Portal Policy

From Security Wiki
Jump to navigationJump to search

CIP/SDSC Portals Policy


Science Gateways, or Portals, provide access to HPC resources for a particular community of users. This purpose of this policy is for Portals to provide assurance to Resource Providers and users that the portals will provide appropriate access to, and use of the resources provided, and maintain accountability for the access and use.

Since these portals will manage credentials used to access resources on behalf of the portal users, it is critical that portals be able to securely manage credentials and access to resources. Portals must be designed, implemented, and managed according to minimum security standards which address requirements for authentication, authorization, accounting, and auditing.

In addition to the minimum requirements, individual sites may have their own additional requirements which exceed that of the minimum standards. Portals must be able to meet those higher requirements in addition to the minimum standards.

The CIP security officers will document the minimum standards for portals. Each site's security officer will document any site-specific standards not addressed in the minimum standards.

Portal developers will be responsible for design and implementation according to the provided standards, and will document the design and implementation, plus document how the design and implementation meet the security requirements cited above, and make those documents available for review to the Resource Providers and users.

Site security officers where portals are hosted will be responsible for verifying that the deployment and management of the portals meet security standards, and for taking appropriate measures in response to problems detected or complaints from Resource Providers or end users.

If portals do not meet the minimum security requirements for a particular site, Resource Providers will reserve the right to refuse or discontinue access to their resources for a particular portal.