From 3a77ed498b915b1e93fbace86bed904775e08aad Mon Sep 17 00:00:00 2001 From: Brus Date: Mon, 17 Jul 2023 08:23:18 +0000 Subject: [PATCH] Delete page 'C16 Security' --- C16-Security.md | 59 ------------------------------------------------- 1 file changed, 59 deletions(-) delete mode 100644 C16-Security.md diff --git a/C16-Security.md b/C16-Security.md deleted file mode 100644 index 74bf713..0000000 --- a/C16-Security.md +++ /dev/null 
@@ -1,59 +0,0 @@ -# C16.1. The levels of security required for different data and metadata and environments, and how these are supported - -For supporting the levels of the required security for data, metadata and environments, we have implemented a multi-layered approach to security, which includes physical, technical and administrative controls. - -**Physical controls** involve securing access points, restricting visitor access, and monitoring who enters the premises. - -By implementing the following **technical controls**, the Tethys system ensures the security and protection of data, metadata, and the overall environment: -- **Network Firewall**: The Tethys backend system is protected by a network firewall that effectively manages the VLAN segmented network, adding an additional layer of defense. -- **Local Firewalls**: Each Tethys backend server is equipped with its own local firewall, which provides individual protection and enhances the security of the system. -- **Malware Scanning**: All file uploads to the Tethys backend system undergo scanning by a malware scanner. This scanning process helps identify and mitigate any potential security threats posed by uploaded files. -- **DMZ**: The Tethys frontend systems, which include the website and REST services, have relatively more permissive access from external sources. However, they are still shielded by the network firewall situated in the DMZ. This firewall acts as a barrier, protecting the frontend systems from unauthorized access and potential security breaches. -- **Data Replicas (SOLR)**: Access to the Tethys frontend systems from public frontend sources, such as the website and REST API, is facilitated through data replicas hosted with SOLR. This approach ensures efficient access to data while maintaining security measures. -- **Read-Only Remote File System Access**: In addition to data replicas hosted with SOLR, public frontend sources can download files through read-only remote file system access. 
This method allows for secure file downloads while preventing unauthorized modifications or access to sensitive information. - - -**Administrative controls** involve developing security policies and procedures, training employees, and conducting regular security audits. - - -# C16.2. The IT security system, employees with roles related to security and any risk analysis approach in use. - -In order to ensure prompt restoration of the research data repository in case of errors, designated roles are defined. This notification is crucial for all systems involved. The process entails following specific instructions outlined in our [Disaster Management guidelines](https://gitea.geologie.ac.at/geolba/tethys.backend/wiki/DisasterManagement). These instructions encompass steps to recover from database failures, and from data file backups via "IBM Spectrum Protect". The workflow for restarting frontend services, including the website and the REST API, is prioritized and executed using Docker. This prioritization ensures the provision of basic services after incidents. - - -The Tethys Repository's technical infrastructure is equipped with robust security measures to safeguard its integrity. These measures include: - -- The professional **architecture and design of software, virtualized hardware and network systems** contribute to ensuring overall security. -- **Short-term security patches** are regularly applied on both Tethys software and hardware components. This includes keeping the operating systems up to date with the latest releases and patches. By promptly addressing known vulnerabilities, the repository remains resilient against potential security threats. -- **Monitoring tools** are employed to oversee various aspects of the infrastructure, including hardware, firewall, software, services, performance and potential attacks. This proactive approach allows for the timely detection and mitigation of security issues, ensuring prompt response to potential threats. 
-- **Continuous training programs** are conducted for the technical staff to stay updated on the latest security practices and protocols. This ensures that the team remains well-informed and equipped to handle emerging security challenges effectively. -- Additionally, **security programs** such as virus scanners, local and network firewalls, encryption programs, spam filters and network segmentation are professionally utilized to enhance the overall security of the system. - - -# C16.3 Measures in place to protect the facility. How the premises where digital objects are held area secured. - -To protect the facility where digital objects are held, GeoSphere Austria has implemented various security measures: - -1. **Entrance Control**: The server rooms at GeoSphere Austria are secured with an electronic physical access control system for the relevant entrances. This system ensures that only authorized personnel can access the server rooms, adding an extra layer of protection. -2. **Key Distribution**: Key distribution to employees is meticulously documented, enabling effective control and accountability over access to the premises. This documentation ensures that access to sensitive areas like the server room is only granted to authorize individuals. -3. **Guest Policies**: Policies have been established to govern the presence of guests within the building. These policies outline guidelines for accompanying and designating guests, ensuring that their activities are appropriately supervised and monitored. By implementing these policies, GeoSphere Austria ensures that guests do not compromise the security of the facility. -4. **Backup Power Supply**: The computer center at GeoSphere Austria is equipped with several Uninterruptible Power Supply (UPS) units. These backup power sources allow the TETHYS-relevant hardware to continue operating for extended periods, even in the event of a power outage. 
This ensures the availability and integrity of digital objects even during unforeseen power disruptions. -5. **Surveillance Cameras**: The facility utilizes surveillance cameras strategically placed throughout the premises. -6. **Fire**: Fire suppression systems are installed, there are fire and smoke detectors on all floors -7. **Flood**: All critical equipment is located on 2nd floor. - - -# C16.4 any security-specific standards the repository references or compiles with. - -Our supervisory organization follows the ISO/IEC 27001 standard, showing our dedication to strong information security practices. Also for Tethys, we have implemented a comprehensive strategy to protect the privacy, accuracy, and accessibility of our research data, user data, and other information resources. This structured approach ensures that sensitive data is kept confidential, information remains reliable and precise, and authorized users can conveniently access the resources they need. - -# C16.5 Any authentication and authorization protectures employed to securely manage access to system use. - -**User Authentication**: Tethys typically supports multiple authentication methods, such as DB authentication with email/password and LDAP (Lightweight Directory Access Protocol). In the future, there are plans to integrate Single Sign-On (SSO) solutions into the Tethys repository. All of these methods verify the identity of users before granting access to the repository system. - -**Role-based Access Control (RBAC)**: The Tethys Repository utilizes roles (stored in the database) to manage authorization. RBAC assigns specific roles to users based on their responsibilities and grants corresponding permissions accordingly. This ensures that users have appropriate access rights based on their roles within the Tethys research repository system. - -**Access Control Lists (ACLs)**: ACLs are employed in Tethys to provide fine-grained access control at the dataset or collection level. 
They allow administrators to define specific permissions for individual users or groups, granting or restricting access to certain resources within the repository system. - -**Audit Logs and Monitoring**: Tethys repository has audit logging and monitoring capabilities to track user activities, access attempts, and changes made to the repository system. This helps in identifying and investigating any suspicious or unauthorized actions and provides a means for maintaining accountability and detecting potential security breaches. -
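Review bot: The whole-file deletion at `@@ -1,59 +0,0 @@` has no stated reason or destination. The subject "Delete page 'C16 Security'" is the entire commit message, and the patch adds nothing in place of sections C16.1 through C16.5. Please add a commit body saying whether the content was moved (and to which page) or retired, so that the descriptions of the firewall and DMZ layout, the RBAC and ACL model, the audit logging and the link to the Disaster Management guidelines can still be traced. If the text is being carried over elsewhere, fix it on the way: the headings read "area secured" (C16.3), "compiles with" (C16.4) and "protectures" (C16.5), item 2 of C16.3 says "authorize individuals", and C16.2 refers to "This notification" without any notification having been introduced.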