User Tools
sensitive_data
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
sensitive_data [2020/12/02 18:34] root |
sensitive_data [2022/01/26 09:40] (current) root [Encrypted Disk Volumes] |
||
|---|---|---|---|
| Line 7: | Line 7: | ||
| * The cluster is housed in a server room with card-controlled access. Accesses to the room are logged. | * The cluster is housed in a server room with card-controlled access. Accesses to the room are logged. | ||
| * The cluster backup machines are housed in server rooms with card-controlled, | * The cluster backup machines are housed in server rooms with card-controlled, | ||
| - | * The cluster can be accessed only over SSH. No other services are active on the cluster, and no other ports are open to the world. | + | * The cluster can be accessed only over SSH. No other services are active on the cluster, and no other ports are open to the internet. |
| * The cluster is kept up to date with operating system security patches. | * The cluster is kept up to date with operating system security patches. | ||
| - | * The cluster provides | + | * The cluster provides encrypted disk volumes |
| The cluster may not conform to some best practices... | The cluster may not conform to some best practices... | ||
| * The cluster generally uses Unity Ids and passwords for user accounts. Unity passwords do not have very strong security requirements (e.g. they do not have to be very long). | * The cluster generally uses Unity Ids and passwords for user accounts. Unity passwords do not have very strong security requirements (e.g. they do not have to be very long). | ||
| - | * The cluster does not expire passwords (although unused accounts are locked after 6 months). Newer best practices do not consider complexity requirements and expiration of passwords to be worthwhile. | + | * The cluster does not expire passwords (although unused accounts are locked after 6 months). Newer best practices do not consider complexity requirements and expiration of passwords to be worthwhile |
| - | * The cluster does not yet have 2-factor authentication | + | * The cluster does not limit copying of data which you have permission to read. |
| + | * The cluster does not yet have 2-factor authentication. | ||
| - | One way in which this type of data can be protected | + | **It is your responsibility to ensure that your sensitive |
| - | If you have a project that includes the use of sensitive data please talk to the system administrators to see whether you should store that data on /home6, or have your entire home directory moved to /home6. | + | ==== Encrypted Disk Volumes ==== |
| + | |||
| + | One way in which sensitive data can be protected is by only storing it on encrypted disk volumes. Currently, of the cluster disk volumes, only /home1, /home6, and /scratch are encrypted (i.e. all the data is encrypted before being written to disk and decrypted when read). (This is also known as encryption "at rest" | ||
| + | |||
| + | If you have a project that includes the use of sensitive data please talk to the system administrators to see whether you should store that data on / | ||
| + | |||
| + | The /scratch volume is not backed up, but is encrypted. | ||
| + | |||
| + | If you have sensitive data you should ensure that your home directory, or the directories containing the sensitive data, or the data files themselves are not world readable. | ||
| + | |||
| + | For example: | ||
| + | |||
| + | < | ||
| + | chmod o-rwx sensitive_directory | ||
| + | </ | ||
| + | |||
| + | will stop general users of the cluster accessing files in " | ||
| - | If you have sensitive data you should ensure that your home directory, or the directories containing the sensitive data are not world readable. | ||
sensitive_data.1606952050.txt.gz · Last modified: 2020/12/02 18:34 by root
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
