CUBIC Security Measures

CUBIC Security Measures

HIPAA

CUBIC is NOT HIPAA-certified for ePHI.

PHYSICAL SECURITY

  • CUBIC is hosted in the same secure datacenter which hosts UPHS enterprise IT infrastructure
    • the datacenter has strict access requirements including showing proof of US citizenship or residency
    • the datacenter is staffed 24x7x365
  • only CUBIC sysadmins and approved technicians may approach CUBIC hardware

USER AUTHENTICATION

  • users must have an active UPHS ID
    • CUBIC delegates authentication to UPHS Active Directory and does not maintain user passwords
  • users must also be explicitly added as a CUBIC user

LOGIN ACCESS

  • CUBIC is within UPHS network boundaries
  • access to CUBIC can only be made while the user
    • on campus, on the UPHS network
    • on campus, on the PMACS network
    • is remote and using the UPHS VPN
      • UPHS VPN requires an active UPHS ID
    • is remote and using the PMACS VPN
  • no normal CUBIC users have any administrative privileges
    • only CUBIC systems administrators have privileges to make system modifications, including installing system software

PROJECT DATA SECURITY

  • each project has a project-specific pseudo-user and group associated
  • users may be added to a project only with explicit approval of the project's PI
  • access to a project may be:
    • read-only; privileges are:
      • reading any data in the project directory hierarchy
      • writing data to the project "dropbox" directory
    • read and write
      • reading and writing any data to the project directory hierarchy
  • write-access to projects is via the standard Linux "sudo" utility
    • users who need to write data to the project directory will use sudo to execute a command as the project pseudo-user
    • users who need a shell environment would use sudo to execute the "sudosh" shell
    • both sudo and sudosh log their executions
      • sudo logs the user who executed "sudo" and the command that was executed
      • sudosh logs all commands that are executed in the sudosh interactive session
  • a report of all users who have access to a project and their access level may be obtained by using the project_access_report utility while logged into CUBIC
  • CUBIC administrators are alerted by email any time an unauthorized account attempts to escalate permissions

DATA RECOVERY

We currently retain three (3) daily snapshots (read-only) of all home and project data on CUBIC. As we expand storage capacity, this policy may be expanded.

PROTECTION AGAINST DATA CORRUPTION

The security measures above serve to prevent accidental deletion and corruption of data:

  • all data modification operations require the use of "sudo" which requires the use of a password
  • daily data snapshots are read-only, providing up to 3 days of recovery in case of accidental deletion or modification