[OpenAFS] Purging the client cache

Christopher D. Clausen cclausen@acm.org
Sat, 9 Jan 2010 17:19:48 -0600

Russ Allbery <rra@stanford.edu> wrote:
> We're starting a project to provide a set of AFS servers and a file
> space with additional security restrictions around who can access it
> so that it's suitable for storing data subject to various regulatory
> requirements. This space will require using either strong TLS or a
> VPN to access any files in that space.
> One of the concerns raised by our Information Security Office is that
> a primary point of this space is to get the data off of people's hard
> drives and into central storage that can be managed securely.  If the
> data persists in users' caches after they disconnect from the VPN
> required to access the secure space directly, this would partly
> defeat this purpose.

If it were me, I would NOT allow such data to go to end-user systems
(and thus avoid having it cached there.)  I would set up a few servers
within a secure data center and require all work to be done via remote
access to these systems (using RDP, SSH, FreeNX, etc.)

If the user can view data directly as a filesystem, they can copy it 
elsewhere and you can no longer control it.  If you force them to use a 
specific set of systems, you can restrict how they could copy data off 
of the system and even restrict, filter and log outbound network traffic 
and filter outbound email (if needed.)

In this case I would set up an AFS cell (or maybe just a few file servers
in an existing cell) that was only accessible from this secure data
center and actually had vice partitions encrypted when on-disk on the
file servers, probably taking a performance hit for the additional
security (which is hopefully acceptable in this case.)

This way the data never leaves the data center and all access to it can
be enforced over encrypted channels (you can force high encryption with
RDP and do similar things with SSH to disable weaker ciphers.)  This
should also help with access to non-file data such as SQL and FileMaker
Pro databases, which don't work so well in AFS.


And correct me if I'm wrong here, but wouldn't you also want to wipe the
client's system pagefile or swap area after VPN disconnect, as some data
could be cached when swapped to disk?  (This may actually be true when
using RDP and FreeNX as well, as screen bitmaps and other data may be in
memory after the system disconnects.)
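[Editor's note: the message above mentions disabling weaker SSH ciphers on the remote-access hosts but does not show how. The following sshd_config excerpt is an added example, not part of the original post or of OpenAFS; it assumes a reasonably current OpenSSH (the chacha20/GCM ciphers, ETM MACs and curve25519 exchange exist from OpenSSH 6.5 onward) and shows the permissive legacy setting beside the restricted one.]

```sshd_config
# /etc/ssh/sshd_config excerpt (added example, not from the original post)
#
# Legacy behaviour: older sshd builds negotiated CBC ciphers, arcfour and
# MD5/SHA-1 MACs by default, so omitting these directives was the "weak"
# configuration. The explicit lists below remove those from negotiation.

# Only AEAD or CTR ciphers; no CBC modes, no arcfour, no 3des.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr

# Encrypt-then-MAC variants only; no MD5, no SHA-1, no 96-bit truncations.
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Key exchange: curve25519 or large DH groups; no group1 (1024-bit) or SHA-1 exchanges.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group-exchange-sha256

# Host keys the server will present (Ed25519 or RSA with SHA-2 signatures).
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256

# Interactive remote-access host for the secure space: keys only, no passwords,
# and no tunnelling that could carry files back to the client over the session.
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
```

After editing, run `sshd -t` to check the syntax and `sshd -T | grep -iE '^(ciphers|macs|kexalgorithms|hostkeyalgorithms)'` to print the effective lists; any algorithm name your build does not support will cause the `-t` check to fail rather than silently fall back to the defaults. Keep a second session open while restarting sshd so a typo cannot lock you out of the data-center host.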