What chaos! A cacophony of data everywhere you look! Today, if asked where you store your professional documents and data at CERN, you might give any number of answers: AFS, CDS, Ceph, CERNBox, DFS, EDMS, eFiles ("Alfresco"), EOS, GitLab, Indico, your personal computer, a dedicated webpage, an external hard disk, somewhere else… You can imagine how hard it is to control all this data and to properly secure and protect it against unauthorised access, abuse or theft. Particularly if you are dealing with confidential data that must not be disclosed to any third party.
So, let us help you. Based on the Data Classification Policy, the Legal Service, the Computer Security team and stakeholders from the FAP and IT departments have produced a Data Handling Policy (DHP) setting out how all CERN professional data must be handled. The ultimate responsibility for handling any kind of (digital) institutional data is shared: CERN IT services (the "data processors") will explicitly declare which type of data they can process, handle and store. You - as the "data controller" introducing data to CERN - can consult their declaration, tag your data according to the classification policy, and enter your data only into IT services that are aligned with that particular level of classification.
How does this work in detail? All CERN IT services have been asked to assess their compatibility with this new Data Handling Policy. Are they physically protecting data? Do they have access-control measures in place in order to guarantee the principle of least privilege? Is data encrypted in rest and in transit? Do they have procedures for properly destroying any media that have held data (in line with CERN's Data Destruction Rules)? What about other services they rely on? Based on their assessment, and as per the minimum requirements set for each classification level, they must declare that classification level. In addition, AFS, CDS, Ceph, CERNBox, DFS, EDMS, eFiles ("Alfresco"), EOS, GitLab, Indico and all the others must clearly inform you what kind of data they can handle for you, whether it complies with the most restrictive classification level they support, i.e. "classified data" including personal sensitive data, financial data, etc., "restricted data" visible only on a need-to-know basis, data which is internal to CERN, or just public data. You need to be sure that their declaration matches your expectations before you introduce data into their service*. Just check the corresponding service description in the CERN Service Catalogue (to come).
The IT storage group and the Computer Security team have already performed a very first assessment of CERNBox and its underlying storage system based on EOS. Data stored on CERNBox/EOS, like any other data handled by the central IT services, is physically protected by the premises of the CERN Data Centre and subject to tight access controls. Individual data stored on CERNBox/EOS is access-protected using e-groups and individual CERN computing accounts, meaning that your password is required to grant access (or not). Any transfer between CERNBox and a remote client is encrypted using the most recent, up-to-date encryption standard, i.e. TLS-over-HTTP. And, finally, the physical media storing CERNBox/EOS data, i.e. the SSDs and hard disks, have for years been subject to CERN's Data Destruction Policy, and all such media are properly wiped before leaving the CERN Data Centre for donation, sale or destruction. Hence, following this assessment and in line with the rules set out by the Data Handling Policy, CERNBox has been declared to be capable of storing any type of data, including that labelled as "classified". In addition, CERNBox provides all necessary means to receive sensitive data from external third parties in a secure, protected and confidential manner (see our dedicated Bulletin article "A "file drop" for confidential data").
While further assessments of the IT services are under way, and while more and more declarations will appear in the Service Catalogue during the year, you can already make a start. Think about where you store all your data. Consolidate your data if possible. And remember that you are a "data processor", too: your PC and laptop also store data. If they happen to store data labelled as "classified" - which they usually do (think of your passwords or mailbox!) - then make sure that you are compliant with the Data Handling Policy:
