Adaptation to National Security Scheme (ENS)
The following subsections list the technological security measures that are addressed by the design of the Onesait Platform architecture with a security-by-default approach. The measures relating to the platform's implementation and exploitation are also included.
Operational Framework
This comprises the measures to be taken to protect the operation of the system as an integral set of components serving a purpose.
Planning
Risk analysis
During the platform implementation, a risk analysis will be performed using a specific language, with a basic threat catalog and defined semantics, that is, a tabular presentation covering the following aspects:
- Identify and qualitatively value the system's most valuable assets.
- Identify and quantify the most likely threats.
- Identify and value the safeguards that protect against those threats.
- Identify and value the residual risk.
For this purpose, the threat catalog based on the Magerit methodology and provided by ENS will be used as a basis.
The following table shows a risk analysis with the most common threats for this kind of system.
| THREAT | Safeguards | Residual Risk |
| --- | --- | --- |
| Errors and unintentional risks | | |
| [E.1] User errors | Principle of least privilege. All activity is traced. | Low |
| [E.2] Administrator errors | The organization shall conduct specific training for administrators. | Low |
| [E.4] Configuration errors | All configuration is tested in test and pre-production environments before moving to production. | Low |
| [E.20] Software vulnerabilities | The release into production of a new version undergoes functional and security testing in test and pre-production environments. The software versions installed are stable versions with the security patches recommended by the manufacturers. | Low |
| [E.21] Software maintenance / upgrade errors | The production release of a new version undergoes functional and security tests in test and pre-production environments. | Low |
| [E.24] System downtime due to resource exhaustion | The ICT infrastructure has a monitoring and alerting system that notifies the system administrator when resources reach the established limits. The infrastructure has elastic capacity. | Low |
| [E.25] Loss of equipment | | Low |
| [A] Intentional attacks | | |
| [A.3] Tampering with activity records (logs) | Log files are protected by system user permissions: only administrator users have write access to them. The applications that generate these logs write under a user authenticated by private-key certificate. | Low |
| [A.4] Tampering with configuration | Configuration files are stored in locations protected by system user permissions: only administrator users have write access to them. The applications that write these files run under a user authenticated by private-key certificate. | Low |
| [A.5] User impersonation | Access must be through authentication, configurable with a second factor or with certificates such as the DNI (Spanish national identity document). The organization must at all times follow the established password handling rules. | Low |
| [A.6] Abuse of access privileges | The organization must follow the principle of least privilege. Company training and awareness policies are followed. | Low |
| [A.12] Traffic analysis | All communications must be encrypted using certificates signed by a certification authority. All communication takes place after identification in the system. A firewall protects against attacks. | Low |
| [A.14] Interception of information (eavesdropping) | All communications must be encrypted using certificates signed by a certification authority. All communication takes place after identification in the system. | Low |
| [A.15] Deliberate modification of information | Staff receive periodic training and awareness courses on this subject. The organization must at all times follow the established password handling rules. | Low |
| [A.18] Destruction of information | Staff receive periodic training and awareness courses on this subject. Information on the systems is protected by access privileges. The organization must at all times follow the established password handling rules. | Low |
| [A.19] Disclosure of information | Staff must receive the necessary training so that they do not disclose their passwords. The organization must at all times follow the established password handling rules. | Low |
Access control
[op.acc.1] Identification
Each user has a unique identifier through an account. If a user is to have different roles, that user will receive different identifiers so that privileges and activity logs are always delimited.
Each user account has a specific role and associated permissions, which can be assigned and revoked. In addition, every action carried out by a user is recorded in an audit trail, so it is always possible to know who did what.
User accounts are managed by users with specific roles, so that the accounts can be disabled. Disabled accounts and their activity logs are retained in the system for a configurable period of time so that the retention periods applicable to each implementation can be met.
[op.acc.2] Access Requirements
Access to all system resources is protected by authentication and their use is restricted to the user who created them and to users and groups to whom access has been specifically granted by authorized roles.
There is the possibility to mark resources for public access. This is never the default option and must be carried out by a user with special permissions on that resource.
Access to configuration parameters and Onesait Platform modules/components is restricted to administrator users and system operators only.
[op.acc.3] Segregation of roles and tasks
The access control system is designed with specific roles with different functions within the system.
At the platform user level, the roles a user needs to be aware of are:
- USER (ROLE_USER): This role has query-mode access to the platform, that is, it can consume platform information generated by others but cannot upload information. It can therefore consume dashboards and APIs, query ontologies, ...
- DEVELOPER (ROLE_DEVELOPER): This role can use all the DaM and IoT capabilities of the platform without restrictions. It can create ontologies, APIs, rules, ... It is the typical platform user, and the one created by default. It has limited access to the AI capabilities of the platform, to control the resource consumption of the installation.
- ANALYTICS (ROLE_DATASCIENTIST): This role extends the capabilities of the Developer role, allowing access to the analytical and AI tools. It therefore has access to the DataFlow, Notebooks, Models, ...
- ADMINISTRATOR (ROLE_ADMINISTRATOR): This role has administration access to the Platform Control Panel. From there, it can manage all the concepts of a platform instance created by the rest of the users, including management of users, ontologies, permissions, etc.
Internally, the platform manages a set of roles that allow the operation and management of a platform installation:
- DEVOPS (ROLE_DEVOPS): This role is in charge of managing the platform's CI/CD process. It has access to the Jenkins that is managed from the platform, from where it can launch the compilation and version generation pipelines, both of the platform and of verticals and micro services deployed on the platform.
- OPERATIONS (ROLE_OPERATIONS): This role has only access to the platform's monitoring tools, being able to know the status of each module and to generate alerts from them.
- SYS_ADMIN (ROLE_SYS_ADMIN): This role has the system administration access, allowing access to the underlying infrastructure of the platform.
Beyond these main roles, there are two more roles with special characteristics:
- VIEWER (ROLE_DATAVIEWER): This role is a subrole of the USER role. It only allows access to the Dashboards and Marketplace.
- PARTNER (ROLE_PARTNER): This role contributes to the platform ecosystem by being able to create solutions that are marketed together with the platform and therefore has all the permissions of the ANALYTICS Role plus access to a part of the platform Operation Console to be able to deploy and operate its vertical.
[op.acc.4] Access rights management process
As a consequence of the segregation of functions and tasks materialized in the roles set out in the previous step, [op.acc.3], Onesait Platform complies with the following principles in access rights management:
- Least privilege: The privileges of each user are reduced to the strictly necessary minimum to fulfill their duties.
- Need-to-know: Privileges are limited so that users only access the information they require to fulfill their obligations.
- Ability to authorize: Only staff with the competence to do so can grant, alter or revoke authorization to access the resources, according to the criteria established by the person in charge.
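The following is an added example, not Onesait Platform code, that models the role hierarchy of [op.acc.3] and the default-deny, owner-plus-explicit-grant resource access of [op.acc.2] and [op.acc.4] in a few dozen lines. The role names are the page's; the permission strings, the `User` and `Resource` classes, the `grant_access`, `revoke_access`, `make_public` and `can_access` helpers, and the rule that only the resource owner or an administrator may grant or publish are assumptions made for the illustration.

```python
# Added example (not Onesait Platform code): a minimal model of the role
# hierarchy in [op.acc.3] and the default-deny resource access of [op.acc.2]
# and [op.acc.4]. Role names are the page's; the permission strings, the
# User/Resource classes and the "owner or administrator may grant/publish"
# rule are assumptions made for this illustration.
from dataclasses import dataclass, field

# Role inheritance: DATAVIEWER is a sub-role of USER, DATASCIENTIST extends
# DEVELOPER, PARTNER has everything DATASCIENTIST has (as stated on the page).
# DEVELOPER inheriting USER's query rights is an assumption.
ROLE_PARENTS = {
    "ROLE_DATAVIEWER": (),
    "ROLE_USER": ("ROLE_DATAVIEWER",),
    "ROLE_DEVELOPER": ("ROLE_USER",),
    "ROLE_DATASCIENTIST": ("ROLE_DEVELOPER",),
    "ROLE_PARTNER": ("ROLE_DATASCIENTIST",),
    "ROLE_ADMINISTRATOR": (),
}

# Permissions granted directly by each role (illustrative names).
ROLE_GRANTS = {
    "ROLE_DATAVIEWER": {"dashboard:view", "marketplace:view"},
    "ROLE_USER": {"ontology:query", "api:consume"},
    "ROLE_DEVELOPER": {"ontology:create", "api:create", "rule:create"},
    "ROLE_DATASCIENTIST": {"dataflow:use", "notebook:use", "model:use"},
    "ROLE_PARTNER": {"opsconsole:deploy-vertical"},
    "ROLE_ADMINISTRATOR": {"*"},          # full Control Panel administration
}


def effective_permissions(role):
    """Permissions of a role, including everything inherited from its parents."""
    perms = set(ROLE_GRANTS[role])
    for parent in ROLE_PARENTS[role]:
        perms |= effective_permissions(parent)
    return perms


def role_allows(role, action):
    perms = effective_permissions(role)
    return "*" in perms or action in perms


@dataclass
class User:
    name: str
    role: str
    groups: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    owner: str
    granted_users: set = field(default_factory=set)
    granted_groups: set = field(default_factory=set)
    public: bool = False   # never public by default ([op.acc.2])


def _may_administer(actor, resource):
    """Who may grant, alter or revoke access: the owner or an administrator (assumption)."""
    return actor.role == "ROLE_ADMINISTRATOR" or actor.name == resource.owner


def can_access(user, resource):
    """Default deny: owner, explicitly granted users/groups, public resources or an administrator."""
    if user.role == "ROLE_ADMINISTRATOR" or resource.public:
        return True
    if user.name == resource.owner or user.name in resource.granted_users:
        return True
    return bool(user.groups & resource.granted_groups)


def grant_access(actor, resource, user_name=None, group_name=None):
    if not _may_administer(actor, resource):
        raise PermissionError(f"{actor.name} may not change access to {resource.name}")
    if user_name:
        resource.granted_users.add(user_name)
    if group_name:
        resource.granted_groups.add(group_name)


def revoke_access(actor, resource, user_name=None, group_name=None):
    if not _may_administer(actor, resource):
        raise PermissionError(f"{actor.name} may not change access to {resource.name}")
    resource.granted_users.discard(user_name)
    resource.granted_groups.discard(group_name)


def make_public(actor, resource):
    """Publishing is an explicit act by a user with rights over the resource, never the default."""
    if not _may_administer(actor, resource):
        raise PermissionError(f"{actor.name} may not publish {resource.name}")
    resource.public = True
```

The check order in `can_access` is deliberate: nothing is reachable unless one of the positive conditions holds, so a new resource created with the defaults is visible only to its owner until someone with rights over it grants access or publishes it.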
[op.acc.5] Authentication Mechanisms
Onesait Platform can be configured with different authentication mechanisms depending on security requirements:
- Username and password.
- Digital certificates: Such as electronic DNI (Spanish national identity document) or others, signed and issued by competent authorities.
- Double authentication factor: Authentication accompanied by SMS or e-mail with verification code.
[op.acc.6] Local access and [op.acc.7] Remote access
Failed access attempts do not reveal sensitive information to the user. The number of access attempts is limited in a configurable way, and access is temporarily blocked after each failure to hinder brute-force attacks.
As the platform is provided as a service, all access is remote. The selected infrastructure service provider allows VPNs to be created in the cloud, so access to the desired services can be protected through private networks.
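The following login guard is an added example, not Onesait Platform code, showing the behaviour described under [op.acc.6] and [op.acc.7]: a configurable attempt limit, a temporary block that grows after every failure, and a single generic response so that a failed attempt does not reveal whether the account exists or is blocked. The constructed user store, the hashing scheme, the block durations and the `LoginGuard` class itself are assumptions for this illustration.

```python
# Added example (not Onesait Platform code): a login guard with the
# [op.acc.6]/[op.acc.7] behaviour: a configurable attempt limit, a temporary
# block after every failure, and responses that reveal nothing about why a
# login failed. User store, hashing and block durations are assumptions.
import hashlib
import hmac
import time

GENERIC_FAILURE = "Invalid credentials"   # same text for wrong password, unknown user or blocked account

# Constructed user store: username -> salted SHA-256 of the password.
# A real deployment would use a slow password hash (bcrypt, scrypt, Argon2).
_SALT = b"constructed-demo-salt"


def _hash(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _hash("correct horse battery")}
_DUMMY = _hash("")   # compared against for unknown users so response timing does not differ


class LoginGuard:
    def __init__(self, max_attempts=5, base_block=2.0, lockout_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts          # configurable attempt limit
        self.base_block = base_block              # block after the 1st failure, doubled on each further one
        self.lockout_seconds = lockout_seconds    # long block once the limit is reached
        self.clock = clock                        # injectable so tests can control time
        self._state = {}                          # username -> {"failures": n, "blocked_until": t}

    def _entry(self, username):
        return self._state.setdefault(username, {"failures": 0, "blocked_until": 0.0})

    def is_blocked(self, username):
        """For administrator tooling only; never exposed to the login caller."""
        return self.clock() < self._entry(username)["blocked_until"]

    def attempt(self, username, password):
        """Returns (ok, message). The message never reveals whether the account exists or is blocked."""
        entry = self._entry(username)
        now = self.clock()
        if now < entry["blocked_until"]:
            return False, GENERIC_FAILURE
        stored = USERS.get(username, _DUMMY)
        matches = hmac.compare_digest(stored, _hash(password))
        if matches and username in USERS:
            entry["failures"] = 0
            entry["blocked_until"] = 0.0
            return True, "OK"
        entry["failures"] += 1
        if entry["failures"] >= self.max_attempts:
            entry["blocked_until"] = now + self.lockout_seconds
        else:
            entry["blocked_until"] = now + self.base_block * 2 ** (entry["failures"] - 1)
        return False, GENERIC_FAILURE
```

Note that a correct password presented while the account is blocked is also refused with the generic message; a caller cannot distinguish "blocked" from "wrong", which is the point of the measure.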
Exploitation
[op.exp.1] Asset inventory
An up-to-date inventory of all the elements of the system shall be maintained, detailing their nature and identifying the person responsible for them, i.e. the person who is responsible for decisions relating to them.
[op.exp.2] Security configuration
The equipment shall be configured before it enters operation, so that:
- Standard accounts and passwords are removed.
- The "minimum functionality" rule is applied, so that only those functionalities required to meet the requirements remain active.
- Functions that are not of interest, are unnecessary, or are inappropriate for the intended purpose are removed or deactivated through configuration control.
- The "security by default" rule is applied. That is to say, all resources are protected by default and permissions on them must be granted by the responsible users.
[op.exp.3] Configuration Management
The configuration of the system components shall be managed on an ongoing basis so that:
- The "minimum functionality" rule ([op.exp.2]) is maintained at all times.
- The "default security" rule ([op.exp.2]) is maintained at all times.
- The system adapts to new, previously authorized requirements ([op.acc.4]).
- The system reacts to reported vulnerabilities ([op.exp.4]).
- The system reacts to incidences (see [op.exp.7]).
[op.exp.4] Maintenance
To maintain the physical and logical equipment constituting the system, the following shall be applied:
- The manufacturers' specifications for installation and maintenance of the systems shall be followed.
- Continuous monitoring of announced defects shall be carried out.
- There will be an available procedure to analyze, prioritize and determine when to apply security updates, patches, upgrades and new releases. Prioritization shall take into account the variation in risk depending on whether or not the update is applied.
[op.exp.5] Change Management
Continuous control of changes made to the system will be maintained, so that:
- Onesait Platform updates will be analyzed to determine whether or not they should be incorporated.
- Before a new version or a patched version is deployed to production, it will be tested on a non-production system to verify that the new installation works correctly and does not reduce the effectiveness of the functions required for daily work. The test equipment shall be equivalent to the production equipment in the aspects being tested.
- Changes will be planned to reduce the impact on the delivery of the affected services.
- A risk analysis will determine whether the changes are relevant to the security of the system. Changes involving a high-risk situation shall be explicitly approved before implementation.
[op.exp.8] Logging of user activity
User activity in the system shall be logged, so that:
- The log shall indicate who performs the activity, when they perform the activity, and on what information.
- User activity shall be included, and especially that of operators and administrators insofar as they can access the configuration and act in the maintenance of the system.
- Successful activities and unsuccessful attempts should be recorded.
Onesait Platform implements the following functionality:
- The platform has an auditing system that allows every operation that occurs on the platform to be audited. These operations include logins and logouts in the Control Panel, communications between devices and systems, etc.
- The information associated with the audit is stored in a particular ontology for each user so that each user can access this information in a simple way (and, for example, create a monitoring panel).
- For this purpose, when a user registers in the platform, an ontology with the identifier Audit_<userName> is created.
- Admin users can access the audit information of any user.
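An added example, not Onesait Platform code, of an audit trail with the properties listed under [op.exp.8]: every record says who, when, which operation and on what information, both successful and failed operations are kept, each user's records live in a collection named Audit_<userName> as the page describes, and only the user or an administrator may read it. The in-memory `AuditStore` class, the record layout and the decision to log refused reads as failed events are assumptions for this illustration.

```python
# Added example (not Onesait Platform code): a per-user audit trail in the
# spirit of [op.exp.8]. The collection name Audit_<userName> follows the page;
# the AuditStore class, the record layout and the read-authorization rule are
# assumptions for this illustration.
from datetime import datetime, timezone

ADMIN_ROLE = "ROLE_ADMINISTRATOR"


class AuditStore:
    def __init__(self):
        self._collections = {}   # "Audit_<user>" -> list of records (in-memory stand-in for the ontology)

    @staticmethod
    def collection_for(username):
        return f"Audit_{username}"

    def register_user(self, username):
        """On registration the platform creates the user's audit ontology."""
        self._collections.setdefault(self.collection_for(username), [])

    def record(self, actor, operation, target, success, detail="", when=None):
        """Who (actor), when (timestamp), what (operation) and on which information (target)."""
        rec = {
            "user": actor,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "operation": operation,
            "target": target,
            "result": "OK" if success else "FAIL",   # unsuccessful attempts are kept too
            "detail": detail,
        }
        self._collections.setdefault(self.collection_for(actor), []).append(rec)
        return rec

    def read(self, requester, requester_role, username):
        """Users read only their own audit ontology; administrators may read any user's."""
        target = self.collection_for(username)
        if requester != username and requester_role != ADMIN_ROLE:
            # the refused read is itself an auditable (unsuccessful) event in the requester's trail
            self.record(requester, "AUDIT_READ", target, False, "not authorized")
            raise PermissionError(f"{requester} may not read {target}")
        self.record(requester, "AUDIT_READ", target, True)
        return list(self._collections.get(target, []))

    def failed_events(self, username):
        """Convenience view for monitoring panels: only the FAIL records of a user."""
        return [r for r in self._collections.get(self.collection_for(username), []) if r["result"] == "FAIL"]
```

Because a user's own read is recorded before the list is returned, the trail always contains the access to the trail itself, which is what makes tampering with or snooping on audit data visible.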
[op.exp.9] Incident Management Logging
All actions related to incident management shall be logged, so that:
- The initial report, emergency actions and system modifications resulting from the incident shall be recorded.
- Evidence shall be recorded that may subsequently support a legal claim, or be used to support it, where the incident may lead to disciplinary action against internal staff, external suppliers or prosecution of offences. In determining the composition and detail of this evidence, specialist legal advice will be sought.
- As a consequence of the incident analysis, the determination of auditable events will be reviewed.
[op.exp.11] Cryptographic Key Protection
Cryptographic keys shall be protected throughout their life cycle according to the protocols defined during the platform implementation:
- Generation.
- Transport to the point of use.
- Custody during operation.
- Archiving after removal from active operation.
- Final destruction.
System monitoring
[op.mon.1] Intrusion detection
Intrusion detection for the systems is provided by the capabilities of the infrastructure-as-a-service provider, AWS. Through active monitoring of the contracted systems with CloudWatch, every installed element that is part of the Amazon Web Services infrastructure is monitored, with data collected in the form of logs, metrics and events and presented in a unified, correlated view. CloudWatch also incorporates an alarm system that can be used to automatically detect anomalous behavior in the data and to automate troubleshooting so as to keep the systems running.
[op.mon.2] Metrics System
In addition to the cloud provider's monitoring, tools are provided at the monitoring level to query the security status and monitor all hardware and software components. The platform also includes the CaaS Console, the Monitoring UI and the platform's audit module.
Protection measures
These are focused on protecting specific assets, according to their nature, with the level required in each security dimension.
Communications protection
[mp.com.1] Secure Perimeter
A firewall system shall be provided to separate the internal network from the outside. All traffic must pass through this firewall, which will only allow previously authorized flows to pass through.
The firewall contemplates, among others, the following rules:
- Unsecured protocols and ports must be disabled by default (port 80, plain HTTP, TCP without a certificate).
- Block invalid packets.
- Block new packets that are not SYN.
- Block infrequent MSS values.
- Block packets from private subnets (Spoofing).
- Block connection attacks.
- Limiting new connections per second.
- Blocking fragmented packets.
- Limiting incoming TCP RST packets to mitigate TCP RST flooding.
During the implementation of the Platform, and based on a risk analysis, the set of rules to be implemented in the firewall will be determined.
[mp.com.2] Confidentiality Protection
Virtual private networks will be used, where possible, when communication runs through networks outside the security domain itself. Algorithms accredited by the Centro Criptológico Nacional (Spanish National Cryptologic Center) shall be used.
[mp.com.3] Authenticity and Integrity Protection
All communications are protected by SSL certificates or electronic certificates such as DNI (Spanish national identity document).
Information protection
[mp.info.1] Personal data
In accordance with EU Regulation 2016/679 on data protection (GDPR, General Data Protection Regulation), the platform adopts the necessary requirements in software design and development to ensure privacy and personal data protection for the user in every possible scenario. Users will have their personal data secured and protected. They will be able to define restrictions and information-use assignments, with the rights established in the GDPR guaranteed at all times.
- Accountability principle
  Onesait Platform implements the mechanisms by adopting the measures required by the standard for the processing of personal data, in compliance with:
  - Responsibility.
  - Accountability.
- Protection principles
  From its beginning, Onesait Platform was designed for full compliance with the standard, adopting the necessary measures in every process involving data processing, as a rule and from the origin. The platform provides authentication, authorization (by roles) and encryption (encrypted information) mechanisms, both in the transfer of information from systems and devices to the platform and in the consumption of stored information. This guarantees the confidentiality and integrity of the stored information, complying at all times with:
  - Data protection by design and by default.
  - Anonymization.
- Principle of transparency
  Onesait Platform is completely transparent, both in its architecture and in its data management. The platform is an open-source solution, with the Onesait Platform Community version available on GitHub. Onesait Platform provides at all times:
  - Right of access.
  - Right of deletion.
  - Logging of processing activities.
  - Support for the existence of a data protection officer.
  Users can manage both their own profile and all of their own information from the Control Panel, maintaining a principle of complete transparency and privacy for the user.
- Registration and privacy options
  To register an account in the system, users must accept the platform's terms and conditions of use.
  Users are informed about the use of their data and their rights under the GDPR, and how to exercise them (contact information). After that, users can access their personal account on the platform using only their credentials (username / password).
  Once a user has deleted their account, all of that user's information is also deleted if the user had marked it as "private". Information (ontologies) marked as "public" will remain.
  The user can define privacy settings in accordance with the GDPR:
  - Forget my data: The user can delete any information contained in the ontologies that user owns.
  - Revoke consent: The user can revoke any consent previously granted.
  - View my data: The user can view the data stored in the ontologies that user owns.
  - Forget me: The user can delete their own profile, removing all of their information.
[mp.info.9] Backup copies
The system takes advantage of the facilities and tools provided by the AWS Cloud, specifically snapshots, which back up data at a given point in time and run incrementally, saving storage costs. These snapshots contain the information necessary to restore the data onto a new volume, producing an exact replica of the original volume. The restored volumes load their data in the background, so they can be used immediately.
Protection of services
[mp.s.2] Protection of web services and applications
Onesait Platform implements by default the following measures to protect its services and applications:
- Protection against automation: capacity to enable CAPTCHA.
- Protection against code injection.
- Protection against cross-site scripting.
- Restriction of permissions and accesses by default.
- Protection against Cross-Site Request Forgery.
- Secure session cookie.
- Policies against weak passwords.
- Secure SSL/HTTPS protocol in all exposed services.
- Removal of unnecessary resources.
- Throttling control.
- Periodic update of the libraries and tools used in each release, so that known vulnerabilities are eliminated.
[mp.s.8] Protection against denial of service
- Application-level protection provided by Onesait Platform:
  - Limiting the number of erroneous accesses.
  - Throttling control in the exposed APIs.
  - Updating to the latest stable software versions in each release.
- Protection provided by the infrastructure service provider: described under security measure [mp.com.1], Secure perimeter.
- System sizing and scaling: the planned system sizing has sufficient capacity to support increases in demand, and the scalability and robustness capabilities provide the flexibility to absorb those increases.
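An added example, not Onesait Platform code, of the application-level throttling control for an exposed API listed under [mp.s.8]: a per-client token bucket that admits a burst, refills at a fixed rate and tells a rejected caller when to retry. The `TokenBucketThrottle` class, the `handle_request` wrapper, the bucket parameters and the use of a client identifier as the bucket key are assumptions for this illustration.

```python
# Added example (not Onesait Platform code): per-client token-bucket throttling
# for an exposed API, one of the application-level measures under [mp.s.8].
# Class, parameters and the client-key choice are assumptions for this example.
import math
import time


class TokenBucketThrottle:
    def __init__(self, rate_per_second, burst, clock=time.monotonic):
        self.rate = float(rate_per_second)   # sustained requests per second per client
        self.burst = float(burst)            # maximum tokens a client may accumulate
        self.clock = clock                   # injectable so tests can control time
        self._buckets = {}                   # client -> [tokens, last_refill_time]

    def _refill(self, client):
        """Add the tokens earned since the last visit, capped at the burst size."""
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        self._buckets[client] = [tokens, now]
        return tokens

    def allow(self, client):
        """Consume one token if available; otherwise refuse the request."""
        tokens = self._refill(client)
        if tokens >= 1.0:
            self._buckets[client][0] = tokens - 1.0
            return True
        return False

    def retry_after(self, client):
        """Seconds until the client will have a whole token again (0 if it already does)."""
        tokens = self._refill(client)
        if tokens >= 1.0:
            return 0.0
        return (1.0 - tokens) / self.rate


def handle_request(throttle, client):
    """Minimal API front: 200 when admitted, 429 with a Retry-After header when throttled."""
    if throttle.allow(client):
        return 200, {}
    return 429, {"Retry-After": str(math.ceil(throttle.retry_after(client)))}
```

Keying the bucket on an authenticated client identity rather than only on a source address keeps the limit meaningful behind NAT and load balancers; the generic 429 response gives a legitimate caller enough to back off without exposing the internal limits.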