Friday, July 13, 2018

Trusted CI 5-year Vision and Strategy

The Trusted CI team is pleased to announce the publication of “The Trusted CI Vision for an NSF Cybersecurity Ecosystem”.  From the introduction:

This document establishes Trusted CI’s vision for an NSF Cybersecurity Ecosystem – a collection of people, knowledge, processes, and cyberinfrastructure – that is necessary to support cybersecurity across the diverse NSF community. Trusted CI is primarily responsible for bringing the vision of an NSF Cybersecurity Ecosystem to fruition. Hence, following Trusted CI’s vision is its mission statement and five-year strategic plan to fulfill that role.

This living document will guide our activities going forward and we welcome community feedback as to its content. As implied in the above paragraph, the vision is broader than any one project can accomplish and we will collaborate with others in the community to achieve this vision.

A full citation for the Vision document follows.  We’ll update the document with subsequent versions as required to keep abreast of progress, suggestions, and changes.

V. Welch, J. Basney, C. Jackson, J. Marsteller, and B. Miller, “The Trusted CI Vision for an NSF Cybersecurity Ecosystem And Five-year Strategic Plan (2019-2023),” Trusted CI, Apr. 2018 [Online]. Available: http://hdl.handle.net/2022/22178.

Wednesday, July 11, 2018

Trusted CI at PEARC’18

PEARC 18 (July 22-26) in Pittsburgh, PA, is just around the corner, and Trusted CI will have a strong presence there. The conference is an all-inclusive event for scientists, engineers, scholars, artists, and educators who depend on efficient, secure, and reliable digital infrastructure. This year's theme is seamless creativity.

Trusted CI staff will present two workshops: one on practical information security for science projects, and one on building security into the development, packaging, distribution, and management of software in support of science and research. The first, “Practical Cybersecurity Programs for Science Projects and Facilities,” covers the foundational elements of a cybersecurity program necessary to provide a secure and safe environment for science, focusing on the four pillars of such a program: Alignment to Mission (identification of critical resources and processes); Resources (money, people); Governance (roles and responsibilities, risk management and acceptance, policies); and Controls (selecting a good baseline control set). It will also include guidance on maintaining and evaluating an established cybersecurity program. The second, “Software Engineering Practice for Science, Research, and Scientific CI,” will introduce the Software Engineering Guide, which provides guidance and tools for building security into the development, packaging, distribution, and management of software in support of science and research. Participants will leave with a strategy for improving security in any performance computing or scientific CI project that uses or produces software, and a preview of new tools coming out of the NSF CCoE for software security programs.

Along with the two workshops, Trusted CI’s Von Welch will moderate a panel following Anita Nikolich’s keynote talk, “Hacking Academia.” The panel is intended as a “fireside question and answer” session with Ms. Nikolich, further exploring key concepts from her keynote, which will discuss the necessity of feedback loops between the academic community, cybersecurity operators, and underground security researchers.

Finally, Trusted CI is proud to announce that this year it will be participating in PEARC’s Partner Program, and thus will have a table in the exhibitors’ area to network. So, if you attend the conference, stop by and say hello.

Tuesday, July 10, 2018

CCoE Webinar July 23rd at 11am ET: Trustworthy Computing for Scientific Workflows

Mayank Varia and Andrei Lapets are presenting the talk "RSARC: Trustworthy Computing over Protected Datasets" on Monday July 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

There has been an unprecedented increase in the quantity of research data available in digital form. Combining these information sources within analyses that leverage cloud computing frameworks and big data analytics platforms has the potential to lead to groundbreaking innovations and scientific insights. As developers and operators of the widely used Dataverse repository and the Massachusetts Open Cloud platform, we have been working to advance this innovative revolution by colocating datasets in common platforms, curating and tagging datasets with both functional and legal access policies, offering helper services such as search and easy citation to promote sharing, and providing on-demand computational platforms to ease analytics. Unfortunately, we observe that a certain segment of our scientific user base cannot enjoy the full transformative capacity achievable within our cyberinfrastructure. Due to concerns over the privacy and confidentiality of their data sources, or the potential of commercial exploitation of their raw data sets, these researchers are isolating themselves within siloed data repositories and well-protected computational enclaves rather than sharing their datasets with fellow scientists.

This talk will describe cryptographic technological enhancements that are ready to provide scientific researchers with mechanisms to do collaborative analytics over their datasets while keeping those datasets protected and confidential. Secure multi-party computation (MPC) is a cryptographic technology that allows independent organizations to compute an analytic jointly over their data in such a manner that nobody learns anything other than the desired output. Hence, MPC empowers organizations to make their data available for collective data aggregation and analysis while still adhering to pre-existing confidentiality constraints, legal restrictions, or corporate policies governing data sharing. Our new Conclave framework can connect to many existing backend stacks where the data already live, can automatically analyze a query to identify when a computation must cross data silos, and can leverage MPC in a scalable and usable manner when it is necessary to enable the computation.

In summary, while data sharing cyberinfrastructures today are intended to allow everyone to benefit from the initial cost of having one researcher collect data, privacy concerns (and the resulting breakdown of data sharing) transform this burden into a marginal cost that every researcher who wants access to the data must pay. We will describe how a holistic integration of secure MPC into a scientific computing infrastructure addresses a growing need in research computing: enabling scientific workflows involving collaborative experiments or replication/extension of existing results when the underlying data are encumbered by privacy constraints.
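To make the MPC property described in the abstract concrete ("nobody learns anything other than the desired output"), here is an added illustration that is not part of the talk and is not code from the Conclave framework or the speakers: a toy secure sum built on additive secret sharing over a prime field. Each party splits its input into random shares, so any single party's view is uniformly random on its own, yet the published partial sums recombine to the joint total. The modulus, party count and sample inputs are constructed for the demo, and the code assumes a semi-honest setting with a private channel between each pair of parties.

```python
"""Toy secure sum via additive secret sharing (added illustration, not Conclave).

Assumptions (not from the talk): semi-honest parties, a private channel between
each pair of parties, and non-negative integer inputs whose total is smaller
than PRIME so that the field sum equals the ordinary sum.
"""
import secrets

PRIME = 2**61 - 1  # constructed demo modulus; a real deployment picks its own field


def share(value: int, n_parties: int) -> list[int]:
    """Split `value` into n_parties additive shares over Z_PRIME.

    The first n_parties-1 shares are uniformly random and the last is chosen so
    that all shares sum to `value` mod PRIME. Any proper subset of the shares is
    therefore uniformly distributed and carries no information about `value`.
    """
    if not 0 <= value < PRIME:
        raise ValueError("input must lie in [0, PRIME)")
    if n_parties < 2:
        raise ValueError("need at least two parties to share a secret")
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Recombine a complete set of additive shares."""
    return sum(shares) % PRIME


def party_view(dealt: list[list[int]], j: int) -> list[int]:
    """Everything party j receives: one share of each party's input.

    Each entry is an independent uniform value, so this view is consistent
    with any choice of inputs; only the published partial sums add information,
    and they add exactly the total.
    """
    return [dealt[i][j] for i in range(len(dealt))]


def secure_sum(inputs: list[int]) -> int:
    """Compute sum(inputs) so that no party learns another party's input.

    Round 1: party i shares x_i and sends share j to party j (private channel).
    Round 2: party j adds the shares it received and publishes that partial sum.
    Output : everyone adds the published partial sums.
    """
    n = len(inputs)
    # dealt[i][j] is the share of input i that party j receives
    dealt = [share(x, n) for x in inputs]
    # party j's local computation on the shares it holds
    partials = [sum(party_view(dealt, j)) % PRIME for j in range(n)]
    return reconstruct(partials)


if __name__ == "__main__":
    # constructed sample inputs, e.g. record counts held by three data silos
    inputs = [1200, 340, 9]
    print("joint total:", secure_sum(inputs))  # 1549
    dealt = [share(x, len(inputs)) for x in inputs]
    print("party 0 sees only random shares:", party_view(dealt, 0))
```

The toy shows the core idea only: it tolerates parties that follow the protocol but are curious, not parties that send malformed shares or collude with everyone else. Production frameworks add authenticated channels, malicious-security checks, and a compiler that decides, as the abstract says of Conclave, which parts of a query actually need to cross silo boundaries.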

Mayank Varia is a research associate professor of computer science at Boston University and the co-director of the Center on Reliable Information Systems & Cyber Security (RISCS). His research interests span theoretical and applied cryptography and their application to problems throughout and beyond computer science. He currently directs an NSF Frontier project that addresses grand challenges in cloud security, aiming to design an architecture where the security of the system as a whole can be derived in a modular, composable fashion from the security of its components (bu.edu/macs). He received a Ph.D. in mathematics from MIT for his work on program obfuscation.

Andrei Lapets is Associate Professor of the Practice in Computer Science, Director of Research Development at the Hariri Institute for Computing, and Director of the Software & Application Innovation Lab at Boston University. His research interests include cybersecurity, formal methods and domain-specific programming language design, and data science. He holds a Ph.D. from Boston University, and A.B. and S.M. degrees from Harvard University.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, July 9, 2018

Cyberinfrastructure Vulnerabilities 2018 Q2 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise. Some of the sources we monitor for possible threats to CI include:

In 2Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 91 subscribers:

If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available through https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Tuesday, July 3, 2018

NSF Cybersecurity Summit lodging deadline approaching

We would like to remind everyone that the deadline for reserving a room for the 2018 NSF Cybersecurity Summit at the discounted conference rate is July 12th. The number of available rooms in our block is limited so please reserve your room as soon as possible. You can book your hotel reservation for the conference here or go to the trustedci.org website and click on the link for the 2018 NSF Cybersecurity Summit and click on the link for The Westin Alexandria.


Also, if you have not already registered for the summit, please do so here.

Friday, June 29, 2018

Trusted CI Completes Engagement with GenApp

GenApp (NSF OAC-1740097) is a tool for rapidly generating science gateways. The goal of GenApp is to provide a graphical frontend and associated server backend for command line scientific applications. Trusted CI began an engagement with GenApp in January 2018, and completed the engagement in June 2018.

The engagement focused on performing a security review of the GenApp codebase and the various web applications generated by GenApp, as well as evaluating the technologies and architectures utilized by the GenApp development framework. Trusted CI worked with the GenApp team to create architectural diagrams, ran automated tools to analyze GenApp systems, and manually inspected key components of source code for vulnerabilities.

Findings included the need for more systematic sanitization of user input, keeping libraries up to date, and recommendations for secure settings of web services of GenApp-generated applications.

The GenApp staff has graciously consented to publication of the engagement report after a sufficient period to implement suggestions for remediation of issues. Trusted CI will contact GenApp towards the end of 2018 to verify that issues have been addressed, after which the engagement report will be made available to the public. The hope is that other NSF-funded projects which are primarily software-based can learn from the tasks accomplished during this engagement.

Thursday, June 21, 2018

NCSA video and news story about Trusted CI

The Trusted CI team is a partnership of Indiana University, the National Center for Supercomputing Applications (NCSA) at the University of Illinois, the University of Wisconsin-Madison, and the Pittsburgh Supercomputing Center.

Recently NCSA produced a short video about Trusted CI, titled "NCSA's Partnership with Trusted CI helps secure over $7 Billion worth of Science." Read the corresponding news story here.