Strengthening Supercomputing Security: Insights from LuxProvide’s Head of Security
Introduction: Security in High-Performance Computing
Supercomputers, like MeluXina, deliver high value computational power to key industrial and public sectors.
This technological leadership may make supercomputers very desirable targets for malicious actors.
The complexity of high-performance computing systems and the sensitivity of the processed data demand robust security frameworks that meet the requirements for information protection as well as compliance with national and European regulation.
Enforcing a zero-trust approach, operating real-time security monitoring, and detecting and analysing emerging cyber threats early are the key elements that constitute the operational security pillars for MeluXina.
The article highlights several facets of how LuxProvide enforces technical security and regulatory compliance with MeluXina without trading off on high performance, availability and user experience.
Table of Contents
- National and European Regulatory Compliance
- Information Security: ISO 27001 Certification
- Data Protection in HPC
- Zero Trust Architecture: Security Paradigm
- Cybersecurity Events Detection and Response
- Threat Intelligence: A Step Ahead of the Cyber Threats
- Balancing Security and Performance
- Conclusion: Building a Secure Foundation for Innovation
December 19, 2024.
National and European Regulatory Compliance
LuxProvide takes specific precautions to comply with national and European regulations, in particular the General Data Protection Regulation (GDPR), the Network and Information Systems (NIS) Directive, and the upcoming European Cybersecurity Act.
Audits and Certification: Regular audits assure compliance with the gold standard for information security management systems: ISO 27001.
Furthermore, LuxProvide guarantees that all data hosted and processed on MeluXina remains in Luxembourg.
Information Security: ISO 27001 Certification
LuxProvide has been ISO 27001 certified since 2022, showing its strong commitment to being a secure and trusted supercomputer centre.
This international standard guarantees that the information system is following industrial and governmental best practices in terms of information security management.
This includes risk management with the identification, comprehensive assessment and mitigation of the security risks, supported by a deep understanding of the current and emerging security threat landscape.
Well-defined policies and procedures dictate access management, data encryption, threat and vulnerability management, as well as the security incident and response workflow.
Controls are performed continuously to ensure consistent compliance of the information system processes with LuxProvide security policy.
A continuous improvement framework drives the daily life of the information security management system (ISMS), with security control outputs and threat intelligence supporting the improvement of operational security. This is also achieved by measuring the effectiveness of the actions taken to improve the LuxProvide security posture.
Technical and compliance audits are performed regularly by impartial third parties to challenge and assert LuxProvide as a trusted environment.
Data Protection in HPC
Supercomputers can easily deal with massive amounts of data; however, highly privacy-focused sectors require more than pure computing power. For example, when dealing with healthcare records or building AI models for the finance industry, effective technical solutions and operational processes are paramount for providing a high level of data protection, and thus trust in the supporting platform.
The security model that we apply at LuxProvide relies on the security triad: Confidentiality, Integrity and Availability.
Confidentiality: Data is encrypted at rest and in transit using strong encryption algorithms. Access is managed by enforcing role-based access control policies, ensuring that information is only accessible by the intended user.
Integrity: Data integrity is ensured through robust storage systems and transfer protocols, with data and metadata handled by different systems.
Availability: Resiliency is built at all levels within the platform, with no single points of failure.
Zero Trust Architecture: Security Paradigm
As recommended by NIST, the MeluXina security architecture is based on a “zero-trust” model where all unknown actions are denied by default.
This effectively translates into the following practices:
- Physical access to the infrastructure is strictly monitored with granular access granted by roles
- At the physical network level, segmentation is applied so that production flows are separated from the management ones
- At the logical level, privileged access is tightly restricted and closely monitored
- Generally, access is granted on a per-session, per-endpoint basis
- Anonymous access or requests are forbidden
- Cleartext communication is blocked
- Any modification to the production information system needs to be validated by change request and peer review
- Multi-factor authentication is enforced wherever possible
- The state of assets is closely monitored
This architecture reduces the attack surface and, in conjunction with efficient monitoring, provides an overall high level of information security.
Cybersecurity Events Detection and Response
LuxProvide performs real-time security monitoring of MeluXina and its associated services.
The Security Operation Center (SOC), supported by the Security Information and Event Management solution (SIEM), keeps a close eye on the information system.
Suspicious activities such as unauthorized access, privilege escalation or brute force attempts are recorded and raise alerts based on detection rules.
The SOC operators act on alerts following a security incident procedure.
Based on the criticality and qualification of the raised alerts, a pre-defined incident response plan is triggered in order to isolate the incident or mitigate its impact.
Threat Intelligence: A Step Ahead of the Cyber Threats
The threat landscape is constantly evolving, and being secure today essentially requires proactive steps.
LuxProvide leverages threat intelligence feeds to protect against identified malicious actors.
Indicators of compromise (IOCs) are gathered from different trusted sources such as MISP, CISA or VT and injected into network and security devices.
IOCs typically list public domains, IPs and file hashes that are known to be malicious, and which can be used to prevent connections and access, reducing the risk of contamination and compromise.
At LuxProvide, frontal firewalls, for example, block inbound and outbound network traffic against a curated list of IOCs. The SIEM tracks connections and traffic against IOCs to evaluate security risks.
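The kind of IOC matching described above can be sketched as follows. This is an added example, not LuxProvide's code: the feed entries, event fields and function names are assumptions, and all indicator values are constructed from reserved documentation ranges.

```python
import ipaddress

# Constructed feed: reserved documentation ranges and placeholder values, not real indicators.
IOC_FEED = [("domain", "Bad-Domain.example"), ("ip", "203.0.113.0/24"),
            ("ip", "198.51.100.7"), ("sha256", "AB" * 32)]
# Constructed events, as a firewall or SIEM pipeline might see them after parsing.
EVENTS = [
    {"id": 1, "dst_ip": "203.0.113.45", "host": "cdn.bad-domain.example."},
    {"id": 2, "dst_ip": "192.0.2.10", "host": "notbad-domain.example"},
    {"id": 3, "src_ip": "198.51.100.7", "sha256": "ab" * 32},
    {"id": 4, "dst_ip": "not-an-ip", "host": ""},
]

def build_index(feed):
    """Normalise indicators once so lookups ignore case and trailing dots."""
    idx = {"domain": set(), "net": [], "sha256": set()}
    for kind, value in feed:
        if kind == "domain":
            idx["domain"].add(value.strip().rstrip(".").lower())
        elif kind == "ip":  # single addresses become /32 or /128 networks
            idx["net"].append(ipaddress.ip_network(value, strict=False))
        elif kind == "sha256":
            idx["sha256"].add(value.strip().lower())
    return idx

def match_event(idx, event):
    """Return (field, indicator) hits for one parsed event."""
    hits = []
    labels = (event.get("host") or "").rstrip(".").lower().split(".")
    # A listed domain covers its subdomains; compare whole labels, not substrings.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in idx["domain"]:
            hits.append(("host", suffix))
            break
    for field in ("src_ip", "dst_ip"):
        try:
            addr = ipaddress.ip_address(event.get(field, ""))
        except ValueError:
            continue  # absent or malformed address: skip, do not crash the pipeline
        hits += [(field, str(n)) for n in idx["net"] if addr in n]
    if (event.get("sha256") or "").lower() in idx["sha256"]:
        hits.append(("sha256", event["sha256"].lower()))
    return hits

def scan(events, feed=IOC_FEED):
    """Map event id -> hits, keeping only events that matched an indicator."""
    idx = build_index(feed)
    return {e["id"]: match_event(idx, e) for e in events if match_event(idx, e)}
```

Event 2 is the case worth noting: a substring comparison would flag `notbad-domain.example`, whereas label-wise suffix matching does not.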
Vulnerability and patch management also play a very important part in the overall security posture of MeluXina and its associated services.
Based on a combination of vulnerability scans, advisories from product vendors and technological watch, LuxProvide aims at being informed of discovered vulnerabilities as soon as possible.
By policy, vulnerabilities that are identified are addressed immediately, with mitigation measures applied differently based on patch availability, the criticality of the vulnerability and the context of its applicability.
Balancing Security and Performance
The general trade-off between security and performance is challenging in an HPC environment, where performance is key to achieving the objectives supercomputers are designed for.
LuxProvide has set up its information protection systems to minimise the impact on computational efficiency.
This was made possible by applying an efficient layered perimeter security strategy while keeping the security overhead at a minimum for MeluXina users.
LuxProvide enforces security at physical and logical levels by ensuring that only the intended customer has access to allocated resources. As an example, compute resources are dedicated for customers during the lifetime of a computational task, ensuring both privacy and performance.
Conclusion: Building a Secure Foundation for Innovation
LuxProvide aims at closing the gap between innovation and security by combining state-of-the-art HPC technologies with strong cybersecurity frameworks without compromising efficiency and user experience.
Certified compliance with international and European standards such as ISO27001, GDPR and NIS2 guarantees LuxProvide's sustained conformity with strict information system management security policies, while leveraging security-by-design concepts with a zero-trust architecture model ensures a strong operational security baseline.
This alignment between governance and operational security allows LuxProvide to be positioned as a trusted partner.