Reinforcement of security measures: configuration of data access rights

Faced with the multiplicity of threats and attacks on information systems, which represent numerous and serious risks (compromising or blocking information systems, theft of sensitive data, attempts to damage the image of organisations, etc.), government security services have in recent years elaborated a general security framework, together with a set of measures to ensure its implementation, with the objective of providing the best possible protection of state interests. This framework is the Politique de sécurité des systèmes d'information de l'État (PSSIE), set out in the circular of the Prime Minister, n° 5725/SG of 17 July 2014. The PSSIE applies to all the information systems of government administrations, and progressive compliance with its numerous clauses must be the goal of each administration.

IDRIS was amongst the first, since August 2013, to implement the framework for the protection of the national scientific and technical potential (PPST), which specifically concerns establishments with a scientific or technical vocation. The progressive implementation of the accompanying PSSIE measures is acutely urgent at a sensitive centre such as IDRIS, due to the power of its supercomputers and the very large number of scientific projects which depend on its resources and store their research results there.

IDRIS, in close consultation with the other national centres such as GENCI and the national RSSI of the CNRS, all closely associated in this process, will progressively deploy the new security measures. The goal of these measures is progressive compliance with the PSSIE rules, with the objective of obtaining an official security approval for the supercomputers in operation, according to the criteria currently in effect. This approval is anticipated for IDRIS around mid-2017.

Implementation will proceed through several measures. The first of these consists of restricting the opening of standard (Unix) file access rights to users other than the owner; for the present, this restriction will only be encouraged, not enforced, for users of the same project but, in several weeks, access will be forbidden to users from other projects. This first measure will be followed by the tightening of the SSH service configuration, filtering of connection IP addresses per user and not only per project, and a requirement for double authentication to access computing resources. Nevertheless, for each of these situations, which in certain cases correspond to imperative needs in working methods, technical possibilities will be offered to obtain the same effect as previously. It will simply be necessary to follow specific procedures, which are precisely described on the following page: How to configure the access rights to your data.

We are very aware that these supplementary constraints, as is often the case with any new security measure, could be viewed negatively by our users. They will undoubtedly cause some small additional difficulties for certain users. Nevertheless, just like the physical security measures which, in our troubled times, are imposed on everyone to reinforce the protection of individuals, the measures described in this letter are intended to preserve the resources available to you, on which a large portion of the national scientific community strongly depends, and the many fruits of the research carried out on these resources, in every discipline, which represent an essential part of the national scientific potential.

Denis Girou
IDRIS Director