Friday, September 27, 2013

Science Gateway Security Recommendations

Jim Basney is presenting "Science Gateway Security Recommendations" today at the Science Gateway Institute Workshop in Indianapolis. This paper is a joint effort between CTSC and the Science Gateway Security project. We invite discussions and comments in the Trusted CI Forum.

Updated to add: Jim's slides.

Thursday, September 26, 2013

CTSC Year One Project Report published.

CTSC's Year One Project Report has been submitted to NSF and is available at http://trustedci.org/reports/. The Executive Summary follows.

The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) is transforming and improving the practice of cybersecurity and hence the trustworthiness of NSF scientific cyberinfrastructure (CI). CTSC is providing readily available cybersecurity expertise and services, as well as leadership in advancing the state of practice and coordination across a broad range of NSF scientific CI projects via a series of engagements with NSF CI projects and a broader ongoing education, outreach and training effort.
The vision of CTSC is an NSF CI community in which 1) each project knows where it fits in a coherent cybersecurity ecosystem and can assess its own needs; 2) each project has access to the tools and needed help to enact a basic cybersecurity program and tackle the project’s advanced challenges; 3) sharing of experiences and collaboration between projects is the norm; and 4) cybersecurity is greatly benefited by leveraging services, universities, I2, and broader community best practices. 
Towards this vision, CTSC is organized by three thrusts: 1) Engagements with specific communities to address their individual challenges; 2) Education, Outreach and Training, providing the NSF scientific CI community with training, student education, best practice guides, and lessons learned documents; and 3) Cybersecurity Leadership, building towards a coherent, interoperable cybersecurity community and ecosystem.
This report covers CTSC’s successful first year, in which it initiated seven engagements: it completed three (LTER Network Office, LIGO, Pegasus), is in the process of finalizing three more (DataONE, IceCube, CyberGIS), and is initiating a seventh (Globus Online).
Accomplishments include 1) developing a process for developing NSF CI Cybersecurity programs that incorporates well-known best practices and tackles NSF CI challenges of residing in a complicated, multi-institution ecosystem with unique science instruments and data; 2) re-starting and organizing the NSF Cybersecurity Summit along with an online Trusted CI Forum to foster an ongoing NSF community focused on NSF CI cybersecurity; and 3) delivering seven training sessions by leveraging prior training materials from the University of Wisconsin team and creating two new tutorials. 
Educational activities include 1) creating a new education module on cybersecurity for CI that is being utilized in a class at the University of Illinois this Fall; 2) mentoring of a student in Indiana University’s Summer of Networking program; and 3) the ongoing membership of two graduate students in the CTSC team as research assistants. Our broader impacts include the publication of engagement products and three other papers to define community best practices.
Year two plans are described that continue the emphasis on these three thrusts and building the community working on cybersecurity with the Trusted CI Forum and a vision for continued CI and Large Facility Cybersecurity Summits.

Monday, September 16, 2013

CTSC publishes its own cybersecurity program

Obviously CTSC takes cybersecurity seriously. To that end it has published its own Cybersecurity Policies and Procedures. Included with the policies and procedures is a set of documents showing the analysis that went into creating them.

These were published both to assure projects CTSC engages with that we take appropriate precautions with their data and to serve as an example to the community.

Wednesday, September 11, 2013

Resources for getting started in Identity and Access Management (IAM)

Recently an NSF project asked CTSC about some resources for getting started in identity and access management. The following was our response:


In terms of some guidance on IAM, the Higher Ed Information Security Guide has a good primer on Identity and Access Management:

And while parts are specific to InCommon, other parts of the CI InCommon Roadmap are more general and would serve you well even if you use, e.g., Google Ids:

In terms of examples from other NSF CI projects, work from OOI and DataONE serves as good examples:

http://mule1.dataone.org/ArchitectureDocs-current/design/Authentication.html

Edited to add...

[9/12] The COmanage project has an IdM Requirements Assessment process for virtual or collaborative organizations (VOs/COs): https://spaces.internet2.edu/display/COmanage/CO+Requirements+Assessment