System Security for OA Journal Hosting
Deployment in AWS
Texas Digital Library deploys its hosted Open Access Journals service in Amazon Web Services.
AWS security compliance documentation
AWS Security documentation: https://aws.amazon.com/security/
AWS Compliance documentation: https://aws.amazon.com/compliance/
Backups and Preservation
TDL uses AWS Snapshot service for backups and maintains two weeks of daily disk snapshots and 1 monthly disk snapshot, kept in Amazon’s S3 storage for at least one year.
TDL does not curate or conduct preservation planning on content within its hosted journals; however, the OJS platform provides tools for archiving in a LOCKSS or CLOCKSS network and the PKP Preservation Network.
Security-focused monitoring
Scheduled, regular updates and patch deployment for the hosted operating system and system applications on TDL servers.
Continual monitoring for journal service availability, with notifications sent to administrators in the event that the service is experiencing an outage. Outages, whether due to system or application failure or external attack are resolved as quickly as possible by TDL technical staff.
On-going review of known exploits which may affect Journals hosting followed, as needed, by manual patching and updates to limit exposure.
Monitoring for notifications from customers of service failures, outages, or issues via the ZenDesk support system. Issue tickets are resolved by technical staff.
Monitoring of the OJS technical community discussions for discovered security vulnerabilities. Discoveries of a security vulnerability are followed by integration of the fix into the deployed service.
Secure systems architecture
Virtual Private Cloud with firewall, for provisioning resources in a logically isolated network.
VPC peering, providing a networking connection between VPCs that enables routing of traffic using the private network.
Use of jumpboxes for SSH access and secure access through SSL VPN.
Layered IP filtering using Access Control Lists and Security Groups.
Follow PKP guidelines for secure deployment of the OJS application.
Authentication and Authorization
TDL-hosted journals use the default functionality for OJS, which authenticates users against its internal database.
Recaptcha and account validation is enabled for user registration to prevent spam user account creation.
Role-based access control is used within the application, with top-level Administrator access reserved for designated TDL staff only.
End users are not authorized to add new plugins, and developer must review any plugin requests for security vulnerabilities prior to making them available for use.
Encryption
All calls to hosted OJS journals are encrypted using Transport Layer Security protocols (HTTPS).