stanford-rc / globus.stanford.edu

globus.stanford.edu — The Globus @ Stanford web site
https://globus.stanford.edu/

MinSec Check: SaaS/PaaS: Credential and Key Management #24

Closed akkornel closed 6 years ago

akkornel commented 6 years ago

In MinSec for SaaS/PaaS, the Credential and Key Management item has the following:

1. Integrate with Stanford's SSO services, preferably SAML.
2. Review administrative accounts and privileges quarterly.
3. Adhere to the Stanford password complexity rules if not integrated with a Stanford SSO service.
4. API keys:
   1. Minimize their generation.
   2. Grant minimum necessary privileges.
   3. Rotate at least annually.
   4. Do not hardcode.
5. Do not share credentials.

For point 1, this is already done: there are two ways to log in to Globus, using CILogon or using Google. In both cases, authentication ends up going through Shibboleth.

For point 2, we can make a note in the Server section, for admins to make sure they regularly check their endpoints, and delete ones that aren't needed anymore.

For point 3, we can make a note in the Server section, for admins to make sure they choose a complex password for their Globus ID.

Points 4 and 5 do not apply here specifically. For server admins, they should be following MinSec for Servers. For developers using Globus services, they should follow MinSec for Applications and MinSec for SaaS/PaaS themselves. And we don't address developers on our site right now (but if we do, point 4 should be noted!).

akkornel commented 6 years ago

Point 2 is addressed in commit 9ca97a6. Point 3 is addressed in 995f492. Those were the only two points still open, so I think this is done!