stanford-rc / globus.stanford.edu

globus.stanford.edu — The Globus @ Stanford web site
https://globus.stanford.edu/

MinSec Check: SaaS/PaaS: Encryption #25

Closed akkornel closed 5 years ago

akkornel commented 6 years ago

In MinSec for SaaS/PaaS, the Encryption item has the following:

1. Enable transport layer encryption TLS 1.1 or higher.
2. Use encryption of data at rest if available.

For point 1, we can add instructions to the Server setup docs to require TLS 1.1 or later. That can be enforced in grid-security configuration.

For point 2, Globus lives in AWS, so we can confirm with them that they use encryption for data at rest.

akkornel commented 6 years ago

Point 1 is addressed by commit 5880275.

For point 2, I have open Globus support request 309615.

akkornel commented 6 years ago

For MyProxy OAuth, I discovered that it had TLS 1.0 hard-coded as the only option. I ended up filing support request 309557, and the problem was recently fixed (see globus/globus-toolkit@b4175685b40f158a8eb0fdc6f8c928a6443e37d6).

A note will need to be added to docs: Sysadmins using MyProxy OAuth need to be using version 0.29 or later for the myproxy-oauth package.

Note that even though the new configuration is TLS 1.0 or later, that is not a problem, for the following reason:

• For end-user connections coming in to the OAuth server, those go through Apache, which can be configured to use TLS 1.1 or later.
• The MyProxy OAuth code makes outgoing connections to a MyProxy server. And in commit 5880275, sysadmins are instructed on how to make MyProxy OAuth use TLS 1.1 or later.

In fact, the last point is how I discovered the bug: I was testing out MyProxy OAuth, after following the instructions from commit 5880275, and MyProxy OAuth would not work: MyProxy OAuth was only allowing TLS 1.0, and so the MyProxy service was killing the TLS connection as it was being set up.

That reminds me, another note needs to be added to the docs: When using MyProxy OAuth, configure Apache's SSL settings using https://mozilla.github.io/server-side-tls/ssl-config-generator/; if the "Modern" option is available, use it; else use the "Intermediate" option and add -TLSv1 to the SSLProtocol line.
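
As an added example (not part of the original comment or of the Globus docs), a sysadmin could audit an Apache config for SSLProtocol lines that still allow anything older than TLS 1.1, for instance a line where -TLSv1 was never appended. The expansion of "all" and the sample config lines are assumptions constructed for illustration.

```python
import re

# Protocol names this check recognises in an SSLProtocol directive.
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: "all" expands to every name above; the real expansion depends
# on the Apache and OpenSSL build, so this is the most pessimistic reading.
ALL = set(KNOWN)
# The MinSec item in this issue requires TLS 1.1 or higher.
TOO_OLD = {"SSLv3", "TLSv1"}
_CANON = {name.lower(): name for name in KNOWN}

def enabled_protocols(directive_args):
    """Evaluate SSLProtocol arguments left to right."""
    enabled = set()
    for token in directive_args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "all":
            chosen = set(ALL)
        elif name in _CANON:
            chosen = {_CANON[name]}
        else:
            raise ValueError(f"unknown protocol {token!r}")
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare name replaces what came before
    return enabled

def audit(config_text):
    """Return (line_number, old_protocols) for each SSLProtocol line below TLS 1.1."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if match:
            bad = enabled_protocols(match.group(1)) & TOO_OLD
            if bad:
                findings.append((number, sorted(bad)))
    return findings

# Constructed sample: one line without -TLSv1, one with it appended.
SAMPLE = "SSLProtocol all -SSLv3\nSSLProtocol all -SSLv3 -TLSv1\n"
if __name__ == "__main__":
    print(audit(SAMPLE))
```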

akkornel commented 6 years ago

I've heard back on Support Request 309615. At this time, not all Globus data (that is, the data Globus stores in their infrastructure) is encrypted at rest. For the Globus Transfer and Sharing functions, encryption at rest will be done around July. For Globus Search, there is no timeline yet.

Globus Search is mainly used for searching published data sets (similar to the Stanford Digital Repository). It is not involved in data transfer, or other endpoint activities, unless someone sets it up (which is not a trivial activity). So, I don't consider it to be much of a problem, but I can put in a policy note about it.

As for at-rest encryption of data involved in Transfer and Sharing, there's not much we can do but wait. Although, it's worth noting that we can also rely on AWS' data isolation protections.

akkornel commented 6 years ago

Followup to two comments back: The software update has been noted in a site announcement (see commit f4e8024). And the MyProxy OAuth Apache configuration note has been added in commit 669b7e6. So, the items in that comment have been addressed.

One followup to the previous comment: the limitation on Globus Search is implemented in commit dc3cdba.

Again, all that's left is to wait for encryption at rest for Globus Transfer and Sharing components.

akkornel commented 6 years ago

Globus Support Request 344458 has been submitted to check on this.

akkornel commented 6 years ago

Globus have confirmed in support request 344458 that Globus Transfer and Globus Sharing (the server portions, that is) now encrypt data at rest. So, this item can be closed!

akkornel commented 5 years ago

One followup on this item, with respect to Globus Connect Personal: I found that GCP v3 already supports TLS 1.1+! In fact, they require TLS 1.2+, by setting the following line in ~/.globusonline/lta/ (equivalent path in Windows):

$GLOBUS_GSSAPI_MIN_TLS_PROTOCOL TLS1_2_VERSION

So, one open question is, what about GCP v2? I am looking into that…

akkornel commented 5 years ago

The answer has been found! GCP 2.x does not specify that line, so it probably falls back to whatever OpenSSL has, or whatever minimum the other end requires.

So, we should be pushing people to GCP 3.x. So, I'll have to update the docs with this information.

akkornel commented 5 years ago

Docs updated with commit b1a6651.

And I also posted an announcement (in commit 40a925e), pointing existing users to GCPv3.