Monday, October 30, 2017

IAM for Research Organizations at AGU17

CILogon and CTSC are co-organizing a workshop on Identity and Access Management for Research Organizations co-located with the 2017 AGU Fall Meeting. The workshop will provide an overview of identity and access management (IAM) issues including single sign-on (SSO) facing research collaborations and demonstrate IAM solutions available to both large and small collaborations using interactive tutorials. CTSC's Jim Basney and Scott Koranda will present.

The workshop will be held Sunday, December 10 from 9am to 5pm CT at the Hilton New Orleans Riverside. Visit the workshop's Eventbrite page to register. There is no registration fee. Space is available for up to 20 attendees.

Workshop topics will include:
  • Research Identity Management Process Needs
  • Federated Identity for Authentication (SAML and OIDC)
  • The Complexities of SAML Federation
  • Non-Browser Clients and Federated Identity
  • Participant Lifecycle Management
  • Application Integration and Provisioning

Please contact jbasney@illinois.edu with any questions about the workshop.

Tuesday, October 10, 2017

Open Science Cyber Risk Profile publications

The Open Science Cyber Risk Profile (OSCRP) is a living document, developed under leadership from CTSC and ESnet, designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. We're happy to share an update on its usage and appearances.

Richard LeDuc, Director of Computational Proteomics at the Proteomics Center of Excellence, Northwestern University, presented a poster "Protecting Proteomic Data Processing on the TDPortal with the Open Science Cyber Risk Profile" at the 65th ASMS Conference on Mass Spectrometry and Allied Topics. The TDPortal is the front end to the research system of the National Resource for Translational and Developmental Proteogenomics (NRTDP) running on high performance computing at Northwestern University. The poster describes the NRTDP's use of the OSCRP to manage risks for the TDPortal.

Two recent articles also covered OSCRP: the University of California IT Blog published “Helping Scientists Understand Research Cyber Risks,” and it was the subject of an article in IEEE Security and Privacy Magazine.

Monday, October 9, 2017

CCoE Webinar Oct. 23rd 11am ET: Incident Response in an Open and Decentralized Network

Berkeley Lab's Aashish Sharma is presenting the talk "Incident Response in an Open and Decentralized Network" on October 23rd at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation with attached calendar file.

This talk presents various aspects and challenges of monitoring and securing a big research network while keeping it open and usable. We focus on issues faced due to the following attributes:
  1. decentralization
  2. high speed
  3. BYOD policy
  4. openness

We further provide insights into our detection and incident response process using some real-world examples, and how the above attributes influence this process.

More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, September 27, 2017

CTSC welcomes two leading CIOs to its Advisory Committee

We are very pleased to welcome new members to the CTSC Advisory Committee:

Dr. David Halstead is the CIO for the National Radio Astronomy Observatory, a facility of the NSF operated under cooperative agreement by AUI, where his responsibilities are divided between Data Management for the Observatory's HPC infrastructure in support of the national radio telescopes, and the general IT support for 500+ employees. He has served on a number of SuperComputing committees and is a founding member of the ACM's SIGHPC Education Chapter. Prior to joining NRAO, he worked in the DOE Scalable Computing Laboratory in Ames Lab, and in the private sector with Celera Genomics.

Dr. Melissa Woo is the Senior Vice President for Information Technology (IT) and Chief Information Officer at Stony Brook University. Prior to joining Stony Brook University, Melissa was the Vice Provost for Information Services and Chief Information Officer at the University of Oregon. Melissa has also worked for the central IT organizations at the University of Wisconsin-Milwaukee and the University of Illinois at Urbana-Champaign leading and supporting a number of areas, including research cyberinfrastructure, enterprise IT services, and IT operations and infrastructure.
David and Melissa join a committee that consists of Tom Barton of the University of Chicago, Neil Chue Hong of the UK Software Sustainability Institute, Nicholas Multari of Pacific Northwest National Lab (PNNL), and Nancy Wilkins-Diehr of the San Diego Supercomputing Center.

Both David and Melissa bring key expertise and experience to the advisory committee. David, as CIO of NRAO, has the perspective of an NSF Large Facility and the cybersecurity challenges such facilities face in supporting research. Melissa, as CIO at Stony Brook, brings a wealth of experience in higher education IT and the key role it has in supporting research nationally.

We thank both David and Melissa for joining the CTSC Advisory Committee and look forward to working closely with them to support research and science cybersecurity challenges.

We also take this opportunity to thank Don Middleton of NCAR for his service on the Advisory Committee and wish him well in retirement.

Thursday, September 21, 2017

Ask CTSC: Questions for leadership to ask when considering handling regulated data.

We at CTSC field questions from the community about cybersecurity, either sent directly to the team or via the ask@trustedci.org email address. To better help a broader portion of the community, we're going to start posting our responses here on the blog so they are available. (Don't worry, if your question is sensitive in some way we'll either answer it privately or work with you to sanitize it.) This represents the first of such answers. -Von

Yesterday we received the following question from a member of the community:

What are the key questions that research computing leadership or a VP/VC/Dean of research should be asking themselves if they are considering taking on regulated data?

The question came with an "I need this by Friday" plea, so here's our admittedly quick answer. Please chime in with a comment if you have suggestions.

Questions for leadership to ask when considering handling regulated data.
  • How can you best be involved at the contract negotiation phase? A number of folks have had success negotiating regulated data terms out of contracts.
  • How do you track demand and judge when it is time to take the compliance plunge? Sometimes it will be one large project that will justify the cost; other times it will be an aggregation of smaller requests and an expectation of future need.
  • How do you track the actual needs of the researchers? While we tend to think of compliance for infrastructure or projects, the real issue is the end-to-end workflows of the researchers. In general you want to implement your compliance infrastructure to satisfy as many workflows, hence projects, as possible.
  • When does outsourcing compliance make sense? At the 2017 NSF Cybersecurity Summit, we heard from three major cloud vendors with compliance solutions, and it was clear that while they handle key parts of compliance, it is at most a partnership and responsibility still resides with the institution.
  • What formal processes and mechanisms will you need to institute to manage regulated data contracts? Ideally, the PI would contact the Office of Research Administration, which would then work with the CISO/central IT/research computing/compliance to evaluate needs, provide resources and a security budget for the PI to include in the contract, and help PIs with reporting to the agency (e.g. for FISMA).
  • How will you develop regulatory expertise/training? Many campuses with medical schools have HIPAA expertise, but other regulations which contracts will likely include going forward, e.g. CUI/NIST 800-171 and FISMA, have not been a concern in academia.
  • How will you manage third parties (e.g. business associates for HIPAA)? This will require due diligence assessments and possibly additional costs for services.
  • How will you handle breach notification?

Added based on follow-up questions since the original post:
  • How will you get buy-in from all the impacted parties? This will impact a number of groups across campus. Some schools have used an initial task force composed of stakeholders to plan.
  • How will you resource the ongoing effort? Expect ongoing leadership to take a significant fraction of a person, with additional contributions by many others. As it ramps up, a full-time leader is not uncommon.

Thank you to Anurag Shankar of IU CACR for contributing to this post.

Monday, September 11, 2017

DesignSafe-CI and CTSC Engage for Cyber-checkup
CTSC has initiated an engagement with DesignSafe-CI (DesignSafe) (NSF-1520817, NSF-1612144, NSF-1612843), a component of the Natural Hazards Engineering Research Infrastructure (NHERI) and funded by the NSF under a Cooperative Agreement through the Division Of Civil, Mechanical, & Manufacturing Innovation (CMMI) (NSF-1520817). The scope of the engagement is to perform a cyber-checkup -- a high-level review of the project’s cybersecurity program. The process tailored to DesignSafe’s needs will constitute a fact-finding exercise that delves into DesignSafe’s security processes, policies and protocols. Due to the maturity of DesignSafe’s existing security program, CTSC anticipates the engagement will be completed by November 2017.

CCoE Webinar Sept. 25th 11am ET: Demystifying Threat Intelligence

CERN's Romain Wartel is presenting the talk "Demystifying Threat Intelligence" on September 25th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation with attached calendar file.

Threat intelligence has become a very popular keyword among security professionals in recent years. What is this all about? Is this a service for sale, or rather an intangible asset resulting from a trust relationship? Every organization is seeking relevant and targeted intelligence, ideally at little to no cost and yielding no false positives. What are the myths and realities? Is threat intelligence a worthy investment? Is it more suitable to favor local or global sources? Are there services or tools that can facilitate threat intelligence management? Beyond obtaining information, an often overlooked aspect is the challenge of building the ability to take prompt and effective action based on specific intelligence. Making good use of threat intelligence is what gives it its value, but this requires time and effort. Yet a well-designed threat intelligence management process and flow may in fact be the only realistic and affordable strategy for our community to mitigate sophisticated threats or well-funded attackers on a daily basis.

More information about this presentation is on the event page.
Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."