
Security Baseline for File Hosting

CERN Div./Group or Supplier/Contractor Document No.: Computer Security Officer

EDMS Document No.: 1062503

September 6th, 2010

CERN CH-1211 Geneva 23 Switzerland

SECURITY BASELINE FOR FILE HOSTING

ABSTRACT

A “Security Baseline” defines a set of basic security objectives which must be met by any given service or system. The objectives are chosen to be pragmatic and complete, and do not impose technical means. Therefore, details on how these security objectives are fulfilled by a particular service/system must be documented in a separate “Security Implementation Document” [1]. These details depend on the operational environment a service/system is deployed into, and might, thus, creatively use and apply any relevant security measure. Derogations from the baseline are possible and expected, and must be explicitly marked.

At CERN, for each service/system used in production, such a Security Implementation Document must be produced by its system/service owner, and be accepted and approved by the Computer Security Officer. All systems/services must be implemented and deployed in compliance with their corresponding Security Implementation Document. Non-compliance will ultimately lead to reduced network connectivity for the affected services and systems (i.e. closure of CERN firewall openings, access blocked to other network domains, and/or disconnection from the CERN network).

This document describes the Security Baseline for File Hosting services used in a CERN production environment.

Prepared by: Computer Security Team

Checked by: IT Security Contacts, Department Security Contacts, Experiment Security Contacts

Approved by: Computer Security Officer, IT Group Leaders, IT SRM Members

Distribution: Unrestricted


History of Changes

| Rev. No. | Date | Reference | Description of Changes |
|---|---|---|---|
| 0.5 | 2010/02/02 | | Draft |
| 0.6 | 2010/02/24 | | Several Comments from the Security Team |
| 0.9 | 2010/05/20 | | Several Comments from IT Security Contacts, Department Security Contacts, and Experiment Security Contacts |
| 1.0 | 2010/05/20 | | Approved version |
| 1.1 | 2010/09/06 | FILE-AC-1/2, FILE-AC-7 | Added the category of “restricted” data. Removed the timescale (“in weeks”). |


1. SECURITY BASELINE REQUIREMENTS

The objectives of the Security Baselines below apply to any server, PC, laptop (commonly denoted within this document as “server”). If a service/system consists of multiple servers, the baseline applies to each of them. The terminology follows RFC2119 [2]. The words “least”, “minimize”, “restrict” and “small” refer to the operative minimum before rendering the service/system useless.

1.1 ACCESS CONTROL

| Ref. | Requirement | Comment |
|---|---|---|
| FILE-AC-1 | Define the concrete meaning of “Private”, “Restricted”, and “Public” with regards to the file system (following the definition in [3]). | “Private” data is usually confidential to one individual, e.g. private correspondence or authentication credentials. “Public” data is not confidential and can be shared with a very large group of people, e.g. “Domain Users”. All other data must be “restricted” in access, e.g. information confidential to a (small) group of individuals like meeting minutes, MARS assessments. |
| FILE-AC-2 | Classify all standard files and folders into the data classes “Private”, “Restricted” and “Public” (as defined in [3]). | “Standard files and folders” in this context are those created by default or created during the normal usage of that file service. |
| FILE-AC-3 | Restrict default access to the corresponding data owner for all files and folders classified as “Private”. | Applying the “Rule of least privilege” reduces the likelihood of data disclosure. |
| FILE-AC-4 | Define default access to all files and folders classified as “Public”. | |
| FILE-AC-5 | Disable public write access to any folder. | Drop-boxes with restricted read access are permitted. |
| FILE-AC-6 | Define how access rights are inherited by sub-folders. | |
| FILE-AC-7 | Regularly enforce FILE-AC-3 and FILE-AC-5 by correcting all settings which deviate from the default settings. | The meaning of “regularly” must be explicitly defined. |
| FILE-AC-8 | Inform the data owner when settings have been corrected. | |
| FILE-AC-9 | Publicly document the default settings for all standard files and folders as defined in FILE-AC-2, the inheritance scheme as well as the enforcement policy. | |
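
Added example (not part of the CERN document, which imposes no technical means): one possible enforcement sweep for FILE-AC-3, FILE-AC-5 and FILE-AC-7 that also collects corrections per owner for FILE-AC-8, assuming a POSIX file system with mode bits rather than ACLs. The folder name "private", the function names, and the reading of a drop-box as a folder that others may write to but not list are assumptions.

```python
import os
import stat
import tempfile
from collections import defaultdict

PRIVATE_DIRS = ("private",)  # assumption: top-level folders classified "Private"

def enforce(root, fix=True):
    """One enforcement sweep; returns {owner_uid: [(path, old_mode, new_mode)]}."""
    report = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # os.chmod follows symlinks; never correct through one
            old = new = stat.S_IMODE(st.st_mode)
            top = os.path.relpath(path, root).split(os.sep)[0]
            if top in PRIVATE_DIRS:
                new &= ~0o077  # FILE-AC-3: owner-only access to "Private" data
            elif stat.S_ISDIR(st.st_mode) and new & stat.S_IWOTH and new & stat.S_IROTH:
                new &= ~stat.S_IWOTH  # FILE-AC-5: no public write on listable folders
            # A folder that is o+w but not o+r is treated as a permitted drop-box.
            if new != old:
                if fix:
                    os.chmod(path, new)
                report[st.st_uid].append((path, old, new))  # FILE-AC-8: notify owner
    return dict(report)

def demo():
    """Constructed sample tree with three deviations and one permitted drop-box."""
    root = tempfile.mkdtemp()
    for name, mode in (("private", 0o755), ("public", 0o777), ("dropbox", 0o733)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    key = os.path.join(root, "private", "key.txt")
    open(key, "w").close()
    os.chmod(key, 0o644)
    return root, enforce(root)

if __name__ == "__main__":
    root, report = demo()
    for uid, fixes in report.items():
        for path, old, new in fixes:
            print(f"uid {uid}: {path} {old:04o} -> {new:04o}")
```

Running the sweep with fix=False gives a report-only pass; the interval at which it is scheduled is the explicit definition of “regularly” that FILE-AC-7 asks for.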

1.2 PROVISIONING

| Ref. | Requirement | Comment |
|---|---|---|
| FILE-PRV-1 | Document all dependencies of storing files. | For example, the storage of some web contents depends on AFS, AFS back-ups depend on CASTOR, etc. |

1.3 ADDITIONAL SECURITY BASELINES

| Ref. | Requirement | Comment |
|---|---|---|
| FILE-ADD-1 | Implement the requirements defined in the most recent “Security Baseline for Servers” [4]. | |

2. REFERENCES

[1] The CERN Security Team, “Security Implementation (Template)”, EDMS 1062504

[2] Network Working Group, RFC2119, http://www.ietf.org/rfc/rfc2119.txt

[3] The CERN Security Team, “Data Protection Policy”, in draft

[4] The CERN Security Team, “Security Baseline for Services”, EDMS 1062500