Computer Security: SAHARA - Security As High As Reasonably Achievable

History has shown us time and again that our computer systems, computing services and control systems have digital security deficiencies. Too often we deploy stop-gap solutions and improvised hacks, or we just accept that it is too late to change things. 

 

In my opinion, this blatantly contradicts the professionalism we show in our daily work. Other priorities and time pressure force us to ignore security or to consider it too late to do anything… but we can do better. Just look at how “safety” is dealt with at CERN!

“ALARA” (As Low As Reasonably Achievable) is the objective set by the CERN HSE group when considering our individual radiological exposure. Following this paradigm, and shifting it from CERN safety to CERN computer security, would give us “SAHARA”: “Security As High As Reasonably Achievable”. In other words, all possible computer security measures must be applied, so long as they are feasible and cost-effective. In order to achieve this, the security aspects of a new software application, computing service or control system would need to be reviewed beforehand – in the same way that other aspects, like functionality, availability, maintainability or usability, are defined and agreed upon beforehand.

I am happy that many of our colleagues from several departments, including BE, HR, FP, TE, and the HSE Unit, contacted us very early in their development and procurement process in order to check the corresponding security footprint. Great job guys. I hope that many more will do the same!

Unfortunately, in some cases, the Security team is involved too late in the process. This was the case, once again, with some of this year’s summer students. My fear that we would need to disappoint a few of them at the end of their contracts came true once again… in particular those students who were supposed to set up a web application. Summer students tend to do everything from scratch. Thus, as usual, at the end of their contracts, they ask us to open CERN’s outer perimeter firewall for their web application. But hold on. The application runs on a laptop under the student’s desk? His/her supervisors have no idea how to maintain its “Ubuntu” operating system? The web technology is outdated? It employs “Joomla!” or “Wordpress” instead of CERN’s Drupal? The application is using a local login or sending login passwords in plain text over the network? The webpages themselves are susceptible to common security flaws like “cross-site scripting” and “SQL injection”? It’s an impressive level-five failure for which we have to decline firewall opening. Result: complete frustration for the student who won’t have achieved a thing, a supervisor who is unhappy, and us unhappy too, for killing off a nice project.

Therefore, if you are supervising such a task, make sure your student contacts us at the very beginning. Let’s talk about good and bad IT practices; let’s talk about the building blocks already provided by the IT department; let’s talk about how to architect a good application and create well-designed software. Please spare both of us an uncomfortable situation where we  have to scrap your student’s project because it is completely insecure.

In fact, the “SAHARA” paradigm should be applied to every computing service, control system, software application and web application at CERN. Consider “security” early enough in your process and it will save time, effort and frustration later on. On both sides. And it will make CERN a more secure workplace, for the benefit of the Organization’s operations and reputation!


For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report


Access the entire collection of Computer Security articles here.

by Stefan Lueders, Computer Security Team