We strive to deliver a secure environment, and take many security measures.

Amazon Web Services (AWS)

  • The service runs on Amazon AWS infrastructure in Frankfurt (eu-central-1) and Paris (eu-west-3).
  • Physical access to these data centers is restricted on a least-privilege basis. The data centers are equipped with surveillance and detection systems, and their security measures are regularly audited by third parties. See AWS data center controls for more information.
  • Virtual access to the systems is only allowed via a bastion host, which only accepts connections from the VPN and whose access is closely monitored. Access to production systems requires a second factor for authentication.

SURF Virtualization Platform

Additional infrastructure runs on the SURF Virtualization Platform. An overview of security measures for that platform:

  • Runs on physical servers in the data centers of InterXion, NIKHEF, UVT, UMCU and Equinix in the Netherlands, with controlled and limited physical access.

  • Online access to machines is restricted to VPN.

  • Access rights are limited per role.

  • A firewall with limited connectivity is used.

  • Separation of duties is used.

  • The platform is monitored.

  • The external systems manager sends SURF a security compliance report every year.

  • In case of emergency, high-priority changes can be handled within 30 minutes.

Encryption

  • All data at rest is encrypted using state-of-the-art encryption, with keys managed by the AWS key management infrastructure.
  • We follow NCSC-NL's IT Security Guidelines for Transport Layer Security. The security configuration of public interfaces is regularly checked with Qualys SSL Labs, Hardenize.com and internet.nl; we strive for scores of A+ (SSL Labs), all-green (Hardenize) and 100% (internet.nl).
  • All data in transit is encrypted using application-level TLS. Internally, we use TLSv1.3 with up-to-date ciphers. To external clients, we support TLSv1.2 and TLSv1.3 with secure ciphers (rated "good" by NCSC-NL).
  • All non-transactional data is backed up hourly to an off-site location. Backups are stored encrypted.
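As an added illustration of the TLS policy above (this is example code, not SRAM's own configuration), the snippet below builds a Python `ssl` server context that offers only TLSv1.2 and TLSv1.3 with the TLS 1.2 suites that NCSC-NL rates "good", and audits a constructed list of observed handshakes against that policy. The cipher names are assumed to reflect the NCSC-NL guideline table and should be confirmed against the current edition; the hostnames are made up.

```python
import ssl

# Assumption: TLS 1.2 suites rated "Good" by NCSC-NL (OpenSSL names); all are
# ECDHE (forward secrecy) with AEAD ciphers. Verify against the current guideline.
NCSC_GOOD_TLS12 = {
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
}
# Every TLS 1.3 suite is rated "Good"; names as reported by the ssl module.
NCSC_GOOD_TLS13 = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256",
}


def hardened_server_context() -> ssl.SSLContext:
    """Server context: TLS 1.2 as the floor, only the 'good' TLS 1.2 suites enabled.
    TLS 1.3 suites are not governed by set_ciphers() and stay at OpenSSL defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(sorted(NCSC_GOOD_TLS12)))
    return ctx


def enabled_tls12_ciphers(ctx: ssl.SSLContext) -> set:
    """Names of TLS 1.2 suites the context would actually offer."""
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"}


def is_compliant(version: str, cipher: str) -> bool:
    """True when a negotiated (protocol, suite) pair meets the policy."""
    if version == "TLSv1.3":
        return cipher in NCSC_GOOD_TLS13
    if version == "TLSv1.2":
        return cipher in NCSC_GOOD_TLS12
    return False  # TLS 1.1 and older are never acceptable


# Constructed sample of observed handshakes: (host, protocol, cipher suite).
SAMPLE_HANDSHAKES = [
    ("api.example.invalid", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("legacy.example.invalid", "TLSv1.2", "AES256-SHA"),           # RSA kex, no PFS
    ("old.example.invalid", "TLSv1.1", "ECDHE-RSA-AES128-SHA"),    # protocol too old
    ("web.example.invalid", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
]


def audit(handshakes) -> list:
    """Hosts whose negotiated parameters violate the policy."""
    return [host for host, ver, suite in handshakes if not is_compliant(ver, suite)]
```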

Development

  • We conduct annual security audits:
    • Technical audits of the platform, the software and the AWS infrastructure (code audits, pen-testing, etcetera).
    • Compliance with the SURF Standard Framework for Cloud Services and AVG & GDPR security requirements.
  • All software used is open-source. This allows anyone to inspect the source code and to effectively review and penetration test the production software for security issues.
  • Systems are scanned for vulnerabilities. Both announced vulnerabilities and vulnerabilities found by scanning are registered and mitigated through the change management process.
  • Upgrading the services follows an OTAP (development, test, acceptance, production) process.

Secrets and keys

SRAM does not store user passwords in the platform. For authentication to applications, we support federation-based protocols like SAML2 and OpenID Connect (which require the user to log in at their own institution) and public-key based methods (for which we only store public keys and the secret keys never leave the user's system).

Advice

Collaboration admins can:

  • Periodically check whether all members of the collaboration still need the access they are granted.
  • Periodically check the SRAM logs for anomalies (entries that are suspicious).
  • Verify the identity of collaboration team members.

SURF service policy

Apart from the mentioned measures, we also adhere to general SURF measures:

  • Inventory: there is an up-to-date and complete overview of the infrastructure and resources used for the service.
  • Roles and responsibilities: there is an up-to-date and complete overview of roles, tasks and responsibilities for the service.
  • Change management: changes are implemented in a controlled way, including decision making, testing and fallback mechanisms, etcetera.
  • Vulnerability management/patching: the service has vulnerability detection, management and resolution mechanisms.
  • Access restriction (logical): there are mechanisms for granting access, controlling rights and withdrawing access.
  • Hardening/access control: measures that limit access to the systems, infrastructure and data and prevent misuse (hardening of systems, firewalls, ACLs etcetera, protection of stored data and data transport).
  • Standardization in software development: software development standards and quality control mechanisms are used.
  • Logging and monitoring: monitoring and logging take place, with a defined scope and objective.
  • Incident response: procedures have been drawn up for reporting, analyzing and remedying security incidents throughout the chain.
  • Supplier agreements: contracts, SLAs, DAPs, etcetera lay down the agreements with suppliers, including reports and periodic consultations.
  • Agreements with and screening of involved staff: confidentiality and integrity requirements are set for employees, hired staff and employees at suppliers.
  • Audit program: there is an audit program to check the effectiveness of the security measures taken.
  • A DPIA (data protection impact assessment) has been carried out for SRAM, covering the data we process.