Internet-based Research: Perspectives of IT

Research Data Protection:
An Overview of the VCUeRA System
Jim Ward
Director of Research Information Systems
Office of Research
What Types of Data Protection?
• Physical Protection
• Physical access and environmental controls
• Network Protection
• Network attacks and threats
• Application Protection
• Authentication and Authorization
• Hardware Protection
• Hardware failures, backups and redundancy
Current Configuration
• Office of Research currently manages eleven
servers
• Windows 2003 Server
• The VCUeRA production system consists of
four servers
• Two Web servers
• IIS (Internet Information Services) 6.0
• Two Database servers
• SQL Server 2000
• Database size: 95GB (24 DVDs or 132 CDs)
Physical Security
• Located at University Computer Center
• Building and VCU Computer Center have 24 hour
security and access
• Require passwords at
system console
• Renamed administrator’s
account
• Disable guest accounts
Physical Security Cont.
• Environmental Controls
• Dedicated air conditioning and noise containment
• Dedicated Power and UPS
• All servers have redundant power supplies
• Servers should be on a dedicated circuit
• Multiple circuits are installed at Computer Center
• UPS (Uninterruptible Power Supply)
• Computer Center has a dedicated UPS for the entire center
Network Security
• VLAN (Virtual Local Area Network)
• Server VLAN
• Desktop VLAN (SECNet)
• Wireless VLAN
• Residence Hall VLAN
[Diagram: VCU Network connected to the Server VLAN, Desktop VLAN, Wireless VLAN and Residence Hall VLAN]
Network Security Cont.
• Firewall – defines which ports the system is
allowed to use
• Web Servers
• Only allow access to http and
https ports from anywhere
• Database Servers
• Only allow access to SQL
port from web server
• Implemented using two firewalls
• Network based (controlled
by VCU Network Services)
• Server based (installed on
server and controlled by OR
IT staff)
[Diagram labels: "Only allow Web access from anywhere"; "Only allow web access from VCU address"]
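
Added example (not part of the original slides): a small Python model of the two-tier allow-list and the two firewall layers described above, showing how a rule set can be audited against the stated policy and why a mistake in one layer is contained by the other. The addresses, the rule sets and the use of TCP 1433 as the "SQL port" are assumptions made for illustration.

```python
# Added example: constructed addresses and rule sets, not VCU's real configuration.
from ipaddress import ip_address, ip_network

WEB = ip_network("10.0.1.0/30")    # constructed: addresses of the two web servers
DB = ip_network("10.0.2.0/30")     # constructed: addresses of the two database servers
ANY = ip_network("0.0.0.0/0")
SQL_PORT = 1433                    # assumption: SQL Server default TCP port

# Each rule: (allowed source network, destination network, allowed TCP ports)
POLICY = [
    (ANY, WEB, {80, 443}),         # web servers: http/https from anywhere
    (WEB, DB, {SQL_PORT}),         # database servers: SQL port from web servers only
]

def permits(rules, src, dst, port):
    """Default deny: a flow passes only if some rule matches all three fields."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in rs and d in rd and port in ports for rs, rd, ports in rules)

def reachable(network_fw, host_fw, src, dst, port):
    """Traffic must clear both the network firewall and the server firewall."""
    return permits(network_fw, src, dst, port) and permits(host_fw, src, dst, port)

def audit(rules, probes):
    """Return probes that a rule set permits although the stated policy denies them."""
    return [p for p in probes if permits(rules, *p) and not permits(POLICY, *p)]

# Constructed probe flows: (source, destination, TCP port)
PROBES = [
    ("203.0.113.9", "10.0.1.1", 443),   # internet -> web, https
    ("203.0.113.9", "10.0.1.1", 3389),  # internet -> web, Remote Desktop
    ("203.0.113.9", "10.0.2.1", 1433),  # internet -> database, SQL
    ("10.0.1.2", "10.0.2.1", 1433),     # web -> database, SQL
]

# Constructed drift: the server firewall on a database host was opened to any source.
DRIFTED_HOST_FW = [(ANY, WEB, {80, 443}), (ANY, DB, {SQL_PORT})]

if __name__ == "__main__":
    print("violations in drifted host rules:", audit(DRIFTED_HOST_FW, PROBES))
    for p in PROBES:
        print(p, "reachable:", reachable(POLICY, DRIFTED_HOST_FW, *p))
```

The audit flags the over-broad server-firewall rule, while the reachability check shows the database is still not exposed because the network firewall continues to enforce the policy.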
Application Security
• Secure HTTP (HTTPS)
• A secure method for viewing web pages
• Same technology as used by banks and other
online commercial retailers
• At VCU, a certificate must be issued and installed
on each server yearly
• A certificate is issued for https://vcuera.research.vcu.edu
• Application Authentication
• Process for determining user identity
• VCUeRA uses VCU eID
Application Security Cont.
• Application Authorization
• Process by which user is granted access to specific area of
the application
• VCUeRA uses application roles
• Access granted to a specific department or school requires
department chair or school dean approval
• Access to an entire module requires approval from the Vice President
for Research
Hardware Failures
• Disk Failures
• RAID
• Web servers use RAID 1
• Database servers use RAID 5 with hot spare
• Server Log Monitoring
• Software installed to monitor server logs (application,
security, system log)
• Sends e-mail notification when an error or warning is written
to any server log
• Dell OpenManage
• Monitors server for Dell-specific hardware issues and writes
error to server logs when error occurs
Backups
• Backups of Servers
• VCU has a dedicated VLAN for backups and
requires using a second dedicated network card
• Perform nightly incremental backups using
Computer Center’s Tivoli Storage Management
• Additional Database Backups
• A full copy of the database is created each night on
the server (takes about 15 minutes)
• Every 20 minutes, any database changes
are copied to disk
• These are backed up using Tivoli
Redundancy
• Website
• Two servers acting as one
• If one fails, we can continue to function on other
• Database
• The files created from the changes backup are also
copied to the second database server.
• If a manual restore of the production database were
required, it would take 8-10 hours.
• 4-5 hours to restore the backup file from tape, plus
• 4-5 hours to restore the database
• Can restore in as little as 20 minutes
Additional Protections
• Security Patches
• Security patches are manually installed within 1
week of release from Microsoft
• Usually installed after hours
• Remote Access
• On campus, use Remote Desktop for remote
administration of servers
• Off campus, a VPN (Virtual Private Network)
session is required for all administrative functions
VCUeRA Configuration
[Diagram: VPN Server and Tivoli Backup Management; remote administration of servers; Firewall passing HTTP and HTTPS requests to Web1 and Web2 (https://vcuera.research.vcu.edu); DB1 with data copy to DB2]
Future Plans
• Yearly vulnerability scans performed by
Technology Services
• System Logs sent to Technology Services
MARS system (Technology Services’
Monitoring, Analysis and Response System)
• Move two servers to Computer Center’s hot site
• Second web server
• Backup database server
What does this mean for me?
• Data needs to be protected with numerous
layers of security
• Make backups of your data and secure them
• If you require a server or storage space, you
should contact Technology Services at
http://www.ucc.vcu.edu/
• Provide storage space
• Provide server support, maintenance, and security
for dedicated servers at a cost of $100 per server
per month
• DO NOT install a server in your office
Inquisite
• Accounts are distributed to departments
• Annual fee of $800 per year per account
• Department assigns an account administrator
• Manage all surveys for account
• Serve as primary contact for department regarding
Inquisite
• Investigators can request a separate account
• Still need to designate an account administrator
• Still required to pay $800 per year per account
• More information can be found at
http://www.ts.vcu.edu/faq/inquisite/
QUESTIONS?