What chaos! A cacophony of data everywhere you look! Today, if asked where you store your professional documents and data at CERN, you might give any number of answers: AFS, CDS, Ceph, CERNBox, DFS, EDMS, eFiles (“Alfresco”), EOS, GitLab, Indico, your personal computer, a dedicated webpage, an external hard disk, somewhere else… You can imagine how hard it is to control all this data and to properly secure and protect it against unauthorised access, abuse or theft. Particularly if you are dealing with confidential data that must not be disclosed to any third party.
So, let us help you. Based on the Data Classification Policy, the Legal Service, the Computer Security team and stakeholders from the FAP and IT departments have produced a Data Handling Policy (DHP) setting out how all CERN professional data must be handled. The ultimate responsibility for handling any kind of (digital) institutional data is shared: CERN IT services (the “data processors”) will explicitly declare which type of data they can process, handle and store. You – as the “data controller” introducing data to CERN – can consult their declaration, tag your data according to the classification policy, and enter your data only into IT services that are aligned with that particular level of classification.
How does this work in detail? All CERN IT services have been asked to assess their compatibility with this new Data Handling Policy. Are they physically protecting data? Do they have access-control measures in place in order to guarantee the principle of least privilege? Is data encrypted at rest and in transit? Do they have procedures for properly destroying any media that have held data (in line with CERN’s Data Destruction Rules)? What about other services they rely on? Based on their assessment, and as per the minimum requirements set for each classification level, they must declare that classification level. In addition, AFS, CDS, Ceph, CERNBox, DFS, EDMS, eFiles (“Alfresco”), EOS, GitLab, Indico and all the others must clearly inform you what kind of data they can handle for you, i.e. which is the most restrictive classification level they support: “classified data” (including personal sensitive data, financial data, etc.), “restricted data” (visible only on a need-to-know basis), data which is internal to CERN, or just public data. You need to be sure that their declaration matches your expectations before you introduce data into their service*. Just check the corresponding service description in the CERN Service Catalogue (to come).
The IT storage group and the Computer Security team have already performed a very first assessment of CERNBox and its underlying storage system based on EOS. Data stored on CERNBox/EOS, like any other data handled by the central IT services, is physically protected by the premises of the CERN Data Centre and subject to tight access controls. Individual data stored on CERNBox/EOS is access-protected using e-groups and individual CERN computing accounts, meaning that access is granted (or denied) only after authentication with your CERN password. Any transfer between CERNBox and a remote client is encrypted using the most recent, up-to-date encryption standard, i.e. HTTPS (HTTP over TLS). And, finally, the physical media storing CERNBox/EOS data, i.e. the SSDs and hard disks, have for years been subject to CERN’s Data Destruction Policy, and all such media are properly wiped before leaving the CERN Data Centre for donation, sale or destruction. Hence, following this assessment and in line with the rules set out by the Data Handling Policy, CERNBox has been declared to be capable of storing any type of data, including that labelled as “classified”. In addition, CERNBox provides all necessary means to receive sensitive data from external third parties in a secure, protected and confidential manner (see our dedicated Bulletin article “A “file drop” for confidential data”).
While further assessments of the IT services are under way, and while more and more declarations will appear in the Service Catalogue during the year, you can already make a start. Think about where you store all your data. Consolidate your data if possible. And remember that you are a “data processor”, too: your PC and laptop also store data. If they happen to store data labelled as “classified” – which they usually do (think of your passwords or mailbox!) – then make sure that you are compliant with the Data Handling Policy:
- Don’t leave your computer unattended unless it is located in a trusted environment (your office, at home) or properly locked away;
- Encrypt your local hard disk (see here for instructions for Windows, MacOS, Linux and, e.g., Ubuntu or call the ServiceDesk for assistance);
- Protect access to your computer using a good password (some recommendations can be found here);
- Protection should also include locking your screen when you leave your computer unattended; and
- Once you need to get rid of your computer, ensure that your local data is destroyed. Instructions are given in CERN’s Data Destruction Policy.
While we will try to help you, we also appreciate your help to properly protect CERN’s professional data!
* In fact, given the cacophony mentioned earlier, quite some work will be needed to relocate all the data that has in the past been put into the “wrong” service. We are counting on you to help clean up that mess!
_________
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.
Byline: Computer Security Office. Publication date: Mon, 03/10/2025 - 14:20