Monday, September 9, 2019

CCoE Webinar September 23rd at 11am ET: Jupyter Security at LLNL with Thomas Mendoza

Thomas Mendoza is presenting the talk "Jupyter Security at Lawrence Livermore National Laboratory" on Monday September 23rd at 11am (Eastern).

Please register here. Check spam/junk folder for registration confirmation email.
Jupyter Notebooks have become tremendously popular for creating, sharing and reproducing science. While they are relatively easy to set up and use, there has (until recently) been little concern regarding the security implications of running these Notebooks. This presentation will cover the developments and practices used at Lawrence Livermore National Laboratory to secure notebooks running in multi-tenant, HPC environments.
Speaker Bio:
Thomas Mendoza is a staff Computer Scientist at LLNL working for Livermore Computing’s HPC center on web architecture and security.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, September 6, 2019

Trusted CI Finishes Engagement with the American Museum of Natural History

The American Museum of Natural History (AMNH) conducts research and education activities spanning multiple branches of science. Through the National Science Foundation's Campus Cyberinfrastructure (CC*) program (NSF OAC-1827153), AMNH developed and installed a Science DMZ to enable high speed transfer of large data sets. Connections were deployed regionally via NYSERnet and nationally via Internet2. Additionally, AMNH's ADFS identity management system was federated with InCommon to give researchers access to Globus data transfer nodes (DTNs).

Trusted CI's engagement with AMNH initially focused on developing an information security program tailored to the new Science DMZ. This effort started by reviewing existing AMNH policies and procedures which might apply to the Science DMZ. After this initial examination, it was decided that the accelerated timeline for installation and configuration of both the Science DMZ and the ADFS federation with InCommon left little time for refinement of a few security policy documents. Instead, effort was focused on fine-tuning system configuration for the Science DMZ by consulting outside expertise from ESnet.

Trusted CI documented the activities of this engagement in a final report. AMNH intends to document the processes of installation and configuration of their Science DMZ and the federation of their ADFS identity management system with InCommon. This documentation may give other similarly sized institutions a good starting point for installation of a Science DMZ or ADFS integration with InCommon.

The Trusted CI-American Museum of Natural History engagement began January 2019 and finished June 2019.

Wednesday, September 4, 2019

Trusted CI begins engagement with SLATE



SLATE accelerates collaborative scientific computing through a secure container orchestration framework focused on the Science DMZ, enabling creation of advanced multi-institution platforms and novel science gateways. The ATLAS collaboration at the CERN Large Hadron Collider has an R&D program utilizing SLATE to centrally operate a distributed data delivery network having service endpoints at multiple computing facilities in the U.S., CERN, the UK and Germany, and has evaluated a cache deployed using SLATE within the ESnet backbone. Similar approaches are already in production (the Open Science Grid data federation which is implemented in part using the Pacific Research Platform and Internet2) supporting LIGO and other science domains but as yet lack a generalized trust framework. While innovation of the new trust model initially is occurring in the context of the OSG and the worldwide LHC computing grid (WLCG), trusted federated edge infrastructures enabling operation of advanced computing platforms will in future be necessary to sustain a wide range of data intensive science disciplines requiring shared national and international cyberinfrastructure.

The deployment and operation of software through containerized edge services raises issues of trust between many stakeholders with different perspectives. Resource providers require guarantees that services running within their infrastructure are secure and operated within site policies; platform service developers and operators require flexibility to continuously deliver and compose new cyberinfrastructure supporting their scientific collaborations; edge cluster administrators need visibility and operational awareness while delegating some of their traditional deploy and operate responsibilities to centralized platform teams, following a NoOps model; and finally, the application workloads from end-user science communities rely on the foundational capabilities implemented by platform services to realize the full potential of shared cyberinfrastructure. This engagement will focus on developing SLATE’s cybersecurity program in a way that balances these needs.

The Trusted CI-SLATE engagement began July 2019 and is scheduled to conclude by the end of December 2019. For additional information on SLATE, please refer to the paper, “Building the SLATE Platform,” published in PEARC18. Trusted CI will document the activities of this engagement in a final report to be made available to the public.

Tuesday, September 3, 2019

Trusted CI co-PI Jim Marsteller heading to Penn State University

With both excitement and sadness, I share with the Trusted CI community that Jim Marsteller, one of Trusted CI’s founders and a long-time leader of the NSF Cybersecurity Summit Program Committee and the Large Facility Security Team, will be leaving Trusted CI as part of moving from PSC to Penn State in September.

We’re excited for Jim in his new role at Penn State and wish him all the best. We are very glad that he is staying in the higher education family that is so important to Trusted CI’s mission of supporting research and look forward to continuing to work with Jim in his new role.

Please stay tuned for more news on how Trusted CI will adapt to this change of leadership.

Von - Trusted CI PI and Director

Monday, August 26, 2019

Spotlight on the Trusted CI partnership with the Science Gateway Community Institute

The Science Gateway Community Institute (SGCI) is an NSF-funded initiative to provide services, resources, community support, and education to those seeking to create and sustain science gateways -- online interfaces that give researchers, educators, and students easy access to specialized, shared resources that are specific to a science or engineering discipline.

Trusted CI began its partnership with SGCI about three years ago. The partnership has developed into two main functions: to provide specialized engagements to gateway developers and operators seeking cybersecurity support, and to present on relevant cybersecurity topics during SGCI focus weeks (formerly called "bootcamps") and related events.

Trusted CI Engagements with Science Gateways

Below are a few examples of Trusted CI's contributions to science gateways:
  • GISandbox: Reviewed their operational security and science gateway code
  • 'Ike Wai: Reviewed their identity and access management (IAM) implementation
  • EarthCube Data Discovery Studio: Reviewed the security of the project server and website
  • UC San Diego's BRAIN Lab: Advised on using the cloud storage service, Box, for one of their projects
  • The Rolling Deck to Repository (R2R): Presented best practices in transferring and archiving data
  • SeedMeLab: Advised the project on using software penetration testing
  • cloudperm: Trusted CI has written an app that checks permissions on Google documents to identify potential sensitive material accessible to the public. This scan has been used by SGCI to review its own documents.

Resources offered by Trusted CI include:

  • Developing a Cybersecurity Program: a tractable method to build policies and procedures for cyberinfrastructure
  • Cybersecurity checkups: a tailored approach to assessing the maturity of a security program
  • Identity and Access Management: a collection of resources to improve authentication and authorization
  • Open Science Cyber Risk Profile: Providing risk profiles for common scientific assets.
  • Training: providing training on cybersecurity via Science Gateway focus weeks and webinars
  • Providing advice to the SGCI team on protecting their own internal information assets.

Upcoming events

The next SGCI focus week is September 9 - 13 in Chicago, IL. According to the website, a few spots are still available.
The Gateways 2019 Conference is September 23 - 25 in San Diego, CA.

Wednesday, August 14, 2019

Trusted CI Engagement Applications Due Oct 2 2019


Apply for a one-on-one engagement with Trusted CI for Early 2020.
Applications due Oct 2, 2019.


Trusted CI is accepting applications for one-on-one engagements to be executed in Jan-June 2020. Applications are due Oct 2, 2019. (Slots are limited and in demand, so this is a hard deadline!)

To learn more about the process and criteria, and to complete the application form, visit our site:


During Trusted CI’s first 5 years, we’ve conducted more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions. We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.

As the NSF Cybersecurity Center of Excellence, Trusted CI’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.


Monday, August 12, 2019

PEARC19 wrap-up: Continuing our Commitment to Open Science

Jim Basney and Von Welch
Trusted CI had another successful presence at PEARC19. As noted in our pre-conference post, we presented our technical paper, a workshop, a panel, a poster, and an exhibitor table, and we attended and contributed to many other PEARC-related events.

A few highlights:
  • Von's panel, "Community Engagement at Scale: NSF Centers of Expertise," was attended at full capacity.
  • Our workshop, "Trustworthy Scientific Cyberinfrastructure," was the first public debut of our Fellows. Matias Carrasco Kind, Jay Yang, Aunshul Rege, and Gabriella Perez shared their research backgrounds and discussed their specific cybersecurity needs.
  • Members of the NSF project Services Layer at the Edge (SLATE) met face to face with Trusted CI to discuss their upcoming engagement.
  • A series of lightning talks from Science Gateway operators during the Trusted CI workshop provided four gateway operators a chance to connect with the community on their cybersecurity issues.
  • A random lunch encounter between Trusted CI staff and people in the Jupyter community led to a lively discussion on Jupyter security and is expected to lead to an upcoming collaboration on providing a Jupyter security workshop at a future conference.
  • We presented at the AI4GOOD workshop regarding cybersecurity and ethics of artificial intelligence.
Von's Panel - Not a single open seat!
We thank the PEARC program committee for providing the opportunity to connect with members of our community and look forward to PEARC20.


Trusted CI Fellows at the workshop
Kay Avila, Mark Krenz, Florence Hudson
Anurag Shankar and Andrew Adams at the poster session