CIP Portals Policy
DRAFT DRAFT DRAFT DRAFT DRAFT

Science Gateways, or Portals, provide access to HPC resources for a particular community of users. The purpose of this policy is for Portals to provide assurance to Resource Providers and users that the portals will provide appropriate access to, and use of, the resources provided, and maintain accountability for that access and use. Since these portals will manage credentials used to access resources on behalf of the portal users, it is critical that portals be able to securely manage credentials and access to resources.

Portals must be designed, implemented, and managed according to minimum security standards which address requirements for authentication, authorization, accounting, and auditing. In addition to the minimum requirements, individual sites may have their own additional requirements which exceed those of the minimum standards. Portals must be able to meet those higher requirements in addition to the minimum standards.

The CIP security officers will document the minimum standards for portals. Each site's security officer will document any site-specific standards not addressed in the minimum standards. Portal developers will be responsible for design and implementation according to the provided standards, and will document the design and implementation, plus document how the design and implementation meet the security requirements cited above, and make those documents available for review to the Resource Providers and users.

Site security officers where portals are hosted will be responsible for verifying that the deployment and management of the portals meet security standards, and for taking appropriate measures in response to problems detected or complaints from Resource Providers or end users. If portals do not meet the minimum security requirements for a particular site, Resource Providers will reserve the right to refuse or discontinue access to their resources for a particular portal.

CIP Portal Minimum Security Standards
DRAFT DRAFT DRAFT DRAFT DRAFT
1. The portal project must provide contact information of the
individual or group who is responsible for the security aspects
of the portal. The contact information must include
- a name, title or group
- telephone number
- email address
This contact must be prominently displayed on the portal site
under "Security Issues Contact" either on the top level or
under a "Contacts" link.
2. If the portal supports its own DNS namespace then the portal
service providers are to adhere to RFC2142 which specifies
the mailboxes that should exist for a service. See
http://www.ietf.org/
-> RFC Pages
-> Enter 2142 in the provided form to view the RFC
3. The system on which the portal resides will be required to
have a risk and vulnerability assessment (RVA) performed by the
appropriate security staff as assigned by the information security
officer (ISO) of the Portal site. Upon completion of the RVA a
written RVA document will be provided to the site ISO and either the
security officer or project manager of the portal project. The RVA
will document the facts found and recommendations related to security
of the portal. An RVA is to be performed a minimum of every two years.
4. System logging (syslog) will be enabled on the host on which the
portal project resides. All syslog data will be sent (duplicated)
to the site centralized log server. All authentication successes
and failures to the host and to the web portal application(s) will
be recorded by syslog.
5. The audit trail information to be recorded by all of the portal
applications and sent to syslog will be the following:
   a. the application name (generally already provided by syslog)
   b. success or failure of the authentication
   c. remote host making the connection
   d. remote user, if possible, by way of RFC931
   e. the user being authenticated to
   f. the type of credential being authenticated
      1. password
      2. PKI user certificate
      3. Kerberos
      4. any other type of credential
The ISOs will provide guidelines for the implementation of this
important logging capability.
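One way a portal application could build the audit record listed in item 5, as an added example that is not part of the policy or of any ISO guideline. The key=value layout, the field names, the credential labels, the LOG_AUTHPRIV facility and the /dev/log socket are assumptions. Every field is escaped because the remote host and the RFC931 user name are supplied by the client side and must not be able to split a record or forge a second one.

```python
import logging
import logging.handlers
import re

# Assumed labels for the credential types listed under item 5f.
CREDENTIAL_TYPES = {"password", "pki-cert", "kerberos", "other"}
# Anything outside printable ASCII, plus the characters that delimit fields.
_UNSAFE = re.compile(r'[^\x21-\x7e]|["\\=]')


def _clean(value):
    """Hex-escape characters that could split a record or forge a field."""
    return _UNSAFE.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))


def format_auth_event(app, success, remote_host, remote_user, target_user, cred_type):
    """Build one audit line carrying fields a-f (field names are assumptions)."""
    if cred_type not in CREDENTIAL_TYPES:
        raise ValueError("unknown credential type: %r" % (cred_type,))
    if not (app and remote_host and target_user):
        raise ValueError("app, remote_host and target_user are required")
    fields = [
        ("app", app),                                     # a
        ("result", "success" if success else "failure"),  # b
        ("rhost", remote_host),                           # c
        ("ruser", remote_user or "-"),                    # d: RFC931 reply, optional
        ("user", target_user),                            # e
        ("cred", cred_type),                              # f
    ]
    return "auth " + " ".join("%s=%s" % (k, _clean(v)) for k, v in fields)


def audit_logger(address="/dev/log"):
    """Logger that hands records to the local syslogd, which forwards them on."""
    logger = logging.getLogger("portal.audit")
    if not logger.handlers:
        logger.addHandler(logging.handlers.SysLogHandler(
            address=address,
            facility=logging.handlers.SysLogHandler.LOG_AUTHPRIV))
    logger.setLevel(logging.INFO)
    return logger


if __name__ == "__main__":
    # Constructed sample: an ident reply that tries to smuggle a second record.
    print(format_auth_event("portal-web", False, "198.51.100.7",
                            "eve\nauth result=success", "alice", "password"))
```

A caller would pass the returned string to `audit_logger().info(...)` for successes and `.warning(...)` for failures, leaving duplication to the central log server to the host's syslog configuration.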
6. Last login and accounting data is to be recorded and preserved on
a portal host for a minimum of 90 days. The ISO shall issue
Accounting system guidelines, as necessary, to describe how to
implement this requirement.
7. [The CIP ISOs realize that portal development is in its infancy
and many different ways of implementing portals and gaining access
to Resource Providers are available. Therefore, the following
minimum standard is to be implemented by portal developers by
February 2006. The site security groups will make every effort
to support the portal developers in defining the requirements and
providing support for the following minimum standard.
Exceptions to the deadline can be approved by the Portal site's
ISO on a case-by-case basis.]
Portal application developers are required to work with Resource
Providers to develop the ability to appropriately document and provide
audit trails for the initiation of service requests by remote users
to resources. Unauthorized access to the web portal could potentially
result in the submission of an unauthorized request for services to
a Resource Provider. An audit trail of a service request must be
provided by the portal in the case where an unauthorized or suspicious
request is identified by the Resource Provider. If Resource Providers
do not have access to end user information (name, organization, contact
number, etc.), which may be the case in Community Account Portals,
then a portal administrator will need to provide that information if
a Resource Provider requests it. If Resource Providers cannot get
that information in a timely enough fashion then they reserve the
right to disable the account (and in the case of a Community Account
it will affect multiple users).