As the Data Coordination Platform, we want to be protected, to protect each of our services from each other, and to protect the human subjects data we have. This requires authn and authz on our endpoints and on any access routes.
All components in a secure and federally compliant system need to have four main features: authentication #73, authorization (#99, #101), audit trails #103, and encryption. Even if hosting public data, a system containing Federal Government data still needs to have these features for all of the administrative and operational components to maintain integrity. This has the added benefit of enabling reuse of components in more settings than the HCA. Even though the first use of the DCP Blue Box (HCA) is an open data store, we need to add authentication to components of the DCP. Some of these will be operations-facing; those that are user-facing will be configurable so that they can be turned off during HCA DCP deployment.
From discussion in call, we need end-to-end encryption to have AuthN. @rhiananthony made another ticket for ensuring end-to-end encryption for the DCP. Purple needs SSL, needs both certificates and guidance on setting up SSL. @kislyuk will follow up to see if they can set up a proxy and shut off HTTP.
Do they need vault set up also for certificates? No, with Amazon certificates manager you don't need vault.
AC:
Ingest