confidentiality in HSL

Introduction

The HSL is dedicated to the confidentiality of datas, in accordance to the main ISO2700x rules and more technicals common-sense tools and organisations.

  • A physical place (« bulletproof »)
  • A dedicated network – RIPE – routing
  • A full enclosure infrastructure (autonomous infra)
  • A specific IT Team (with confideltiality-specific-accreditation – in progress)

Partitionning, physicals protections

The HSL is designed for physical protection of servers against direct access. Some example of mesures :

  • A dedicated closed physical area in the loria building
  • 3 zones
    • Office / Computer room / Red room
    • Differents individual authorization
  • A almost dedicated power supplie
  • A isolated authentication system
  • Strong authentication (2 factors).
    • Biometric & badge
  • Armored glass

Network Security

A dedicated network, dedicated equipments, without external intervention or dependances :

  • Dedicated RIPE Register,
  • Its own DNS, NTP, APT, …
  • (differents) firewalls with stricts rules, even between
    internal networks
  • NAT
  • LAN prefered to VLAN, same kind of Vhosts on the
    same physical host.
  • Log centralisation
  • Bastion (ssh) & dedicated VPN … or not.

System Security

A organisation of systems and middleware dedicated to the data protection against leaks.

  • Full centralized and replayable infrastructure
    • Hypervisor & vhosts
    • Service & config deployement
    • Security fix
  • Monitoring & alert
  • Centralisation account … or not
    • Centralized users and group rights … or not
    • Application accounts
    • Proxy outgoing… or not.
    • All services inside :
      • Squid, APT Mirror, NTP, private DNS views,and more…