Computational Cluster Programs

Security Policy on ATS-Hosted Clusters

 

 

 

Eligibility for Account: Who may Apply for a Login Id on an ATS-Hosted Cluster

Any current UCLA student, faculty or staff member with a valid UCLA Logon Id may apply for access to the Hoffman2 Cluster.

Those who are also affiliated with a research group may apply for access to that group's own virtual cluster resources. Cluster access can be authorized for people not affiliated with UCLA by written request from a PI who has purchased hardware on the Hoffman2 Cluster.

To access to the UCLA Grid Portal you must: a) have a login-id on a cluster which is participating in the UCLA Grid or b) be a current UCLA student, faculty or staff member with a valid UCLA Logon Id. UCLA Grid Portal access is not authorized for those not in these categories.

 

Safeguard Login ID and Password

 

UCLA Grid Portal Username and Password

If you use the UCLA Grid Portal to access a cluster at UCLA, keep your UCLA Grid Portal Username and password safe and do not allow anyone else to access the UCLA Grid Portal using your Username.

Cluster Login Id and Password

If you login to a Cluster login node directly, you will have a Cluster login id and password. Cluster login ids are single user login ids only. For security, do not let anyone else know or use your login id and password. Any form of use of another person's account, for example using an ssh public key to gain access, is a violation of this policy. If ATS suspects that a login id is being used by more than one person, ATS will suspend access to the login id until the matter has been resolved.

Login id/Password on other Systems that you use while using an ATS-hosted cluster

Because the cluster login nodes of ATS-hosted clusters are NOT behind fire walls, although ATS makes every attempt to ensure the security of the systems it hosts, there is no guarantee that they cannot be compromised by a malicious attacker. For your own security and the security of other computing equipment that you use, do NOT ssh to or scp to other machines from an ATS-hosted cluster. In the rare instance that the cluster is compromized, entering passwords or other authentication information for other machines may cause those machines to be compromised as well.

 

UCLA-401: Security Standard for Your Local System

UCLA Policy 401 - Minimum Security Standards for Network Devices specifies the minimum security standards for all electronic devices connected to the UCLA Campus Network, either directly connected, connected via UCLA dialup or UCLA Virtual Private Network (VPN). Make sure you meet these minimum standards.

 

UCLA-404: Protecting Personal Information (PI) on ATS-Hosted Cluster

 

Pursuant to UCLA Policy 404 any Personal Information (PI) data stored on the ATS-Hosted Cluster file systems must be protected.

Personal Information is defined as "an individual's first name or first initial, and last name, in combination with any one or more of the following: (1) Social Security number, (2) driver's license number or California identification card number, (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, (4) medical information, and (5) health insurance information."

Since ATS has responsibility for the cluster it also has responsibility for insuring that users of its file systems understand what is required of them.

To that end we need to know if you are storing any Personal Information on the ATS-hosted Cluster. If so we strongly recommend you remove it immediately. If this is not possible then you must encrypt the data per policy guidelines. If you do decide to keep it you must inform the Director of ATS, in writing, what kind of Personal Information you have and why you must keep it on the cluster. If a security breach occurs and Personal Information is stolen AND it is not encrypted then YOU as the custodian of the data are liable for the exposure.

 

Secure Login: Accessing the Cluster Login Node

You must use the Secure Shell Protocol (SSH) version 2 to access a cluster login node. You can use the ssh, scp, and sftp commands and local GUI interfaces, on Window's machines, for example, that are based on SSH version 2. Unless specified specifically on the cluster's web site, compute nodes, including interactive nodes, on a cluster can only be accessed from the login node.

Do not leave your local machine unattended while you are logged in from there to the cluster. If you think that your login id/password has been compromised, please change your password immediately and contact atshpc@ucla.edu. The ATS consultants will reply during normal business hours.