Thursday, January 22, 2015

Soliciting input on federated identity/InCommon needs

Hello, Von Welch, CTSC Director and PI here.

I've recently accepted a one-year advisory term on the InCommon Steering Committee. In that role, I will work to see that the needs of NSF CI projects and similar research service providers (SPs) are addressed.

The first thing I'd like to work on is getting all universities of interest to NSF projects to streamline scientific collaboration by sending those projects a user's name and email address when the user authenticates to the project using InCommon federated authentication. The InCommon Research and Scholarship (R&S) program includes only 100 universities that agree to send name and email address, and some of the largest research universities do not participate in the R&S program.

We would like to change that. The InCommon Steering Committee plans to contact the CIOs at these universities to request their support. Knowing more about NSF-funded projects that could benefit from outsourcing authentication to InCommon allows me to prioritize and strengthen those requests. As a starting point, if there is benefit to your project from specific universities supporting federated authentication and releasing a user's name and email address, please let me know who they are.

Going forward, I've created the CTSC Federated Identity Discussion List for further discussions around NSF CI projects, InCommon, and federated identity. I won't be sending you any more emails directly, so please join the list to be included in further discussions. You can find details at

I welcome hearing any other concerns or suggestions you have about InCommon, now or in the future.


Von Welch, Director and PI, Center for Trustworthy Scientific Cyberinfrastructure

Globus and CTSC engagement: data sharing

CTSC and Globus recently completed an engagement in which CTSC took a close look at the Globus data sharing feature. As many in the NSF community already know, Globus provides both services and applications that try to make it easier for scientists to focus on their science. One key Globus service is data management, especially the movement of files between two endpoints, e.g. between two users’ personal computers, between a user’s computer and a large institutional storage site, or between two other endpoints. In addition to an explicit data copy between endpoints, Globus also has a data sharing feature in which a user can make an entire folder accessible (read/write) to other Globus users. CTSC performed an assessment of this particular feature of Globus. The assessment covered a review of the design, architecture, and high-level implementation of the sharing feature. It was not a code review; however, the CTSC team did perform a source code installation of a Globus Connect Server, with the sharing feature enabled, and analyzed how credentials were being handled and how log files were being generated. While the assessment did not reveal any high security risks for the data sharing feature, CTSC did make a number of recommendations to address low-to-medium risks. These recommendations included improving the documentation, for both system administrators and users, and improving the logging and monitoring of sharing activity.

An ongoing challenge in such assessments of software features is the lack of clear process for doing the assessment, as the question is more one of “is this doing the right thing” without clear definition of what “the right thing” is (a challenge we also tackled in our engagement with Pegasus WMS). For this engagement we utilized a modified set of principles originally put forth by Saltzer and Schroeder in 1975 on the protection of information systems, to help guide our assessment. We think utilizing the principles helped significantly and plan to continue exploring their use in future engagements.

For more information, please see the Globus-CTSC Engagement final report, available at

We want to thank the Globus team, especially Rachana Ananthakrishnan, Mike Link, and Steve Tuecke, for their helpful collaboration on this engagement.

See how CTSC might engage with you and your NSF project at

Friday, January 16, 2015

Join CTSC! Analyst position open at IU CACR

IU/CACR has a position open for an analyst to join the CTSC team. This is an opportunity to join a team of smart, talented folks working on securing NSF computational science. Please apply via the prior link or contact Von Welch if interested.

Monday, January 12, 2015

Shutting down June 1st, 2015

For the past couple of years, we've operated as a forum for conversations and announcements about CTSC and cybersecurity for CI. Based on the feedback we've gotten, it seems it isn't clicking with people as a way to communicate. Since creating it, we've also established a set of email lists for discussions about cybersecurity and CI at
Since it's costing a small but non-trivial amount of money to operate the service, we're going to shut it down on June 1, 2015.
We hope you'll subscribe to one or more of the email lists at
If you have other suggestions for how you'd like to communicate with CTSC or your peers working on cybersecurity for CI, please let us know.
Von, for the CTSC team