R16. Security

From the CTS application:
The technical infrastructure of the repository provides for protection of the facility and its data, products, services, and users.
 

Application-level security

Dataverse installations are guided by the instructions in the “Securing your installation” and “Network ports” sections of the installation guide, among other sections dealing with the security of the application. These pages cover keeping Solr off the public network, blocking the administrative and other sensitive API endpoints from outside callers, forcing HTTPS, and running the application behind a reverse proxy, all to ensure the installation is adequately protected from external threats.
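The points above are things an installer can verify from outside the server after hardening. The following probe is an added example written for this page; it is not code from the Dataverse project or its guides. It assumes placeholder host names, an assumed list of ports that should only be reachable locally (Solr on 8983, the application server on 8080 and its admin console on 4848), and an assumed list of sensitive API paths under `/api/admin` that an anonymous outsider should not get a 2xx from once `:BlockedApiEndpoints` and `:BlockedApiPolicy` are set. Any non-2xx answer (or no answer) is counted as blocked from that vantage point.

```python
"""Added example, not from the Dataverse guides or code base: a read-only
post-hardening probe run from OUTSIDE the server. Host names, port list and
endpoint list are assumptions chosen for illustration."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports that should only be reachable from the host itself once Solr and the
# application server sit behind a reverse proxy. Assumed list.
INTERNAL_PORTS = {8983: "Solr", 8080: "app server HTTP", 4848: "app server admin console"}

# Paths an anonymous outside caller should NOT get a 2xx from once the
# ":BlockedApiEndpoints" / ":BlockedApiPolicy" settings are in place. Assumed list.
SENSITIVE_ENDPOINTS = ["/api/admin/settings", "/api/admin/authenticatedUsers"]


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


# ---- pure evaluators (no network; the tests exercise these) -------------
def classify_https_redirect(status: Optional[int], location: Optional[str]) -> bool:
    """A plain-HTTP request is 'forced to HTTPS' only if it is answered with a
    redirect whose Location is an https:// URL. A 200 over HTTP means the site
    still serves pages (and would accept credentials) in cleartext."""
    return status in (301, 302, 307, 308) and bool(location) and location.lower().startswith("https://")


def classify_blocked_api(status: Optional[int]) -> bool:
    """Any non-2xx answer, or no answer at all, counts as blocked from this
    vantage point; a 2xx means the endpoint is reachable anonymously."""
    return status is None or not 200 <= status < 300


def summarize(findings: List[Finding]) -> Tuple[int, int]:
    """Return (passed, total) for a list of findings."""
    return sum(1 for f in findings if f.ok), len(findings)


# ---- network helpers -----------------------------------------------------
class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface redirects as HTTPError instead of following them


_opener = urllib.request.build_opener(_NoRedirect)


def http_get(url: str, timeout: float = 5.0) -> Tuple[Optional[int], Optional[str]]:
    """Return (status, Location header) without following redirects;
    (None, None) when the host does not answer at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "dv-hardening-probe"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return None, None


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(host: str) -> List[Finding]:
    findings = []
    status, location = http_get(f"http://{host}/")
    findings.append(Finding("HTTP forced to HTTPS", classify_https_redirect(status, location),
                            f"http://{host}/ -> {status} Location={location}"))
    for port, name in INTERNAL_PORTS.items():
        is_open = port_open(host, port)
        findings.append(Finding(f"{name} (port {port}) not exposed", not is_open,
                                "reachable from outside" if is_open else "closed or filtered"))
    for path in SENSITIVE_ENDPOINTS:
        status, _ = http_get(f"https://{host}{path}")
        findings.append(Finding(f"{path} blocked for outsiders", classify_blocked_api(status),
                                f"HTTP {status}" if status is not None else "no answer"))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dataverse.example.org"  # placeholder host
    results = run_checks(target)
    for f in results:
        print(f"[{'PASS' if f.ok else 'FAIL'}] {f.check}: {f.detail}")
    passed, total = summarize(results)
    print(f"{passed}/{total} checks passed")
```

Run it as `python probe.py your.dataverse.host` from a machine outside the data centre network; a PASS on the port checks from inside the server's own network says nothing, since the guide's point is that those ports must not be reachable from the internet.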

User authentication

The Dataverse software supports both local (built-in) and remote authentication, including several managed authentication protocols intended to simplify and secure the handling of user accounts:

Passwords for local (built-in) accounts are never stored in clear text; they are stored as salted hashes. Local accounts are also subject to configurable strong-password requirements (added in Dataverse software version 4.8). Note that hashing protects passwords only at rest; forcing HTTPS, as described above, is what protects them in transit.
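To make the two properties concrete, here is an added example written for this page in Python; it is not Dataverse's own (Java) implementation and does not claim to reproduce its hash format. It stores a random per-user salt alongside a slow hash and verifies with a constant-time comparison, and it applies a strength policy whose knobs are modelled on the shape of Dataverse's configurable rules (minimum length, a required number of character classes, a "good strength" length above which the class rules are waived, and a dictionary check). The default values and the small dictionary below are assumptions for illustration, not the project's defaults.

```python
"""Added example, not Dataverse's implementation: salted password storage
plus a configurable strength policy for local accounts. Policy defaults and
the dictionary are constructed for illustration."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# ---- storage: random salt + slow hash; the plaintext is never kept ------
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm, cost parameters, salt, digest."""
    salt = salt if salt is not None else os.urandom(16)
    n, r, p = 2 ** 14, 8, 1  # scrypt cost; ~16 MiB of memory per hash
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: never a match


# ---- policy: modelled on the shape of Dataverse's :PV* settings ---------
@dataclass
class PasswordPolicy:
    min_length: int = 8                      # assumed default
    max_length: int = 0                      # 0 = unlimited
    character_classes: Dict[str, str] = field(default_factory=lambda: {
        "alphabetical": r"[A-Za-z]", "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"})
    number_of_characteristics: int = 2       # classes that must be present
    good_strength: int = 20                  # this long: class rules waived
    dictionary: FrozenSet[str] = frozenset({"password", "dataverse", "letmein", "qwerty"})  # constructed


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length and len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if pw.lower() in policy.dictionary:
        problems.append("is a dictionary word")
    if len(pw) < policy.good_strength:  # long passphrases skip the class rules
        met = sum(1 for pattern in policy.character_classes.values() if re.search(pattern, pw))
        if met < policy.number_of_characteristics:
            problems.append(f"must contain at least {policy.number_of_characteristics} of: "
                            + ", ".join(policy.character_classes))
    return problems


# ---- account store tying the two together --------------------------------
def create_account(username: str, password: str, policy: PasswordPolicy,
                   store: Dict[str, str]) -> List[str]:
    """Enforce the policy, then keep only the salted hash. Returns violations."""
    problems = check_password(password, policy)
    if not problems:
        store[username] = hash_password(password)
    return problems


def login(username: str, password: str, store: Dict[str, str]) -> bool:
    """Unknown users still go through a hash to keep timing uniform."""
    stored = store.get(username) or hash_password("")
    return username in store and verify_password(password, stored)


if __name__ == "__main__":
    policy, accounts = PasswordPolicy(), {}
    for candidate in ["password", "abcdefghij", "Tr0ub4dor!", "correcthorsebatterystaple"]:
        print(candidate, "->", check_password(candidate, policy) or "ok")
    assert create_account("alice", "Tr0ub4dor!", policy, accounts) == []
    print("stored record:", accounts["alice"])
    print("login ok:", login("alice", "Tr0ub4dor!", accounts), "wrong:", login("alice", "tr0ub4dor!", accounts))
```

Two design points worth noticing: the stored record carries its own cost parameters, so the work factor can be raised later and old records re-hashed on next successful login; and the policy waives the character-class rules only above the "good strength" length, which lets long passphrases through without forcing digits and symbols into them.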

Reporting security issues

Security issues in the base application (the code hosted in the Dataverse GitHub repository) should be reported privately to security@dataverse.org rather than in a public issue. When a fix requires code changes to secure the application, the IQSS team makes the changes and includes them in the next software release on GitHub.
 

Answers from successful applicants

Tilburg University Dataverse collection:

The technical infrastructure, including the operational servers, is located in a secure data center, where only authorized employees have access to the equipment after identification. The systems are all provided with redundant power supplies that are located on separate power groups, which are powered by (separate) UPSs and generators, so they keep running even if there is a power failure. The space in which the equipment is located has climate control and a gas extinguishing system and is located above sea level.

Backups are made to disk and then written to tape in Amsterdam within 4 hours, and also to tape in another city in the Netherlands (Almere) within 24 hours, so data are also safe if the data center in Amsterdam is unexpectedly completely destroyed.

According to the Service Level Agreement, DANS will resolve incidents according to the prioritization as follows:

  • Minor: Service is partially unavailable to ≤ 50% of all institutional repositories: within 24 hours and try to resolve 80% of these incidents within 5 working days
  • Middle: Whole service is unavailable to any of the institutional repositories: within 24 hours and try to resolve 100% of these incidents within 2 working days.
  • Major: Whole service is unavailable to more than one of the institutional repositories or partially unavailable to > 50% of institutional repositories: within 4 working hours and try to resolve 100% of these incidents within 2 working days.

If DANS receives an alert that allegedly unlawful and/or illegal content has been stored by a data producer in DataverseNL, DANS will unpublish the dataset immediately and will inform the local Admin of the institutional repository concerned on how to take further action.
 

QDR:

Security and risk management are carried out by QDR’s technical team, in collaboration with the Syracuse Maxwell School IT department, and under a contract with the cloud infrastructure provider AWS. Dedicated instances purchased from AWS include brand-new “10xlarge” servers (10x is a proprietary distinction by Amazon that indicates a dedicated server running on Intel Haswell processors) that are refreshed every two years. Technical infrastructure is physically located in US-EAST (Ohio), but can be moved relatively quickly through QDR’s use of the infrastructure management tool Terraform (as described in R15). QDR created a virtual private cloud (VPC) for the different applications deployed to AWS. The VPC is achieved through private IP subnets, as well as a virtual private network (VPN) that secures access to the VPC (this is achieved through authentication).

As described in R9 and R12, QDR creates redundant storage (located both at Syracuse and in the cloud with AWS) that prevents data loss, and limits the impact of service outages in the case of a natural disaster.

End-user access to data requires registration, and agreement to QDR’s General Terms and Conditions of Use (described in R2).

Links:
Terms and conditions: https://qdr.syr.edu/termsandconditions
Security and infrastructure: https://qdr.syr.edu/policies/security
 

DataverseNO:

DataverseNO is owned by and is part of UiT The Arctic University of Norway, and is not a separate corporate body (see also R0). This is why the security system, security incidents and security handling regarding DataverseNO are an integrated part of the security system, security organization and security administration at UiT. Several of the topics below are described in more detail in R9.

DataverseNO runs on UiT’s centralized storage and virtual infrastructure (VMware). The backup routine builds on a daily backup with a snapshot of the data and the metadata, as well as the whole VMware server (see also R9). The backup consists of a full snapshot of the server every 90th day, followed by daily incremental snapshots with an integrity check until the next full backup. In this way, the state of the virtual machine can be restored 90 days back in time, or files / databases can be retrieved 90 days back in time. Recovery time depends on the amount of data. At the current data volume (850 GB), a full restore of the server, including the operating system as well as the DataverseNO application with all the data, will probably take up to 1 hour. A file-level or partial restore will normally take less time. A detailed time-to-error statement for DataverseNO is presented in R9.

The policy document Information Security Management System for UiT [1] applies to the entire institution and covers detailed operational routines for daily activities and offered services, including DataverseNO. The aim of this policy is to ensure that UiT is a trustworthy institution when it comes to the handling of information confidentiality, information integrity and information availability.

Physical infrastructure:
DataverseNO is run on the physical infrastructure for applications and data storage employed at UiT The Arctic University of Norway (owner of DataverseNO). This infrastructure resides in two datacenters, each in a different building on the UiT main campus in Tromsø, where data is replicated to avoid data loss in case of physical threats like fires, floods etc. Both datacenters are secured with at least two layers of key-access doors from public areas, and access is restricted to authorized operational staff. The two VMware nodes each have two power supplies, UPS and at least two network cards connected to redundant switches, and the whole operation is monitored continuously by a network monitoring system with automatic error alerts. The data storage is backed up daily with a complete snapshot of the virtual server, making it easier and faster to restore the running environment in case of a server disaster. The backup has versioning with a file retention time of 90 days. The backed-up data is stored in a different data hall from the one where the production system is running. The two data halls are located in separate buildings, at a distance of 400 meters.

Operational security:
The DataverseNO system runs on a standard, virtual CentOS Linux distribution in VMware. The system is regularly updated as fixes are provided. Minor releases of the Dataverse software are installed as they become available from the development group at Harvard. Major Dataverse release updates are subject to careful planning and testing before being put into production. Administrator access to the DataverseNO virtual server and the VMware infrastructure is limited to specific networks. The IT department at UiT has monitoring and alarm systems that alert on-duty personnel.

Information security:
DataverseNO complies with the UiT requirements for good computer use practices [1]. UiT has developed extensive technical and administrative procedures to ensure consistent and systematic information security. Good practice requirements include system security requirements, operational requirements and regular auditing and review. UiT has an appointed CERT (Computer Security Incident Response Team) [2] led by the IT department’s information security officer. Its purpose is to improve the security of UiT’s data network, reduce the number of security incidents and the (potential) harm caused, as well as raise awareness of security issues among IT consultants and end users. This includes any incident affecting information security at UiT, incidents that compromise the confidentiality and integrity of data, as well as unwanted incidents affecting the availability of data.

As described above and in R9, DataverseNO provides backup storage (located at two data centers) that prevents data loss, and limits the impact of service outages in the case of disasters. Procedures are implemented at UiT The Arctic University of Norway (owner of DataverseNO) to activate crisis teams to deal with system security disasters, see the Quality Handbook (Kvalitetshåndboka) [3] mentioned in Requirement R9.

DataverseNO is identified by the management of UiT The Arctic University of Norway (owner of DataverseNO) as an essential part of UiT’s strategy to fulfil the requirements for research data management from national and international funding agencies, as well as from the Ministry of Education and Research of Norway. DataverseNO has already become a core service for UiT researchers and their partners. UiT The Arctic University of Norway (owner of DataverseNO) commits to ensure the proper management and enduring operation of the repository service in accordance with the responsibilities described in the Steering document for DataverseNO [4]. The DataverseNO Preservation Policy describes the procedures for continuity of access and preservation in case of repository closure. See R10.

All systems and services (including DataverseNO) delivered by the UiT IT department are subject to risk and vulnerability analysis at implementation, at start-up, and at regular intervals throughout the lifetime of the systems and services. UiT (including the IT department) has a management system in line with ISO27001 [5], and the risk assessments are based on ISO27005 [6] through guidelines and templates developed by UNINETT [7]. See supplementary information in R9. Due to some overlap between ISO27001/ISO27005 and the Quality Handbook, there is an ongoing process at the UiT IT department to align the UiT policies further with the Information Technology Infrastructure Library (ITIL) [8] in order to deliver the best quality services possible.

The risk management of UiT’s IT systems, including DataverseNO, is described in the Information Security Management System [1]. This system consists of a governing, an implementing and a controlling part, and constitutes UiT’s overall approach to information security, by securing the confidentiality, integrity and availability of the information.

References:
[1] Information Security Management System for UiT, only in Norwegian:
https://uit.no/Content/409330/Styringssystem-07012015-endelig.pdf
[2] Computer Security Incident Response Team - CSIRT: https://uit.no/om/orakelet/art?p_document_id=171411
[3] Quality Handbook (Kvalitetshåndboka), only in Norwegian: Can be obtained upon request
[4] Steering document for DataverseNO: https://site.uit.no/dataverseno/about/steering-documents/
[5] ISO27001 – Information security management systems: https://www.iso.org/isoiec-27001-information-security.html
[6] ISO27005 – Information technology - Security techniques - Information security risk management:
https://www.iso.org/standard/75281.html
[7] UNINETT Risk Management: https://www.uninett.no/infosikkerhet/risiko-og-s%C3%A5rbarhetsvurderinger-ros
[8] ITIL – IT Service Management: https://www.axelos.com/best-practice-solutions/itil