This article applies to: Shared File Services
- Access to SFS shares will be restricted to on-campus IP addresses (including VPN).
- No encryption is built into the SFS service. Customers can use their own encryption tools to encrypt their data (cf. Policy 5.3, Use of Escrowed Encryption Keys).*
CIFS shares will reside in the Cornell Active Directory (AD) domain and can be presented through Cornell AD’s DFS namespace.
- CIFS volumes have an inherited, recursive ACL entry of "(OI)(CI)F" for the Cornell AD group you specify for “administrative” purposes.
- End-users should be in different (non-administrative) Cornell AD groups.
- End-users should never be granted ‘Full Control’.
- The “everyone” group is removed.
- SFS administrators have no ACLs on your volume.
- NFS shares can be restricted to a list of explicit servers, as defined by the customer when submitting a request (or change) for an NFS share.
* HIPAA shares utilize encryption for data-in-flight. Data is not encrypted at-rest on SFS.
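
A check of the CIFS ACL rules listed above, as an added example that is not part of the original article or of any SFS tooling: it parses text saved from running `icacls` on the share root and flags an Everyone entry, Full Control held outside the administrative group, or a missing inherited administrative entry. The server, share and group names are constructed.

```python
import re

# Tokens that modify an ACE rather than name a right.
MODIFIERS = {"OI", "CI", "IO", "NP", "I", "DENY"}
EVERYONE = {"everyone", "s-1-1-0"}

def parse_icacls(text, path):
    """Return [(principal, modifiers, rights)] from saved `icacls <path>` output."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if path and line.startswith(path):
            line = line[len(path):].strip()   # first line is prefixed by the path
        who, sep, perms = line.rpartition(":")
        if not sep or not who:
            continue                          # blank line or the summary trailer
        # Accept both "(OI)(CI)(F)" (icacls output) and "(OI)(CI)F" (as on the page).
        tokens = [a or b for a, b in re.findall(r"\(([^)]*)\)|([A-Za-z,]+)", perms)]
        mods = {t for t in tokens if t in MODIFIERS}
        rights = {r for t in tokens if t not in MODIFIERS for r in t.split(",")}
        aces.append((who, mods, rights))
    return aces

def audit(aces, admin_group):
    """Check the ACL against the rules in the list above; return findings."""
    findings, admin_ok = [], False
    for who, mods, rights in aces:
        if who.lower() in EVERYONE:
            findings.append(f"{who}: the Everyone group should have been removed")
        if "DENY" in mods or "F" not in rights:
            continue
        if who.lower() == admin_group.lower():
            admin_ok = admin_ok or {"OI", "CI"} <= mods
        else:
            findings.append(f"{who}: Full Control held outside the administrative group")
    if not admin_ok:
        findings.append(f"{admin_group}: inherited (OI)(CI)F entry not found")
    return findings

# Constructed sample (server, share and group names are made up).
SAMPLE_PATH = r"\\files.example.edu\dept-share"
SAMPLE = r"""\\files.example.edu\dept-share EXAMPLE\dept-sfs-admins:(OI)(CI)(F)
                               EXAMPLE\dept-staff:(OI)(CI)(M)
                               EXAMPLE\dept-interns:(OI)(CI)(F)
                               Everyone:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for finding in audit(parse_icacls(SAMPLE, SAMPLE_PATH), r"EXAMPLE\dept-sfs-admins"):
        print(finding)
```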