Responsibilities of the VM Owner and VM Administrator

Definitions

VM Owner

The academic or postdoc business owner whose research is facilitated by, or made accessible from, the VM.

VM Administrator

An academic or postdoc designated by the VM Owner to administer the VM’s operating system. If your school or group has local IT staff that can do the VM administration (and they agree to your request to do so) they may be named as the VM administrator.

Owner, Administrator, Contact and Service Information

Each virtual machine will be associated with one or more VM Owners. It is the responsibility of the VM Owner(s) to ensure that each the following information is supplied to IT Services and that this information is kept up to date:

• Contact details for VM Owner.
• Brief details of the service(s) run on the VM, e.g., Webserver (HTTP and/or HTTPS), SSH, etc.
• Name and contact details of VM Administrator.

Responsibilities of the VM Administrator

The VM Administrator will have full administrator/root access to the operating system. The VM Administrator is responsible for keeping VM secure — this must be considered an on-going process:

• All security patches made available by the OS vendor must be applied in a timely manner. If necessary, the OS must be upgraded to a current version to ensure security patches are available.
• An appropriate firewall must be active on the VM at all times.
• Any application software accessible from the network (e.g., a Web server) must be appropriately secured (e.g., to prevent unauthorized access to the VM).
• User-access restrictions to the OS must be maintained (e.g., via appropriate SSH daemon configuration).
• All VMs are initially setup so that Research IT have Root/Administrator access. This access must be maintained.
• All VMs are initially setup with a Nessus/Tenable agent running which monitors for vulnerabilities.
  This agent must be maintained.

What happens if I do not keep my VM secure?

If a VM is found to be vulnerable we will contact you in order to plan remedial action, either by the VM Administrator, or if urgent, by ourselves. If remedial action is not taken, IT Services reserves the right to disconnect your VM from the network at short notice. This is in accord with University policy.

What happens if my VM is hacked?

IT Services reserves the right to disconnect your VM from the network without notice in the event of an apparent security-related issue.

VM Use and Data Storage

Use of the VM must comply with policies relating to University IT Facilities, in particular:

• Acceptable Use Policy
• Standard Operating Procedure for Staff
• Data Protection Policy

N.B. This service is NOT considered secure enough for sensitive and/or personal data. Any VM found to hold sensitive and/or personal data will be shutdown without notice.