Security Compliance

In order to maintain our security posture we require Instances to meet the following compliance rules:

Compliance Rules

You must

You must not

  • Remove the access of the STFC Cloud Operations Team through any means

  • Change the root password changed

  • Disable the root or cloud (where present) user accounts

  • Store data of a personal, confidential or sensitive nature within the service, which is provided for scientific use only.

  • Use the service to store, process or manipulate any medical information or data.

  • Use the service for illegal purposes.

  • Infringe copyright material or other intellectual property rights.

  • Undertake activities that may impact the performance of other projects and services using the STFC Cloud, such as running network sniffer tools

 

Maintaining Compliance

We reserve the right to take action to maintain compliance and security posture without prior notice. These actions include but are not limited to the following:

We will

  • Regularly release compliant and updated images

  • Provide an ansible playbook to set a security baseline

  • Regularly scan our networks for vulnerabilities and misconfigurations

  • Notify users about any vulnerabilities or security issues that we find and set deadlines for remediation

  • Notify users about CVEs which affect our images via the mailing list

  • Notify users about the end of life of images and flavors with appropriate deadlines

  • Notify users about changes to this policy via the mailing list

  • Take appropriate actions when responding to a security incident

  • Shutdown or remove instances where a pre-agreed deadline has been missed and an exception has not been agreed

We will not

  • Take or maintain backups

We can

  • Disconnect the instance from the network

  • Turn off and lock the instance

  • Modify sudo permissions

  • Disabling images

  • Removing firewall holes

  • Make changes to security groups

  • Block access from particular user accounts

  • Block access from particular IPs

  • Log in to Instances to investigate issues

  • Apply updated compliance tools

  • Collect logs

  • Snapshot an instance for analysis purposes

  • Add, remove or update packages

  • Take action to reapply the security baseline

  • Add monitoring to VMs for compliance or accounting purposes

 

Custom images

If you maintain your own custom images you can apply our current compliance posture to any Instance or while building an image by running the vm_baseline role from here: https://github.com/stfc/cloud-image-builders/tree/main/os_builders