When doing cybersecurity, protective measures must be adapted to your environment and needs. For a bank, it's obvious that protecting physical and digital money, and confidential data about customers, is of the utmost importance. Hence, security is tight, well controlled and comes with lots of restrictions, giving attackers a very small attack surface to penetrate through. For CERN, with its open environment and academic freedom, the "bank" approach definitely doesn't work. But what if we were to build a bank à la CERN?
First, our bank would have many entrances: through CERN's outer perimeter firewall or via GSM, but also allowing people to connect to the Wi-Fi network once they're registered. Instead of having single entrances, like one Windows Terminal server cluster or one LXPLUS cluster, our bank has both. Plus the possibility to tunnel through using Windows Gateways or "SSHUTTLE". Similarly complex and diverse is the situation for entering the Technical Network used for accelerator controls and technical infrastructure: Terminal servers, Linux gateways, access for selected and approved virtual machines, web proxies allowing tunnelling, etc. On the way out, a bank would have locked you out. No news pages. No Facebook or Instagram. No Amazon. Internet access is tied down, strictly controlled, and reserved for professional purposes only. Tolerance of "personal use" just doesn't exist.
Secondly, our bank would be crowded with strangers: "bring your own device" (BYOD) is a common standard at CERN. A bank would strictly keep out any devices that are not centrally managed. There, you wouldn't have your personal laptop or smartphone on par with its internal network; you wouldn't have admin rights on any of your professional devices; the operating system and applications would be imposed on you; and any personal use would be blocked.
Thirdly, our bank wouldn't know who you really are – in the digital sense. At the CERN bank, you log in with your account and a password, but that's it. There's no strong verification to check whether the person who's logging in and knows the password is really who they claim to be. A real bank would have put in place two-factor authentication for each and every access, as well as tight access controls and a tight lock-out procedure in case you're logging in from an "unusual location". No exceptions even if you left your second factor, your smartphone, at home. You'd have to run home and get it.
Fourth, our bank would have flyers and posters from other companies all over the walls. As we don't distinguish between personal and professional usage, our bank's email addresses can be used for other things. Signing up for a social media account? Sure! Registering with your local grocery store? Done deal. Buying theatre tickets? There you go. Plus, messages can be automatically forwarded to any third-party mail provider if you believe their mail service is better. All of that's a no-go in a real bank. Its email address is for professional business only. And all emails remain on their mail servers to guarantee confidentiality. Reading emails on your personal device is blocked.
Fifth, our bank's systems accept any currency transaction. Importing the newest Python library from Anaconda? Downloading a fancy container image from Docker? Running NPM to update local code? All easily possible and all eventually pushed into production. Without checks, curation or control. A real bank applies maximum due diligence and a tight authoring process. While that slows down any deployment, it reduces the risk that "counterfeit money" makes it into their vaults.
So, would you trust our bank with your money? Better not. Fortunately, we're not a bank. And our balance between academic freedom, accelerator and experiment operations, and "security" is definitely not the same as that between "finance" and "security". In fact, a bank-like balance, a bank-like security posture, would kill our academic freedom and inhibit our efficient and effective operations. Still, don't you think we could do better? We could:
- Ensure that our entrances, our gates, are consolidated and better controlled. While our internet gate is well guarded, initial discussions on reviewing the interaction and inter-dependency between IT services, developers and the Technical Network have just started and need your commitment;
- Improve the protection of our pool of BYOD, as BYOD is the only way for the Organization to accommodate thousands of researchers coming and going, connecting locally and remotely every month. Therefore, additional protective means have been made available for BYOD and for devices owned by CERN;
- Make (wider) use of two-factor authentication to protect our computing accounts and their passwords from any malicious use;
- Definitely be more vigilant and careful with CERN email addresses and when browsing the web. Just "STOP – THINK – DON'T CLICK" before risking too much; and
- Put in place a better software development process, in particular when importing packages, libraries, virtual images and containers from third-party sources.
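As an added example (not from the article and not CERN's own tooling), the "checks, curation or control" missing in the fifth point can be as simple as a gate that only lets a third-party package into production if its name, version and SHA-256 digest match an entry in a reviewed lockfile. Package names, contents and the lockfile format below are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """A downloaded third-party artifact (wheel, tarball, image layer...)."""
    name: str
    version: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the bytes the curation step actually reviewed and approved.
GOOD_CONTENT = b"fancylib-1.2.0 reviewed and approved by curation"

# Hypothetical lockfile: (name, version) -> approved digest. Only entries listed
# here may be deployed; a fresh upstream release is not approved until reviewed.
LOCKFILE = {("fancylib", "1.2.0"): sha256_hex(GOOD_CONTENT)}


def check_artifact(artifact: Artifact, lockfile=LOCKFILE) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown versions and altered content are refused."""
    key = (artifact.name, artifact.version)
    if key not in lockfile:
        return False, f"{artifact.name}=={artifact.version} is not on the approved list"
    actual = sha256_hex(artifact.content)
    if not hmac.compare_digest(actual, lockfile[key]):
        return False, f"digest mismatch for {artifact.name}=={artifact.version}"
    return True, "ok"


def gate(artifacts, lockfile=LOCKFILE):
    """Split artifacts into those allowed through and the reasons for the rejected ones."""
    allowed, rejected = [], []
    for artifact in artifacts:
        ok, reason = check_artifact(artifact, lockfile)
        if ok:
            allowed.append(artifact)
        else:
            rejected.append(reason)
    return allowed, rejected


if __name__ == "__main__":
    samples = [
        Artifact("fancylib", "1.2.0", GOOD_CONTENT),                        # approved build
        Artifact("fancylib", "1.2.0", GOOD_CONTENT + b" with altered bytes"),  # same version, changed content
        Artifact("fancylib", "1.3.0", b"newest upstream release, never reviewed"),
    ]
    ok, bad = gate(samples)
    print("allowed:", [(a.name, a.version) for a in ok])
    for reason in bad:
        print("rejected:", reason)
```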