Deployment in AWS

Texas Digital Library deploys its hosted Digital Repository (DSpace) Vireo service in Amazon Web Services. Each repository instance is deployed on a single EC2 instance with attached EBS volume for storage.

AWS security compliance documentation

• AWS Security documentation: https://aws.amazon.com/security/

• AWS Compliance documentation: https://aws.amazon.com/compliance/

Backups

TDL uses AWS Snapshot service for backups and maintains two weeks of daily disk snapshots and 1 monthly disk snapshot, kept in Amazon’s S3 storage for at least one year. TDL also provide optional long-term digital preservation storage. (See Digital Preservation section and Digital Preservation of DSpace Content for more information on long-term digital preservation of DSpace materials.)

Vireo is NOT intended to be a storage solution, submissions should eventually be passed into a repository system.

Security-focused monitoring

• Scheduled, regular updates and patch deployment for the hosted operating system and system applications on TDL servers.

• Continual monitoring for DSpace Vireo service availability, with notifications sent to administrators in the event that the service is experiencing an outage. Outages, whether due to system or application failure or external attack are resolved as quickly as possible by TDL technical staff.

• On-going review of known exploits which may affect DSpace Vireo hosting followed, as needed, by manual patching and updates to limit exposure.

• Monitoring for notifications from customers of service failures, outages, or issues via the ZenDesk support system. Issue tickets are resolved by technical staff.

• Monitoring of the DSpace Vireo technical community discussions for discovered security vulnerabilities. Discoveries of a security vulnerability are followed by integration of the fix into the deployed service.

Secure systems architecture

• Virtual Private Cloud with firewall, for provisioning resources in a logically isolated network.

• VPC peering, providing a networking connection between VPCs that enables routing of traffic using the private network.

• Use of jumpboxes for SSH access and secure access through SSL VPN.

• Layered IP filtering using Access Control Lists and Security Groups.

Authentication

• Primary authentication method is via member institution authentication systems using Shibboleth.

• IP address / range authorization (e.g. for restricting access to specific collections to "on campus") is available.

• Default DSpace Vireo authentication is available. (where DSpace Vireo manages all accounts, passwords and permissions)

Encryption

• All calls to hosted DSpace Vireo are encrypted using Transport Layer Security protocols (HTTPS). TDL requires HTTPS for all sites, and does not allow site data to be sent via plain HTTP.