Friday, October 11, 2013

Position paper accepted

The CTSC had a position paper accepted for the Workshop on Sustainable Software for Science: Practice and Experiences. Randy Heiland, Betsy Thomas, Von Welch, and Craig Jackson contributed "Toward a Research Software Security Maturity Model". Their paper, along with other accepted papers, can be found at wssspe.researchcomputing.org.uk/contributions/. The workshop will be held November 17 in conjunction with SC13.

Thursday, October 3, 2013

Oct 9 IAM Online Webinar: Passwords and Beyond

Password management is a key usability and security concern for many cyberinfrastructure projects. The October 9 IAM Online Webinar will discuss password best practices, user awareness, and two-factor authentication.

Friday, September 27, 2013

Science Gateway Security Recommendations

Jim Basney is presenting "Science Gateway Security Recommendations" today at the Science Gateway Institute Workshop in Indianapolis. This paper is a joint effort between CTSC and the Science Gateway Security project. We invite discussions and comments in the Trusted CI Forum.

Updated to add: Jim's slides.

Thursday, September 26, 2013

CTSC Year One Project Report published.

CTSC's Year One Project Report has been submitted to NSF and is available at http://trustedci.org/reports/. The Executive Summary follows.

The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is transforming and improving the practice of cybersecurity and hence the trustworthiness of NSF scientific cyberinfrastructure (CI). CTSC is providing readily available cybersecurity expertise and services, as well as leadership in advancing the state of practice and coordination across a broad range of NSF scientific CI projects via a series of engagements with NSF CI projects and a broader ongoing education, outreach and training effort.
The vision of CTSC is an NSF CI community in which 1) each project knows where it fits in a coherent cybersecurity ecosystem and can assess its own needs; 2) each project has access to the tools and needed help to enact a basic cybersecurity program and tackle the project’s advanced challenges; 3) sharing of experiences and collaboration between projects is the norm; and 4) cybersecurity is greatly benefited by leveraging services, universities, I2, and broader community best practices. 
Towards this vision, CTSC is organized by three thrusts: 1) Engagements with specific communities to address their individual challenges; 2) Education, Outreach and Training, providing the NSF scientific CI community with training, student education, best practice guides, and lessons learned documents; and 3) Cybersecurity Leadership, building towards a coherent, interoperable cybersecurity community and ecosystem.This report covers CTSC’s successful first year, in which it initiated seven engagements, completing three (LTER Network Office, LIGO, Pegasus), is in the process of finalizing three more (DataONE, IceCube, CyberGIS) and initiating a seventh (Globus Online). 
Accomplishments include 1) developing a process for developing NSF CI Cybersecurity programs that incorporates well-known best practices and tackles NSF CI challenges of residing in a complicated, multi-institution ecosystem with unique science instruments and data; 2) re-starting and organizing the NSF Cybersecurity Summit along with an online Trusted CI Forum to foster an ongoing NSF community focused on NSF CI cybersecurity; and 3) delivering seven training sessions by leveraging prior training materials from the University of Wisconsin team and creating two new tutorials. 
Educational activities include 1) creating a new education module on cybersecurity for CI that is being utilized in a class at the University of Illinois this Fall; 2) mentoring of a student in Indiana University’s Summer of Networking program; 3) and the ongoing membership of two graduate students in the CTSC team as research assistants. Our broader impacts include the publication of engagement products and three other papers to define community best practices. 
Year two plans are described that continue the emphasis on these three thrusts and building the community working on cybersecurity with the Trusted CI Forum and a vision for continued CI and Large Facility Cybersecurity Summits.

Monday, September 16, 2013

CTSC publishes its own cybersecurity program

Obviously CTSC takes cybersecurity seriously. To that end it has published its own Cybersecurity Policies and Procedures. Included with the policies and procedures is a set of documents showing the analysis that went into creating them.

These were published both to assure projects CTSC engages with that we take appropriate precautions with their data and to serve as an example to the community.

Wednesday, September 11, 2013

Resources for getting started in Identity and Access Management (IAM)

Recently a NSF project asked CTSC about some resources for getting started in identity and access management. The following was our response:


In terms of some guidance on IAM, the Higher Ed Information Security Guide has a good primer on Identity and Access Management:

And while parts are specific to InCommon, other parts of the CI InCommon Roadmap are more general and would serve you well even if you use, e.g., Google Ids:

In terms of examples from other NSF CI projects, work from OOI and DataONE serves as good examples:

http://mule1.dataone.org/ArchitectureDocs-current/design/Authentication.html

Edited to add...

[9/12] The COmanage project has a IdM Requirements Assessment process for virtual or collaborative organizations (VOs/COs): https://spaces.internet2.edu/display/COmanage/CO+Requirements+Assessment

Wednesday, August 21, 2013

CTSC Presentation on NSF CI Cybersecurity Challenges and CTSC Activities

Earlier this month I had the opportunity to make a presentation at the NSF on cybersecurity challenges facing NSF cyberinfrastructure (CI) and what CTSC and the NSF CI community is doing to tackle those challenges. That presentation is available at http://pres.vonwelch.com/pres/CTSC-NSF-Jul-2013.pdf.

Tuesday, July 23, 2013

Summer of Networking Poster Presentations

For the past several years, Indiana University's InCNTRE has hosted the Summer of Networking, bringing in interns from around the country to learn about networking, cybersecurity and related topics.

This year, CTSC mentored one intern, Betsy Thomas, in exploring how a virtual organization could be used to enhance incident detection across a number a sites. She will be presenting her work during the Summer of Networking poster session this Wednesday from 11:30am-1:30pm ET. If you are in Bloomington that day, please drop by to see the work done by Betsy and the other Summer of Networking interns.

Edited: Poster session is Wednesday, not Thursday.

Friday, June 7, 2013

Pegasus & CTSC complete engagement around security for SSH credentials

CTSC recently completed one of its initial engagements: The Pegasus project is a workflow management system that supports a breadth of computational sciences including astronomy, bioinformatics, ocean science, and many more. Pegasus workflows typically operate across distributed resources and sometimes need to stage data files between compute resources to or from storage resources. Some storage resources support mechanisms that allow Pegasus to delegate to the workflow the ability to access those resources. Other storage resources don’t have this ability - e.g., resources that use secure shell (SSH).


When staging requires SSH, Pegasus currently has no choice but to send a private key with the workflow. The goal of this engagement was to examine this practice and recommend possible improvements from the perspective of cybersecurity. CTSC provided three recommendations to the Pegasus team to improve current practice: (1) If system administrators are willing, have them deploy a mechanism that supports security delegation, such as Kerberos or GSI; (2) provide assistance to users in using SSH’s ability to impose restrictions in the authorized_keys file to limit the privileges of SSH keys used for workflows; and (3) utilize ssh-agent to minimize exposure of SSH credentials in the workflow by avoiding writing those credentials to the filesystem. We also describe alternatives we considered, but do not recommend.  For more information, please see the Pegasus-CTSC Engagement Final Report, available at http://hdl.handle.net/2022/15562.


Many thanks to the Pegasus team, including Ewa Deelman, Karan Vahi, Mats Rynge, and Gideon Juve, for the collaborative effort that made this work possible.


For more about how CTSC helps NSF projects visit http://trustedci.org/howwehelp/.

Tuesday, April 2, 2013

trust-HUB: an online community for hardware security and trust

A colleague pointed out the NSF-funded trust-HUB project to me last week: http://www.trust-hub.org/. trust-HUB, similar to CTSC's trustedci.org website, looks to build an online community working with hardware security and trust.

GSI-OpenSSH Security Advisory: pamuserchange-2013-01.adv

The GSI-OpenSSH team has published a security advisory than impacts deployments that have the PermitPAMUserChange feature enabled (by default it is disable). Default configurations of GSI-OpenSSH are not affected. 

For details, please see http://grid.ncsa.illinois.edu/ssh/pamuserchange-2013-01.adv


Sunday, March 17, 2013

LIGO Wiki Approved for InCommon Research & Scholarship Category

One challenge with federated identity is arranging for attribute release from identity providers, a process that used to involve working with each identity provider (for details see the paper on TeraGrid's federated identity experiences). To address this, InCommon has created the Research and Scholarship Category for service providers. By applying and being approved to be a member of this category, as the LIGO Wiki has done, a service provider gains immediate attribute release from over 40 identity providers in one step. Hence, the Research and Scholarship Category is a key step by InCommon to improve the ease by which cyberinfrastructure can leverage identity federation.


Thursday, March 14, 2013

OSG article on their use of Pakiti to manage patching

An important part of operating a trustworthy cyberinfrastructure software stack is managing security patches for that software. Kevin Hill of the OSG Security team wrote an article in the February OSG Newsletter on OSG's use of Pakiti. Kevin's article follows (republished with permission).

Introducing Patiki

Pakiti is a Web-based application you can set up for your site that summarizes the patching status of machines at your site. Pakiti also knows about security specific updates, and can show which systems need security updates vs. other software updates, as well as link to the relevant CVEs to easily see which vulnerabilities apply to your systems and how critical these vulnerabilities are. CVE (Common Vulnerabilities and Exposure) is a dictionary of publicly known information security vulnerabilities and exposures kept by mitre.org. Pakiti does not install any updates itself.

Pakiti was developed at CERN, and is now available in the OSG v3 software release. The OSG security team has been running a central Pakiti server to monitor a few different hosts at various sites, and now any OSG site can set up their own Pakiti server without making their sites’ vulnerability information available off site. The Pakiti client that is installed on monitored systems is a simple bash script that should not interfere with normal operations. The data sent to your site's Pakiti server is essentially the output of 'rpm -qa', as well as the operating system release version.

The Pakiti homepage is http://pakiti.sourceforge.net. OSG-specific installation instructions are available at: https://twiki.grid.iu.edu/bin/view/Documentation/Release3/PakitiInstallation

~Kevin Hill, OSG Security Team

Friday, March 8, 2013

OSG All Hands Meeting, DOE NGNS PI Meeting, Talk at ISI

I will be at the OSG All Hands Meeting next week presenting the OSG's work in establishing a new public key infrastructure. The following week I'll be at the DOE NGNS PI meeting and then visiting ISI where I'll be giving a talk on CTSC (details to come).

If you'd like to meet with me at any of those venues about CTSC or any of my work, please drop me an email.

                                   - Von

Friday, February 1, 2013

Control systems security at CERN

Interesting article on control systems security at CERN and the steps they have taken with regards to cybersecurity in light of Stuxnet and similar malware.

Friday, January 25, 2013

NSF-Sponsored Workshop to Explore Social Science Contributions to Understanding Cyber Security



There is a call for white papers, due Feb 1, for the NSF-Sponsored Workshop to Explore Social Science Contributions to Understanding Cyber Security. For information see the workshop announcement (pdf).

Monday, January 21, 2013

Software security needs survey and vulnerability handling

Last week, I was part of a panel at the NSF SI2 PI meeting. It was a good meeting discussing a lot of the challenges we are facing with sustainability and engaging the science community. Two presentations I found of particular interest were Neil Chue Hong's presentation on Software Sustaibaility (I'm very happy to have Neil on CTSC's advisory committee) and Jim Herbsleb's presentation on software ecosystems (not posted at this time unfortunately).

My presentation was on things software projects should do in order to handle vulnerabilities, something members of the CTSC team have from being leaders of software projects, from being part of the team running large production infrastructures and doing research into finding software vulnerabilities. For those wanting more information on this topic, I wrote a white paper on it a couple years ago.

I also announced that CTSC has a survey for NSF projects writing software. We'd like to better understand your projects needs, so please take a few minutes to complete it. Or if you prefer, just contact me directly at vwelch@indiana.edu or (812) 856-0363.

Tuesday, January 15, 2013

CTSC and LIGO Collaborate on Interfederation

CTSC and LIGO are working together to enable international access to cyberinfrastructure through interfederation.

By leveraging federated identity, LIGO seeks to streamline electronic collaboration with other gravitational wave, astronomy, and astrophysics projects throughout the world. LIGO is a member of the InCommon Federation, which enables federation with institutions in the United States but does not, at this time, address federation with entities outside the US. Today, federation with entities in Europe, Japan, Australia, and Canada requires LIGO to negotiate peer-to-peer federation individually with each entity.

The CTSC-LIGO collaboration is:
  • Documenting the challenges LIGO faces today when negotiating peer-to-peer federation with individual entities.
  • Setting the stage for LIGO and EGO to federate in the future.
  • Working to enable interfederation for LIGO through InCommon.
  • Investigating and reporting on the likelihood and timescale for federation between LIGO and other entities in Europe via eduGAIN.
  • Assisting LIGO-India with documenting federation use cases and engaging with federation efforts in India.
  • Actively participating in REFEDS, the leading discussion and coordination forum for international interfederation.
To help enable interfederation through InCommon, the CTSC-LIGO collaboration has helped to form the InCommon TAC Interfederation Subcommittee, which is documenting InCommon community interfederation use cases, timelines, plans, issues, and recommendations. All are welcome to join in this InCommon-focused effort — please subscribe to the interfed@incommon.org e-mail list to participate.