Application Administrator Obligations
| Version | Description | Date |
|---|---|---|
| 1.0 | Initial Version | September 25, 2020 |
| 2.0 | Reflect updated review procedures | March 23, 2021 |
In order to safely operate the SLATE Platform, the SLATE Platform Administrators require that SLATE Application Administrators agree to the following:
- Operate applications from the SLATE catalog only in the manner for which they are intended.
- Not substitute the container image(s) referenced in an application's Helm chart.
- Configure applications in the most secure manner afforded by the SLATE Platform that is consistent with their intended use.
- Update applications as advised by SLATE Platform Administrators or Edge Administrators of a SLATE cluster on which the application is located.
- Keep up to date the contact information (including security contact information) they have entered in the SLATE Platform, as well as the contact information for any groups they create.
- Maintain the means to identify and contact users of applications that they operate.
- Produce and retain logs sufficient to trace application administration and usage, so that the basic questions about a security incident (who, what, where, when and how) can be answered, and document the configuration of the logging mechanisms that produce this information.
    - a. Logs should be retained according to the applicable policy of the group operating the application or of the site operating the Edge Cluster. If no such policy exists, a default retention period of 90 days is recommended.
- Collaborate in the event of an incident with SLATE Platform Administrators and other organizations participating in the SLATE Platform as needed.
    - a. Information shared between collaborators for security incidents will be handled according to the Traffic Light Protocol (TLP).
- Ensure that all users of SLATE applications acknowledge that:
    - a. they will use the applications only in the manner for which they are intended;
    - b. the actions of any one user may affect all other users' use of the applications;
    - c. they will report any known or suspected security breach or misuse of the applications to an identified point of contact.
The SLATE Platform Administrators may remove or disable applications out of urgent concern for the security or interoperability of the overall platform. Removed applications may be restored as part of the response to the incident, with the approval of the Incident Coordinator.
To support Application Administrators’ observance of these obligations, SLATE Platform Administrators will inform Application Administrators about vulnerabilities or insecure configurations in deployed versions of SLATE applications on the SLATE Platform that come to the attention of SLATE Platform Administrators.
This document is a policy of the SLATE (Services Layer at the Edge) project, supported by the National Science Foundation Office of Advanced Cyberinfrastructure: “CIF21 DIBBs: EI: SLATE and the Mobility of Capability”, award number OAC-1724821