Monday, September 10, 2018

CCoE Webinar September 24th at 11am ET: The SCI Trust Framework



David Kelsey is presenting the talk "The SCI Trust Framework" on Monday September 24th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.
E-Infrastructures recognise that controlling information security is crucial for providing continuous and trustworthy services for their user communities. Such infrastructures, including grids and clouds, are subject to many of the same threats and vulnerabilities as each other because of the use of common software and technologies. Users who take part in more than one infrastructure are potential vectors that can spread infection from one infrastructure to another. All infrastructures can benefit from working together and sharing information on security issues.
Security for Collaborating Infrastructures (SCI) is a collaborative activity within the WISE trust community. The aim of the SCI trust framework is to manage cross infrastructure operational security risks. It builds trust between Infrastructures by defining policy standards for collaboration. The SCI group published version 1 of its trust framework in 2013. Two derivative frameworks have also been published; SIRTFI in 2015, and SNCTFI in 2017.
WISE/SCI has more recently produced version 2 of the SCI trust framework, to reflect changes in technology, culture and to cover a broader range of infrastructures. The framework contains numbered requirements in five areas (operational security, incident response, traceability, participant responsibilities and data protection) that each Infrastructure should address as part of promoting trust between Infrastructures. SCI’s updated version 2 was officially endorsed during the TNC 2017 conference by representatives of EGI, EUDAT, GÉANT, GridPP, HBP, PRACE, SURF, WLCG and the USA’s XSEDE e-infrastructure.
The webinar will present the SCI Trust Framework together with current work on a new baseline AUP and a Policy Development Kit. Possible future activities will also be presented.
Speaker Bio:
David Kelsey is head of the particle physics computing group at STFC, UK and has been leading Grid Security activities in many projects. He founded the Joint (WLCG/EGEE) Security Policy Group in 2004. He is currently the Chair of the WISE steering committee and was founder of the SCI activity. He has a Masters degree in Physics (Trinity College, Cambridge) and a PhD in Physics (University of Birmingham).

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, August 29, 2018

NRAO and Trusted CI Complete Comprehensive Cybersecurity Program Assessment

Trusted CI and the National Radio Astronomy Observatory (an NSF Large Facility supported in part by NSF Award # 1647378) have completed a successful engagement focused on assessing and facilitating the continued maturation of NRAO’s information security program.  On an accelerated schedule to dovetail with NRAO’s budgetary cycle, we completed an intensive fact-finding phase and delivered a draft copy of a recommendations report providing specific, prioritized actions that NRAO could take to bolster their security program.  Before the engagement execution ended, NRAO used our recommendations to gain initial approval for a budgetary proposal to their executive team, proposing the internal restructuring of their team, hiring a new full-time security position, investing in tools to improve network visibility, and identifying key assets that require additional protection.

David Halstead, Chief Information Officer for NRAO, states,
The Trusted CI engagement allowed Information Services to take a holistic view of the risk and threat landscape facing the observatory’s CI instead of the more traditional audits which largely ignore the research infrastructure and focus on the financial systems.


Engagement Process

Fact-Finding. Trusted CI gathered information using a variety of methods, including dynamic question and answer sessions with NRAO staff and through review of over one hundred public and private documents obtained from publicly accessible websites and from NRAO’s internal document repository.  NRAO also completed our rigorous survey assessing the current state of their cyberinfrastructure.  During this phase of the engagement, we held seven one-hour conference calls together, focused mainly on building Trusted CI’s understanding of NRAO’s security program.

Site Visit. The Trusted CI and NRAO teams also met for a period of three days onsite in Charlottesville, Virginia, giving us an opportunity to interact face-to-face.  During that time, we performed a physical walkthrough of NRAO’s onsite computing infrastructure, interviewed personnel with security functions, and held detailed discussions on the current status of the security program as well as possible opportunities for maturation.  When a passing blizzard forced NRAO to close its doors for one of those days, the teams refused to be slowed down and instead met virtually, maximizing the amount of time we could dedicate to working together. 


Recommendations Report. The subsequent report that Trusted CI delivered to NRAO first included a set of foundational recommendations.  Recommendations were marked ‘foundational’ if they appeared feasible to begin in the next six months; called for architectural, philosophical, or major resource additions or reallocations; and were expected to generate strong outcomes, particularly in facilitating other impactful actions.  We organized other recommendations by estimated benefit and cost to implement.  Grounded in best practices and community standards, these recommendations frequently referenced the Center for Internet Security (CIS) Controls and the Australian Signals Directorate’s Essential Eight, two evidence-based control sets, as well as Trusted CI’s four pillar framework for developing cybersecurity programs for open science.

Deep Dives. After delivering the final report, we used the remainder of our engagement time to facilitate phone and email discussions focused on implementing these recommendations.  Dr. Jim Basney and Ryan Kiser, Trusted CI subject matter experts in federated identity management and application whitelisting respectively, each joined for a conference call focused on his area of expertise in order to share insights and answer questions posed by NRAO.  Other topics of conversation included inventory and asset management, network visibility, and Trusted CI’s process and tools for self-assessing gaps and actions under the CIS Controls v7.

Reflections and Acknowledgements

NRAO’s effort and openness were critical to the success of this engagement.  Their willingness to share information, including providing access to NRAO’s internal documents, allowed us to tailor our recommendations to their specific level of maturation in each area.  We would like to thank all of the NRAO staff who spent time talking with us and responding to our questions, especially our primary engagees David Halstead and Pat Murphy, as well as Chris Clark, Karyn Roberts, Derek Hart, Josh Malone, Matthew McCleary, Ferzen Manglicmot, Wolfgang Baudler, Warren Richardson, and Guilhem Werbelow.

NRAO’s commitment extended beyond participation and into implementation, as evidenced by how quickly the organization created a plan based on Trusted CI’s recommendations and moved to enact it.  We are excited to see this engagement already having a major impact on the funding, structure, and visibility of their security program.

We would also like to thank Steven Berukoff and Tony Hays from the Daniel K. Inouye Solar Telescope (DKIST) project for permitting us to share one of their internal network diagrams with NRAO.  Steven and Tony had presented this diagram to us during a prior Trusted CI engagement and agreed to let us share it with NRAO.  Their example of “documentation done well” assisted in facilitating a discussion on the kinds of network documentation most useful from a security and operations support standpoint. 

Through interacting with NRAO and learning about their cybersecurity needs, the Trusted CI team continued to refine our understanding of the unique challenges and opportunities involved with securely supporting science.  We look forward to continuing to engage, advise, and grow with the community in this evolving landscape.  For more information on how to work with us, please visit our engagements page.

Monday, August 27, 2018

Apply for a One-on-One Engagement with Trusted CI for Early 2019

Trusted CI is accepting applications for one-on-one engagements to be executed in January - June 2019.  Applications are due October 1, 2018. (Slots are limited and in demand, so this is a hard deadline!)

To learn more about the process and criteria, and to complete the application form, visit our site:


During CTSC’s first 5 years, we’ve conducted more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.  

As the NSF Cybersecurity Center of Excellence, CTSC’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

Tuesday, August 14, 2018

Trusted CI Begins Engagement with the Environmental Data Initiative

The Environmental Data Initiative (NSF DBI-1565103 and DEB-1629233) is an NSF-funded project accelerating curation and archive of environmental data, emphasizing data from projects funded by NSF’s Divisions of Biological Infrastructure and Environmental Biology.  EDI provides support, training, and resources to help archive and publish high-quality data and metadata. They operate a secure data repository and work closely with the Long Term Ecological Research Network (LTER) and DataONE to promote data management best practices.

The goals of this engagement are to review current authentication and authorization mechanisms, identify features and requirements for the future version of the EDI Data Portal and associated backend API, and document currently available authentication and authorization solutions. 

The Trusted CI-Environmental Data Initiative engagement began August 2018 and is scheduled to conclude by the end of December 2018.

Monday, August 13, 2018

CCoE Webinar August 27th at 11am ET: NIST 800-171 Compliance Program at U. Connecticut

Jason Pufahl is presenting the talk "NIST 800-171 Compliance Program at University of Connecticut" on Monday August 27th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.
The Department of Defense established DFARS 252.204-7012 which specifies that any research containing Controlled Unclassified Information (CUI) be protected using NIST 800-171. This presentation will discuss the University of Connecticut's approach to implementing the NIST 800-171 framework, including: Contracting, Faculty Engagement, Infrastructure Implementation, Training and Controls Review. 
The intention of this presentation is to provide a complete picture of what compliance with the NIST Standard requires. I will endeavor to describe the entire compliance process starting from conceptualization of the technology solution through to the post implementation review. The talk will be designed to appeal to compliance staff, technical staff and project managers and will emphasize elements required to build and sustain the compliance program. I will discuss the technology elements of our solution, generally, but will focus on how the technologies chosen met our goals of managing as many of the compliance requirements centrally as practical while providing a flexible solution.
Jason Pufahl is the Chief Information Security Officer for the University of Connecticut. He has 20 years of infrastructure and information security experience and has spent the last 10 years dedicated to information security and privacy. He has responsibility for information security for the institution, encompassing security awareness and training, disaster recovery, risk management, identity management, security policy and regulatory compliance, security analytics, and controls implementation.

Jason works closely with both the administrative and academic areas of the University. He is a member of the University’s Data Governance Committee, Joint Audit and Compliance Committee, and Public Safety Advisory Committee. He is also member of the University IRB with a primary focus of improving data privacy and security practices related to institutional research.

Jason has a Master’s in Education Technology and has a passion for professional development, security training and awareness. He designed and ran an information security and awareness game called HuskyHunt, founded the Connecticut Higher Education Roundtable on Information Security (CHERIS) to provide a quarterly forum for sharing of best practices in the field of information security targeted at higher education institutions in Connecticut and is active in the security community nationally. He is a frequent conference speaker and is a member of the NERCOMP vendor and licensing committee.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, August 8, 2018

Broader Impacts Project Report

In early 2018 Trusted CI undertook an effort to develop and implement a strategy to help meet the cybersecurity needs of a broader set of NSF projects through awareness and outreach; i.e., to broaden the impact of Trusted CI.
The project involved analyzing our existing impact on the NSF community, applying our observations to Trusted CI’s 5-year vision for an NSF cybersecurity ecosystem, and identifying six strategies for broader impacts.

The full report is available online. Some highlights of the report are summarized below.

The analysis portion of the project helped to identify a few major accomplishments for the project thus far:
  • Trusted CI has impacted over 190 NSF projects.
  • Over 150 members of NSF projects attended our NSF Cybersecurity Summit. 
  • Members of 70 NSF projects attended our webinars.
  • Almost 100 of these NSF projects are funded at $1 million or more.
  • 35 engagements have been conducted.
  • Over 250 hours of training seminars have been presented or hosted.

The project concluded with 6 recommendations:
  1. Fill in gaps in our collection of impact statistics (e.g., affiliation of training attendees).
  2. Explore outreach opportunities to the Education and Human Resources (EHR) and Biological Sciences (BIO) Directorates, which are currently underrepresented in our impact metrics.
  3. Increase attention on developing and maintaining the website, highlighting the content and services we are already providing. Our materials are only useful if our stakeholders can discover them. It’s helpful to consider different stakeholder perspectives when updating and reorganizing the website.
  4. Trusted CI should provide more materials addressing availability and integrity concerns from the community, leveraging external expertise.
  5. Trusted CI should document and share its experiences and expertise related to operating a community-focused center of excellence, to benefit other similar organizations.
  6. When implementing our 2019‐2023 vision, Trusted CI should emphasize outreach as an essential component of each strategic objective.
Our role in the NSF community is stable and growing. Trusted CI’s next five years present an exciting challenge to take what we have learned thus far and continue to support the cybersecurity needs of NSF projects.

Thursday, August 2, 2018

2018 NSF Cybersecurity Summit - TRAINING REGISTRATION OPEN

We are happy to announce that the registration for training sessions for the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure is now open.  The training day sessions will take place on Tuesday, August 21st. If you have not already registered for the Summit, please do so here.

Once you have registered for the summit and if you are planning to attend training day sessions, please use this form to reserve your seat for the available training sessions. A list of training session descriptions is available here.

The deadline for registration for training is Tuesday, August 14th, one week prior to the event.

Wednesday, August 1, 2018

Trusted CI begins engagement with SAGE2


SAGE2 is a multi-site collaboration and visualization tool designed for use with tiled display walls. The mission of SAGE2 is to provide an innovative, user-centered, web-based platform for enabling local and/or distributed teams to display, manage, share, and investigate large-scale datasets on tiled display walls to glean insights and discoveries with greater speed, accuracy, comprehensiveness, and confidence. The project achieves this using web-based technologies such as Node.js that are maintained by large user communities. The project provides installation packages for deployment as well as hardware recommendations for new users who are building display walls for the first time. More information about SAGE2 can be found here.

In the last 4 years, institutions have installed over 90 display walls, half of which are in the US and half international, forming an estimated hardware infrastructure investment in excess of $8M. In addition, SAGE2’s user community is growing to include sectors outside of traditional higher-ed and research communities. The diversity and distributed nature of the SAGE2 user base provides a growing set of security concerns. Identity and access management procedures in particular provide unique challenges given the variety of institutions using SAGE2 to collaborate using display walls.

The primary goal of this engagement is to outline Identity and Access Management (IAM) procedures appropriate for SAGE2’s distributed user base. Trusted CI will also seek to identify and prioritize future security goals and additional opportunities to improve the security of SAGE2.

This engagement began in July 2018 and concludes by the end of December 2018.

Thursday, July 19, 2018

Trusted CI welcomes Engagement and Performance Operations Center as new partner

Trusted CI is happy to welcome the Engagement and Performance Operations Center (EPOC) as a new Trusted CI partner. EPOC was recently established “as a collaborative focal point for operational expertise and analysis and is jointly led by Indiana University (IU) and the Energy Sciences Network (ESnet). EPOC will enable researchers to routinely, reliably, and robustly transfer data through a holistic approach to understanding the full pipeline of data movement to better support collaborative science.”
Cybersecurity and networking performance often intersect in ways that will benefit from this collaboration. This partnership will allow us to bring expertise together when called for by the community.
EPOC joins a growing list of Trusted CI partners, the leading projects and organizations we collaborate with to serve the open science community:

Wednesday, July 18, 2018

2018 NSF Cybersecurity Summit Agenda is now available

We're happy to announce that a tentative agenda for the 2018 NSF Cybersecurity Summit is now available from the Summit webpage at https://trustedci.org/2018-nsf-cybersecurity-summit/. In the coming weeks we will announce a registration form for training sessions and make more detailed descriptions of plenary talks and training sessions available.

If you have not already registered for the summit, please do so here. You can book your hotel reservation for the conference here or go to the trustedci.org website and click on the link for the 2018 NSF Cybersecurity Summit and click on the link for The Westin Alexandria.  The deadline for the discounted hotel room block is Thursday, July 18th.

Friday, July 13, 2018

Trusted CI 5-year Vision and Strategy

The Trusted CI team is pleased to announce the publication of “The Trusted CI Vision for an NSF Cybersecurity Ecosystem”.  From the introduction:

This document establishes Trusted CI’s vision for an NSF Cybersecurity Ecosystem – a collection of people, knowledge, processes, and cyberinfrastructure – that is necessary to support cybersecurity across the diverse NSF community. Trusted CI is primarily responsible for bringing the vision of an NSF Cybersecurity Ecosystem to fruition. Hence, following Trusted CI’s vision is its mission statement and five-year strategic plan to fulfill that role.

This living document will guide our activities going forward and we welcome community feedback as to its content. As implied in the above paragraph, the vision is broader than any one project can accomplish and we will collaborate with others in the community to achieve this vision.

A full citation for the Vision document follows.  We’ll update the document with subsequent versions as required to keep abreast of progress, suggestions, and changes.

V. Welch, J. Basney, C. Jackson, J. Marsteller, and B. Miller, “The Trusted CI Vision for an NSF Cybersecurity Ecosystem And Five-year Strategic Plan (2019-2023),” Trusted CI, Apr. 2018 [Online]. Available: http://hdl.handle.net/2022/22178.

Wednesday, July 11, 2018

Trusted CI at PEARC`18


PEARC 18 (July 22-26) in Pittsburgh, PA, is just around the corner, and Trusted CI will have a strong presence there. The conference is an all-inclusive event for scientists, engineers, scholars, artists, and educators who depend on efficient, secure, and reliable digital infrastructure. This year's theme is seamless creativity. 

Trusted CI staff will present two workshops: one on practical information security for science projects, and one on building security into the development, packaging, distribution, and management of software in support of science and research. The first, entitled “Practical Cybersecurity Programs for Science Projects and Facilities,” delves into the foundational elements of a cybersecurity program necessary to provide a secure and safe environment for science. It focuses on the four pillars of such a program: Alignment to Mission (identification of critical resources and processes); Resources (money, people); Governance (roles and responsibilities, risk management and acceptance, policies); and Controls (selecting a good baseline control set). It will also include guidance on maintaining and evaluating an established cybersecurity program. The second, “Software Engineering Practice for Science, Research, and Scientific CI,” will introduce the Software Engineering Guide, which provides guidance and tools for building security into the development, packaging, distribution, and management of software in support of science and research. Participants will leave with a strategy for improving security in any high-performance computing or scientific CI project that uses or produces software, and a preview of new tools coming out of the NSF CCoE for software security programs.

Along with the two workshops, Trusted CI’s Von Welch will moderate a panel following Anita Nikolich’s keynote talk, “Hacking Academia.” The panel is intended as a “fireside” question-and-answer session with Ms. Nikolich, further exploring the key concepts of her keynote, which will discuss the necessity of feedback loops between the academic community, cybersecurity operators, and underground security researchers.

Finally, Trusted CI is proud to announce that this year it will be participating in PEARC’s Partner Program, and thus, will have a table in the exhibitor’s area to network. So, if you attend the conference, stop by and say hello.

Tuesday, July 10, 2018

CCoE Webinar July 23rd at 11am ET: Trustworthy Computing for Scientific Workflows

Mayank Varia and Andrei Lapets are presenting the talk "RSARC: Trustworthy Computing over Protected Datasets" on Monday July 23rd at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.
There has been an unprecedented increase in the quantity of research data available in digital form. Combining these information sources within analyses that leverage cloud computing frameworks and big data analytics platforms has the potential to lead to groundbreaking innovations and scientific insights. As developers and operators of the widely used Dataverse repository and the Massachusetts Open Cloud platform, we have been working to advance this innovative revolution by colocating datasets in common platforms, curating and tagging datasets with both functional and legal access policies, offering helper services such as search and easy citation to promote sharing, and providing on-demand computational platforms to ease analytics. Unfortunately, we observe that a certain segment of our scientific user base cannot enjoy the full transformative capacity achievable within our cyberinfrastructure. Due to concerns over the privacy and confidentiality of their data sources, or the potential of commercial exploitation of their raw data sets, these researchers are isolating themselves within siloed data repositories and well-protected computational enclaves rather than sharing their datasets with fellow scientists.

This talk will describe cryptographic technological enhancements that are ready to provide scientific researchers with mechanisms to do collaborative analytics over their datasets while keeping those datasets protected and confidential. Secure multi-party computation (MPC) is a cryptographic technology that allows independent organizations to compute an analytic jointly over their data in such a manner that nobody learns anything other than the desired output. Hence, MPC empowers organizations to make their data available for collective data aggregation and analysis while still adhering to pre-existing confidentiality constraints, legal restrictions, or corporate policies governing data sharing. Our new Conclave framework can connect to many existing backend stacks where the data already live, can automatically analyze a query to identify when a computation must cross data silos, and can leverage MPC in a scalable and usable manner when it is necessary to enable the computation.

In summary, while data sharing cyberinfrastructures today are intended to allow everyone to benefit from the initial cost of having one researcher collect data, privacy concerns (and the resulting breakdown of data sharing) transform this burden into a marginal cost that every researcher who wants access to the data must pay. We will describe how a holistic integration of secure MPC into a scientific computing infrastructure addresses a growing need in research computing: enabling scientific workflows involving collaborative experiments or replication/extension of existing results when the underlying data are encumbered by privacy constraints.
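The abstract above describes MPC as letting parties jointly compute an analytic so that "nobody learns anything other than the desired output." The following is an added illustration of the simplest such protocol, additive secret sharing over a prime field, and is not code from the speakers, from Conclave, or from the original post. Each party splits its private value into random shares that sum to the value, sends one share to each other party, and publishes only the sum of the shares it received; the published partial sums reconstruct the joint total, while any single party's view consists of uniformly random shares that are independent of the other parties' inputs. The prime, the party count and the sample inputs are constructed for this example.

```python
import secrets

# Additive secret sharing over the integers modulo a large prime. Signed
# inputs are encoded as residues, so a sum may decode to a negative number.
P = 2**61 - 1  # Mersenne prime, chosen here for illustration only

def share(value, n):
    """Split one party's private value into n shares that are individually
    uniform random mod P but add up to value mod P (semi-honest setting)."""
    if n < 2:
        raise ValueError("need at least two parties")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares

def reconstruct(shares):
    """Recover a shared value from all of its shares."""
    return sum(shares) % P

def to_signed(residue):
    """Decode a residue mod P back to a signed integer in [-P//2, P//2]."""
    return residue - P if residue > P // 2 else residue

def secure_sum(private_inputs):
    """Sum all parties' inputs without any party seeing another's input.

    Returns (total, transcript) where transcript[i][j] is the share party i
    sent to party j; it is returned only so that views can be inspected.
    """
    n = len(private_inputs)
    transcript = [share(v, n) for v in private_inputs]
    # Party j adds the n shares it received (one from each party, including
    # itself). Addition commutes with sharing, so these partial sums are
    # themselves an additive sharing of the total and reveal nothing else.
    partial_sums = [sum(transcript[i][j] for i in range(n)) % P
                    for j in range(n)]
    # Only the partial sums are published; together they give the total.
    return to_signed(reconstruct(partial_sums)), transcript

def view_of_party(transcript, j):
    """What party j receives from the others before partial sums are
    published: one uniformly random share per other party."""
    return [transcript[i][j] for i in range(len(transcript)) if i != j]

if __name__ == "__main__":
    total, t = secure_sum([12, -7, 30])   # constructed sample inputs
    print("joint sum:", total)            # 35
    print("party 0 sees only:", view_of_party(t, 0))
```

The example is honest-but-curious: it shows what a correct protocol hides but does not defend against a party that sends malformed shares, and the partial sums are exchanged "in the clear" here rather than over authenticated channels. A real deployment needs both, which is part of what frameworks such as the one described above have to provide.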
Mayank Varia is a research associate professor of computer science at Boston University and the co-director of the Center on Reliable Information Systems & Cyber Security (RISCS). His research interests span theoretical and applied cryptography and their application to problems throughout and beyond computer science. He currently directs an NSF Frontier project that addresses grand challenges in cloud security, aiming to design an architecture where the security of the system as a whole can be derived in a modular, composable fashion from the security of its components (bu.edu/macs). He received a Ph.D. in mathematics from MIT for his work on program obfuscation.

Andrei Lapets is Associate Professor of the Practice in Computer Science, Director of Research Development at the Hariri Institute for Computing, and Director of the Software & Application Innovation Lab at Boston University. His research interests include cybersecurity, formal methods and domain-specific programming language design, and data science. He holds a Ph.D. from Boston University, and A.B. and S.M. degrees from Harvard University.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, July 9, 2018

Cyberinfrastructure Vulnerabilities 2018 Q2 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise. Some of the sources we monitor for possible threats to CI include:

In 2Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 91 subscribers:
If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available through https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Tuesday, July 3, 2018

NSF Cybersecurity Summit lodging deadline approaching

We would like to remind everyone that the deadline for reserving a room for the 2018 NSF Cybersecurity Summit at the discounted conference rate is July 12th. The number of available rooms in our block is limited so please reserve your room as soon as possible. You can book your hotel reservation for the conference here or go to the trustedci.org website and click on the link for the 2018 NSF Cybersecurity Summit and click on the link for The Westin Alexandria.


Also, if you have not already registered for the summit, please do so here.

Friday, June 29, 2018

Trusted CI Completes Engagement with GenApp

GenApp (NSF OAC-1740097) is a tool for rapidly generating science gateways. The goal of GenApp is to provide a graphical frontend and associated server backend for command line scientific applications. Trusted CI began an engagement with GenApp in January 2018, and completed the engagement in June 2018.

The engagement focused on performing a security review of the GenApp codebase and the various web applications generated by GenApp, as well as evaluating the technologies and architectures utilized by the GenApp development framework. Trusted CI worked with the GenApp team to create architectural diagrams, ran automated tools to analyze GenApp systems, and manually inspected key components of source code for vulnerabilities.

Findings included the need for more systematic sanitization of user input, keeping libraries up to date, and recommendations for secure settings of web services of GenApp-generated applications.

The GenApp staff has graciously consented to publication of the engagement report after a sufficient period to implement suggestions for remediation of issues. Trusted CI will contact GenApp towards the end of 2018 to verify that issues have been addressed, after which the engagement report will be made available to the public. The hope is that other NSF-funded projects which are primarily software-based can learn from the tasks accomplished during this engagement.

Thursday, June 21, 2018

NCSA video and news story about Trusted CI

The Trusted CI team is made of a partnership with Indiana University, the National Center for Supercomputing Applications (NCSA) at the University of Illinois, the University of Wisconsin-Madison, and the Pittsburgh Supercomputing Center.

Recently NCSA produced a short video about Trusted CI, titled "NCSA's Partnership with Trusted CI helps secure over $7 Billion worth of Science." Click below to see the video. Read the corresponding news story here.




Thursday, June 14, 2018

2018 NSF Cybersecurity Call For Participation (CFP) Extended to June 20th

We've extended the CFP deadline an additional week for community submissions.

Program content for the Cybersecurity Summit is driven by our community. We invite proposals for plenary presentations, training sessions, student scholarships, Table Top Talks and new this year the Community Leadership Recognition Program.

To learn more about the CFP, please visit: https://trustedci.org/call-for-participation-2018

Monday, June 11, 2018

Announcing the 2017 NSF Community Cybersecurity Benchmarking Survey Report and the 2017 NSF Cybersecurity Summit Report

The second NSF Community Cybersecurity Benchmarking Survey Report is now available:

http://hdl.handle.net/2022/22171

The Community Survey’s purpose is to collect, analyze, and publish useful baseline benchmarking information about the NSF science community’s cybersecurity programs, practices, challenges, and concerns. This year’s survey is significant for receiving responses from 15 of the 25 NSF Large Facilities, and should provide particular insight into the specific cybersecurity practices and concerns of Large Facilities. Notable takeaways from this year’s survey include the dramatic increase in respondents who use multi-factor authentication, the lack of standardization or uniformity around cybersecurity budgets, and the highly variable implementation of software best practices, operational and programmatic cybersecurity safeguards, and cybersecurity governance.

Additionally, the report of the 2017 NSF Cybersecurity Summit to the community is also available. The report outlines progress the community has made based on recommendations from the previous year, attendee details and survey results for both the plenary and training portions of the Summit. The report in its entirety can be reviewed here: 

http://hdl.handle.net/2022/21882

We hope the results and analysis provided by these reports offer insight and inspire discussion.

CCoE Webinar June 25th at 11am ET: Security Program at LSST

NCSA's Alex Withers is presenting the talk "Security Program at LSST" on Monday June 25th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The concept behind the Large Synoptic Survey Telescope (LSST) is simple: conduct a digital image-based survey over an enormous area of the sky and build an extensive astronomical catalogue over the course of ten years. LSST’s astronomical data is the ultimate deliverable to its users. This unique scientific computing environment presents many cyber security challenges. LSST has in place a cyber security program to facilitate its scientific mission: to protect its data access requirements and rights. We will discuss the beginnings of LSST’s cyber security program, adoption and experience with its risk management framework, and existing and planned security operations at LSST sites, including the observatory site in Chile and the National Center for Supercomputing Applications (NCSA).

This talk is presented by Alex Withers. Alex is a Senior Cybersecurity Engineer at the National Center for Supercomputing Applications (NCSA). He is the Information Security Officer for the Large Synoptic Survey Telescope (LSST). He is also a PI and co-PI for a number of NSF-funded cybersecurity projects.
Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, June 5, 2018

2018 NSF Cybersecurity Summit Call For Participation Deadline Nearing & Registration Now Open


Greetings everyone, just a reminder that the 2018 NSF Cybersecurity Summit Call For Participation (CFP) deadline of June 13th is nearing.

Program content for the summit is driven by our community. We invite proposals for plenary presentations, training sessions, student scholarships and new this year is the Community Leadership Recognition Program. The deadline for CFP submissions is June 13th. To learn more about the CFP, please visit: https://trustedci.org/call-for-participation-2018

Registration - Now Open
We’re happy to announce that registration for the NSF Large Facilities community is now open: https://cacr.iu.edu/events/nsf-summit/registration.php
Ensure your participation and register today.

On behalf of the 2018 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in August.


Jim Marsteller 
Program Chair

Monday, May 7, 2018

Trusted CI Webinar May 21st at 11am ET: The EU General Data Protection Regulation (GDPR)



CACR's Scott Russell is presenting the talk, "The EU General Data Protection Regulation (GDPR)" on May 21st at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The European Union’s General Data Protection Regulation (GDPR) is slated to come into effect on May 25, 2018, and organizations around the world are struggling to determine whether they are covered, what is required, and what will happen if they don’t satisfy its requirements.

This webinar will provide an introduction to GDPR, including an overview of the law's requirements, an in-depth discussion of when and to whom the law may apply, and potential strategies for organizations that are unsure of whether they are covered. The webinar will also provide insight into the motivation behind the law, the legal and practical ramifications of its enforcement outside of the EU, and highlight current uncertainties relating to the scope and impact of the law. Attendees will leave with an improved understanding of how GDPR may impact their organization, and will be equipped with basic strategies to manage risks arising from the enforcement of the law.

This webinar is a product of the Trusted CI, the NSF Cybersecurity Center of Excellence. Trusted CI is supported by the National Science Foundation under Grant Number ACI-1547272. For more information about the Trusted CI please visit: http://trustedci.org/. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research (CACR), where his work focuses on privacy and cybersecurity policy. A lawyer and researcher, Scott received his B.A. in Computer Science and History from the University of Virginia, received his J.D. from Indiana University, interned at MITRE, and served as a postdoctoral fellow at CACR.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, April 24, 2018

Announcing: 2018 NSF Cybersecurity Summit Call for Participation and Student Program

Greetings! It is our great pleasure to announce and invite you to the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. The event will take place Tuesday, August 21st through Thursday, August 23rd, at the Westin Alexandria near the new National Science Foundation Headquarters in Alexandria, VA. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities. Registration and hotel reservations details will be announced in the coming weeks. We are pleased to announce the call for participation and student program are now open!


Call for Participation (CFP) - Now Open
Program content for the summit is driven by our community. We invite proposals for presentations and training sessions as well as nominations for student scholarships. The deadline for CFP submissions is June 13th. To learn more about the CFP, please visit: https://trustedci.org/call-for-participation-2018

Nominations for the Community Leadership Recognition Program
The Summit seeks to recognize outstanding leadership in the cyberinfrastructure and cybersecurity field. These leaders have developed and established the processes and practices for building a trusting, collaborative community, and seriously addressing that community's core cybersecurity challenges in ways that remain relevant, as research technologies and infrastructure evolve and change. More information on the program and how to submit a nomination can be found here: http://trustedci.org/community-leadership-program

Student Program - Accepting Applications
Each year, the summit organizers invite several students to attend the summit. Students who are interested in the complex cybersecurity needs of science, and in new, efficient, effective ways to protect information assets while supporting science, will benefit most from attending.
Undergraduate and Graduate students may self-nominate or be nominated by a teacher or mentor. The deadline for applications is June 4, 2018. To learn more about the Student Program, please visit: https://trustedci.org/summit2018/students


On behalf of the 2018 NSF Cybersecurity Summit organizers and program committee, we welcome your participation and hope to see you in August.

Wednesday, April 11, 2018

Trusted CI Webinar April 23rd at 11am ET: Toward Security-Managed Virtual Science Networks

Duke University's Jeff Chase and RENCI's Paul Ruth are presenting the talk, "Toward Security-Managed Virtual Science Networks" on April 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Data-intensive science collaborations increasingly provision dedicated network circuits to share and exchange datasets securely at high speed, leveraging national-footprint research fabrics such as ESnet or I2/AL2S. This talk first gives an overview of new features to automate circuit interconnection of science resources across campuses and in network cloud testbeds, such as GENI (e.g., ExoGENI) and NSFCloud (e.g., Chameleon). Taken together, these tools can enable science teams to deploy secure bandwidth-provisioned virtual science networks that link multiple campuses and/or virtual testbed slices, with integrated in-network processing on virtual cloud servers.

Next, we outline a software framework to address security issues arising in these virtual science networks. We show how to deploy virtual science networks with integrated security management programmatically, using software-defined networking and network function virtualization (SDN/NFV). As an example, we describe a prototype virtual Network Service Provider that implements SDX-like functionality for policy-based interconnection of its customers, and incorporates out-of-band monitoring of permitted flows using Bro intrusion detection instances hosted on cloud VMs. We also describe how to use a new logical trust system called SAFE to express and enforce access policies for edge peering and permitted flows, and to validate IP prefix ownership and routing authority (modeling RPKI and BGPSEC protocols) in virtual science networks.

This material is based upon work supported by the National Science Foundation under Grants No. (ACI-1642140, ACI-1642142, CNS-1330659, CNS-1243315) and through the Global Environment for Network Innovations (GENI) program. Any opinions, findings, and conclusions or recommendations do not necessarily reflect the views of NSF.
Jeffrey S. Chase is a Professor of Computer Science at Duke University. He joined Duke in 1995 after receiving his PhD in Computer Science from the University of Washington (Seattle). He was an early leader in automated management for cluster services, cloud hosting systems, and server energy management. He served as an architect in NSF’s GENI project and is a principal of ExoGENI, a multi-campus networked cloud testbed.

Paul Ruth is a Senior Research Scientist at RENCI-UNC Chapel Hill. He received his PhD in Computer Science from Purdue University in 2007. He has been a primary contributor to the ExoGENI testbed since 2011 and is currently the networking lead for the NSF Chameleon testbed.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, April 9, 2018

Cyberinfrastructure Vulnerabilities 2018 Q1 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists.

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise.

Some of the sources we monitor for possible threats to CI include:


In 1Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 3 vulnerability alerts to 91 subscribers:


If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available through https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Tuesday, April 3, 2018

Single vs multiple users on a cluster node?

Trusted CI recently received the following query from Chester Langin and are sharing his question and our answer with his permission:
As a security person, can you tell me the advantages and disadvantages of allowing more than one user on a cluster node at a time? I ask because we just moved from Rocks/SGE to OpenHPC/SLURM. Our old cluster allowed multiple users per node so, with 20 cores as an example, users with jobs running 8, 8, and 4 cores could all be running on the same compute node. This provides high efficiency. Our new cluster apparently restricts this so if the first user runs a job with, say 8 cores, nobody else can use that same node and 12 cores are not being used. So, our users will be noticing that jobs will be backing up in queue.
Should we configure SLURM to allow multiple users per node? Do you have a recommendation? Can you give me pros and cons?
This is a classic example of a risk/reward trade-off. As you note in your question, allowing only a single user per node has the down side of lower efficiency. So what do you gain? 

There are risks with allowing multiple users per node, in that user accounts are not as strong a guarantee of isolating users from each other as having them on separate nodes. Bugs in the underlying system (and in the hypervisor, if we’re talking about virtual machines), misconfigurations of the operating system, and errors in setting file permissions can allow information, potentially including sensitive information and credentials, to leak between users on the same node. Some examples include CVE-15566, CVE-2017-5715, and CVE-2017-4924. Additionally, we've seen two recent cases in our software assessments where we found file system permissions were set too permissively, allowing users to see each other's data.

Hence you gain some risk reduction. We assume you can estimate the value of the efficiency reduction in terms of lost CPU time, but how do you estimate the benefits of the risk reduction so you can compare these two things?

Unfortunately, quantifying this trade-off isn’t trivial; it’s a judgement call. Some questions to ask to determine which path makes sense for your system involve gauging the consequences of the security risks:
  • How big and diverse is your user community? If your users are all from a collaborating community or within the same institution, the consequences of data leakage could be lower. But if you have users who are competing research groups or companies, the stakes could be higher.
  • What type of data does your system handle? Is it regulated data or other sensitive data that would increase the impact of the risks in question?
  • How you handle an incident can greatly impact its consequences. How poised are you to handle an incident if it occurs? Do you have an incident response plan in place that you regularly exercise?
  • What is the risk tolerance of your stakeholders? Are you expected to squeeze every ounce of performance out of the system, or is reputation considered more important? Is there any recent history related to security incidents that may impact this?
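Two checks that follow from the answer above, written as an added example in POSIX shell (not part of the original post): one reports which partitions in a slurm.conf still let jobs from different users share a node, the other lists entries under a home-directory tree that any other user on the node can read, the kind of over-permissive file permissions the answer mentions. It assumes Slurm's partition-level OverSubscribe=EXCLUSIVE setting (older configs spell it Shared=EXCLUSIVE) and a /home-style layout; the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Slurm partition
# parameter OverSubscribe=EXCLUSIVE (or the older Shared=EXCLUSIVE) is what
# keeps every node to a single job, and hence a single user, at a time.

# Print the name of every partition whose line does NOT pin nodes to one job.
# With SelectType=select/cons_res, such partitions hand out spare cores of a
# node to other users' jobs, the multi-user case discussed above.
# (SelectType also matters: select/linear allocates whole nodes unless the
# partition sets OverSubscribe=YES or FORCE; this check only reads the
# PartitionName lines.)
# Usage: shared_partitions /etc/slurm/slurm.conf
shared_partitions() {
    grep -i '^PartitionName=' "$1" | while IFS= read -r line; do
        # Slurm option values are case-insensitive, so compare in lower case.
        lc=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$lc" in
            *oversubscribe=exclusive*|*shared=exclusive*) ;;   # node-exclusive: fine
            *) printf '%s\n' "${line#*=}" | cut -d' ' -f1 ;;    # e.g. "batch"
        esac
    done
}

# List files and directories under $1 that are readable by "other" users
# (mode bit o+r). Anything listed is visible to every other account sharing
# the node, regardless of how the scheduler packs jobs.
# Usage: world_readable /home
world_readable() {
    find "$1" -perm -004 -print 2>/dev/null | sort
}

# Stand-alone use: sh node_sharing_audit.sh /etc/slurm/slurm.conf /home
if [ $# -eq 2 ]; then
    printf 'Partitions that allow node sharing between jobs:\n'
    shared_partitions "$1"
    printf 'Entries under %s readable by other users:\n' "$2"
    world_readable "$2"
fi
```

Run it against the real slurm.conf and home tree on a login node; an empty first list means every partition is node-exclusive, and an empty second list means no home-directory content is exposed to other accounts.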

Monday, March 26, 2018

Upcoming events featuring Trusted CI

Interested in the latest from Trusted CI? Want a chance to chat in person with us? Members of Trusted CI will be participating in a number of upcoming events over the next few months.

EDUCAUSE Security Professional Conference 2018 (April 10-12) in Baltimore, MD. EDUCAUSE brings higher education security professionals together to network and discuss current trends in the industry. Trusted CI's Mark Krenz and Warren Raquel are presenting training sessions on Incident Response and Security Log Analysis. Also, Trusted CI's Von Welch and Jim Basney are co-presenting with IU CACR's Anurag Shankar on Cybersecurity for Research on Campus.

KINBERCON (April 23-25) in Harrisburg-Hershey, PA. KINBERCON's focus is on next generation networks and technology, and brings together leaders in education, healthcare, libraries, and government. The format of KINBERCON includes panels and technical workshops. There are many opportunities for collaborative discussions with speakers and attendees. Trusted CI's Von Welch will be presenting on the project and the intersection of campus IT, info sec, and research.

The 2018 NSF SI2 PI Meeting (April 30-May 1) in Washington, D.C. The SI2 PI workshop brings together PIs to present their projects to fellow PIs through posters, lightning talks, and brief presentations. Trusted CI's Von Welch is presenting "Software Security: Selecting engineering and security practices to enable robust CI and trustworthy science."

Internet2 Global Summit (May 6-9) in San Diego, CA. The summit focuses on advanced and trusted infrastructure, identity, federation and access management, and solutions for researchers with the goal of benefiting the entire research and education ecosystem. Trusted CI's Jim Basney will be co-presenting with CACR's Anurag Shankar on "Cybersecurity for Research on Campus: Not Just HIPAA & FISMA."

PEARC 18 (July 22-26) in Pittsburgh, PA. PEARC is an all-inclusive event for scientists, engineers, scholars, artists, and educators who depend on efficient, secure, and reliable digital infrastructure. This year's theme is seamless creativity. Presentation abstracts are still under review. Trusted CI intends to attend and present at this year's conference and will update the community as more information is available.

The 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure (August 21-23) in Alexandria, VA. The Summit is hosted by Trusted CI and welcomes cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI Community, as well as key stakeholders and thought leaders from the broader scientific and information security communities. The Summit includes training sessions, plenary sessions, and opportunities to network and socialize with peers. Be on the lookout for our call for proposals.

Whether you are an operational security pro, high speed networking researcher, NSF PI, or identity management specialist, the coming months present some interesting opportunities to network and collaborate. We look forward to seeing you at these events.