A New Level in Security: ISO 27001:2013

DNAnexus is pleased to announce it has updated its Information Security Management System (ISMS) to comply with the current ISO/IEC 27001:2013 standard. DNAnexus cloud-based services for secure genomic information management and analysis are implemented and delivered within the framework of this updated internationally recognized security standard.

In recent years, ISO/IEC 27001 and the accompanying ISO/IEC 27002 (information security management controls) have been revised. The new version, ISO/IEC 27001:2013, is the first revision since ISO/IEC 27001:2005 and puts more emphasis on measuring and evaluating how well an organization’s ISMS is performing.

DNAnexus has always taken a proactive approach to security and compliance. With the updated ISO 27001:2013 security standard, regulatory compliance has never been more robust, providing customers with the highest level of data security for both research and clinical use.

Interested in learning more about ISO 27001 or the DNAnexus platform’s compliance with HIPAA, CLIA, dbGaP, and EU Privacy? A number of detailed white papers on the subject are provided on the DNAnexus website.

Security Update: GHOST Vulnerability

On January 27, 2015, a security vulnerability known as GHOST (CVE-2015-0235) was disclosed, impacting many Linux systems. The vulnerability could potentially be exploited to steal sensitive data such as encryption keys and user passwords. We have no evidence that any DNAnexus customer data or credentials were compromised using this vulnerability, and an in-depth analysis of the vulnerability attack vectors indicates that such a compromise was unlikely.

At DNAnexus, the security of our clients is our top priority. As soon as the vulnerability was disclosed, we started identifying services on our platform that were affected. All such services were patched to eliminate the vulnerability within 5 hours after it was initially disclosed. After this initial response, we started a thorough analysis of how our systems and the security of our clients could have been affected. The analysis found no indications of exploit, and we were able to exclude large portions of our systems from the hypothetical risk of attack. However, due to the scope of the vulnerability, we are continuing the analysis and will update here if any additional information is found.

We welcome customer feedback – if you have any questions or comments about our security practices, please reach us at support@dnanexus.com.

Interactive jobs: connecting to DNAnexus with SSH

In the quest to make app development on the DNAnexus platform easier and more interactive, we are excited to announce today a new feature – SSH connections to compute jobs. Bioinformaticians and Linux developers are familiar with the SSH command, used to connect to remote computers over the network. The new feature makes it easier to monitor DNAnexus jobs, debug them if something goes wrong, or use DNAnexus workers as powerful interactive workstations in the cloud. Jobs running on the DNAnexus platform can now be optionally configured to allow SSH connections to their execution environment.

By default, DNAnexus jobs have always been firewalled from the Internet, and only have network access to the DNAnexus API. This default will remain, but now three new command-line options are available when launching your job:

  • Running dx run <executable> --allow-ssh will configure your job to open the SSH port for network connections from IP ranges that you specify.
  • Running dx run <executable> --ssh will do the same as above, but also immediately connect to the job as soon as it starts running.
  • Running dx run <executable> --debug-on <error-type> will configure your job’s execution environment to set a breakpoint, so that if the job encounters an error, you can connect to it over SSH and examine what went wrong.

As before, outbound access by jobs can be configured using network access permissions. Inbound access is restricted to SSH connectivity only, and must be enabled explicitly by the user at run time using the options above.
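A pre-flight check for the source ranges handed to --allow-ssh, as an added example (not DNAnexus code). It assumes --allow-ssh takes one address or CIDR range per occurrence and can be repeated; the prefix floors and the executable name app-example are hypothetical.

```python
import ipaddress

# Hypothetical policy: the broadest source range we let a job accept SSH from.
MIN_PREFIX = {4: 24, 6: 64}
# Ranges that never reach a cloud job as a source address; passing one usually
# means the workstation's LAN address was used instead of its public egress IP.
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

class SourceRangeError(ValueError):
    """A requested SSH source range violates the allow-list policy."""

def check_source(text):
    """Return the normalised range, or raise SourceRangeError."""
    try:
        # strict=True rejects host bits set, e.g. 198.51.100.7/24.
        net = ipaddress.ip_network(text.strip(), strict=True)
    except ValueError as exc:
        raise SourceRangeError(f"{text!r}: {exc}") from None
    if net.prefixlen < MIN_PREFIX[net.version]:
        raise SourceRangeError(f"{net}: broader than /{MIN_PREFIX[net.version]}")
    if any(b.version == net.version and net.overlaps(b) for b in NOT_ROUTABLE):
        raise SourceRangeError(f"{net}: not a public source range")
    # A single host is emitted without the /32 or /128 suffix.
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)

def build_run_command(executable, sources):
    """Build the dx run argv with one --allow-ssh per validated range."""
    if not executable or executable.startswith("-"):
        raise ValueError("executable must be a name, not an option")
    if not sources:
        # Assumption: we require explicit ranges rather than a bare --allow-ssh.
        raise SourceRangeError("at least one source range is required")
    argv = ["dx", "run", executable]
    for rng in sorted({check_source(s) for s in sources}):
        argv += ["--allow-ssh", rng]
    return argv

if __name__ == "__main__":
    # Constructed sample input (documentation address ranges).
    print(" ".join(build_run_command("app-example",
                                     ["198.51.100.7", "203.0.113.0/24"])))
```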

One-time setup of your user account is required to allow use of SSH connections. Use dx ssh_config to perform this setup. This will generate a new SSH key pair, which you can protect with a password, and configure your account with the public key. Only you and the job you’re connecting to can see the public key; the private key remains on the computer that you ran dx ssh_config on.

When you log in, the system will automatically start the byobu window manager running the tmux terminal multiplexer, so that you can use multiple terminals to monitor the job and do other tasks, and can resume where you left off if you get disconnected. Further information on the state of the job and on how to use the terminal is presented in a banner when you log in.

We have been using this feature for the past few weeks, and it has already proven to be a great tool for debugging and understanding the performance of our genomics tools in the cloud. Detailed documentation is available on the DNAnexus wiki. We have also provided a tutorial on deploying an interactive “Cloud Workstation” to explore and manipulate data stored on DNAnexus as you would on a local Linux machine.

If you have any questions or comments, don’t hesitate to ask them on DNAnexus Answers!