Externally accessible systems at PSU are those that present services to the open Internet that can be reached without the use of a VPN.
There have been some recent lapses in security among externally accessible Tier 3 (self-managed) systems as well as a push by OIT to better secure PSU’s network border. This has put the focus on these Tier 3 systems in MCECS. Users in MCECS have had a long history of being able to set up self-managed systems that run Internet accessible services. However, as external attackers become more sophisticated, the bar for maintaining adequate security on these systems has risen significantly.
New Tier 3 systems that need to be externally accessible (ie: seen from the Internet as running services, such as SSH, or a website) will need to provide justification as well as a detailed security plan that includes patch schedules, who manages the systems, rules for managing accounts on the system, security hardening practices, etc. The CAT will work with the user to evaluate whether there is sufficient attention being paid to maintain the safety of the externally exposed system.
We are also going through an audit of existing externally accessible Tier 3 systems. We will be contacting owners to see whether the systems still need the access, and about the security practices being employed on them.
The majority of our Tier 3 systems are not externally accessible (they need a VPN to access them) and are not affected by these changes.