Thursday, April 27, 2017

OSiRIS Engagement Summary

OSiRIS (Open Storage Research Infrastructure, NSF award #1541335) is a multi-institutional project aimed at providing a distributed storage infrastructure that allows researchers to manage and share data from their home computing facilities with other partner locations. The University of Michigan, Michigan State, Wayne State, and Indiana University are working together to develop the transparent, high-performance storage infrastructure which will be available to connected locations on participating campuses. The project will provide data sharing, archiving, security, and life-cycle management, all implemented and managed with a single distributed service.

In October 2016, CTSC began an analysis of the new OSiRIS Access Assertions (OAA) design. CTSC and OSiRIS staff worked together via a series of weekly phone calls to review the design of the authentication and authorization framework for OSiRIS. As OSiRIS is an open-source project, all design documentation and related code for OAA are available on GitHub.

Since the OAA design was at an early stage, CTSC asked OSiRIS staff to document the various use-case scenarios which would be addressed by OAA. This resulted in a set of requirements needed by scientists (end-users), system administrators, and network administrators.

Next, CTSC began the review of the core OAA system. It was discovered that OAA borrows concepts from OAuth 2.0 (RFC 6749), including JSON Web Tokens (RFC 7519) and the practice of issuing short-lived access tokens and long-lived refresh tokens. The resemblance of OAA to OAuth 2.0 inspired the team to use the OAuth 2.0 Threat Model and Security Considerations (RFC 6819) as an evaluation framework for the OAA system. Over the course of several weeks, the OSiRIS team used recommendations from the OAuth 2.0 Threat Model to make modifications to the evolving OAA design, as noted in the final engagement report.

The above swim lane diagram, produced by the OSiRIS team during the engagement, helped the CTSC team understand the OSiRIS Access Assertions (OAA) design.

After the review of the core OAA design, the review shifted to the integration of OAA with other OSiRIS components, including Ceph and NMAL/perfSONAR. As the integration is still in an early phase, CTSC staff reviewed the integration design for potential issues, drawing on experience from similar analyses in the past.

OSiRIS is using COmanage Registry for managing groups and roles for researchers and administrators. CTSC staff has significant experience with COmanage, so several conference calls were of the question-and-answer variety where OSiRIS staff were able to ask detailed questions about COmanage and how to best leverage the power of the software for their particular scenarios.

CTSC's involvement early in the design and implementation phase enabled the OSiRIS developers to incorporate several security recommendations before development had proceeded to a point where change would have been painful. CTSC identified no significant weaknesses in the resulting design. CTSC encouraged OSiRIS to apply for a follow-on engagement after implementation is complete, to review design changes that may have occurred during implementation and initial deployment.

Edited to add: See also the OSiRIS blog post on our engagement.

Tuesday, April 11, 2017

Announcing: 2017 NSF Cybersecurity Summit Call for Participation and Student Program

It is our great pleasure to announce the 2017 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. The event will take place Tuesday, August 15th through Thursday, August 17th at the Westin Arlington Gateway near the National Science Foundation Headquarters in Arlington, VA. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities.

Call for Participation (CFP) - Now Open
Program content for the summit is driven by our community. We invite proposals for presentations, breakout and training sessions as well as nominations for student scholarships. The deadline for CFP submissions is June 5th. To learn more about the CFP, please visit:

Student Program - Now Open
Each year, the summit organizers invite several students to attend the summit. Students who are interested in complex cybersecurity needs and in new, efficient, effective ways to protect information assets while supporting science will benefit most from attending. Students may self-nominate or be nominated by a mentor or a teacher. To learn more about the Student Program, please visit:

Monday, April 10, 2017

CCoE Webinar April 24th 11am EDT: HIPAA and FISMA: Computing with Regulated Data

Susan Ramsey and Anurag Shankar are presenting the talk "HIPAA and FISMA: Computing with Regulated Data," on April 24th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation with attached calendar file.

With cyberattacks and breaches rising exponentially, there is increasing pressure on federally funded scientific and academic institutions to protect regulated data, including identifiable patient data protected by the Health Insurance Portability and Accountability Act (HIPAA), and data collected or processed on behalf of the government, which is subject to the Federal Information Security Modernization Act (FISMA). Each comes with its own set of cybersecurity requirements, including physical, administrative, and technical controls, to be applied using a risk-centric approach. FISMA specifies the risk methodology to use, namely the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), but still provides considerable latitude in how it can be deployed. HIPAA leaves the choice entirely to the practitioner. Organizations are also allowed by both regulations to tailor implementation to fit their size, budget, risk tolerance, etc. This provides great flexibility, but the flexibility comes at a cost. Without prescriptive checklists and tools from the government, interpreting the regulations can be a nightmare, especially for the newly initiated. Commercial expertise comes at a premium, and may even be beyond reach due to budget. Fortunately, the news is not all bad. Cybersecurity has seen great improvements in the scientific and academic community in recent years, with a majority of required controls in place already. Remaining obstacles generally are policies and procedures, risk assessment, mitigation, and, most of all, documentation. While these take time and effort, the bulk is limited to initial implementation, with considerable gains in security and efficiency. To illustrate this, this webinar will feature two institutions, the National Center for Atmospheric Research (NCAR) and Indiana University (IU). They will share their stories of how they faced and overcame the FISMA and HIPAA challenges in their research computing environments, and benefited. The webinar will also touch upon the basics of HIPAA and FISMA, the NIST RMF, and how it can be leveraged for HIPAA and FISMA and other types of cyber compliance.
More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

CTSC helps CC*DNI awardee tune its cybersecurity practices

The University of New Hampshire Research Computing Center’s (UNH RCC’s) mission is to provide information technology (IT) support for the sponsored research community at UNH and collaborate with higher education, industry, and government to create innovative technologies designed to address important social, environmental, and economic needs. UNH RCC is supported in part by CC*DNI NSF CISE Grant #1541430. CTSC and UNH RCC are conducting an engagement looking at UNH RCC’s existing cybersecurity practices in relation to UNH and the scientists it serves. The engagement has the following related objectives:
  • Produce a report within the next month assessing the current state of UNH RCC’s information security program and make specific prioritized recommendations. 
  • Plan and conduct a period of collaborative work culminating in a 2-4 day CTSC site visit at UNH in early June.  During the site visit, meetings, training sessions, and other activities will leverage the report to build momentum for UNH to implement and sustain the plan's prioritized recommendations. 
This engagement is an opportunity for CTSC to work with a program at an institutional level and positively impact the security of the cyberinfrastructure and trustworthiness of the science it supports.

Thursday, April 6, 2017

CTSC Training at GPN/GWLA Annual Meeting

The Great Plains Network and the Greater Western Library Alliance Annual Meeting will be held in Kansas City on May 31st through June 2nd. CTSC will be providing an Incident Response and Log Analysis workshop during the conference. For more information on the conference please refer to the link below. Details for the workshop are on the Schedule page.

Monday, April 3, 2017

Open Science Cyber Risk Profile Published

In a culmination of efforts, the Center for Trustworthy Scientific Cyberinfrastructure, the NSF Cybersecurity Center of Excellence, and the Department of Energy’s Energy Sciences Network (ESnet), along with research and education community leaders, have published version 1.2 of the Open Science Cyber Risk Profile (OSCRP) -- a living document designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. A PDF of the OSCRP can be found at