Security

NFS Security

TL;DR

None.

NFS does not provide any security whatsoever.

Explanation

Any user on a client that they control (such as a workstation, laptop, or a server on which they have sudo privileges) can impersonate any other user. Do not rely on NFS-based discretionary access controls (Unix permissions, ACLs, and ownership) to secure sensitive data.

If you need to store any amount of regulated data, contact TIG for assistance in specifying and building a private storage cluster or identifying a cloud computing provider that can meet your legal obligations. If you need to store smaller amounts of sensitive but unregulated data, encrypt all data stored on NFS, using a key which is stored on physical storage local to the server(s) on which it will be accessed.
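One way to follow the encrypt-before-NFS advice above, as an added example that is not TIG's or CSAIL's own tooling: a POSIX shell script that encrypts a file with openssl(1) using a key file, and refuses to run if the key file itself sits on an NFS mount (determined from /proc/mounts). It assumes Linux and openssl; the key and file paths are placeholders.

```sh
#!/bin/sh
# Added example, not TIG or CSAIL tooling. Encrypts a file before it is
# placed on NFS, using a key file that must live on local (non-NFS) storage.
# Assumes Linux (/proc/mounts), readlink -f, and openssl(1) 1.1.1 or newer.
# MOUNTS_FILE can point at a different mount table (used for testing).

# Print the filesystem type of the mount holding path $1 (longest mount-point
# prefix match), e.g. "nfs4", "ext4", "tmpfs".
fstype_of() {
    # Fall back to the literal path when it does not exist yet.
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    best=""; besttype=""
    while read -r _dev mnt type _rest; do
        case "$mnt" in
            /) match=1 ;;
            *) case "$target" in "$mnt"|"$mnt"/*) match=1 ;; *) match=0 ;; esac ;;
        esac
        # Longer (and later, for over-mounts) mount points win.
        if [ "$match" -eq 1 ] && [ ${#mnt} -ge ${#best} ]; then
            best=$mnt; besttype=$type
        fi
    done < "${MOUNTS_FILE:-/proc/mounts}"
    [ -n "$besttype" ] && printf '%s\n' "$besttype"
}

# Exit status 0 only when $1 is on an NFS mount.
is_on_nfs() {
    case "$(fstype_of "$1")" in nfs|nfs4) return 0 ;; *) return 1 ;; esac
}

# encrypt_for_nfs KEYFILE PLAINTEXT CIPHERTEXT: the ciphertext may go on NFS,
# the key file must not. openssl enc gives confidentiality only; it does not
# detect tampering with the ciphertext.
encrypt_for_nfs() {
    if is_on_nfs "$1"; then
        echo "refusing: key file $1 is on an NFS mount" >&2; return 2
    fi
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$1" -in "$2" -out "$3"
}

# decrypt_from_nfs KEYFILE CIPHERTEXT PLAINTEXT, with the same key check.
decrypt_from_nfs() {
    if is_on_nfs "$1"; then
        echo "refusing: key file $1 is on an NFS mount" >&2; return 2
    fi
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1" -in "$2" -out "$3"
}

# Run directly: ./nfs-encrypt.sh /var/local/nfs.key secret.txt secret.txt.enc
if [ $# -eq 3 ]; then encrypt_for_nfs "$@"; fi
```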

In order to maintain the customary expectations of Unix-style discretionary access controls, TIG only supports NFS on managed CSAIL Ubuntu installations. However, it is not practical to impose sufficient technical restrictions, given the openness of the CSAIL environment, to prevent any user from bypassing access controls, so users should treat file ownership and permissions as they would a cheap plastic lock on a suitcase: a polite indication that only certain people are authorized to access the files, not an effective means of restricting access.

AFS provides stronger (although at this point still cryptographically weak) guarantees of access control.

Data at rest

Data stored on CSAIL NFS servers is protected against physical corruption by erasure coding or mirroring, with every block of data and metadata checksummed and verified on read. However, data on disk is not encrypted at rest. When CSAIL servers are decommissioned, drives are physically destroyed as a matter of customary practice, but we cannot ensure that failed drives returned to a manufacturer are zeroized or otherwise made unreadable if the maker elects to refurbish and resell them.