Security Policy Development
Performance-Aware Governance: Balancing Scientific Throughput with Institutional Risk.
The Delicate Balance of HPC Security
Unlike standard enterprise IT, HPC prioritizes low latency and collaboration. A policy that introduces too much friction—like heavy encryption on compute fabrics—degrades the very performance the system was built for. We develop frameworks that treat security as an enabler for high-speed science, not a bottleneck.
1. The "Science DMZ" Philosophy
We adopt the Science DMZ model to decouple high-volume research data from general enterprise traffic. This allows for high-speed data transfer nodes (DTNs) while keeping the control plane strictly locked down.
Risk-Based Differentiation: A node processing public weather data requires different controls than one handling HIPAA-regulated genomics data.
2. Core Policy Pillars
IAM & SSH Hygiene
- Mandatory MFA for all external SSH access.
- Federated Identity support (InCommon/CILogon) for global collaboration.
- No root login over SSH; mandatory use of SSH Certificates.
Workload & Containers
- Policy preference for Apptainer (Singularity) over Docker to eliminate root daemon risks.
- Scheduler-enforced limits (Slurm/PBS) to prevent Resource Exhaustion (DoS) attacks.
Data Governance
- Strict classification: Public, Internal, Restricted, and Regulated.
- Automated Scratch Scrubbing: Reducing liability by removing data untouched for X days.
Network Segmentation
- Strict isolation of the Management Network.
- No outbound internet for compute nodes; routing only via secure proxies/gateways.
3. Phased Implementation Strategy
Audit & Baseline
Deploying monitoring tools (Zeek/Fail2ban) in "passive mode" to establish normal behavior patterns.
PI Consultation
Engaging Principal Investigators to identify "Special Case" instruments requiring walled-garden VLANs.
Automation
Enforcing policy via Ansible. Using Slurm Prologue scripts to clean up processes between jobs.
HPC Policy Checklist
| Policy Domain | HPC Specificity | Target Standard |
|---|---|---|
| Acceptable Use | Explicit ban on crypto-mining and non-research tasks. | NIST 800-53 / ISO 27001 |
| Access Control | SSH Keys only; MFA on Login Nodes. | Zero Trust Model |
| Network | No direct internet for Compute Nodes; Science DMZ implementation. | ESnet Science DMZ Best Practices |
| Maintenance | Rolling updates to respect long-running scientific simulations. | Continuous Reliability |
Secure Your Research Integrity
Download our "Performance-Aware HPC Security Policy Template" and tailor it to your institutional needs.
Download Policy Guide (.docx)