Security & Compliance in HPC is a delicate balancing act.

In standard IT (banking/web), you lock everything down. In HPC, you need High Throughput. If you encrypt every packet inside the cluster, the performance drops by 50%, defeating the purpose of buying a supercomputer.

Therefore, HPC security relies on a "Hard Shell, Soft Center" architecture (Perimeter Defense) rather than internal lockdowns.

Here is the detailed breakdown of the security layers, the "Data Classification" tiers, and the compliance training curriculum, followed by the downloadable Word file.

1. The Architecture: Hard Shell, Soft Center

Training must focus on the Perimeter. Once a user is "inside" (on a compute node), they often have fast, unencrypted access to storage.

• The Login Node (The Castle Gate):
• Rule: No one enters without MFA (Multi-Factor Authentication). SSH Keys alone are not enough (keys get stolen).
• Monitoring: fail2ban and aggressive IPS (Intrusion Prevention Systems) to block brute-force attacks.
• The DMZ (Data Transfer Nodes):
• Concept: Users should never upload data directly to the internal cluster. They upload to a "De-Militarized Zone" (DTN). A scanner checks the files for malware before moving them inside.
• The Compute Nodes (The Soft Center):
• Reality: These nodes often run stripped-down OS versions for speed. They should have NO internet access. A compute node should never be able to curl google.com.

2. Compliance Tiers (Data Classification)

You cannot treat all data the same. Training involves teaching teams to classify their data before they upload it.

• Tier 1: Open Science (Public)
• Data: Weather data, fundamental physics.
• Security: Standard login.
• Tier 2: Protected (PII / GDPR)
• Data: Student records, basic genomic data.
• Security: Data is encrypted At Rest (on the disk). Access Control Lists (ACLs) restrict who can see the folder.
• Tier 3: Restricted (HIPAA / ITAR)
• Data: Medical records, military simulations.
• Security: The Enclave. A separate, physically isolated cluster or a "Virtual Private Cluster" with full encryption (At Rest + In Transit). No internet access allowed whatsoever.

3. The "Human Firewall" Training

The biggest risk in HPC is not a hacker breaking the firewall; it is a researcher accidentally setting chmod 777 (Make Public) on a folder containing patient data.

• Permission Hygiene:
• Lesson: Understanding Linux Groups. "Do not add your whole lab to your group if you are working on sensitive data."
• Drill: Using setfacl (Access Control Lists) to give read-only access to a specific user, rather than opening the whole directory.
• SSH Key Management:
• Lesson: "Never create a password-less key."
• Drill: How to use ssh-agent so you only have to type your passphrase once a day, getting convenience without sacrificing security.

4. Key Applications & Tools

Category	Tool	Usage
Authentication	Duo / Google Authenticator	The standard for MFA on SSH.
Scanning	ClamAV	Running virus scans on the Data Transfer Nodes (DTN).
Isolation	Apptainer (Encrypted)	Modern containers can be encrypted. Even if the admin steals the file, they can't read the data inside.
Audit	Splunk / ELK Stack	Logging every single sudo command and file access. Compliance auditors (HIPAA) require these logs to be kept for 6 years.