I can confirm that "computer security" is probably not the sexiest subject at a dinner party. For sure, it is not the most popular subject at CERN. No wonder, after the rollout of 2-factor authentication (2FA) and the new spam filter - both strengthening CERN's computer security and both causing inconvenience for end users. A recent email campaign inviting some 4500 users to join the 2FA pilot for LXPLUS stirred up quite some frustration among those invited. Whether it was a few very vocal individuals venting their unhappiness or colleagues validly expressing their concerns, the feedback was not always friendly. Still, rest assured: we hear you!
Bear in mind that keeping everyone happy is not easy. Not only does CERN host three distinct communities - (1) the Linux, MacBook and open-source-loving academic Research and Computing sector, (2) the standardised world of Microsoft solutions in the Finance and Human Resources sector, and (3) a combination of both for running control systems in the Accelerators and Technology sector - CERN also welcomes 20 000 users and participants from all over the world who come to use its computing facilities. 19 805 to be exact. This implies a total of 28 712 primary computing accounts (plus 7183 and 6490 so-called secondary and service accounts, respectively); 32 214 mailboxes receiving professional and personal emails from all over the world and many forwarding them back into the world; 81 264 e-groups providing mailing list and access control functionalities; 5633 websites promoting professional content, pet projects or CVs or serving as a personal homepage; 288 032 unmanaged "bring-your-own devices" (BYOD) plus a small minority of CERN IT-managed devices registered on our internal network; 15 621 OpenStack-hosted virtual machines and 18 366 OpenShift-hosted containers serving our community; 166 520 software repositories storing CERN-centric projects and code designed to run elsewhere; 1125 databases provided on demand; and a few thousand different ways of using LXPLUS as a computing cluster.
We have to secure all that! That means protecting CERN against any kind of successful large-scale attack - attacks that others have unfortunately fallen for - while maintaining a good balance with our academic freedom and the operations of our accelerators and experiments, not impacting negatively on CERN's mandate, research and data taking, following international best practices, standards (ISO27k, CISv8, NIST 800 series, OWASP) and the recommendations of the 2023 cybersecurity audit, and keeping an acceptable level of usability and comfort in order to avoid annoying too many people.
Balancing all that - security, academic freedom, operations, standards, usability, happiness - sometimes works out smoothly, as with the not-so-new-anymore outer perimeter firewall, the new secure software development training or the deployment of a new antivirus solution, even if those solutions were mostly deployed behind the scenes and on an opt-in basis. Other measures come with some temporary (or less temporary, according to some people) pain, like the rollout of 2-factor authentication (2FA) to the CERN web-sphere and the new spam and malware filter that now also enforces anti-spoofing measures ("SPF", "DKIM", "DMARC"). Others still might require us to substantially change the way we work - probably like having 2FA protection on LXPLUS. It is this impact on usability that we would like to avoid. That's why we run pilots and ask for your input (and understanding) in order to streamline our plans and measures and make "security" easy for you and beneficial to CERN. To strike the right balance.
We hope to strike a reasonable balance in 2025, too, with your help and understanding. Securing CERN together. Merry festivities and a Happy New Year!