Computer Security: When a person leaves - access rights remain!
We have been contacted recently by an embarrassed project manager who just figured out that a student who left at the end of 2013 still had access rights to read the whole project folder in February 2014: “How can that be?! In any other company, access rights would be purged at the same time as an employment contract terminates." Not so at CERN.
CERN has always been an open site with an open community. Physical access to the site is lightweight: you just need to have your CERN access card at hand. Further restrictions have only been put in place where safety or security really require them, and CERN does not require you to keep your access card on display. The same holds for the digital world. Once registered at CERN - either by contract, via your experiment or through the Users' Office - you own a computing account that provides you with access to a wide variety of computing services. For example, last year 9,730 students/technicians/engineers/researchers/staff joined CERN. A similarly large number of people left CERN as their contract with CERN or with their university ended. A fraction of those people eventually come back to CERN with a follow-up contract from CERN or their university, or having enlisted with another university. This is not unusual, as students often graduate with an MSc degree in one place and continue with a PhD on their favourite research topic at another university.
Had we taken the harsh approach adopted by “normal” companies, we would have immediately closed their computing account, deleted all their data and wished them “Good Bye”, only to find that they re-join CERN a few weeks later. Not exactly optimal. Therefore, CERN has decided to grant a two-month grace period: CERN computing accounts will be kept active for two months after the end of the affiliation with CERN. If a person comes back, nothing will have changed for him/her in CERN's digital world. If not, the account will be automatically blocked after this grace period, and all data, e-mails, folders, etc. will be purged after another four months.
The project manager mentioned previously discovered this the hard way. He was worried, as his project dealt with sensitive data that needed to be kept well protected and accessible only on a need-to-know basis. People should not feel tempted to misuse access rights (“Don’t tempt me!”) - not to mention the potential for data leakage or misuse... Thus, if you want to be on the safe side and protect your data, services and folders properly (“How private is ‘private’?”), keep this grace period in mind: an access right granted to a person stays effective until their account is blocked, not until their contract ends. Usually people are not malicious and, if they were, they would have already had time to express that. Still, if required, you can ask us at Computer.Security@cern.ch to block an account prematurely, provided a written justification from the corresponding supervisor, hierarchy or team leader is given.
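What the project manager could have done is a periodic review of his folder's access list against the membership of his project, so that accounts in the grace period show up before someone reads data they no longer need. The script below is an added example and not CERN's code: it encodes the grace-period policy described above (active for two months after the affiliation ends, then blocked, then purged four months later) as a small lifecycle function, and runs it over a constructed access list and a constructed roster of affiliation end dates. The account names, dates and the use of calendar months for "two months" are assumptions made for the example.

```python
import calendar
from typing import Dict, Iterable, List, Optional, Tuple
from datetime import date

# Policy values from the article: two months of grace after the affiliation
# ends, then the account is blocked, then data is purged four months later.
GRACE_MONTHS = 2
PURGE_MONTHS = GRACE_MONTHS + 4


def add_months(d: date, n: int) -> date:
    """Shift d by n calendar months, clamping to the last day of the target month."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def account_state(affiliation_end: Optional[date], today: date) -> str:
    """Lifecycle state of a computing account under the grace-period policy."""
    if affiliation_end is None or today <= affiliation_end:
        return "active"          # affiliation still running
    if today < add_months(affiliation_end, GRACE_MONTHS):
        return "grace"           # affiliation over, account still usable
    if today < add_months(affiliation_end, PURGE_MONTHS):
        return "blocked"         # no logins possible, data still stored
    return "purged"


Finding = Tuple[str, str, Optional[date]]


def review_acl(acl: Iterable[str], roster: Dict[str, Optional[date]],
               today: date) -> Dict[str, List[Finding]]:
    """Compare a folder's access list with the project roster.

    acl    - account names granted read access to the folder
    roster - account -> affiliation end date (None means still affiliated)
    Returns 'still_readable' (affiliation ended but the account is in its grace
    period, i.e. the situation the project manager ran into) and 'stale'
    (blocked or purged accounts that should simply be removed from the ACL).
    Accounts missing from the roster are reported as 'unknown'.
    """
    report: Dict[str, List[Finding]] = {"still_readable": [], "stale": [], "unknown": []}
    for account in sorted(acl):
        if account not in roster:
            report["unknown"].append((account, "unknown", None))
            continue
        end = roster[account]
        state = account_state(end, today)
        if state == "grace":
            report["still_readable"].append((account, state, end))
        elif state in ("blocked", "purged"):
            report["stale"].append((account, state, end))
    return report


# Constructed sample data: one student who left at the end of 2013 (as in the
# article), one staff member, and two accounts that left earlier in 2013.
SAMPLE_ACL = {"student01", "alumni02", "staff03", "left04"}
SAMPLE_ROSTER: Dict[str, Optional[date]] = {
    "student01": date(2013, 12, 31),
    "alumni02": date(2013, 9, 30),
    "staff03": None,
    "left04": date(2013, 6, 30),
}
REVIEW_DATE = date(2014, 2, 15)

if __name__ == "__main__":
    report = review_acl(SAMPLE_ACL, SAMPLE_ROSTER, REVIEW_DATE)
    for account, state, end in report["still_readable"]:
        print(f"request early block / remove from ACL: {account} "
              f"(affiliation ended {end}, account in {state} period)")
    for account, state, end in report["stale"]:
        print(f"remove from ACL: {account} (affiliation ended {end}, account {state})")
    for account, _, _ in report["unknown"]:
        print(f"check with roster owner: {account} not on project roster")
```

Run against the sample data on 15 February 2014, the script reports student01 as still able to read the folder (grace period runs until the end of February), and alumni02 and left04 as stale entries that only clutter the access list. A project manager can feed the first list into a request to Computer.Security@cern.ch with the supervisor's justification, and simply remove the second list.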
Further information on the current CERN account policy is available from the CERN IT department.
Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.
If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.
Access the entire collection of Computer Security articles here.