Posted by: Dan Sellars, Manager, Software Development and Julian Corduneanu, Manager, Cybersecurity
Security considerations are crucial throughout the process of developing Research Software. Today, software running on the Internet is potentially vulnerable to exploitation. The tools to hack a computer system are available and some are pretty easy to use, even by non-experts. Often all it takes is some time and an Internet connection to access these tools.
What to consider?
The three main areas of concern to plan for carefully when considering security are Confidentiality, Integrity and Availability:
- Confidentiality — Protecting data from unauthorized parties is an important consideration, even for projects strongly committed to Open Science. Early pre-publication results and users’ Personally Identifiable Information (PII) must be properly safeguarded by dedicated security controls.
- Integrity — Protecting the authenticity of the research data and research process is crucial to the final outcomes of the research.
- Availability — Digital data must be accessible to, and usable by, the authorized users of a platform whenever it is needed.
A key step in safeguarding a Research Platform while addressing these concerns is to ‘harden’ its underlying Operating System (OS). Modern Operating Systems such as Linux, Windows and macOS come with some security features out-of-the-box. However, they are designed to appeal to a wide range of use cases and be easy to use. Extra steps are required to configure the OS to meet certain security frameworks.
What needs to be done to harden an OS against a cyber-attack?
To answer this question, we can turn to the security organizations that have developed and published security recommendations and OS hardening benchmarks. The Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), both based in the US, are top resources. Their guidelines are trusted and have been largely adopted by the cybersecurity community as best practice, which makes them a great basis for your own deployment.
The practice of hardening the OS involves applying a large set of configuration changes or ‘controls’ that have been previously tested and confirmed useful by security practitioners. CIS have made available a Best Practices Guide and a Configuration Assessment Tool (CAT), CIS-CAT Lite, that can ease the process of checking or confirming what areas of your system may expose risks. NIST has also published a very useful Guide to General Server Security.
I have hardened my system; now what?
Once the server that will be deployed in a production environment has been hardened, another key consideration comes into play: keeping it up-to-date. As soon as the deployed software is operating in a dynamic environment open to online threats, it is necessary to have a system update and test plan in place to ensure that OS patches and updates are applied promptly and do not negatively impact the deployed software. Maintaining the smooth and secure running of Research Software is an ongoing task once initial development has finished.
We hope this post has been useful in highlighting why security considerations are crucial in the research software development process. The resources linked above are excellent sources for more guidance on this subject.