Computer Security: How private is “private”?

What a surprise it would be for you to discover that everyone at CERN can access your Windows “My Documents” folder or your AFS home-folder? Reading your private letters? Looking at your private photos?  Digging through your confidential documents? Would you be embarrassed? You would not be the first.

 

Unfortunately, if you are not careful when handling the access control settings of your AFS and DFS folders, you can easily make a mistake. The IT Department's AFS and DFS services provide you with all the means to protect your documents, but you are the only one who knows which documents should be made accessible to whom…  So be careful!!! Mistakes are easy to make, and have happened in the past! The settings on DFS are complex and usually inherit rights from parent folders, so small slip-ups can quickly spread to every other folder. The settings on AFS require special commands (“fs setacl”) instead of the “chmod”-POSix commands. Currently, automatic tools only ensure that your AFS “~/private” and home folders are not globally readable (see here for details). Similar automatic tools do not yet exist for DFS. However, the DFS service permits access only to CERN people.

So this is as far as we can currently get: it is primarily up to you to regularly check whether your folders are properly protected and not (accidentally) opened. Ask colleagues you trust to try to access your protected documents - if these are not intended for their eyes, they shouldn’t have access. If they do, check out these links on AFS and DFS access control. Ensure that your private documents are properly protected. Remember that your “public” folder really is intended (and required!) to be public. Any document you put in there will be shared with all of CERN…

Also note that your privacy at CERN is paramount. CERN takes great care to protect the personal data entrusted to it. Our colleagues controlling the AFS and DFS file systems have all signed a special clause that their “functions, allowing access to confidential and/or sensitive information, implies strict conformance to the rules laid down in OC5 (i.e. the CERN Computing Rules) and in particular those governing confidentiality". In the rare instances where access to your files and folders on AFS and DFS is necessary, these strict procedures apply.


Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.

If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.


Access the entire collection of Computer Security articles here.

by Computer Security Team