The HSL is dedicated to the confidentiality of datas, in accordance to the main ISO2700x rules and more technicals common-sense tools and organisations.
- A physical place (« bulletproof »)
- A dedicated network – RIPE – routing
- A full enclosure infrastructure (autonomous infra)
- A specific IT Team (with confideltiality-specific-accreditation – in progress)
Partitionning, physicals protections
The HSL is designed for physical protection of servers against direct access. Some example of mesures :
- A dedicated closed physical area in the loria building
- 3 zones
- Office / Computer room / Red room
- Differents individual authorization
- A almost dedicated power supplie
- A isolated authentication system
- Strong authentication (2 factors).
- Biometric & badge
- Armored glass
A dedicated network, dedicated equipments, without external intervention or dependances :
- Dedicated RIPE Register,
- Its own DNS, NTP, APT, …
- (differents) firewalls with stricts rules, even between
- LAN prefered to VLAN, same kind of Vhosts on the
same physical host.
- Log centralisation
- Bastion (ssh) & dedicated VPN … or not.
A organisation of systems and middleware dedicated to the data protection against leaks.
- Full centralized and replayable infrastructure
- Hypervisor & vhosts
- Service & config deployement
- Security fix
- Monitoring & alert
- Centralisation account … or not
- Centralized users and group rights … or not
- Application accounts
- Proxy outgoing… or not.
- All services inside :
- Squid, APT Mirror, NTP, private DNS views,and more…