XCI-783 Design and Security Review Discussions

7 posts / 0 new
Log in to post comments
Last post
Wed, 2022-02-16 13:50
#1
John-Paul Navarro
John-Paul Navarro's picture
XCI-783 Design and Security Review Discussions

Post design and security questions and feedback in this thread.

Top
Wed, 2022-03-02 14:27
Derek Simmel

Design is OK - I'd like some mention of the AWS Security Controls and service configurations to be implemented and documented.

Top
Wed, 2022-03-02 15:04
(Reply to #2)
Jim Basney

Thanks Derek. For AWS Security Controls are you referring to https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-sta... ? I'm looking at targeting the CIS AWS Foundations controls but costs of the AWS Security Hub service is a concern. I already tried enabling AWS GuardDuty and the cost was prohibitive. I know XSEDE has other services running in AWS, so I'd welcome any advice/experience/recommendations you can provide about these AWS security service options.

Top
Wed, 2022-03-02 15:41
(Reply to #3)
Derek Simmel

Happy to help in looking into the AWS policy and security configurations - I am not an expert at this, but others within our Security Ops group have done work recently on such for the XES in AWS. For the time being, I'd just like to see a line added in E.2.8 of the design doc saying that the AWS-specific policies and controls implemented to protect the services will be documented - even if, given possibly security-sensitive content, that document is maintained in a controlled, non-public place (private github?).

Top
Wed, 2022-03-02 17:21
(Reply to #4)
Jim Basney

Will do. I think it fits in our (internal) Master Information Security Policy and Procedures doc as part of our (in-progress) adoption of the Trusted CI Framework. Thanks!

Top
Fri, 2022-03-11 12:16
(Reply to #5)
Jim Basney

I've updated https://software.xsede.org/svn/xci/activities/xci-783/trunk/Deliverables... (v1.1) to include the additional documentation in Section E.2.8.

Thanks,
Jim

Top
Mon, 2022-03-14 17:34
John-Paul Navarro
John-Paul Navarro's picture

Some belated feedback:

  1. Should Figure 1 include Route 53 as explained in the text?
  2. Curious, what DB technology is currently used that is being replaced?
  3. Is the Syslog Collector and Splunk in Figure 2 already exist today and should be in Figure 1?
  4. E.2.1. Doesn't mention existing syslog and Splunk at NCSA.
  5. Is the new Aurora DB multi-instance across availability zones? If not, will regular backups be used to aid in recovery in case of an Aurora DB failure? This would be advisable not just for the unlikely case of a single instance failure, but also in the case of compromise and data destruction.
  6. E.2.12. Is Globus the only CILogon dependency that should be tested. If not, please list the rest.
Top
Log in to post comments

National Science Foundation (NSF)

© ACCESS All Rights Reserved.

ACCESS is an advanced computing and data resource supported by the National Science Foundation and made possible through these lead institutions and their partners:
Carnegie Mellon University, University of Colorado Boulder, University of Illinois at Urbana-Champaign, and State University of New York at Buffalo .


Administrative Login