In MinSec for SaaS/PaaS, the Credential and Key Management item has the following:
1. Integrate with Stanford's SSO services, preferably SAML.
2. Review administrative accounts and privileges quarterly.
3. Adhere to the Stanford password complexity rules if not integrated with a Stanford SSO service.
4. API keys:
   1. Minimize their generation.
   2. Grant minimum necessary privileges.
   3. Rotate at least annually.
   4. Do not hardcode.
5. Do not share credentials.
For point 1, this is already done: there are two ways to log in to Globus, using CILogon or using Google. In both cases, authentication ends up going through Shibboleth.
For point 2, we can make a note in the Server section, for admins to make sure they regularly check their endpoints, and delete ones that aren't needed anymore.
For point 3, we can make a note in the Server section, for admins to make sure they choose a complex password for their Globus ID.
Points 4 and 5 do not apply here specifically. For server admins, they should be following MinSec for Servers. For developers using Globus services, they should follow MinSec for Applications and MinSec for SaaS/PaaS themselves. And we don't address developers on our site right now (but if we do, point 4 should be noted!).