Computer Security: IT or not IT, that is the question

Following on from our recent Bulletin article on “How to succeed in software deployment” (see here), we repeatedly face the problem that “standard” IT services are replicated within CERN or even outsourced to external companies.

Past experience has shown that such non-centrally managed systems are more prone to security risks and, in the long run, are less well managed – that is, if they’re not eventually orphaned completely. If hosted outside CERN, there is also the risk that sensitive data from the Organization could be leaked and that CERN would not be able to intervene in the event of a security problem.

Imagine, for example, a slide show created by an external consultant and hosted in the cloud… While this might have been convenient for the consultant, a regular user of that cloud service, the content was lost once the consultant’s job was done and nobody at CERN took responsibility for the slide show. Or imagine a web page developed by a summer student using an external web-hosting company. It turned out that the website was flawed and leaked data, but neither the student nor the web host was able or motivated to get this fixed. Or a questionnaire sent to colleagues asking personal questions, only for their answers to be disclosed to the general public. Or the development of a web application by an ex-colleague, who was later reimbursed by CERN.

CERN is in the comfortable situation of having many different centres of expertise: the medical service for our health, the fire brigade for safety, the RP group for radiation issues, the FP department for contracts and purchasing, the cooling, ventilation and electricity groups, the metrology section for measurements, technical groups knowledgeable in PCB design, the legal service, the HR department for personnel matters, etc.

Luckily, the same applies to IT matters, and the IT department is there to support you in this. Of course, the commodities of modern life – Facebook, Twitter, smartphones and so on – have brought us closer to IT, but this doesn’t mean that we are all IT experts. While today it is easy enough to open another Dropbox folder, create a SurveyMonkey questionnaire or set up a WordPress or Joomla webpage, this is not always to the overall benefit of CERN.

So, just as you would consult the FP or HR departments, the medical or legal services or the radiation protection group for their respective expertise, shouldn’t we draw on the expertise and knowledge of our colleagues in the IT department?

If you plan to start a project employing IT technologies (websites, standalone servers, disk storage, external cloud services, etc.) or are already in the development process, may we propose that you consult either us at Computer.Security@cern.ch or our colleagues in the IT department?

This would allow you to focus on the core of your project while we ensure that the IT technologies employed are fully supported and secured, kept up to date and fully backed up, and that the CERN Data Protection Policy is properly respected.

In the long run, you can (and should) benefit! Some examples can be found here.
For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report.

Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team