Adopted September 27, 2011
Access to CDL servers and systems is controlled and managed according to UC and UCOP policies and following CDL’s Information Technology Security Guidelines and Supporting Baseline Practices [URL] which dictate that “adequate authentication and authorization functions must be provided, commensurate with appropriate use and the acceptable level of risk. In general CDL follows a least privileges model, in which privileged users of a system are granted the least amount of privilege necessary to fulfill their responsibilities.”
Accordingly, the CDL manages access to its servers and systems through the following policies and practices.
- Account Provisioning & Removal
Individual server accounts are established for CDL service staff in development, staging, and production environments upon an authenticated request by an Administrative Official. Sudo, Unix group membership, and LDAP records ensure that accounts and account privileges are limited to the level required for job responsibilities. Accounts are disabled (passwords changed) within 1 business day of termination or departure and removed entirely within 2 weeks of termination or departure (allowing time for relocation of account-related content important to the CDL program or unit).
- Group membership
With the exception of system Unix groups (e.g. root, other, bin, sys, adm, uucp, mail, tty, daemon), membership in Unix groups is requested by CDL TechLeads for account holders as needed and is managed through LDAP.
- File and Data Transfer
CDL services that require internal (intra-CDL) or external data transfers may employ any data transfer method in which an incoming data transfer is monitored and logged, and the data transfer initiator, whether an individual or a process, is authenticated and authorized. When documented business needs require it, the CDL allows file transfer as one component of data delivery/ingest. Anonymous FTP access is not supported. File transfer into any directly managed and owned CDL server/system is limited to authenticated sessions and/or secure versions of file transfer (e.g. HTTPS, SFTP, FTPS, WebDAV), including the use of destination accounts with no shell or login access, an encrypted control channel, and, optionally, an encrypted data channel.
All login accounts/passwords use industry-standard encryption and must meet minimum strength requirements. The CDL does not insist upon password expiration/rotation for active accounts (following “password sanity” logic, e.g. https://cryptosmith.com/password-sanity/).
Direct root login is disabled on all CDL servers. CDL System administrators are granted root privileges as necessary. The roster of system administrators with root privileges is set by CDL and IR&C managers and is reviewed annually.
- Role accounts
Role accounts are established as necessary but set to no password, i.e. privileged users must sudo to a role account. This ensures privilege management and allows tracking of role account usage back to individual users (via sudoers logging).
- External (Non-CDL) Account Holders
CDL establishes remote SSH/FTPS access to its production, development, and staging environments only for explicit, documented, and approved business needs. CDL maintains, and is able to report to its data center partners, a list of those business needs and the related access requirements of personnel/processes. Most changes in access (i.e. addition, modification, or removal of an entity needing access) will be requested within one week of a change in business need; in no case will a change go uncorrected for more than 3 months.
- Ownership and contact: This policy was created and is maintained by CDL Tech Council with approval/endorsement by the CDL Executive Director. The policy is for internal use and not public posting but may be shared outside of CDL if a business need exists. Contact the CDL Manager, Infrastructure and Applications Support for more information.
- Related documents:
CDL Information Technology Key Security Guidelines and Supporting Baseline Practices
CDL Authorized External Users List