security is implemented by NCI and ANU Information Technology Services (ITS) [52].
  • Risk analysis lies with NCI and ITS.
  • Risk analysis relative to level of data sensitivity is undertaken by the ADA Archivist team.

According to the Australian Government Security Classification System, data archived at ADA is deemed as UNCLASSIFIED - DLM (dissemination limiting marker). The DLM would be 'Sensitive' or Sensitive-Personal'. - Protective Security Policy Framework [56]. Any data that is deemed too high risk to be made available for download through Dataverse is requested through Dataverse, but the data transfer is completed through an external service AARNET File Sender [57].

Security for the Facility & Digital Objects Premises

IT security and risk analysis is implemented by NCI and ANU Information Technology Services (ITS) [52].

Risk analysis relative to level of data sensitivity is undertaken by the ADA Archivist team. Any data that is deemed too high risk to be made available for download through Dataverse is requested through Dataverse, but the data transfer is completed through an external service – AARNET File Sender [57].

The ADA office is secured and accessible by ANU-issues staff card access for ADA staff only. The access card is an ANU centrally controlled photo identity security system. All secure physical data objects are stored in a locked safe in a locked storeroom, or locked cupboard in a second locked office within ADA. Computer screens are locked while staff are absent from their desks.

NCI servers are protected according to NCI standards. NCI is based in a secure building on ANU campus accessible to authorised NCI staff only. Approved visitors must be signed in, wear visitor identification, and be accompanied by NCI staff.

The ADA complies with ANU policy for Information technology security [58] and Code of Conduct [59].

Authentication & Authorisation

Dataverse maintains CoreTrustSeal appropriate application-level security and user authentication [60].

Access to ANU infrastructure is restricted to students or staff members of the ANU. Roles and corresponding system privileges are managed by the ANU ITS team [58].

Access to the NCI infrastructure requires a NCI user account. Users who wish access to NCI infrastructure must apply for an NCI Project to be created. That request is approved or rejected by NCI administrators. The Project owner/manager must grant access to specific NCI user accounts to allow those user accounts access. NCI user accounts are forced to be reasserted and a new password created every 6 months.

Access to data for the ADA archiving team is through the secure NCI RDS set up specifically for ADA. The ADA RDS is behind the NCI f5 firewall where it has direct access to the ADA data storage also managed by NCI. The ADA RDS requires GlobalProtect [61] VPN to login, and to be a member of a specific GlobalProtect group. The ADA Technical Manager requests a new ADA archivist to be added to the group when they begin employment and requests removal when an employee leaves.

References

[58] ANU Policy: Information technology security – (https://policies.anu.edu.au/ppl/document/ANUP_000421)

[59] ANU Policy: Code of Conduct – (https://policies.anu.edu.au/ppl/document/ANUP_000388)

[60] Dataverse Security – (https://dataverse.org/book/security)

[61] Global Protect – (https://www.paloaltonetworks.com.au/sase/globalprotect)[7] National Computational Infrastructure – (https://nci.org.au/)

[52] ANU ITS – (https://services.anu.edu.au/business-units/information-technology-services)

[55] F5 – (https://www.f5.com/)