Monday, April 12, 2021

Trusted CI webinar: Arizona State's Science DMZ, Mon April 26th @11am Eastern

Members of Arizona State University are presenting on their Science DMZ on Monday April 26th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

Drawing upon its mission to enable access to discovery and scholarship, Arizona State University is deploying an advanced research network employing the Science DMZ architecture. While advancing knowledge of managing 21st-century cyberinfrastructure in a large public research university, this project also advances how network cyberinfrastructure supports research and education in science, engineering, and health.

Replacing existing edge network equipment and installing an optimized, tuned Data Transfer Node provides a friction-free wide area network path and streamlined research data movement. A strict router access control list and intrusion detection system provide security within the Science DMZ, and end-to-end network performance measurement via perfSONAR guards against issues such as packet loss.

Recognizing that the operation of the Science DMZ must not compromise the university’s network security profile, while at the same time avoiding the performance penalty associated with perimeter firewall devices, data access and transfer services will be protected by access control lists on the Science DMZ border router as well as host-level security measures. Additionally, the system architecture employs the anti-IP spoofing tool Spoofer, the Intrusion Detection System (IDS) Zeek, data-sharing honeypot tool STINGAR, traditional honeypot/darknet/tarpit tools, as well as other open-source software.

Finally, science data flows are supported by a process incorporating user engagement, iterative technical improvements, training, documentation, and follow-up.

Speaker Bios:

Douglas Jennewein is Senior Director for Research Computing in the Research Technology Office at Arizona State University. He has supported computational and data-enabled science since 2003 when he built his first supercomputer from a collection of surplus-bound PCs. He currently architects, funds, and deploys research cyberinfrastructure including advanced networks, supercomputers, and big data archives. He has also served on the NSF XSEDE Campus Champions Leadership Team since 2016 and has chaired that group since 2020. Jennewein is a certified Software Carpentry instructor and has successfully directed cyberinfrastructure projects funded by the National Science Foundation, the National Institutes of Health, and the US Department of Agriculture totaling over $4M.

Chris Kurtz is the Senior Systems Architect for the Research Technology Office in the Office of Knowledge Enterprise at Arizona State University. Previously Chris was the Director of Public Cloud Engineering as well as the Splunk System Architect (and Evangelist) at ASU. He has been appointed as Splunk Trust Community MVP since its inception. Chris is a regular speaker on Splunk and Higher Education, including multiple presentations at Educause, Educause Security Professionals, and Splunk’s yearly “.conf” Conference. Prior to architecting Splunk, he was the Systems Manager of the Mars Space Flight Facility at ASU, a NASA/JPL-funded research group, where he supported numerous Mars Missions including TES, THEMIS, and the Spirit and Opportunity Rovers. Chris lives in Mesa, Arizona along with his wife, rescue dogs, and cat.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

 

Wednesday, April 7, 2021

Michigan State University Engages with Trusted CI to Raise Awareness of Cybersecurity Threats in the Research Community

Cybersecurity exploits are on the rise across university communities, costing valuable resources and causing loss of productivity, research data, and personally identifiable information. In a DXC report, it was estimated that an average ransomware attack can take critical systems down for 16 days, and the overall worldwide cost of ransomware in 2020 was predicted to be $170 billion. Additional reputational impacts of cybersecurity attacks, although hard to measure, regularly weigh on the minds of scientists and researchers.

An event of this nature occurred at Michigan State University (MSU), which experienced a ransomware attack in May 2020. While many organizations attempt to keep the public from finding out about cyberattacks for fear of loss of reputation or follow-up attacks, MSU has decided to make elements of its attack public in the interests of transparency, to encourage disclosure of similar types of attacks, and perhaps more importantly, to educate the open-science community about the threat of ransomware and other destructive types of cyberattacks. The overarching goal is to raise awareness about rising cybersecurity threats to higher education in hopes of driving safe cyberinfrastructure practices across university communities. 

To achieve this, the CIO’s office at MSU has engaged with Trusted CI, the NSF Cybersecurity Center of Excellence, in a collaborative review and analysis of the ransomware attack suffered by MSU last year. The culmination of the engagement will be a report focusing on lessons learned during the analysis; these ‘Lessons Learned’ will then be disseminated to the research community. We expect the published report to be a clear guide for researchers and their colleagues who are security professionals to help identify, manage, and mitigate the risk of ransomware and other types of attacks.

Thursday, April 1, 2021

Trusted CI Engagement Application Deadline Extended

 

Trusted CI Engagement Application Deadline Extended till April 9, 2021

 

Apply for a one-on-one engagement with Trusted CI for early 2021

  

Trusted CI is accepting applications for one-on-one engagements to be executed in July-Dec 2021. Applications are due April 9, 2021.

To learn more about the process and criteria, and to complete the application form, visit our site: 

http://trustedci.org/application


During Trusted CI’s first 5 years, we’ve conducted more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions. We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.

As the NSF Cybersecurity Center of Excellence, Trusted CI’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

Tuesday, March 30, 2021

Announcing the 2021 Trusted CI Annual Challenge on Software Assurance


The Trusted CI “Annual Challenge” is a year-long project focusing on a particular topic of importance to cybersecurity in scientific computing environments.  In its first year, the Trusted CI Annual Challenge focused on issues in trustworthy data.  Now, in its second year, the Annual Challenge is focusing on software assurance in scientific computing.

The scientific computing community develops large amounts of software. At the largest scale, projects can have millions of lines of code. Indeed, the software used in scientific computing, and the vulnerabilities present in it, can be similar to those in other domains. At the same time, the software developers have usually come from traditional science-focused domains rather than traditional software engineering backgrounds. And, in comparison to other domains, there's often less emphasis on software assurance.

Trusted CI has a long history in addressing the software assurance of scientific software, both through engagements with individual scientific software teams and through courses and tutorials frequently taught at conferences and workshops by Elisa Heymann and Barton Miller, from University of Wisconsin-Madison. This year’s Annual Challenge seeks to complement those existing efforts in a focused way, leveraging a larger team. Specifically, this year’s Annual Challenge seeks to broadly improve the robustness of software used in scientific computing with respect to security. It will do this by spending the March–June 2021 timeframe engaging with developers of scientific software to understand the range of software development practices being used and identifying opportunities to improve practices and code implementation to minimize the risk of vulnerabilities. In the second half of 2021, we will leverage our insights to develop a guide specifically aimed at the scientific software community that covers software assurance in a way most appropriate to that community.

We seek to optimize the impact of our efforts in 2021 by focusing our effort on software that is widely used, is situated in vulnerable locations, and is developed mostly by individuals who do not have traditional software engineering backgrounds and training.

This year’s Annual Challenge is supported by a stellar team of Trusted CI staff, including Andrew Adams (Pittsburgh Supercomputing Center), Kay Avila (National Center for Supercomputing Applications), Ritvik Bhawnani (University of Wisconsin-Madison), Elisa Heymann (University of Wisconsin-Madison), Mark Krenz (Indiana University), Jason Lee (Berkeley Lab/NERSC), Barton Miller (University of Wisconsin-Madison), and Sean Peisert (Berkeley Lab; 2021 Annual Challenge Project Lead).

Monday, March 29, 2021

Trusted CI and the CI CoE Pilot Complete Identity Management Engagement with GAGE

 

The Geodetic Facility for the Advancement of Geoscience (GAGE) is operated by UNAVCO and funded by the NSF and NASA. The GAGE project’s mission is to provide support to the larger NSF investigator community for geodesy, earth sciences research, education, and workforce development. During the second half of 2020, GAGE and the Trusted CI/CI CoE Identity Management working group collaborated on an engagement to design a working proof of concept for integrating federated identity into GAGE’s researcher data portal.

The Cyberinfrastructure Center of Excellence Pilot (CI CoE) is a Trusted CI partner, specializing in providing expertise and active support to CI practitioners at the NSF major facilities in order to accelerate the data lifecycle and ensure the integrity and effectiveness of the CI upon which research and discovery depend. The Identity Management working group is a joint effort between the CI CoE and Trusted CI to provide subject matter expertise and advice to major facilities on trust and identity issues, best practices, and implementation. The working group's target audience is NSF-funded major facilities, but participation in the working group is open to anyone in higher education and IAM.

The engagement began in July 2020 with a month-long series of interviews between working group members and GAGE department leadership. GAGE came into the engagement with a series of needs that had arisen from practice and with a request from NSF to collect information on how their research data was being used. The working group used the interviews to identify key systems and areas of impact in order to present GAGE with a design for integrating federated identity into their data portal using elements of InCommon’s Trusted Access Platform.

Over the next three months, the engagement team met with members of GAGE’s software development team, CILogon, and COmanage to finalize and implement the proof of concept design. This design used CILogon to consume federated identities from other InCommon member institutions and then used COmanage Registry to store GAGE-specific attributes for those identities to grant permission for accessing various data groups, membership in research projects, and home institutions. Identities and attributes stored in COmanage could then be passed to the GAGE data portal using OIDC claim tokens, granting permissions appropriately at the time of access and allowing GAGE to track which identities were requesting what permissions for their data.

The engagement culminated with a 15-page report delivered to GAGE in February 2021 containing detailed observations from interviews, alternate design configurations and tools for the proof of concept, lessons learned through the implementation process, and identification of future opportunities for investment and collaboration in IAM. Additionally, findings from this engagement will be included in an IAM cookbook that the working group plans to release in 2022. The Identity Management working group meets monthly on the second Monday at 2pm Eastern time. For more information about the Identity Management working group, please see the Trusted CI IAM page, the CI CoE working group directory, or join our mailing list to receive updates on working group meetings and products.

GAGE is funded by an NSF award managed by the Division of Earth Sciences (Award #1724794) and is operated by UNAVCO. The CI CoE Pilot is supported by a grant managed by the NSF Office of Advanced Cyberinfrastructure (Award #1842042) and is a collaboration between the University of Southern California, University of North Carolina at Chapel Hill, University of Notre Dame, University of Utah, and Indiana University. The working group would like to thank the following institutions and organizations for the collaboration and contributions to the engagement: Internet2 and InCommon, the CILogon team, the COmanage team, and the Globus team.




Announcing the 2021 NSF Community Cybersecurity Benchmarking Survey

It's time again for the NSF Community Cybersecurity Benchmarking Survey (“Community Survey”). We’ve appreciated all the great participation in the past and look forward to seeing your responses again this year. The Community Survey, started in 2016, is a key tool used by Trusted CI to gauge the cybersecurity posture of the NSF science community. The twin goals of the Community Survey are: 1) To collect and aggregate information about the state of cybersecurity for NSF projects and facilities; and 2) To produce a report analyzing the results, which will help the community level-set and provide Trusted CI and other stakeholders a richer understanding of the community’s cybersecurity posture. (To view the previous years’ reports, see 2019 Report, 2017 Report, and 2016 Report.) To ensure the survey report is of maximum utility, we want to encourage a high level of participation, particularly from NSF Major Facilities. Please note that we are aggregating responses and minimizing the amount of project-identifying information we’re collecting, and any data that is released will be anonymized.

Survey Link: https://docs.google.com/forms/d/e/1FAIpQLSeooNKQdKx-W5kRol0vTYq0oLogBaT5Sy0G2tG6LwGWSoLc3g/viewform?usp=sf_link

Each NSF project or facility should submit only a single response to this survey. Completing the survey may require input from the PI, the IT manager, and/or the person responsible for cybersecurity (if those separate areas of responsibility exist). While answering specific questions is optional, we strongly encourage you to take the time to respond as completely and accurately as possible. If you prefer not to respond to or are unable to answer a particular question, we ask that you make that explicit (e.g., by using “other:” inputs) and provide your reason.

The response period closes June 30, 2021.

Thank you.


Wednesday, March 24, 2021

Trusted CI’s Large Facilities Security Team Update Spring 2021


Trusted CI continues to address the cybersecurity needs of NSF’s Large Facilities (LFs) by coordinating the Large Facilities Security Team (LFST). The LFST comprises representatives from each of the LFs who are responsible for cybersecurity at their sites. The primary goal of the LFST is to encourage sharing of best practices, policies, and technologies among the team members to further cybersecurity at each of the LFs.

Communication among LFST participants is via a dedicated email list and monthly calls. The call format is either a facilitated discussion of a pre-selected topic or a presentation followed by Q&A. Topics during the past year included COVID-19 pandemic-related cybersecurity issues and response, a ResearchSOC overview, cybersecurity policy development, risk assessment, asset categorization, and supply chain vulnerability. The Trusted CI facilitators actively encourage input from all LFST members during these monthly calls, often producing informative insights on similarities and differences among site priorities and practices.

In service to the broader NSF cybersecurity community, input from the LFST was valuable to the development of Trusted CI’s recently released Framework Implementation Guide for Research Cyberinfrastructure Operators. The team is reviewing NSF’s proposed revision to the Major Facilities Guide, which is currently open for comment.

We look forward to another year of learning and active cybersecurity collaboration among NSF’s Large Facilities!

For more information, or to join the LFST, email benninger@psc.edu or info@trustedci.org.