Information security DANS Data Stations and DataverseNL
General description
The DANS Data Stations and DataverseNL are web applications based on the Dataverse software, originally developed by the Institute for Quantitative Social Science (IQSS) at Harvard University. This software is open source and is actively developed by an international community, united in the Global Dataverse Community Consortium (GDCC). The source code is publicly available on GitHub, with Harvard University acting as the official maintainer.
DANS uses its own copy of the Dataverse source code and also develops its own improvements. These are submitted to the main project via pull requests. If approved, these contributions are incorporated into the central software.
As Dataverse is open-source software, it makes use of third-party libraries maintained and reviewed by the GitHub community. The software is used globally by over 120 institutions. Within the GDCC, members actively share information about security issues, enabling quick responses to potential vulnerabilities.
Information security policy
DANS follows the BIHO (Baseline Information Security for Higher Education) framework, including the maturity model issued by the Royal Netherlands Institute of Chartered Accountants (NBA).
A full audit is conducted every two years by SURF, complemented by an internal self-assessment. Together, these form the basis for continuous improvement of the organisation’s security policies and practices.
Service management
DANS uses a standard DTAP (Development, Testing, Acceptance, Production) environment for managing the DANS Data Stations and DataverseNL. Development takes place locally on developer workstations. Only the production server has access to real data; all other environments use test data.
The servers are owned by the ICT Services department of the Royal Netherlands Academy of Arts and Sciences (KNAW). System management is carried out jointly by ICT Services and DANS ICT support. All servers are hosted in the secure Interxion data centre in Amsterdam and are separated into dedicated network segments.
For DataverseNL, any new or modified code is tested on the acceptance server by local administrators at participating institutions. A separate demo server is available for testing and training purposes.
Security updates for the operating system, as well as for key software components (such as the web and application servers), are installed automatically. Production systems are protected with an additional security layer.
Data storage
Data are stored using SURFcumulus’ Object Store service and are replicated across three geographically separate locations in and around Amsterdam (at distances of 6, 8 and 12 km from each other).
Because Object Store currently lacks its own backup functionality, DANS uses Microsoft Azure, also part of the SURFcumulus suite, for off-site backups. All data are encrypted before upload, and encrypted backups are stored exclusively within the Netherlands.
Network traffic
Network traffic is monitored both by KNAW and, on a national level, by the Dutch National Cyber Security Centre (NCSC). DANS also uses SURFnet’s DDoS mitigation services.
The network is segmented and protected by a firewall. Production servers and test/staging environments are kept strictly separated.
DANS actively monitors its infrastructure for availability and performance indicators, such as CPU load, memory usage, disk space and bandwidth consumption.
User accounts
For DataverseNL, users are advised to log in using institutional accounts via SURFconext. It is also possible to create a local account, which must meet minimum password complexity requirements. Each participating institution is responsible for assigning user roles. These roles and their corresponding permissions are managed by local administrators.
At the DANS Data Stations, local accounts cannot be created. Users may log in with institutional credentials via SURFconext, or via external providers such as GitHub, Google or ORCID. All users are automatically assigned the DANS contributor role, allowing them to create datasets and submit them for review.
Administrator accounts
DANS follows the principle of “need to know”: access is granted only to staff who require it to perform their duties. Infrastructure access is centrally logged, while application-level data access is logged within the software itself.
Access rights are managed by DANS ICT support. DANS employees use institutional accounts via SURFconext, secured with two-factor authentication. When an employee leaves the organisation, the account is promptly deactivated. All accounts are personal and non-transferable.
A limited and controlled group of staff hold superuser roles for both DataverseNL and the DANS Data Stations. The Data Stations also support a data manager role, used by DANS data archivists for curation purposes.
All staff laptops and workstations are protected through encryption, password enforcement, update policies and antivirus software.
Certification
The technical infrastructure for the DANS Data Stations and DataverseNL is hosted by SURF and VANCIS, both of which are ISO certified.
Logging
All changes to published datasets are logged by the Dataverse software. Edits result in either a minor or major version, and all differences between versions are publicly viewable on the dataset’s “Versions” tab. Application administrators can also query the database to see what changes were made by which user.
Only the logging process itself has write access to the log files. System logs are also forwarded to external logging systems at KNAW ICT Services and are analysed using Security Operations Centre (SOC) tools and Security Information and Event Management (SIEM). Note: this external logging does not yet apply to application and web server logs.
Further information
For more detailed information, please see the frequently asked questions (FAQ) on information security.
© DANS.R.3.3 Version 1.0, May 13, 2025