Monday, March 23, 2020

Tips for avoiding "Zoombombing"

As COVID-19 has necessitated increased use of telecommuting solutions, there have been instances of public Zoom meetings getting hijacked, or "Zoombombed," by malicious actors. Zoom has posted a blog with many helpful tips to prevent unintended access to your meeting and/or meeting controls.

The most important tip is to prohibit open access to the screen sharing feature during your meeting. You can disable this setting in your account profile:
  • Log into your Zoom account
  • Click the "Settings" tab on the left side of the screen
  • Search for "Screen Sharing"
  • Under "Who can share?" change the setting from "Participants" to "Host Only" (see screenshot below)
  • Save your changes

And when hosting a public meeting, do not use your personal Zoom Meeting ID. Create a separate meeting event for any link you share publicly.

Thursday, March 19, 2020

March 24th at 3pm ET: Trusted CI hosting COVID-19 virtual town hall

In case you missed our town hall on COVID-19, the slides and video have been archived.

Trusted CI is holding a Virtual Town Hall on Tuesday March 24th at 3pm Eastern to discuss the impact of COVID-19 on the NSF open science community. We recently posted a blog discussing recommendations for reducing cybersecurity risk while working remotely and protecting regulated data during the COVID-19 outbreak. In collaboration with NSF CI CoE Pilot and SGCI, we are also offering priority help to projects tackling COVID-19. The purpose of this Town Hall  is to review Trusted CI resources and recommendations, share what institutions are currently doing, and discuss your concerns. This Town Hall will be recorded.

If you'd like to submit a question or topic for discussion, email Jeannette Dopheide.  

Join us on March 24th at 3pm Eastern:
https://iu.zoom.us/j/471923848

Call coordinates:
Trusted CI is inviting you to a scheduled Zoom@IU meeting.

Topic: Trusted CI COVID-19 Town Hall
Time: Mar 24, 2020 03:00 PM Indiana (East)

Join from computer or mobile: 
https://iu.zoom.us/j/471923848

Meeting ID: 471 923 848

One tap mobile
+13126266799,,471923848# US
+16465588656,,471923848# US 

Dial by your location
        +1 312 626 6799 US
        +1 646 558 8656 US
        +1 253 215 8782 US
        +1 301 715 8592 US
        +1 346 248 7799 US
        +1 669 900 6833 US
Meeting ID: 471 923 848

 IU videoconferencing equipment: 26 471 923 848


Videoconferencing equipment outside of IU:
SIP:  471923848@zoomcrc.com
H.323:
162.255.37.11 (US West)
162.255.36.11 (US East)
221.122.88.195 (China)
115.114.131.7 (India Mumbai)
115.114.115.7 (India Hyderabad)
213.19.144.110 (EMEA)
103.122.166.55 (Australia)
209.9.211.110 (Hong Kong)
64.211.144.160 (Brazil)
69.174.57.160 (Canada)
207.226.132.110 (Japan)

Meeting ID: 471 923 848

Zoom@IU Team | cthelp@iu.edu | https://kb.iu.edu/d/bfqu

Keeping Regulated Data Secure during the COVID-19 Outbreak

The social distancing measures against COVID-19 have resulted in a massive shift of the workforce to home offices. While this has allowed work to continue, it has caused concern among some organizations, especially those without regulatory expertise or resources, who are collecting COVID-19 data or handling other types of regulated research data. We are therefore providing the following guidance to help organizations stay compliant with privacy and security regulations that impact research data, irrespective of whether it is COVID-19 related or other types of data.

[Note: You can also check out our earlier blog post titled “Recommendations for reducing cybersecurity risk while working remotely”.]

1. HIPAA (Health Insurance Portability and Accountability Act) 

First of all, determine if HIPAA is applicable. Not all personally identifiable health information is protected by HIPAA, only protected health information (PHI) created, received, maintained, and transmitted by covered entities (CE) and their business associates (BA). If you are neither, HIPAA may not apply to health data you collect, even if it is personally identifiable. That said, you should still consider it sensitive data and protect it using applicable safeguards below.

Collecting and processing PHI:
  1. Only use tools institutionally approved for PHI. 
  2. Do not use a vendor with whom your institution does not have a HIPAA business associate agreement (BAA). Here is a list of some vendors you might consider if you do not have HIPAA approved systems: 
    1. Qualtrics for surveys 
    2. SFax for e-faxing 
    3. Zoom for teleconferencing 
    4. Box for Healthcare for file sharing 
  3. Protect your workstations and mobile devices as described below. 
Protecting PHI when working from home:
  1. Follow institutional telework and IT policies and procedures. 
  2. Work with your IT professionals. 
  3. Secure your workstation (laptop/desktop). 
    1.  Use a workstation provided and secured by your institution. 
    2.  If you must use a shared workstation (e.g., a home PC), ensure you take the following security measures: 
      1. Do not use the workstation if it has an old and insecure operating system installed (e.g. Windows XP). 
      2. Create a separate account for yourself and password protect it. Access PHI only while logged into this account. 
      3. Do not share the account password. 
      4. Do not download PHI to the workstation. 
      5. Enable and password protect the screen saver. 
      6. Ensure that the firewall and antivirus are enabled. 
      7. Apply the latest patches. 
      8. Connect only to trusted, work-related websites. 
      9. Turn off the “Remember Password” feature in browsers/decline to store passwords to sensitive sites. 
      10. Do not backup the device to your personal cloud storage (e.g. Google or Apple) account. 
      11. Delete the account after you are back at work. 
    3. Secure your mobile device (smartphone/tablet). 
      1. Use a mobile device provided/secured by your institution. 
      2. If you must use a personally owned mobile device, take the following security measures:
        1. Follow your institutional policies/procedures regarding use of personal mobile devices for PHI. 
        2.  Do not download PHI to the device. 
        3.  Enable screen lock or PIN. 
        4. Do not backup the device to your personal cloud storage (e.g. Google or Apple) account. 
    4. Ensure encryption at rest and in transit. 
      1. Ensure that your home WiFi network is using encryption. 
      2. Ensure that the workstation/mobile device is full-disk encrypted.
      3.  Ensure that the URL for sites you visit begins with an https://. 
      4. Use a VPN, especially when using an untrusted network. 
      5. Use institutionally approved, encrypted communication tools for remote meetings. However, as of March 17th, US Dept. of Health and Human Services’ Office for Civil Rights (responsible for enforcing HIPAA) is allowing video chat tools such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype for COVID-19 response. Public facing apps such as Facebook Live, Tiktok, etc. are not allowed. 
      6. Do not record meeting sessions. 
      7. If you are backing up to external media, e.g., a USB disk, ensure that it is encrypted.
    5. Ensure physical security. 
      1. Keep your device and any connected media in a physically secure location. 
      2. Keep conversations private by restricting physical access to the home office space to others during meetings where PHI may be disclosed.  
Breach Notification:
  1. If you suspect an incident or a breach of PHI, immediately follow your institutional incident response process.
For the strictly privacy aspects of HIPAA, please refer to Dept. of Health and Human Service's guidance on HIPAA privacy and coronavirus.

2. GDPR (General Data Protection Regulation) 

COVID-19 related data on European Economic Area (EEA) persons falls under a “special category of personal data” under GDPR. 
  1. Processing this data requires consent from the subject. 
  2. Processing must be necessary for one or more of the following. 
    1. Allow an employer to function. 
    2. Protect the interest of the subject. 
    3. Reasons of substantial public interest. 
    4. Purposes of preventing or occupational medicine. 
    5. Reasons for public interest in the area of public health. 
  3. Records of data processing must be kept. 
3. DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement) 

Protecting CUI while working from home: 
  1. Secure your workstation (laptop/desktop). 
    1. Work with your IT professionals. 
    2. If your institution provides it, use a web- or remote desktop-accessible virtual desktop interface (VDI) and a remote CUI enclave. 
    3. Use an institutionally provided and secured workstation. 
    4. Do not use a shared workstation such as a home PC. 
    5. Ensure both the firewall and antivirus are enabled. 
    6. Access CUI only while logged into your own user account. 
    7. Use a strong password. 
    8. Do not share the password. 
    9. Enable 2-factor authentication (e.g., fingerprint sensor) if possible. 
    10. Do not download CUI. 
  2. Mobile devices: 
    1.  Do not use mobile devices to access, store, or process CUI. 
  3. Ensure encryption at rest and in transit. 
    1. Ensure that your home WiFi network is using encryption.
    2. Ensure the workstation has full disk encryption. 
    3. Always use a VPN.
  4. Ensure physical security. 
    1. Keep your device and any connected media in a physically secure location. 
    2. Keep conversations private.  Restrict physical access to the home office space to others during meetings where CUI may be disclosed.  
Breach notification:
  1. If you suspect an incident or a breach, immediately follow your institutional incident response process. 
For more guidance, contact your Contracting Officer.
COVID-19 Phishing, Scams, and Fake News 
  1. Beware of COVID-19 phishing tactics and scams
  2. Avoid COVID-19 fake news and misinformation
Contact us if you need additional help or information.

Tuesday, March 17, 2020

Trusted CI, NSF CI CoE Pilot, and SGCI Offering Priority help to projects tackling COVID-19

The NSF Cyberinfrastructure Center of Excellence Pilot, Trusted CI, and the Science Gateways Community Institute are all available to help the science community tackle research to address the coronavirus disease 2019 (COVID-19) outbreak. If your project could benefit from expert cyberinfrastructure consulting in: 
  • data management and visualization, 
  • workflow management, 
  • use of cloud resources, high-performance clusters, or distributed resources; 
  • science gateway technology, 
  • cybersecurity, or 
  • compliance, 
please contact us for priority assistance. We are here to help.
To request assistance, please send an email to covid19@trustedci.org and we will be in contact.
Help with writing proposals related to COVID-19 is also available, but priority will be given to active projects.

[Cross posted to the SGCI Blog and the CI CoE website]

Friday, March 13, 2020

Recommendations for reducing cybersecurity risk while working remotely

You're probably aware of the COVID-19 / coronavirus pandemic. As the pandemic continues to unfold, our research and security communities will be increasingly impacted.  Numerous conferences have been canceled, and it has already been made public that two people who attended the cybersecurity conference, RSA, tested positive for coronavirus. Many institutions are now recommending or even requiring students and employees to work from home. While you may already be prepared to deal with one or two staff members working remotely or being out sick, most organizations are unprepared for the majority of their staff suddenly being in these categories.  Thus, Trusted CI would like to share some critical risks that we think are relevant to this situation and provide recommendations for how to mitigate them over the coming weeks.  Here are some questions to help you consider these risks.

Do you have all the passwords you need?
As people switch to working from home or go on extended leave, they may take passwords with them that other staff do not have. Do they normally keep the superadmin password on a sticky note on their monitor and now can't access it? This is a good opportunity to quickly review who has access and that they will have the necessary credentials for working remotely. We recommend the use of password managers (such as KeePass, 1Password, LastPass, etc.) to keep passwords securely stored and readily accessible through online means.

How will backups be handled?
Backups may require physical presence to change disks or tapes, but may be difficult to manage remotely. Still, these backups are essential for being able to make a proper recovery from a security incident. You may first want to check with your institutional IT group to see if they have the ability to manage these backups for you to reduce the need to travel to work.

Is your regular office environment's physical space being monitored and access controlled?
Reduced staffing at your facility may increase the risk of unauthorized/unmonitored physical access to your systems and information. Locking doors is recommended and checking with your institutional security for their practices will help you understand what is being monitored and how unauthorized access is determined.  Consider letting your custodial staff know your plans as normal security procedures such as locking doors may lapse during crisis mode and become a problem. On the upside, the chances of tailgating happening in the next few weeks is near zero.

Are you leaving unpatched workstations running?
Some staff may need to leave desktop or workstation systems in an unattended office for a long period of time. If these systems are not running services required for normal operation, it is recommended that these systems be turned off to avoid them becoming a liability if a critical vulnerability is released while away. Upon returning to the office, you should enforce an immediate vulnerability scan on these systems and patch as necessary. Check with your local institutional IT staff to make sure this would not interfere with their operations as they may expect systems to be kept running to remotely backup and patch computers.

Do you have enough redundancy of staff?
Redundancy of staffing is always important, but with the coronavirus threat, there is an increased chance of redundant staff being affected as well, leading to lack of coverage. We recommend designating additional staff to be prepared to act in a maintenance or security role, if needed, as an additional redundancy.

Do you have a secure channel to communicate?
When direct interpersonal communications are no longer possible for sharing of sensitive  information, the need for having a secure online communication channel increases. We recommend that identifying a secure channel that can be used (for example, Signal, SMIME, PGP/GPG, or another one recommended by your institution) and testing this channel with your staff in advance of any need to use it.  This becomes especially important when you forgot to share an important password with other staff and have no way of securely communicating it.

Will you be able to meet without your normal teleconferencing?
Demand for videoconferencing is expected to be at an unprecedented high as online classes and meetings begin to utilize it. It is possible that your normal video conferencing meetings will be disrupted or unavailable for a period of time. It is recommended that you identify an auxiliary method of holding such meetings. Also, if you are not doing so already, set a password on your teleconferencing meetings if possible and test that it works to prevent unauthorized access.

Can you perform all the steps in an incident response remotely?
Now would be a good time to review your security incident response plan to ensure that all the steps can be performed remotely, and if not, come up with an alternative approach.

Do you have enough VPN licenses?
One common method of providing remote access for employees is through a virtual private network (VPN).  However, the increased remote activity could mean a shortage of VPN licenses, so now would be a good time to check the number of available licenses and ensure that it matches with the expected load over the next few weeks.

Is there a bastion host you can use for remote access?
Those who use SSH, RDP or similar for accessing servers remotely may want to consider the use of a bastion host to provide a control point. This is a safer alternative than opening up direct remote access ports on internal systems. However, rather than rushing to set up a new bastion server, instead look for an existing one that has been provided by your institutional IT or ask for their recommendations.

Do you have a secure working space at home?
For many, the next couple weeks may mean sharing your working space with family who are also working or attending school remotely. It's important to consider the potential for sensitive information in meetings to be overheard across meetings happening simultaneously. If you haven't already, it would be a good idea to find or setup an isolated space in your home for holding such meetings.

Be aware of new phishing tactics and scams.
There have been reports that attackers are taking advantage of the fear and demand for information about COVID-19 to spread malware. One such attack is the "Coronavirus map", which "had weaponized coronavirus map applications in order to steal credentials such as user names, passwords, credit card numbers and other sensitive information that is stored in the users’ browser".

There are also additional resources that we've found online for raising your awareness about cybersecurity issues during the coronavirus threat that we're including in the list below:

Thursday, March 12, 2020

Transition to Practice success story: Simplifying scientist access to cyberinfrastructure with CILogon

Service provides identity management, so research projects don’t have to.

[Want to learn the basics about Transition to Practice? Read an introduction to the Trusted CI Cybersecurity Technology Transition to Practice (TTP) program >>] 

CILogon enables researchers to log on to cyberinfrastructure (CI). CILogon provides an integrated open source identity and access management platform for research collaborations, combining federated identity management (Shibboleth, InCommon) with collaborative organization management (COmanage).

Jim Basney is a senior research scientist, cybersecurity division, National Center for Supercomputing Applications (NCSA), University of Illinois at Urbana-Champaign. Jim is also deputy director for Trusted CI. We spoke with Jim about CILogon and about its transition to practice.

TRUSTED CI: Please tell us about the scope of your work, and how CILogon fits into that.

I'm here in the security group at NCSA. We are focused on enabling secure access to computational resources for scientists.

One aspect of that is working with Trusted CI. In my role as the deputy director for Trusted CI, I help researchers with their cybersecurity challenges. That includes identity and access management but also cybersecurity policies, data management, and operational security topics -- a wide range of cybersecurity topics.

Outside of my Trusted CI work, I mainly focus on the topic of identity and access management. CILogon is one of the projects that I work on in that context.

I also work on a related project called SciTokens which is about using JSON Web Tokens for access to scientific cyberinfrastructure.

We are integrating the research that's coming out of the SciTokens project into the CILogon service.

TRUSTED CI: How will that help CILogon?

It's going to give researchers more options for authorizing access to the variety of scientific services that they're using. Right now, CILogon is providing ID tokens that identify the researcher. This allows research collaborations to do attribute-based access control and identity-based access control using the researcher’s login.

SciTokens also adds capability-based access control so that you can have a least-privilege access control policy based on a potentially complex set of policy rules to say, “Yes, you are authorized to access this file” or “You're authorized to access this cloud resource or this space on the wiki.” It does not need to be based on your individual identity.

TRUSTED CI: Users can get lots of information on the CILogon website. Tell us in your own words what you see as the primary benefit and what value it brings to users.

Our goal is to enable logon to scientific cyberinfrastructure. We want to make it seamless for researchers to access the cyberinfrastructure that they need to conduct their research and their scientific collaborations.

Part of making that seamless is we want researchers to be able to use their existing identities. In most cases that's a campus identity through their campus identity provider. That could be part of the InCommon Federation or globally part of the eduGAIN interfederation service, in many cases using the open source Shibboleth single sign-on software. But it could also be identities from other providers like Google or GitHub or ORCID.

In addition to enabling that logon, we want to enable the providers of cyberinfrastructure to manage the access to those resources through onboarding and offboarding procedures that control how researchers log on; the duration of the collaboration; the ability to set collaboration-specific attributes, groups, and roles; and to do that in one place so that researchers have a consistent level of access across all the different cyberinfrastructure services that they're using.

Enabling that consistency means that we need to provide a service that supports many APIs and protocols for integrating identity management with the variety of research applications that the scientists need to use.

In CILogon, we support a long list of standards including OpenID Connect, OAuth, JSON Web Tokens, SAML [Security Assertion Markup Language], LDAP, certificates, and public keys.

We provide all these capabilities in a nonprofit, open-source, reliable, hosted software-as-a-service offering from NCSA, which manages our resources, contracting, and subscription process.

The goal of providing it as a service is that we understand that identity and access management software is fairly complex to operate, so we have a team on the CILogon project with the needed operational experience. We provide that as a service to a variety of research projects so they don't have to become experts in the software themselves -- they can just rely on us.

Institutions can make it available to the research projects that their researchers are part of. Because we're using standards like SAML, Shibboleth, and the InCommon Federation, we connect with what the institutions are doing because so many institutions in the US and around the world are part of these academic research and education federations.

We are compatible with the identity and access management services that are already on campus, and we're providing the glue to make that work with research cyberinfrastructure.

TRUSTED CI: Can you give some specific examples or scenarios of the kind of infrastructure you're describing; who might be connecting to that and why?

First, I'll talk about different types of applications.

We see in different science projects that scientists may use a science gateway, which is a web portal that hosts a variety of science applications and data through a web interface. They may be logging in to an HPC cluster to submit a large simulation. They may create a Jupyter Notebook to develop their reproducible workflow for their scientific work. They may be posting results and having discussions on wikis or mailing lists. They might also be developing services and deploying them on Kubernetes. These are some of the services that we get requests to integrate with a common identity and access management system.

LIGO [Laser Interferometer Gravitational-Wave Observatory] is an example of a scientific collaboration that uses many of these services and is a CILogon subscriber. LIGO is an international collaboration making it possible for the researchers that are part of that collaboration to access all of these different applications in a convenient way. This means that they can get access to the signals from the scientific instrument so that they can quickly analyze those results and publish their scientific results in a collaborative and secure way.

We're focused on the academic research and scholarship use case and that's a very broad set of researchers -- thousands of researchers on thousands of campuses across the US and many more globally.

On one end of the scale, we serve the research project that is only one or two investigators with some grad students on one campus. Then on the other end of the scale are international collaborations that may have thousands of participants. By offering a software-as-a-service platform that has these common integration points and is easy to get connected to, we intend to make it easy both for the small projects and larger projects to take advantage of the services.

TRUSTED CI: Do they pay for this service?

We have a free tier and then we have paid tiers that provide additional functionality and that also provide the contracted service-level agreements that especially the larger research projects depend on.

TRUSTED CI: Any restrictions on your target audience? In other words, do you have to be a US facility to be a paid client or a free client or could it be any other country?

It's not restricted to US facilities or just to NSF projects. Our requirement is that you do need to be focused on academic research. We're not serving the commercial research space.

In part, our target audience is meant to be compatible with what's called the REFEDS Research and Scholarship Entity category. That's an internationally recognized identity management policy about information sharing between academic institutions to support research using Federated Identity. That really enables all the work that we do with CILogon.

It's very important for us to stay within the bounds of that policy focused on the academic research use case.

TRUSTED CI: Do you have many international users?

Yes. We currently have about 8,000 active users each month and a significant percentage of those users are international. For example, we have over 100 active users from CERN [the European Organization for Nuclear Research]. We also see users from Germany, the UK, Italy, the Czech Republic, South Korea, Australia, and elsewhere.

TRUSTED CI: Anything else our readers need to know that is not documented on the website?

Everything should be documented on the CILogon website, and users can log in right from there.

TRUSTED CI: Talk a bit more about your support structure and particularly the paid tiers.

We have three tiers that are described on the website where your readers can find more details.

We call the no-charge tier our basic authentication tier. As the name implies, it's just providing our authentication service without any group management or attribute management -- just a basic authentication service with best-effort support.

The first paid tier is called Essential Collaboration Management. That adds the collaboration support -- the onboarding and offboarding, groups, attributes, and roles that are managed through open source software called COmanage. We publish that information into an LDAP directory and a SAML attribute authority providing multiple standard interfaces to the information about the researcher’s role in the collaboration. When a collaboration subscribes to that tier, that gives them the ability to manage that information about their collaboration in our environment.

The full-service tier includes all those capabilities plus it adds the SciTokens capability and adds Grouper for advanced access management and also provides dedicated service instances for more customized capabilities and improved performance.

TRUSTED CI: What is the chronology of CILogon?

CILogon grew out of NSF grants back in 2004 called GridShib for grid computing and Shibboleth. Combining those two technologies, we've built up the capability thanks to several NSF grants over the years, along with a Department of Energy grant. We had our first CILogon award from NSF in 2009 but we built that using software that was developed from the 2004 GridShib award [NSF award 0438385]. CILogon went live in 2010 with the free service tier.

In 2019, we transitioned from grant funding to the subscription funding model. We're now in our second year of subscription funding support.

Except for some core operational support that we get from XSEDE [the Extreme Science and Engineering Discovery Environment], which is really critical for the sustainability of that free tier, we are fully subscriber-funded.

TRUSTED CI: Are there other collaborators that you want to mention?

Scott Koranda is my co-PI. Scott works for a company called Spherical Cow Group. And of course, none of this would be possible without InCommon.

TRUSTED CI: Are there other things you've spawned from CILogon that are adding additional value?

Grouper and COmanage are existing products that we integrated into the CILogon service offering. Out of CILogon, SciTokens is one example where we spun off research building on some of the existing CILogon technology, developed new capabilities, and are bringing it back into the CILogon operational service.

TRUSTED CI: Is the software available to others?

All of our software is open source and published on GitHub.

The RCauth.eu service in Europe is an example of offering similar services using our open source software. Other large infrastructure providers can take the software and operate it themselves if they’d like, though we believe there is significant value provided by the CILogon operational team through our software-as-a-service offering.
___
This material is based upon work supported by the National Science Foundation under grant numbers 0850557, 0943633, 1053575, 1440609, 1547268, and 1548562 and by the Department of Energy under award number DE-SC0008597. CILogon operations is supported by subscribers.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the United States Government or any agency thereof.

Monday, March 9, 2020

Trusted CI Announces The 2020 Fellows

Trusted CI, the NSF Cybersecurity Center of Excellence, is excited to announce the Trusted CI Open Science Cybersecurity Fellows. Six individuals with professional interests in cybersecurity have been selected from a nationally competitive pool.  During the year of their Fellowship, they will receive recognition and cybersecurity professional development including training and travel funding to cybersecurity related events.

The 2020 Trusted CI Open Science Cybersecurity Fellows are:

Songjie Wang
Cyberinfrastructure Engineer, University of Missouri

Songjie provides services to the research community for cloud infrastructure and deployment, technology transformation, system engineering, and application development. He is actively involved in various research projects that concern problems in cloud computing, cybersecurity, mobile edge computing, and machine learning. He is a liaison between the college and the campus high-performance computing center to facilitate research productivity.



  

Mohamad Qayoom
IT Consultant, Louisiana State University Health Sciences Center New Orleans (LSUHSC-NO)

Mohamad serves LSUHSC-NO’s research community in bridging the gap between research and computing. He possesses a flexible portfolio of information systems management and services developed through hands-on architectural expertise. He is passionate about developing a top-quality IT workforce. He teaches courses in networking, security, and project management, and classes for IT certification exams.




Smriti Bhatt
Assistant Professor of Computer Science, Texas A&M University-San Antonio

Smriti Bhatt, Ph.D., does research in security and privacy in Cloud and Internet of Things (IoT). She focuses on securing authorization, communication, and data flow in the context of Cloud enabled IoT domains such as smart home, smart health, and wearable IoT. Dr. Bhatt is passionate about enhancing diversity and inclusion in computing and serves as a co-advisor for a Women in CyberSecurity student chapter. She is active in Grace Hopper Celebration, CyberW, and San Antonio Women in IT.


Luanzheng “Lenny” Guo
Ph.D. candidate, University of California Merced

Lenny’s research is under the supervision of Professor Dong Li and focuses on system resilience and reliability in high-performance computing (HPC) systems. Lenny has broad research interests at the intersection of HPC systems, data analytics, and cybersecurity. His continuing research goal is to develop cybersecurity solutions for HPC cyberinfrastructures.






Jerry Perez
Director of Cyber Infrastructure Operations, University of Texas at Dallas

Jerry Perez, Ph.D., has over 18 years of experience using and teaching HPC technologies. Dr. Perez is interested in collaborating with other universities to share HPC knowledge; teaching computer science subjects such as programming, systems design, and massive-compute high-throughput computing (compute grids); creating cyberinfrastructure projects to share resources; and promote academic excellence through HPC in the classroom.




Laura Christopherson
Senior Data Scientist, Renaissance Computing Institute (RENCI)
Laura's background is in theater, art, and information science. Her interests include social informatics, language and communication, user-centered design, and research and design ethics. At RENCI, she works with scientists to design and develop cyberinfrastructure to support them in their research. It is important to her to take good care of the scientists she works with and to make their research data safe and secure.




The Fellows will receive training consisting of a Virtual Institute, providing 20 hours of basic cybersecurity training over six months. The training will be delivered by Trusted CI staff and invited speakers. The Virtual Institute will be presented as a weekly series via Zoom and recorded to be publicly available for later online viewing. Travel support is budgeted (during their first year only) to cover fellows’ attendance at the NSF Cybersecurity Summit, PEARC, and one professional development opportunity agreed to with Trusted CI. The Fellows will be added to an email list to discuss any challenges they encounter that will receive prioritized attention from Trusted CI staff. Trusted CI will recognize the Fellows on its website and social media. Fellowships are funded for one year, after which the Trusted CI Fellows will be encouraged to continue participating in Trusted CI activities in the years following their fellowship year. After their training in the Virtual Institute, Fellows, with assistance from the Trusted CI team, are expected to help their science community with cybersecurity and make them aware of Trusted CI for complex needs. By the end of the year, they will be expected to present or write a short white paper on the cybersecurity needs of their community and some initial steps they will take (or have taken) to address these needs. After the Fellowship year Trusted CI will continue to recognize the cohort of Fellows and give them prioritized attention. Over the years, this growing cohort of Fellows will broaden and diversify Trusted CI’s impact.

 About the Trusted CI Fellows Program

Trusted CI serves the scientific community as the NSF Cybersecurity Center of Excellence, providing leadership in and assistance in cybersecurity in the support of research. In 2019, Trusted CI establish an Open Science Cybersecurity Fellows program. This program establish and support a network of Fellows with diversity in both geography and scientific discipline. These fellows will have access to training and other resources to foster their professional development in cybersecurity. In exchange, they will champion cybersecurity for science in their scientific and geographic communities and communicate challenges and successful practices to Trusted CI.

Fellows come from a variety of career stages. They demonstrate a passion for their area, the ability to communicate ideas effectively, and a real interest in the role of cybersecurity in research. Fellows are empowered to talk about cybersecurity to a wider audience, network with others who share a passion for cybersecurity for open science and learn key skills that benefit them and their collaborators.