En los siguientes subapartados se relaciona la selección de medidas tecnológicas de seguridad que se resuelven mediante el diseño de la arquitectura de la Plataforma Onesait con un enfoque de seguridad por defecto. También se incluyen las medidas relativas a la implantación y explotación de la plataforma.
Marco operacional
Se compone de las medidas que deben tomarse para proteger el funcionamiento del sistema como un conjunto integral de componentes para un propósito.
Planificación
Análisis de riesgo
Durante la implementación de la plataforma, se realizará un análisis de riesgos utilizando un lenguaje específico, con un catálogo básico de amenazas y una semántica definida. Es decir, una presentación tabular describiendo los siguientes aspectos:
- Identificar y valorar cualitativamente los activos más valiosos del sistema.
- Identificar y cuantificar las amenazas más probables.
- Identificar y valorar las salvaguardas que protegen frente a dichas amenazas.
- Identificar y valorar el riesgo residual.
Para ello se utilizará como base el catálogo de amenazas basado en la metodología Magerit y proporcionado por la ENS.
La siguiente tabla representa un análisis de riesgos con las amenazas más comunes en este tipo de sistemas.
AMENAZA | Salvaguardas | Riesgo residual |
Errores y riesgos no intencionados | ||
| [E.1] Errores de usuario | Principio de mínimo privilegio. Toda la información será rastreada. | Bajo |
[E.2] Errores del administrador | La organización llevará a cabo una formación específica para los administradores. | Bajo |
[E.4] Errores de configuración | Toda la configuración se prueba en entornos de prueba y preproducción antes de pasar a producción. | Bajo |
| [E.20] Vulnerabilidades del software | El lanzamiento a producción de una nueva versión se somete a pruebas funcionales y de seguridad en entornos de prueba y preproducción. Las versiones de software instaladas son versiones estables con los parches de seguridad recomendados por los fabricantes. | Bajo |
[E.21] Errores de actualización / mantenimiento de software | El lanzamiento de producción de una nueva versión se somete a pruebas funcionales y de seguridad en entornos de prueba y preproducción. | Bajo |
[E.24] Tiempo de inactividad del sistema debido al agotamiento de los recursos | La Infraestructura TIC cuenta con un sistema de monitoreo y alerta que alerta al administrador del sistema cuando los recursos alcanzan los límites establecidos. La infraestructura tiene capacidad elástica. | Bajo |
[E.25] Pérdida de equipo | Bajo | |
[A] Ataques intencionados | ||
[A.3] Manipulación de registros de actividad (log) | Los archivos de registro están protegidos por los usuarios del sistema. Solo los usuarios administradores pueden acceder a estos archivos con permisos de escritura. Las aplicaciones que generan estos registros tienen permiso de escritura donde el usuario inicia sesión mediante un certificado de clave privada. | Bajo |
[A.4] Manipulación de la configuración | Los archivos de configuración se encuentran en ubicaciones protegidas por los usuarios del sistema. Solo los usuarios administradores pueden acceder a estos archivos con permisos de escritura. Las aplicaciones que generan estos registros tienen permiso de escritura con el usuario conectado mediante un certificado de clave privada. | Bajo |
[A.5] Suplantación del usuario | El acceso debe ser mediante autenticación, configurable con doble factor o mediante certificados como el DNI. La organización deberá seguir en todo momento las normas de manejo de contraseñas establecidas. | Bajo |
[A.6] Abuso de privilegios de acceso | La organización debe seguir el principio de las reglas de privilegios mínimos. Se siguen las políticas de formación y sensibilización de la empresa. | Bajo |
[A.12] Análisis de tráfico | Todas las comunicaciones deben cifrarse mediante certificados de clave privada y estar firmadas por una autoridad de certificación. Toda comunicación debe hacerse después de la identificación en el sistema. Firewall de protección contra ataques. | Bajo |
[A.14] Interceptación de información (escuchas) | Todas las comunicaciones deben estar encriptadas mediante certificados de clave privada firmados por una entidad certificadora. Toda comunicación debe hacerse después de la identificación en el sistema. | Bajo |
[A.15] Modificación deliberada de la información | El personal recibe periódicamente cursos de formación y sensibilización en esta materia. La organización deberá seguir en todo momento las normas establecidas para el manejo de contraseñas. | Bajo |
[A.18] Destrucción de información | El personal recibe periódicamente cursos de formación y sensibilización en esta materia. La información está protegida en los sistemas bajo privilegios de espacio. La organización deberá seguir en todo momento las normas de manejo de contraseñas establecidas. | Bajo |
[A.19] Revelación de información | El personal debe recibir la formación necesaria para no difundir sus contraseñas. La organización deberá seguir en todo momento las normas de manejo de contraseñas establecidas. | Bajo |
Control de acceso
[op.acc.1] Identificación
Cada usuario tiene un identificador único a través de una cuenta. Si un usuario va a tener diferentes roles, ese usuario recibirá diferentes identificadores para que los privilegios y los registros de actividad estén siempre delimitados.
Cada cuenta de usuario tiene una función específica y permisos asociados, que se pueden asignar y recuperar. Además, todas las acciones realizadas por un usuario se registran en un registro de auditoría para que sea posible saber quién ha hecho algo y qué ha hecho alguien.
User accounts are managed by users with specific roles, so that the accounts can be disabled. Disabled accounts and their activity logs are retained in the system for a configurable period of time so that the retention periods applicable to each implementation can be met.
[op.acc.2] Access Requirements
Access to all system resources is protected by authentication and their use is restricted to the user who created them and to users and groups to whom access has been specifically granted by authorized roles.
There is the possibility to mark resources for public access. This option is never the default option and must be carried out by a user with special permissions on that resource.
Access to configuration parameters and Onesait Platform modules/components is restricted to administrator users and system operators only.
[op.acc.3] Segregation of roles and tasks
The access control system is designed with specific roles with different functions within the system.
At the platform user level, the roles that a user must be aware of are these:
- USER (ROLE_USER): This role has query-mode access to the platform, that is to say, it can consume platform information generated by others, but it cannot upload information. It can therefore consume dashboards, APIs, query ontologies, ....
- DEVELOPER (ROLE_DEVELOPER): This role can use all the DaM and IoT capabilities in the platform without restrictions. It can create ontologies, APIs, rules, ... It is the typical platform user, and the one that is created by default. It has limited access to the AI capabilities of the platform, to control the resource consumption of the installation.
- ANALYTICS (ROLE_DATASCIENTIST): This role extends the capabilities of the Developer role, allowing access to the analytical and AI tools. Therefore, it has access to the DataFlow, Notebooks, Models, ...
- ADMINISTRATOR (ROLE_ADMINISTRATOR): This role has administration access to the Platform Control Panel. From there, it can manage all the concepts of a platform instance created by the rest of the users, including management of users, ontologies, permissions, etc...
Internally, the platform manages a set of roles that allow the operation and management of a platform installation:
- DEVOPS (ROLE_DEVOPS): This role is in charge of managing the platform's CI/CD process. It has access to the Jenkins that is managed from the platform, from where it can launch the compilation and version generation pipelines, both of the platform and of verticals and micro services deployed on the platform.
- OPERATIONS (ROLE_OPERATIONS): This role has only access to the platform's monitoring tools, being able to know the status of each module and to generate alerts from them.
- SYS_ADMIN (ROLE_SYS_ADMIN): This role has the system administration access, allowing access to the underlying infrastructure of the platform.
Beyond these main roles, there are two more roles with special characteristics:
- VIEWER (ROLE_DATAVIEWER): This role is a subrole of the USER role. It only allows access to the Dashboards and Marketplace.
- PARTNER (ROLE_PARTNER): This role contributes to the platform ecosystem by being able to create solutions that are marketed together with the platform and therefore has all the permissions of the ANALYTICS Role plus access to a part of the platform Operation Console to be able to deploy and operate its vertical.
[op.acc.4] Access rights management process
As a consequence of the segregation of functions and tasks materialized in the roles exposed in the previous step, [op.acc.4], Onesait Platform complies with the following principles in access rights management:
- Least privilege: The privileges of each user are reduced to the strictly necessary minimum to fulfill their duties.
- Need-to-know: Privileges are limited so that users only access the information they require to fulfill their obligations.
- Ability to authorize: Only and exclusively the staff with competence to do so can grant, alter or cancel the authorization to access the resources, according to the criteria established by the person in charge.
[op.acc.5] Authentication Mechanisms
Onesait Platform can be configured with different authentication mechanisms depending on security requirements:
- Username and password
- Digital certificates: Such as electronic DNI (Spanish national identity document) or others, signed and issued by competent authorities.
- Double authentication factor: Authentication accompanied by SMS or e-mail with verification code.
[op.acc.6] Local access and [op.acc.7] Remote access
Failed access attempts do not reveal sensitive information to the user. The number of access attempts is limited in a configurable way and the access attempt is temporarily blocked after each failure to avoid brute force attacks.
As it is a service-mode platform, all access is remote. The selected infrastructure service provider allows the creation of VPNs in the cloud so that it is possible to protect access to the desired services through private networks.
Exploitation
[op.exp.1] Asset inventory
An up-to-date inventory of all the elements of the system shall be maintained, detailing their nature and identifying the person responsible for them, i.e. the person who is responsible for decisions relating to them.
[op.exp.2] Security configuration
The pieces of equipment shall be configured prior to their entry into operation, in such a way as to:
- Standard accounts and passwords are removed.
- The "minimum functionality" rule is applied: So that only those functionalities required for the fulfillment of requirements remain active.
- Functions that are not of interest, are not necessary, or even are inappropriate for the intended purpose, will be eliminated or deactivated by means of configuration control.
- The "security by default" rule will be applied. That is to say, all resources protected by default and permissions on them must be granted by the responsible users.
[op.exp.3] Configuration Management
The configuration of the system components shall be managed on an ongoing basis so that:
- The "minimum functionality" rule ([op.exp.2]) is maintained at all times.
- The "default security" rule ([op.exp.2]) is maintained at all times.
- The system adapts to new, previously authorized requirements ([op.acc.4]).
- The system reacts to reported vulnerabilities ([op.exp.4]).
- The system reacts to incidences (see [op.exp.7]).
[op.exp.4] Maintenance
To maintain the physical and logical equipment constituting the system, the following shall be applied:
- The manufacturers' specifications for installation and maintenance of the systems shall be followed.
- Continuous monitoring of announced defect shall be carried out.
- There will be an available procedure to analyze, prioritize and determine when to apply security updates, patches, upgrades and new releases. Prioritization shall take into account the variation in risk depending on whether or not the update is applied.
[op.exp.5] Change Management
Continuous control of changes made to the system will be maintained, so that:
- Onesait Platform updates will be analyzed to determine their suitability for incorporation or not incorporation.
- Before uploading a new version or a patched version in production, it will be tested on a non-production computer that the new installation works correctly and does not diminish the effectiveness of the functions required for daily work. The test equipment shall be equivalent to production equipment in the aspects being tested.
- Changes will be planned to reduce the impact on the delivery of the affected services.
- Risk analysis will determine whether the changes are relevant to the safety of the system. Changes involving a high-level risk situation shall be explicitly approved prior to implementation.
[op.exp.8] Logging of user activity
User activity in the system shall be logged, so that:
- The log shall indicate who performs the activity, when they perform the activity, and on what information.
- User activity shall be included, and especially that of operators and administrators insofar as they can access the configuration and act in the maintenance of the system.
- Successful activities and unsuccessful attempts should be recorded.
Onesait Platform implements the following functionality:
- The platform has an auditing system that allows every operation that occurs on the platform to be audited. These operations include logins and logouts in the Control Panel, communications between devices and systems, etc.
- The information associated with the audit is stored in a particular ontology for each user so that each user can access this information in a simple way (and, for example, create a monitoring panel).
- For this purpose, when a user registers in the platform, an ontology with identification Audit_ <userName> is created.
- Admin users can access the audit information of any user.
[op.exp.9] Incident Management Logging
All actions related to incident management shall be logged, so that:
- The initial report, emergency actions and system modifications resulting from the incident shall be recorded.
- Evidence shall be recorded that may subsequently support a legal claim, or be used to support it, where the incident may lead to disciplinary action against internal staff, external suppliers or prosecution of offences. In determining the composition and detail of this evidence, specialist legal advice will be sought.
- As a consequence of the incident analysis, the determination of auditable events will be reviewed.
[op.exp.11] Cryptographic Key Protection
Cryptographic keys shall be protected throughout their life cycle according to the protocols defined during the platform implementation:
- Generation.
- Transport to the point of use.
- Custody during operation.
- Archiving after removal from active operation.
- Final destruction.
System monitoring
[op.mon.1] Intrusion detection
Intrusion detection to the systems is ensured by the capabilities of the infrastructure-as-a-service provider AWS, which, through active monitoring of the contracted systems through Cloudwatch, monitors any installed element that is part of the Amazon Web Services infrastructure, collecting data in the form of logs, metrics and events, and offering a unified and correlated view of them. Besides, Cloudwatch incorporates an alarm system that can be used to automatically detect anomalous behavior in the data, and for automated troubleshooting to keep the systems running
[op.mon.2] Metrics System
In addition to the Cloud provider's monitoring, at the Monitoring level, tools are offered that allow to query the security status and monitor all hardware and software components. Besides, the platform includes CaaS Console, the Monitoring UI and the platform's audit module.
Protection measures
These are focused on protecting specific assets, according to their nature, with the level required in each security dimension.
Communications protection
[mp.com.1] Secure Perimeter
A firewall system shall be provided to separate the internal network from the outside. All traffic must pass through this firewall, which will only allow previously authorized flows to pass through.
The firewall contemplates, among others, the following rules:
- Unsecured protocols and ports must be disabled by default (port 80, http protocol, tcp without certificate).
- Block invalid packets.
- Block new packets that are not SYN.
- Block infrequent MSS values.
- Block packets from private subnets (Spoofing).
- Block connection attacks.
- Limiting new connections per second.
- Blocking fragmented packets.
- Limiting incoming TCP RST packets to mitigate TCP RST flooding.
During the implementation of the Platform, and based on a risk analysis, the set of rules to be implemented in the firewall will be determined.
[mp.com.2] Confidentiality Protection
Virtual private networks will be used when the communication runs through networks outside the security domain itself where possible. Algorithms accredited by the Centro Criptológico Nacional (Spanish National Cryptologic Center) shall be used.
[mp.com.3] Authenticity and Integrity Protection
All communications are protected by SSL certificates or electronic certificates such as DNI (Spanish national identity document).
Information protection
[mp.info.1] Personal data
In accordance with the EU regulation 2016/679 for data protection (GDPR, General Data Protection Regulation), the platform adopts the necessary requirements in software design and development to ensure privacy and personal data protection for the user in any possible scenario. Users will have their personal data secured and protected. They will be able to define restrictions and use information assignments, guaranteeing at all times the rights established in the GDPR.
- Accountability Principle
Onesait Platform implements the mechanisms by adopting the necessary measures for the processing of personal data, as required by the standard, in compliance with:
- Responsibility.
- Accountability.
- Protection Principles
From the beginning of Onesait Platform, the design was focused on full compliance with the standard, adopting the necessary measures in all the processes involving data processing, as a rule and from the origin. The platform provides authentication, authorization (by roles) and encryption (encrypted information) mechanisms, both in the transfer of information from systems and devices to the platform and in the consumption of stored information. This guarantees the confidentiality and integrity of the stored information, complying at all times with:
- Data protection by design and by default.
- Anonymization.
- Principle of transparency
Onesait Platform is completely transparent, both in terms of architecture and data management. The platform is an open-source solution, with the Onesait Platform Community version available on GitHub. Onesait Platform provides at all times:
- Right of access.
- Right of deletion.
- Logging of processing activities.
- Allows the existence of a data protection officer.
A users will have the possibility of managing both that user's profile and all of that user's information, from the ControlPanel, maintaining a principle of complete transparency and privacy for the user.
- Registration and privacy options
To register an account in the system, users must accept the platform's terms and conditions of use.
Users are informed about the use of data and rights according to GDPR and how to exercise them (contact information). After that, by using only the credentials (username / password), users can access their personal account on the platform.
Once the user has deleted their account, all the user information is also deleted if the user had marked it as "private". If the information (ontologies) was verified as "public", that information will remain.
The user can define privacy settings in accordance with the GDPR:
- Forget my data: The user can delete any information contained in the ontologies that user owns.
- Revoke consent: The user can revoke any consent previously granted.
- View my data: The user can view the data stored in the ontologies that user owns.
- Forget me: The user can delete that user's profile, removing all the information.
[mp.info.9] Backup copies
The system will take advantage of the facilities and tools provided by the AWS Cloud, specifically the snapshot concept that allows to back up data, allowing to take snapshots at a given time and running incrementally, and saving storage costs. These snapshots contain the information necessary to restore data on a final volume, producing an exact replica of the original volume. The replicated volumes load the data in the background, allowing to start using them immediately.
Protection of services
[mp.s.2] Protection of web services and applications
Onesait Platform implements by default the following measures to protect its services and applications:
- Protection against automation. Capacity to enable CAPTCHA.
- Protection against code injection.
- Protection against cross-site scripting.
- Restriction of permissions and accesses by default.
- Protection against Cross-Site Request Forgery.
- Secure session cookie.
- Policies against weak passwords.
- Insecure SSL and HTTPS protocol in all exposed services.
- Unnecessary resources.
- Throttling control.Periodic update of libraries and tools used in each release, so that known vulnerabilities are eliminated.
[mp.s.8] Protection against denial of service
- Application-level protection provided by Onesait Platform
- Limiting the number of erroneous accesses.
- Control of throttling in the exposed APIs.
- Updating to the latest stable software versions in each release.
- Protection provided by the infrastructure service provider.
Explained in the security measure [mp.com.1]. Secure perimeter.
- System sizing and scaling
The planned system sizing has sufficient capacity to support increases in demand. Also, scalability and robustness capabilities provide the flexibility to support these increases in demand.