Monday, May 7, 2018

Trusted CI Webinar May 21st at 11am ET: The EU General Data Protection Regulation (GDPR)

CACR's Scott Russell is presenting the talk, "The EU General Data Protection Regulation (GDPR)" on May 21st at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The European Union’s General Data Protection Regulation (GDPR) is slated to come into effect on May 25, 2018, and organizations around the world are struggling to determine whether they are covered, what is required, and what will happen if they don’t satisfy its requirements.

This webinar will provide an introduction to GDPR, including an overview of the law's requirements, an in-depth discussion of when and to whom the law may apply, and potential strategies for organizations that are unsure of whether they are covered. The webinar will also provide insight into the motivation behind the law, the legal and practical ramifications of its enforcement outside of the EU, and highlight current uncertainties relating to the scope and impact of the law. Attendees will leave with an improved understanding of how GDPR may impact their organization, and will be equipped with basic strategies to manage risks arising from the enforcement of the law.

This webinar is a product of the Trusted CI, the NSF Cybersecurity Center of Excellence. Trusted CI is supported by the National Science Foundation under Grant Number ACI-1547272. For more information about the Trusted CI please visit: Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research (CACR), where his work focuses on privacy and cybersecurity policy. A lawyer and researcher, Scott received his B.A. in Computer Science and History from the University of Virginia, received his J.D. from Indiana University, interned at MITRE, and served as a postdoctoral fellow at CACR.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, April 24, 2018

Announcing: 2018 NSF Cybersecurity Summit Call for Participation and Student Program

Greetings! It is our great pleasure to announce and invite you to the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.  The event will take place Tuesday, August 21st through Thursday, August 23rd, at the Westin Alexandria near the new National Science Foundation Headquarters in Alexandria, VA. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities. Registration and hotel reservations details will be announced in the coming weeks. We are pleased to announce the call for participation and student program are now open!

Call for Participation (CFP) - Now Open
Program content for the summit is driven by our community. We invite proposals for presentations, breakout and training sessions as well as nominations for student scholarships. The deadline for CFP submissions is June 13th. To learn more about the CFP, please visit:

Student Program - Accepting Applications
Each year, the summit organizers invite several students to attend the summit. Students who are interested in complex cybersecurity needs around and new, efficient, effective ways to protect information assets while supporting science will benefit more from attending.
Undergraduate and Graduate students may self-nominate or be nominated by a teacher or mentor. The deadline for applications is June 4, 2018. To learn more about the Student Program, please visit:

On behalf of the 2018 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in August.

Wednesday, April 11, 2018

Trusted CI Webinar April 23rd at 11am ET: Toward Security-Managed Virtual Science Networks

Duke University's Jeff Chase and RENCI's Paul Ruth are presenting the talk, "Toward Security-Managed Virtual Science Networks" on April 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Data-intensive science collaborations increasingly provision dedicated network circuits to share and exchange datasets securely at high speed, leveraging national-footprint research fabrics such as ESnet or I2/AL2S.   This talk first gives an overview of new features to automate circuit interconnection of science resources across campuses and in network cloud testbeds, such as GENI (e.g., ExoGENI) and NSFCloud (e.g., Chameleon).    Taken together, these tools can enable science teams to deploy secure bandwidth-provisioned virtual science networks that link multiple campuses and/or virtual testbed slices, with integrated in-network processing on virtual cloud servers.

Next, we outline a software framework to address security issues arising in these virtual science networks.   We show how to deploy virtual science networks with integrated security management programmatically, using software-defined networking and network function virtualization (SDN/NFV).   As an example, we describe a prototype virtual Network Service Provider that implements SDX-like functionality for policy-based interconnection of its customers, and incorporates out-of-band monitoring of permitted flows using Bro intrusion detection instances hosted on cloud VMs.  We also describe how to use a new logical trust system called SAFE to express and enforce access policies for edge peering and permitted flows, and to validate IP prefix ownership and routing authority (modeling RPKI and BGPSEC protocols) in virtual science networks.

This material is based upon work supported by the National Science Foundation under Grants No. (ACI-1642140, ACI-1642142, CNS-1330659, CNS-1243315) and through the Global Environment for Network Innovations (GENI) program.  Any opinions, findings, and conclusions or recommendations do not necessarily reflect the views of NSF.
Jeffrey S. Chase is a Professor of Computer Science at Duke University.  He joined Duke in 1995 after receiving his PhD in Computer Science from the University of Washington (Seattle).    He was an early leader in automated management for cluster services, cloud hosting systems, and server energy management.   He served as an architect in NSF’s GENI project and is a principal of ExoGENI, a multi-campus networked cloud testbed.

Paul Ruth is a Senior Research Scientist at RENCI-UNC Chapel Hill.  He received his PhD in Computer Science from Purdue University in 2007.  He has been a primary contributor to the ExoGENI testbed since 2011 and is currently the networking lead for the NSF Chameleon testbed.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, April 9, 2018

Cyberinfrastructure Vulnerabilities 2018 Q1 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.

Some of the sources we monitor for possible threats to CI include:

In 1Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 3 vulnerability alerts to 91 subscribers:

If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through This mailing list is public and the archives are available through

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at

Tuesday, April 3, 2018

Single vs multiple users on a cluster node?

Trusted CI recently received the following query from Chester Langin and are sharing his question and our answer with his permission:
As a security person, can you tell me the advantages and disadvantages of allowing more than one than one user on a cluster node at a time?  I ask because we just moved from Rocks/SGE to OpenHPC/SLURM.  Our old cluster allowed multiple users per node so, with 20 cores as an example, users with jobs running 8, 8, and 4 cores could all be running on the same compute node.  This provides high efficiency.  Our new cluster apparently restricts this so if the first user runs a job with, say 8 cores, nobody else can use that same node and 12 cores are not being used.  So, our users will be noticing that jobs will be backing up in queue.
Should we configure SLURM to allow multiple users per node?  Do you have a recommendation?  Can you give me pros and cons?
This is a classic example of a risk/reward trade-off. As you note in your question, allowing only a single user per node has the down side of lower efficiency. So what do you gain? 

There are risks with allowing multiple users per node in that user accounts are not as strong a guarantee of isolating users from each other as is having them on separate nodes. Bugs in the underlying system  (and hypervisor if we’re talking virtual machines), misconfigurations of the operating system, and errors in setting file permissions can allow information, potentially sensitive information and credentials, to leak between users on the same node. Some examples include CVE-15566, CVE-2017-5715, CVE-2017-4924. Additionally we've seen two recent cases in our software assessments where we found file system permissions were set too permissive allowing users to see each other data.

Hence you gain some risk reduction. We assume you can estimate the value of the efficient reduction in terms of lost CPU time, but how to you estimate the benefits of the risk reduction so you can compare these two things?

Unfortunately, quantifying this trade-off isn’t trivial - it’s a judgement call. Some questions to ask to determine which path makes sense for your system involved gauging the consequences of the security risks:
  • How big and diverse is your user community? If your users are all from a collaborating community or within the same institution, the consequences of data leakage could be lower. But if you have users who are competing research groups or companies, the stakes could be higher
  • What type of data does your system handle? Is it regulated data or other sensitive data that would increase the impact of the risks in question?
  • How you handle an incident can greatly impact its consequences. How poised are you to handle a incident if it occurs? Do you have a incident response plan in place that you regularly exercise? 
  • What is the risk tolerance of your stakeholders? Are you expected to squeeze every ounce of performance out of the system or is reputation considered more important? Is there any recent history related to security incidents that may impact this?

Monday, March 26, 2018

Upcoming events featuring Trusted CI

Interested in the latest from Trusted CI? Want a chance to chat in person with us? Members of Trusted CI will be participating in a number of upcoming events over the next few months.

EDUCAUSE Security Professional Conference 2018 (April 10-12) in Baltimore, MD. EDUCAUSE brings higher education security professionals together to network and discuss current trends in the industry. Trusted CI's Mark Krenz and Warren Raquel are presenting training sessions on Incident Response and Security Log Analysis. Also, Trusted CI's Von Welch and Jim Basney are co-presenting with IU CACR's Anurag Shankar on Cybersecurity for Research on Campus.

KINBERCON (April 23-25) in Harrisburg-Hershey, PA. KINBERCON's focus is on next generation networks and technology, and brings together leaders in education, healthcare, libraries, and government. The format of KINBERCON includes panels and technical workshops. There are many opportunities for collaborative discussions with speakers and attendees. Trusted CI's Von Welch will be presenting on the project and the intersection of campus IT, info sec, and research.

The 2018 NSF SI2 PI Meeting (April 30-May 1) in Washington, D.C. The SI2 PI workshop brings together PIs to present their projects to fellow PIs through posters, lightening talks, and brief presentations. Trusted CI's Von Welch is presenting "Software Security: Selecting engineering and security practices to enable robust CI and trustworthy science."

Internet2 Global Summit (May 6-9) in San Diego, CA. The summit focuses on advanced and trusted infrastructure, identity, federation and access management, and solutions for researchers with the goal of benefiting the entire research and education ecosystem. Trusted CI's Jim Basney will be co-presenting CACR's Anurag Shankar on "Cybersecurity for Research on Campus: Not Just HIPAA & FISMA."

PEARC 18 (July 22-26) in Pittsburgh, PA. PEARC is an all-inclusive event for scientists, engineers, scholars, artists, and educators who depend on efficient, secure, and reliable digital infrastructure. This year's theme is seamless creativity. Presentation abstracts are still under review. Trusted CI intends to attend and present at this year's conference and will update the community as more information is available.

The 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure (August 21- 23) in Alexandria, VA. The Summit is hosted by Trusted CI and welcomes cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI Community, as well as key stakeholders and thought leaders from the broader scientific and information security communities. The Summit includes training sessions, plenary session, and opportunities to network and socialize with peers. Be on the lookout for our call for proposals.

Whether you are an operational security pro, high speed networking researcher, NSF PI, or identity management specialist; the coming months present some interesting opportunities to network and collaborate. We look forward to seeing you at these events.

Thursday, March 22, 2018

New name, same mission

Dear friends of CTSC,

We're writing to announce that the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is becoming Trusted CI, the NSF Cybersecurity Center of Excellence.

Why are we making this change? While it clearly conveyed our mission, our initial name was a mouthful -- and, with the added CCoE designation, we found that people struggled to remember it. Trusted CI will build better name recognition, through consistent branding across our website ( and social media (@TrustedCI). 

The new name still emphasizes what we're about: Achieving the NSF goal of creating high-quality, trusted cyberinfrastructure (CI) that supports high-quality, trusted science. It will also make it easier for you to remember how to get help for your NSF CI projects: Email (be sure to identify which NSF project your query relates to). 
As we roll out the new branding this spring, we'd like to extend an active invitation to engage our services. From quick questions to collaborative engagements lasting months, Trusted CI tackles challenges of all sizes. 

We're happy to assist with anything related to cybersecurity for NSF CI projects, and we're focused on tailored solutions that impact your work as little as possible. And now all you have to remember is Trusted CI!