
Commit 682f6e2

Add summary
1 parent d8b9c15 commit 682f6e2

2 files changed

Lines changed: 32 additions & 12 deletions


Lines changed: 31 additions & 12 deletions
Original file line number | Diff line number | Diff line change
@@ -1,15 +1,34 @@
11
(arch-defence)=
22
# Defence in Depth
33

4-
- Defence in depth
5-
- at K8s
6-
- PSS
7-
- Network (Cilium)
8-
- RBAC (and namespaces)
9-
- Data-at-rest encryption (protects from bad actors, compromise at infrastructure provider)
10-
- at infrastructure
11-
- network (vnet) isolation (out of band!)
12-
- Compromising the host is very unlikely
13-
- And even if it does happen, and privilege escalation occurs, there is no access to other networks
14-
- No access to data from other projects
15-
- The worst that can happen is a researcher trashes their own environment
4+
A FRIDGE instance is a {term}`TRE <Trusted Research Environment>` and so needs to be designed to provide a high level of protection.
5+
Some aspects of security are enforced by the [Kubernetes clusters](#arch-arch-tenancy-network) and others at the [infrastructure level](#arch-arch-tenancy-requirements).
6+
Therefore, responsibility for the security of FRIDGE is [shared](#arch-shared-responsibility) between the {term}`TRE Operator Organisation` and {term}`FRIDGE Hosting Organisation`.
7+
8+
A principle in the design of FRIDGE was defence in depth.
9+
That is, that no single failure should make it possible for sensitive data to be exfiltrated from the TRE in an unauthorised manner.
10+
Furthermore, the goal should be for security features to be enforced by two independent systems or roles so that a compromise of one is not sufficient to break security.
11+
12+
## Networking
13+
14+
- Network (Cilium)
15+
- at infrastructure network (vnet) isolation (out of band!)
16+
17+
## Privilege Escalation
18+
19+
### In Kubernetes
20+
21+
- RBAC (and namespaces)
22+
23+
### On Cluster Nodes
24+
25+
- PSS
26+
- Compromising the host is very unlikely
27+
- And even if it does happen, and privilege escalation occurs, there is no access to other networks
28+
- No access to data from other projects
29+
- The worst that can happen is a researcher trashes their own environment
30+
31+
## Data
32+
33+
- Data-at-rest encryption (protects from bad actors, compromise at infrastructure provider)
34+
_e.g._ access from host
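Review bot: the new `## Networking` section drops the Kubernetes/infrastructure split the old list had, and its second bullet reads as two fragments run together (`- at infrastructure network (vnet) isolation (out of band!)`); suggest one bullet per layer, e.g. `- Kubernetes: network policy (Cilium)` and `- Infrastructure: virtual network (vnet) isolation, enforced out of band`. The same applies to `## Data`, where the trailing `_e.g._ access from host` on line 34 is detached from the bullet it qualifies and should be folded into it. Two smaller points: `PSS` is an unexpanded acronym and the old list placed it under the Kubernetes layer, whereas it now sits under `### On Cluster Nodes`, so expand it on first use and check which heading it belongs under; and the link targets `#arch-arch-tenancy-network` and `#arch-arch-tenancy-requirements` carry a doubled `arch-arch` prefix unlike the `(arch-defence)=` and `#arch-shared-responsibility` labels in this commit, so confirm those labels actually exist before merging.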

docs/architecture/shared_responsibility.md

Lines changed: 1 addition & 0 deletions
@@ -1,3 +1,4 @@
1+
(arch-shared-responsibility)=
12
# Shared Responsibility
23

34
- Governance remains with the TRE
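Review bot: adding `(arch-shared-responsibility)=` makes the `[shared](#arch-shared-responsibility)` link in the defence page resolve, but the target still consists of the single bullet `- Governance remains with the TRE`; since the linking sentence says responsibility is shared between the TRE Operator Organisation and the FRIDGE Hosting Organisation, this page should at least list which controls each party owns (for example network isolation at the infrastructure level versus RBAC and namespaces in the cluster) so the link lands on the split it promises.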
