Security

Penguin Takes Security Seriously

We know that security and privacy are a top concern when it comes to using a HPCaaS (HPC as a Service™) or a compute-on-demand vendor. Penguin Computing's On Demand environment, POD, has implemented strong security policies to protect your data, secure your identity, and restrict network access to only authorized users.

Policies and Best Practices Ensure the Security of Your Data

Data Security:

Dedicated compute nodes, not virtualized or shared systems

POD uses standard Linux file system restrictions to protect the shared resources and prevent unauthorized access to the data. Only users who own the data have access to that data set.

The difference with POD is that compute nodes are not virtualized. Login nodes provide you with your own workspace, completely masking customers from each other. When a job is submitted, compute nodes are dedicated to you and not shared with all job submissions. Therefore, any compromise on a compute node will not affect other users.

Transferring data in and out of POD can be done via an encrypted SCP session (using SSH) or shipped to Penguin using an encrypted disk. Once the data is on POD, you use a POD Login Node for job submission. Using PBS TORQUE, your job is forwarded to a remote queue on the physical master node and executed on the physical compute nodes. Through your Login Node, you have complete control and exclusive access to your data.

Penguin has defined procedures and audits to ensure that file system security is implemented and maintained to your specifications.

Network Security:

POD’s network, storage, and compute is tightly coupled using high-speed interconnects.

The difference with Penguin On-Demand is that our network, storage and compute is tightly coupled using high-speed interconnects. This provides a proper and efficient HPC environment without compromising HPC performance.

The technology of this tightly coupled, HPC environment is designed to prevent actions on the cluster which are disruptive or circumvent security measures, thereby thwarting network scans, spoof forged packets, and packet sniffing.

This technology coupled with Penguin’s Acceptable Use Policy provides two-fold protection in ensuring that only the user can access their account. Prior to use of the system, POD customers must agree to the Acceptable Use Policy. In this agreement, customers agree to not:

	Attempt to tamper or interfere with the jobs or processes of other customers;
	Attempt to circumvent or expand any of the file permissions established by Penguin;
	Knowingly overload the storage associated with a compute node or otherwise intentionally cause a compute node to fail; or,
	Interfere with the operation of POD or disable or attempt to disable POD.

Identity Security:

Procedures, password policies, and controlled access

User identity is controlled at many levels. First, standard security procedures such as a robust, encrypted password policy are in place. Secondly, only known IP addresses defined by the user and identified by POD give the user access to the system. POD will only accept a remote login from a known, static IP address. Finally, access to POD is always made through an encrypted connection (either through SSH or VPN).

Regularly scheduled audits are conducted while private networks and firewalls are monitored 24/7. Automated systems and Penguin personnel check logs on a regular basis. Additionally, Penguin has implemented cutting-edge technology to protect against unauthorized network intrusions and denial of service attacks.

Best Practices for Security

When choosing your HPCaaS or computing-on-demand vendor, think about these things:

	Ask about monitoring of the system, scans, and audits. Understand your HPCaaS vendor’s protection of the system and feel comfortable with your data on their system.
	Know about updates to the compute resource and ask about access privileges for internal staff.
	Ask where data is kept and how it’s protected.
	Know about physical security of the compute and storage resources and how access is controlled.

POD’S Security Differentiation

Dedicated compute nodes, not virtualized or shared Security policies that only allow access from specific, known IP addresses Scheduled security audits and system scans Tightly coupled network infrastructure of storage and compute nodes High touch service managed and maintained by Linux experts Physical security: POD is located in a non-descript, state-of-the-art, highly secure co-location facility in an area that has minimal risk of natural disasters.