Multifactor Authentication (MFA) Project









- Slides: 9

Multifactor Authentication (MFA) Project
• Why are we doing this?
  • DOE has new requirements for protection of sensitive and M&O (Management and Operation) data.
  • JLAB is attempting to balance these new requirements with the needs of JLAB scientists to easily share information with collaborators.
• Authentication
  • Users with access to sensitive information will require MFA
• Network + fileserver segmentation
  • Best practice to protect sensitive information using both fileserver ACLs and network controls
  • Also allows users without access to sensitive information to continue to use existing appropriate authentication controls

Data Types
• Open Science Data
  • Data that relates to the science at JLAB, experiment data, etc.
  • Can be publicly accessible or protected (up to the owners of the data)
• JSA Data
  • Data related to the management and operation of JLAB and/or data that contains sensitive information.
    • Business, Financial, Procurement, HR
    • CAD and engineering drawings, specifications, designs
    • SRF, Cryo
    • RadCon
• Accelerator Controls is out of scope – no changes

Current
• /group and the M drive are the same file system.
  • Linux Desktop: /group/ccc
  • Windows Desktop: M:\ccc
• Contains both Open Science data and JSA data (~300 directories)
• Open Science data examples:
  • /group/clas, /group/c-compton, /group/c-gep
• JSA data examples:
  • /group/ccc, /group/FE, /group/budget, /group/dcg, /group/srf, /group/12gev

Changes
• Users who access JSA data will be issued MFA (i.e., SmartCards)
  • JSA data will only be available to users with MFA logins
  • Open Science data will be available to all logins
• Staff (i.e., JSA employees) must use MFA logins (Windows, Linux, Mac)
• Users that only need access to Open Science data will continue to use passwords
• Will require /group to be split up…
  • JSA data directories will be pulled out of /group (M drive) and relocated to a new filesystem called /sgroup
  • Open Science directories will remain in /group

Windows
• Windows users now:
  • M drive is mapped to /group (contains both data types)
  • Some people also use \jlabgrp to get there.
• Windows users after:
  • JSA user (MFA login)
    • M drive is mapped to /sgroup (new filesystem with JSA data) (\jlabsgrp)
    • O drive is mapped to old group directory without JSA data (\jlabgrp)
  • Open Science user (password login)
    • NO M drive
    • O drive is mapped to old group directory without JSA data (\jlabgrp)

Linux
• Linux users now:
  • /group (contains both data types)
• Linux users after:
  • JSA user (MFA login)
    • /sgroup (new filesystem with JSA data)
    • /group (old /group without JSA data)
    • (i.e., /group/ccc will not exist… /sgroup/ccc will exist)
  • Open Science user (password login)
    • NO /sgroup
    • /group (old /group without JSA data)
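
A post-migration check for the split described in the Changes and Linux slides, as an added example that is not part of the original slides or JLab's own tooling. The function names, the sample tree, and the use of POSIX "other" permission bits as a simplified stand-in for the fileserver ACLs are assumptions.

```python
import os
import stat
import tempfile

def audit_split(group_root, sgroup_root, jsa_dirs):
    """Return (name, finding) tuples; an empty list means the split holds."""
    findings = []
    for name in jsa_dirs:
        # A relocated directory must be gone from the open filesystem.
        if os.path.lexists(os.path.join(group_root, name)):
            findings.append((name, "still present in group"))
        new = os.path.join(sgroup_root, name)
        if not os.path.isdir(new):
            findings.append((name, "missing from sgroup"))
        elif stat.S_IMODE(os.stat(new).st_mode) & stat.S_IRWXO:
            # Assumption: any "other" permission bit counts as too open.
            findings.append((name, "world-accessible in sgroup"))
    # A symlink from group into sgroup keeps the old mixed path alive.
    real_sgroup = os.path.realpath(sgroup_root)
    for entry in sorted(os.listdir(group_root)):
        path = os.path.join(group_root, entry)
        if os.path.islink(path) and os.path.realpath(path).startswith(real_sgroup + os.sep):
            findings.append((entry, "symlink into sgroup"))
    return findings

def run_demo():
    """Audit a constructed sample tree (not JLab's real filesystem)."""
    with tempfile.TemporaryDirectory() as base:
        group, sgroup = os.path.join(base, "group"), os.path.join(base, "sgroup")
        for path, mode in [(f"{group}/clas", 0o755), (f"{group}/budget", 0o750),
                           (f"{sgroup}/ccc", 0o750), (f"{sgroup}/budget", 0o750),
                           (f"{sgroup}/srf", 0o755)]:
            os.makedirs(path)
            os.chmod(path, mode)
        os.symlink(f"{sgroup}/ccc", f"{group}/ccc-link")
        return audit_split(group, sgroup, ["ccc", "budget", "srf", "FE"])

if __name__ == "__main__":
    for name, finding in run_demo():
        print(f"{name}: {finding}")
```

On the sample tree, ccc passes, while budget, srf, FE and the ccc-link symlink are each reported.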

Mac
• Mac users now:
  • Remote mount jlabgrp: /group (contains both data types)
• Mac users after:
  • JSA user (MFA login)
    • Remote mount jlabsgrp: /group (new filesystem with JSA data)
    • Remote mount jlabgrp: /group (old /group without JSA data)
  • Open Science user (password login)
    • NO access to jlabsgrp
    • Remote mount jlabgrp: /group (old /group without JSA data)

Directories to be moved to jlabsgrp (part 1)
12gevoffice 12Gev_Procure 12GeVUpgrade acc_ad acc_div_off accel_admin_sup accel_div_business_mgt accel_sup acc_int_safety_review AccMgt ac_power adminsr ado ADSO aes ags align ANLcrab apt asd assistcfo assisthr Awards_and_Prizes_Task_Force bnnt budget-phy cadmedia caduser casa_adm CAS_Contractor_Assurance_System ccc CFO-Business-Svces CFO_Polices_Procedures_Guides CIO-Office cmm confsrv cryomod_tests det_anim det_pem1 det_uf div-acc Division_Planning_and_Coordinating DocuShare DOE_Contract_Directives doefinrev DO-PPE eecad ehs-QACI ehsrpt eid em emsc envfile ESH_TJSO_Group facilities fbv FE felcsr fel_optics felstudy Fin-IA fman fm-ir FoodSvcs halla_eng hallb12gevupgrade hallb_eng hallb-eng-acad-dwg Hallc_sup halld-electronics HR_staff HR_Users2 ideas indsaf Infrastructure injst inst_group

Directories to be moved to jlabsgrp (part 2)
Internal_Audit International_Services ISM_Review IT_Div IT_Steering_Committee jpac k100104 labview LCLS-II liaison library londev mcc_ops mcc_tng me10 me-group-fel Microphonics_Notes mis mod-implementation MSINST_HCO_Files msu nx OA pac_graphics ped performance_mgmt phys_div PIT procehsq proe projectcontrols Proj_Mgmnt radcon rcg_lead safety SciEd scmb sels shms-eng sns WBS sns-cad Spoke_Cavity_Cryomodule SRF-Admin SRF_Contracts srfdpt srfmgt srfplan srfpma SRF_Projects srlscanners staffsrv stock Sustainability tabletop teamcenter Technology-Transfer theory TLSD transition TRC UIM_Interface_Coordination