[OpenAFS] Purging the client cache
Christopher D. Clausen
cclausen@acm.org
Sat, 9 Jan 2010 17:19:48 -0600
Russ Allbery <rra@stanford.edu> wrote:
> We're starting a project to provide a set of AFS servers and a file
> space with additional security restrictions around who can access it
> so that it's suitable for storing data subject to various regulatory
> requirements. This space will require using either strong TLS or a
> VPN to access any files in that space.
>
> One of the concerns raised by our Information Security Office is that
> a primary point of this space is to get the data off of people's hard
> drives and into central storage that can be managed securely. If the
> data persists in users' caches after they disconnect from the VPN
> required to access the secure space directly, this would partly
> defeat this purpose.
If it were me, I would NOT allow such data to go to end-user systems
(and thus avoid having it cached there). I would set up a few servers
within a secure data center and require all work to be done via remote
access to these systems (using RDP, SSH, FreeNX, etc.).
If the user can view data directly as a filesystem, they can copy it
elsewhere and you can no longer control it. If you force them to use a
specific set of systems, you can restrict how they could copy data off
of the system and even restrict, filter and log outbound network traffic
and filter outbound email (if needed.)
In this case I would set up an AFS cell (or maybe just a few file servers
in an existing cell) that was only accessible from this secure data
center and actually had vice partitions encrypted when on-disk on the
file servers, probably taking a performance hit for the additional
security (which is hopefully acceptable in this case).
This way the data never leaves the data center and all access to it can
be enforced over encrypted channels (you can force high encryption with
RDP and do similar things with SSH to disable weaker ciphers). This
should also help with access to non-file data such as SQL and FileMaker
Pro databases, which don't work so well in AFS.
-----
And correct me if I'm wrong here, but wouldn't you also want to wipe the
client's system pagefile or swap area after VPN disconnect as some data
could be cached when swapped to disk? (This may actually be true when
using RDP and FreeNX as well as screen bitmaps and other data may be in
memory after the system disconnects.)
<<CDC
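For the case where restricted data does reach a client anyway, the two clean-up steps raised in this thread (invalidating the OpenAFS client cache and scrubbing swap after the VPN drops) can be wired into a VPN-down hook. The script below is an added example written for this page; it is not code from the list post, from Russ's project, or from OpenAFS. It assumes a Linux client with the `fs` command in PATH, the standard `/usr/vice/etc/cacheinfo` file (`mount:cachedir:blocks`), and `/proc/swaps`; the hook name `vpn-down.sh` and the `DRY_RUN` switch are inventions for illustration.

```shell
#!/bin/sh
# vpn-down.sh (hypothetical hook name): run when the VPN to the restricted
# AFS cell drops. Added example, not from the OpenAFS list post or project.
set -eu

DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands, do not run them
CACHEINFO="${CACHEINFO:-/usr/vice/etc/cacheinfo}" # afsd config: mount:cachedir:blocks

# Execute a command, or just echo it when DRY_RUN=1 (also what the test checks).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Cache directory is the second colon-separated field of cacheinfo.
afs_cache_dir() {
    cut -d: -f2 "$1"
}

# Invalidate every cached chunk and status entry in the cache manager.
# NOTE: fs flushall discards the data; it does not zero the on-disk chunk
# files, so the cache directory itself still needs encrypted storage or
# afsd -memcache if residue on disk is the concern.
flush_afs() {
    run fs flushall
}

# Scrub each active swap *partition*: disable, overwrite with zeros,
# re-initialise, re-enable. Swap files are skipped on purpose: dd'ing
# zeros at a regular file path would grow it until the disk is full.
scrub_swap() {
    swaps="${1:-/proc/swaps}"
    # /proc/swaps columns: Filename Type Size Used Priority (header on line 1)
    tail -n +2 "$swaps" | while read -r dev type size used prio; do
        [ "$type" = "partition" ] || continue
        run swapoff "$dev"
        # dd exits non-zero when it hits the end of the partition (ENOSPC);
        # that is the expected way to stop, so do not let set -e abort here.
        run dd if=/dev/zero of="$dev" bs=1M status=none || true
        run mkswap "$dev"
        run swapon "$dev"
    done
}

main() {
    echo "AFS cache dir: $(afs_cache_dir "$CACHEINFO") (flush invalidates, does not wipe)"
    flush_afs
    scrub_swap /proc/swaps
}

# Invoke as "sh vpn-down.sh run"; set DRY_RUN=1 to see what would be executed.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Two caveats a practitioner would add before deploying this: a swap partition is still best protected by encrypting it (for example via dm-crypt with a random key per boot), since an overwrite at disconnect time does nothing for a laptop that is simply closed or hibernated; and `fs setcrypt on` only turns on OpenAFS's own fcrypt protection for the RPC channel, which is not the "strong TLS or VPN" level of protection the original requirement asks for, so it does not replace the VPN.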