ACCORD Security


Security

ACCORD is appropriate for de-identified PII, FERPA, business confidential, and other types of de-identified sensitive data. ACCORD cannot be used to process highly-restricted data such as CUI, FISMA, and PCI data.

Authentication

ACCORD does not have its own user identity store but instead relies upon authentication via your home institution’s single sign-on tool.

Authorization

All members of a project have equal access to the data storage for that project, without sudo or root privileges.

Closed Environments

ACCORD environments have no outbound connectivity to the Internet other than approved library and tool repositories (PyPI, CPAN, CRAN, etc.). Connections to tools such as GitHub and external APIs are not allowed.

Encryption

All connectivity to ACCORD environments is encrypted with SSL/TLS over HTTPS.

Data transfers in and out via the Globus DTN are FIPS 140-2 compliant.

Isolation

ACCORD environments cannot have any access to other environments. Environments run within isolated Kubernetes pods and their network connectivity is isolated and encrypted.

Private Environment URLs

When you request an ACCORD environment, a unique HTTPS endpoint is created for you and can only be used by you. For example:

https://jupyter-notebook-1a2b3c4d5e-mst3k.uvarc.io/

These environments cannot be shared.

Logging

All user interactions with ACCORD are logged including account creation, approval, project creation, changes in group membership, the creation of/changes to environments, and file uploads/downloads using a browser or the Globus DTN.

Client Posture-Checks

Access to ACCORD is restricted to computers that are sufficiently updated and meet minimum security requirements. To verify this, ACCORD uses OPSWAT, a small piece of software that users install on their local computers.

Step 1: Install the VPN Assessment Application (OPSWAT)

OPSWAT will be installed during the onboarding process for ACCORD.

Step 2: Resolve Security Requirement Issues

Requirement 1: Operating System

Mac

  1. Open System Preferences
  2. Click on Software Update
  3. Click Update Now

Note: Updating the Operating System may take up to a couple of hours. Do not shut down your computer or allow it to run out of battery during the update process. A restart of your computer may occur after the updates are complete.

Windows

  1. Open Windows Update by clicking the Start button in the lower left corner. In the search box, type "Update", and then, in the list of results, click either Windows Update or Check for updates.
  2. Click the Check for updates button and then wait while Windows looks for the latest updates for your computer.
  3. If you see a message telling you that important updates are available, or telling you to review important updates, click the message to view and select the important updates to install.
  4. In the list, click the important updates for more information. Select the check boxes for any updates that you want to install, and then click "OK".
  5. Click Install updates.

Note: Updating the Operating System may take up to a couple of hours. Do not shut down your computer or allow it to run out of battery during the update process. A restart of your computer may occur after the updates are complete. If you encounter issues while trying to update your Windows computer, visit the Fix Windows Update Issues Windows Support webpage.

Requirement 2: Host-Based Firewall

Host-based firewall software must be installed and enabled.

Mac

  1. Open System Preferences
  2. Select Security and Privacy
  3. Select Firewall
  4. Click the lock in the lower-left corner and enter your credentials.
  5. Select Turn On Firewall
  6. Close System Preferences

Windows

  1. Select the Start button, then select Settings (the gear icon).
  2. Select Windows Security from the menu on the left.
  3. Select Firewall & network protection.
  4. You may then see several networks (e.g., Domain network, Private network). Select each network one at a time and set the Windows Defender Firewall to On.

Requirement 3: Antimalware Software

At least one antimalware application must be installed and enabled. We recommend the following:

Antivirus for Mac: We recommend using either Gatekeeper or Microsoft Defender for Endpoint for Macs.
Antivirus for Windows: We recommend using either Microsoft Defender or Microsoft Defender for Endpoint for Windows.

Requirement 4: Device Password

The device must be password protected, and it must lock automatically if there is no activity detected for at least 10 minutes. Configure your device to require a password to log in. Also, set your device’s screensaver or security settings to automatically lock after 10 minutes of no activity.

Requirement 5: Whole-Disk Encryption

Whole-disk encryption software must be installed and enabled. Accepted applications include BitLocker, Dell Data Protection, and FileVault.
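
The requirements in Step 2 can be checked from a Mac's Terminal before connecting. The script below is an added example, not ACCORD or OPSWAT code. It assumes the stock macOS tools softwareupdate, socketfilterfw, spctl and fdesetup, and every function name in it is chosen here for illustration.

```sh
#!/bin/sh
# Added example, not ACCORD or OPSWAT code: a local Mac self-check for
# Requirements 1, 2, 3 and 5. OPSWAT's own pass criteria are not published on
# this page, so a PASS here is an approximation. Each evaluator takes the text
# output of one macOS command, so it can be exercised with sample output anywhere.

# Requirement 1: `softwareupdate -l` reports "No new software available." when current.
os_updated() { case "$1" in *"No new software available"*) return 0 ;; *) return 1 ;; esac; }

# Requirement 2: socketfilterfw reports "(State = 0)" when the firewall is off.
firewall_on() {
    case "$1" in
        *"State = 0"*) return 1 ;;
        *"State = "[1-9]*) return 0 ;;
        *) return 1 ;;   # unrecognised or empty output counts as a failure
    esac
}

# Requirement 3: `spctl --status` reports "assessments enabled" when Gatekeeper is on.
# A Mac protected by Microsoft Defender for Endpoint instead needs a separate check.
gatekeeper_on() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# Requirement 5: `fdesetup status` starts with "FileVault is On" when encryption is enabled.
filevault_on() { case "$1" in "FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# report <label> <evaluator> <command output>: print PASS/FAIL, return evaluator status.
report() {
    if "$2" "$3"; then echo "PASS  $1"; else echo "FAIL  $1"; return 1; fi
}

# posture_check <softwareupdate> <socketfilterfw> <spctl> <fdesetup> outputs.
# Returns the number of failed requirements (0 means all four passed).
posture_check() {
    failed=0
    report "Requirement 1: operating system up to date" os_updated "$1" || failed=$((failed + 1))
    report "Requirement 2: host-based firewall on" firewall_on "$2" || failed=$((failed + 1))
    report "Requirement 3: Gatekeeper on" gatekeeper_on "$3" || failed=$((failed + 1))
    report "Requirement 5: FileVault on" filevault_on "$4" || failed=$((failed + 1))
    echo "NOTE  Requirement 4 (password, 10-minute auto-lock): verify manually"
    return "$failed"
}

# Query the live system only on macOS; elsewhere the functions are just defined.
if [ "$(uname -s)" = "Darwin" ]; then
    posture_check "$(softwareupdate -l 2>&1)" \
        "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>&1)" \
        "$(spctl --status 2>&1)" "$(fdesetup status 2>&1)" \
        || echo "$? requirement(s) need attention before connecting"
fi
```

A FAIL line maps back to the numbered requirement above, whose Mac steps describe the fix.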