By Gabriel Verdejo Alvarez, IT manager at the at the Research and Development Lab (/rdlab) and full-time staff at UPC (Universitat Politècnica de Catalunya)
IT security concerns are nowadays well-known for everybody. The Internet has provided in a few years an unprecedented boost of possibilities, but also a myriad of dangers and threats in this new digital world.
In research support, national or European projects as well as technology transfer activities, this issue is usually feared and sometimes partially ignored because of many other complex aspects (GDPR, Open research and FAIR principles, Data Management Plan or Ethical committees), and of digital sovereignty concerns (vendor lock-in vs. free software, independence, trustworthiness, or public-non-profit transparency society commitments).
In this article we share our experience in research support at the /rdlab – UPC, hoping it will be useful, and propose a secure solution for researchers: the MyDisk Platform.
Researchers and the research process in a public institution
In order to understand our proposal we first need some context. Research, unforeseeable by its nature, is not a standard process and requires a high degree of freedom and flexibility. Unlike other regular processes and activities (student enrolment or exam qualification), research needs are not predictable and evolve with the progress of the projects.
Furthermore, every researcher/group/partner has its own needs and “work methodology”, so a one-size-fit-all solution or a too rigid environment will deliver negative effects in the project outcomes. For example, some researchers might be working overseas (in different time zones), or in restricted environments, or might have strong security policies (hospitals, military research centres or hi-tech companies).
With these (and some more) considerations in mind, we designed a solution for our research groups allowing them to focus their time and efforts in the research process itself, and not in looking or configuring external IT infrastructures or complementary services unrelated to the projects.
As a public institution, the UPC is strongly committed to transparency and public service values, encouraging the usage of free software in all their areas following the guidelines of European initiatives like FOSSEPS/EU-FOSSA-2. In addition, free software allows access to the source code which provides additional benefits and possibilities to enhance security and transparency, for example:
- Source code can be audited in order to understand and confirm what it is really doing
- Source code can be checked and tested in order to find bugs
- Updates and security patches are always available to everybody
- Source code lets you contribute/adapt/modify/fork the project according to your needs
The MyDisk platform
MyDisk provides a safe and easy-to-use web-desk environment where researchers can work standalone or in collaborative mode with their partners, simply using a browser (see image below). MyDisk allows to store, access, edit and share data worldwide. Furthermore, it provides access to our source code GitLab service, to safe real-time chat and videoconference meetings, to project tracking (Agile Kanban) or allows to manage digital secrets.
All our servers and services are located in Barcelona, at the main UPC Datacenter facilities. A 250m2 TIER II+ ANSI/TIA-942 certified space, with a dual cooling system, redundant power generator and a 24×7 monitoring service provided by UPCnet.
The MyDisk platform integrates several free software projects in a single web dashboard, offering a virtual desktop environment to work autonomously regardless of your conditions. We proudly use these free software projects in our systems and services:
- GitLab: Source code repository
- HAProxy: HA and load balancing (web)
- Linux: Operating System
- Lustre/ZFS: Storage management
- Jitsi: Videoconferences
- MariaDB/Galera Cluster: Database services
- NextCloud: Web access and file management
- OnlyOffice: Online collaborative web editing
- OpenNebula: Cloud services management
- ProxySQL: HA and load balancing (databases)
Security in MyDisk
A centralized service makes it easier to deploy common security policies for users and services, simplifying the protection model. Nevertheless, you have a single point of failure that receives most of the attacks and security problems (e.g. brute force or denial of service). Moreover, as in research we often deal with sensitive data, we have to enforce data Confidentiality, Integrity and Availability (CIA triad).
In order to decrease threats, and to strengthen our platform as much as possible, we mainly address IT security issues at two levels: Architecture and Service.
Architecture layer
This level involves the design area, defining how the hardware and the services are connected and how they will operate (see image below).
Our network is segmented by service areas, isolating every function/service from the rest and forbidding access outside their scope. A perimeter firewall filters the Internet requests and a local firewall at each server ensures minimum damage policies.
Every service is executed in a private cloud environment, making good use of virtualization capabilities: isolation, scalability, availability, redundancy and flexibility. Our storage service is connected only to the system hosts, using a local bypass system VirtioFS to ensure that every VM can access only their required “slice” and keeping a good security-performance balance.
Our disk system relies on a parallel high performance network filesystem (Lustre with a ZFS backend. Unlike most filesystems, ZFS stores a checksum for every datablock guaranteeing the data integrity and self-healing capabilities. In addition, our system keeps three exact copies of every block for quorum and performance sake using our triad system.
Service layer
This level provides a secure user access and enforces good security behaviours inside the platform (see again Figure 1).
MyDisk services are only available through a secure web access (https), providing universal connection and an open device policy. Researchers can work with just a browser avoiding extra complexity like VPN setups and preventing the use of insecure alternatives like SMB, NFS or VNC.
Our web service has a self-defence protection system against common attacks, like brute-force or random scans. Any DOS attack is minimized by our load balancing service spreading the requests among several VM instances and through the countermeasures provided by our ISPs (UPCnet, CSUC and RedIRIS).
The user access service supports MultiFactor/2FA authentication through email pin, TOTP applications, physical token devices and user’s one-use pre-generated code. Besides, the user authentication can be federated with renowned services (SIR, UNIFICAT, eduGAIN…).
In order to promote good security behaviours and increase the overall platform security, MyDisk also offers a password and digital secrets (certificates, tokens…) management service:
- A trustworthy centralized place to control all your authentication credentials and a safe new password generator. Additionally, automatically checks for weak or compromised credentials warning the user if necessary.
- A safely way to share passwords among team members avoiding unsafe practices like sending clear text passwords by email or using chat messaging apps. MyDisk forbids group password sharing because group members could change over time, concealing who had access to a specific credential and worsening security leak tracking.
We want to stress that this service always uses a safe random per-user generated unique key to encrypt data credentials (even in the database tables!) guaranteeing privacy against database dumps or malicious system administrators.
For security’s sake, direct data sharing capabilities are restricted only between team members (group A members cannot “see” group B members unless they share a common group). For external shared data, we enforce security using date expiration, password protected, read or write only access options.
MyDisk allows private internal communication for group members using an instant messaging service and videoconferences with external users using just a browser or specific app clients available for any OS.
Regarding users and data access accountability, we log every interaction for a full month due the large log file size. Every researcher can review their own actions and the activity on accessible shares, defining to be noticed on specific events. For special audit requirements, we can also provide a lifetime monitor log service (see activity and MyDisk log, in Figure 1).
A regular daily backup is made every night, but in addition, MyDisk offers a built-in file control version management system that automatically keeps versions of every modified file using user’s quota free space. This way, every user can recover by itself accidental modified files or malicious ransomware attacks.
The future of MyDisk
Our platform was designed to provide a safe, flexible and useful workspace for researchers, therefore, its evolution evolves along the researcher’s needs and requirements. Immediate future plans include performance improvement and increasing storage space. Additionally, user authentication and data shared federation with other fellow research services has been successfully tested, opening a path for future European collaborations.
Do not hesitate to contact us for further details, we will be glad to hear from you!
About the author
The /rdlab provides specific IT support for UPC research groups, fellow universities and research centers in their national and European projects in order to foster their technology transfer initiatives.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022
