Tuesday, October 9, 2018

Trusted CI Webinar October 22nd at 11am ET: Urgent Problems and (Mostly) Open Solutions with Jeff Spies

Jeffrey Spies is presenting the talk "Urgent Problems and (Mostly) Open Solutions" on Monday October 22nd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
We're at an important stage in the history of science. The internet has dramatically accelerated the pace and scale of communication and collaboration. We have the computational resources to mine and discover complex relationships within massive datasets from diverse sources. This will usher in a new era of knowledge discovery that will undoubtedly lead to life-saving innovation, and access to content is paramount. But how do we balance transparency and privacy or transparency and IP concerns? How do we protect data from being selectively deleted? How do we decide what to make accessible with limited resources? How do we go from accessible to reusable and then to an ecosystem that fosters inclusivity and diversity?

And what if we no longer own the content we'd like to be made accessible? Such is the case with most journal articles. Skewed incentives have developed around centuries-old publishing practices that reward what is publishable rather than what is rigorous, reproducible, replicable, and reusable. In exchange for publications, we assign our copyrights to publishers, who then lease access back to us and our institutions at ever-increasing prices. And now publishers are turning their eyes--and very large profit margins--towards capturing the rest of the research workflow, including data and analytics. In contrast to the societal-level change that could occur if this research content were in an environment that maximized innovation and reuse, this is very dangerous.

This talk will discuss these urgent problems and the psychology that makes fixing them easier said than done as well as propose a practical, incremental approach to solving them via decentralized technologies, policy, and respect for researcher workflow.

Speaker Bio:
Jeffrey Spies is the founder of 221B LLC, a strategic consulting firm combining expertise in research technology, methodology, and workflow to accelerate projects across higher-ed. Previously, he co-founded and served as the CTO of the Center for Open Science, a non-profit formed to maintain his Open Science Framework. Jeff has a Ph.D. in Quantitative Psychology from the University of Virginia.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, October 4, 2018

An Open Science Cybersecurity Program Framework

In 2014, Trusted CI published a “Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects,” also known simply as “the Guide”. Since its creation, Trusted CI has received tremendous community feedback attesting to its usefulness, including half of the respondents in the most recent Community Survey adopting it as a form of guidance for shaping their cybersecurity programs. As we observed the open science community’s interaction with the original document, it became apparent that improvements and revisions could make it more maintainable and thus more readily kept up-to-date, more applicable to a wider range of science projects, and more approachable to scientists and PIs, all without losing any of its technical value.
Based on our experience with engagements, lively training sessions, the Summit, and the benchmarking survey, we knew we needed to spell out the basic realities of building a cybersecurity program in a way that addressed the variability we’ve observed in the community. During a substantial revision of the training on the Guide for PEARC’18, it became clear that what was needed was not just a guide, but a framework for establishing and maintaining an open science cybersecurity program at any project scale and stage in a project’s lifecycle. Such a framework would be useful even for projects having significant compliance requirements (e.g., FISMA, HIPAA, NIST SP 800-171) in that it provides a starting point for evolving a cybersecurity program rather than hundreds of pages dense with unprioritized requirements. Work on revising the Guide into a framework and addressing the above goals began in earnest earlier this year and builds on efforts assisting NSF in drafting a cybersecurity section for the Large Facilities Manual. The current schedule calls for a first draft to be available in November 2018, and version 0.9 to be available in January 2019, with the publication of version 1.0 in March 2019. An additional blog posting and announcement will be made at those milestones and community feedback is strongly encouraged. We need your feedback to help us get this right!

Preview of the Framework

Trusted CI’s framework is built around four pillars: Mission Alignment, Governance, Resources, and Controls. Like the pillars supporting any structure, all are vital and required for an efficient and effective cybersecurity program.

Mission Alignment:

Cybersecurity programs ultimately exist to improve productivity by protecting the interests of the project’s mission. The program must center on appropriate protection for the information assets vital to the project’s mission. The information assets that are critical will change over a project’s life cycle, so the accuracy of the information asset inventory is a basic requirement. To simplify understanding the protection requirements of the information assets, an information classification scheme allows for conceptually grouping assets by the kind of protection required. External requirements may also play a role in the level and type of protection.

Governance:

Cybersecurity is not just the responsibility of a few but involves project leadership, administrators responsible for information assets, project personnel, and external users. Policies must clearly define the roles and responsibilities for all these contributors to the cybersecurity program. Additional policies are required to address a range of issues from appropriate use to incident handling. Periodic evaluation of the cybersecurity program is necessary to validate that the allocation of resources to controls is effective and efficient for the appropriate protection of project information resources.

Resources:

People, budgets, tools, and services are all required to operate a cybersecurity program. Finding and retaining people with cybersecurity expertise can be challenging. In addition to technical skills, important traits include the abilities to teach, communicate, and negotiate. Smaller, stand-alone projects without a supporting infrastructure typically spend a higher percentage of the IT budget on cybersecurity because they lack economies of scale. The actual money might be in a separate cybersecurity budget, but often it is part of some other organizational budget (e.g., the IT budget). Tools and third-party services can help fill gaps in the program but have to be used with care since they can easily place additional strain on both the budget and the need for experienced personnel to effectively use them.

Controls:

Controls are the safeguards and countermeasures to ensure the appropriate protection of an information asset according to the asset’s information classification. Control selection and implementation are ongoing processes in any cybersecurity program due to technical or organizational changes and the dynamic nature of threats and vulnerabilities. The Center for Internet Security (CIS) Controls are widely regarded as an authoritative, reasonable, and prioritized set of controls. The first six of these controls are the basic, minimal set that each project must either provide or ensure are provided by a supporting infrastructure. Additional controls enhance the protection for mission-critical systems and data, and systems or data requiring specialized controls (e.g., SCADA systems, software repositories, critical or high-speed scientific data flows).

Cyberinfrastructure Vulnerabilities 2018 Q3 Report

The Cyberinfrastructure Vulnerabilities team provides concise announcements on critical vulnerabilities that affect science cyberinfrastructure (CI) of research and education centers, including those threats which may impact scientific instruments. This service is available to all CI community members by subscribing to Trusted CI’s mailing lists (see below).

We monitor a number of sources for software vulnerabilities of interest. For those issues which warrant alerts to the Trusted CI mailing lists, we also provide guidance on how operators and developers can reduce risks and mitigate threats. We coordinate with XSEDE and the NSF supercomputing centers on drafting and distributing alerts to minimize duplication of effort and benefit from community expertise. Some of the sources we monitor for possible threats to CI include:

In 3Q2018 the Cyberinfrastructure Vulnerabilities team issued the following 4 vulnerability alerts to 91 subscribers:

If you wish to subscribe to the Cyberinfrastructure Vulnerability Alerts mailing list you may do so through https://list.iu.edu/sympa/subscribe/cv-announce-l. This mailing list is public and the archives are available at https://list.iu.edu/sympa/arc/cv-announce-l.

If you believe you have information on a cyberinfrastructure vulnerability, let us know by sending us an email at alerts@trustedci.org.

Thursday, September 27, 2018

Student Program at the 2018 NSF Cybersecurity Summit

In August we hosted our annual NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure in Alexandria, VA. The Summit included training workshops, plenary talks, and networking opportunities for members of NSF Large Facilities and the CI community.

As Summit attendance and funding have grown, so has our ability to provide learning opportunities for new members of the community. Last year we launched a student scholarship program to follow through on our goals of outreach and broadening impact. Students apply to the program by sharing their resumes and a brief essay describing their security interests and what they hope to gain from attending the Summit.

This year we were able to fund the attendance of six students to the Summit. Their names and schools they attend are listed below (see: photo, left to right):
  • Emily Dillon; Master of Science student at Capella University
  • Sanchari Das; PhD student at Indiana University
  • Grant Allard; PhD student at Clemson University
  • Preston Ruff; Bachelor of Science student at New Mexico Institute of Mining and Technology
  • Maggie Ahern; Bachelor of Science student at Lehigh University
  • Leah Dorman; Bachelor of Science student at University of Maine Augusta
We also paired the students with volunteer mentors. We thank them for helping make the students feel welcome at the Summit. Their names and organizations are listed below:
  • Florence Hudson; Trusted CI and Northeast Big Data Innovation Hub
  • Mark Krenz; Trusted CI and Indiana University's CACR
  • Steve Barnet; Wisconsin IceCube Particle Astrophysics Center
  • Susan Sons; Trusted CI and Indiana University's CACR
  • Susan Ramsey; National Center for Atmospheric Research
  • Elisa Heymann; Trusted CI and University of Wisconsin
We asked the students to share some insights into their Summit experience. Their comments are quoted below.

Sanchari Das:

My name is Sanchari and I am a doctoral student in the School of Informatics, Computing, and Engineering at Indiana University Bloomington, specializing in Usable Privacy and Security. I think this summit was a great opportunity to meet researchers and practitioners from other organizations. I thoroughly enjoyed their perspectives and insights in the discipline of cybersecurity and gathered knowledge to pave my future research directions. Given the diverse research areas which were covered, this truly was a golden opportunity to broaden the vision of a graduate student such as myself, understanding more about usable privacy and security.

The NSF cybersecurity summit provided the perfect blend of academicians and those working in industry, who do and preach cybersecurity practices and direct their research accordingly. Given the workshops and talks that were conducted in the summit, it was not limited to discussing cybersecurity infrastructure, but also discussed the users who are a major part, are affected, and contribute to following cybersecurity practices. It was one of the gatherings where practitioners from industry likewise joined to discuss the applications of such research.

As a student I learned about the current challenges in the field of cybersecurity, how usable security and privacy is slowly but surely making its mark where we all aim at not keeping the humans out of the loop but making them aware through simple but informative tools. I also learned how people from different fields such as law (policy makers), software developers, security engineers, and academicians can all work together to help build a secure environment to protect the data of an organization or individual.

Apart from interesting ideas, I would particularly like to thank my mentor Mark Krenz and Jeannette Dopheide, who made the process smooth and helped me throughout my stay and helped me interact with eminent researchers and practitioners in my field. I enjoyed the workshops I was involved in as well; Susan Sons’ insights on the different version controls and monitoring old patches to find loopholes which can be played further was interesting.

I would also like to thank Von Welch, the director of Indiana University’s Center for Applied Cybersecurity Research who is extremely approachable and helps every student to achieve their best in this field through such initiatives.

Grant Allard:

The Trusted CI/NSF 2018 Cybersecurity Summit provides an outstanding opportunity to professionally and scholastically improve my understanding of the key issues in scientific cyberinfrastructure. The Trusted CI leadership team makes you, as a student, feel welcome and helps you to explore the pressing challenges facing the scientific cyberinfrastructure community today. The mentoring initiative associated with the student program is a superb educational tool that helped me put my experience in context and learn from one of the leaders of this field. One of my big takeaways from the week together is the importance that we as students will play to the scientific cyberinfrastructure community as we enter the scientific workforce: cybersecurity is not only a concern for CISOs but for the entire scientific community. The academic community owes a huge debt of gratitude to our CISOs for helping us keep our data secure, accessible, and integral.

I am taking what I learned from this conference and using it to develop a white paper and I identify how I, as an aspiring scholar of public policy, can contribute to the community. This conference also has given me multiple opportunities at my university to meet new people and contribute to new efforts. This experience was exactly how a student program should be--in my opinion--and I highly recommend it to students of all levels or to advisors who are looking to promote their students' growth.

Preston Ruff:

I enjoyed the close-knit, friendly, and informative experience of the NSF summit. There I was able to test my text parsing skills in a log analysis workshop and I was exposed to the mystery of industrial control systems. Thank you to everyone at Trusted CI for hosting the event. I'm grateful to have met such brilliant people who work to create the cybersecurity systems and policy of tomorrow.

Maggie Ahern:

Attending the NSF 2018 Cybersecurity Summit was a fantastic learning experience. I have always been interested in cybersecurity, but this summit gave insight into the field that I had never been exposed to before. Some of the highlights include Software Engineering Best Practices and Legal Policy on Cybersecurity. I also particularly enjoyed the breakout session we had during lunch where we could discuss different topics of interest. I sat at a table that discussed books with the theme of cybersecurity and I went home with a few recommendations. The Student Program also connected us with a mentor for the duration of the conference. My mentor was incredibly understanding, knowledgeable, and inspiring. She is someone that I really admire and strive to live up to one day. Without this opportunity I probably would not have gotten to meet her, or all the other amazing individuals that I was able to interact with during the summit. All in all, I am incredibly grateful that I was given this opportunity to learn more about this subject and meet new individuals passionate about cybersecurity.

Leah Dorman:

At the NSF Cybersecurity conference, I immediately noticed a coherent understanding of cybersecurity's crucial role in science as well as a collaborative effort to produce trustworthy technology. The Trusted CI program committee did an excellent job putting on this event and as a student I felt very welcomed and was provided with the information and resources needed to enhance my cybersecurity knowledge and research skills. The first day was a training day. I attended Automated Assessment Tools – Theory & Practice which was about injection attacks (one of the most common vulnerabilities) and had hands-on training using source code analysis tools to find code errors and flaws. Then I attended Security Log Analysis Training which included ideas to improve security logging & monitoring as well as command examples that you can customize on your own logs and how to analyze data and look for patterns. This hands-on training provided me with valuable experience that would only improve my cybersecurity skills.
The next two days there were several presenters that covered topics such as
  • Security Best Practices for Academic Cloud Service Providers (a big one I took away from this was Identity Access Management-aware Continuous Integration/Continuous Delivery Services)
  • Involving Students in Cybersecurity for CI
  • Silent Librarian (series of phishing attacks)
  • Responding to advanced threats as a global community (building a trust relationship in cybersecurity community)
  • XSEDE lessons learned (importance of multi-factor authentication)
  • Incident Response Communications
  • Password Adventures for a VO
  • A case study on implementing crowdsourced threat intel and active response
Overall, the focus was on being Proactive vs being Reactive; changing the focus of cybersecurity from protecting (specifically against malicious attacks) to enabling - moving beyond the fear of data breach and focusing on how to better enable end users to deal with data theft and how to be ready to respond to events like that.

I am very thankful for the knowledge I gained at this conference. Thank you, Trusted CI, for allowing me to participate as a student and for the engaging conversations and presentations that challenged and enhanced the way I think about cybersecurity.
We were more than impressed with the Student Program this year. The students' participation and enthusiasm were a rewarding affirmation of our commitment to community building. We look forward to seeing where their careers take them and to sponsoring more students in the future.

Monday, September 24, 2018

Community Produces Security Best Practices for Academic Cloud Resources

A community consisting of members from The Agave Platform (TACC - NSF OAC-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF OAC-CC-DNI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), Jetstream (IU - NSF OAC-1445604) and Trusted CI recently completed an engagement in authoring a set of Security Best Practices for developing in, and operating an academic cloud resource. The culmination of the project, Security Best Practices for Academic Cloud Service Providers, is available at http://hdl.handle.net/2022/22123.

A "cloud resource" within an academic institution provides a means for R&E users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. The virtual machine or container images can be curated and provided by the cloud resource operator, the user, or a third party. This utility, however, presents a number of challenges in the domain of cloud cybersecurity, e.g., the user's image can run with privileged access, an image can be of unknown provenance, controls to reduce the risk an image may pose to both the operator and other guests are limited, and managing security updates to an image is cumbersome.

The engagement's collaborative effort in tackling these unique security risks to academic cloud services was guided by three basic principles:
  • Security is a shared concern between a cloud service provider and a cloud service user; neither can expect the other to fully address security.
  • A clean delineation of security responsibilities between the cloud service provider and the cloud service user is critical to ensure all responsibilities are met.
  • The cloud service provider has the responsibility to ensure all security responsibilities are articulated and the cloud service user is educated about how to fulfill their responsibilities.

Through sharing experiences, the community detailed the "use cases" they deemed most important to the utility of academic cloud services. The security concerns of each use case were explored, leading to the identification of security best practices that balanced the needs of the stakeholders with mitigations sufficient to address the risk. This process along with the guiding principles resulted in a product that, unlike canonical security best practices, focused not only on the role of the operators, but also on empowering and encouraging the user to take a more proactive stance in cybersecurity. The use cases discussed in the document, and by association the security best practices for each, are:
  1. Disseminating localized best practices to users
  2. Ensuring user image trustworthiness
  3. Providing methods for users to manage their secrets
  4. Supporting privileged access within images
  5. Trying to empower users with self-service DNS management
  6. Similar to 3, providing methods for users to manage their configurations
  7. Providing service accounts as opposed to just user accounts
  8. Offering monitoring services that users can access
  9. Offering Identity and Access Management-aware Continuous Integration / Continuous Delivery services

The community additionally presented their experiences and findings at the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.

Friday, September 21, 2018

Trusted CI at Gateways '18

On September 25-27, Gateways '18 will take place in Austin, Texas, and Trusted CI is attending as a bronze-level sponsor. The conference, delivered by the Science Gateways Community Institute (SGCI), provides a venue for creators and enthusiasts of science gateways -- typically a web portal or a suite of desktop applications that allow science & engineering communities to access shared resources specific to their disciplines -- to learn, share, connect, and shape the future of gateways as part of a vibrant community with common interests.

This gathering for gateway creators and enthusiasts features hands-on tutorials, demos, keynotes, presentations, panels, posters, and plenty of opportunities to connect with colleagues, as well as a Resource Expo which Trusted CI is proud to be participating in. So, if you attend the conference, please stop by our exhibitor’s table, say hello, and learn about Trusted CI’s current activities and resources available for the Gateways Community.

Monday, September 10, 2018

Trusted CI Webinar September 24th at 11am ET: The SCI Trust Framework

David Kelsey is presenting the talk "The SCI Trust Framework" on Monday September 24th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
E-Infrastructures recognise that controlling information security is crucial for providing continuous and trustworthy services for their user communities. Such infrastructures, including grids and clouds, are subject to many of the same threats and vulnerabilities as each other because of the use of common software and technologies. Users who take part in more than one infrastructure are potential vectors that can spread infection from one infrastructure to another. All infrastructures can benefit from working together and sharing information on security issues.
Security for Collaborating Infrastructures (SCI) is a collaborative activity within the WISE trust community. The aim of the SCI trust framework is to manage cross infrastructure operational security risks. It builds trust between Infrastructures by defining policy standards for collaboration. The SCI group published version 1 of its trust framework in 2013. Two derivative frameworks have also been published; SIRTFI in 2015, and SNCTFI in 2017.
WISE/SCI has more recently produced version 2 of the SCI trust framework, to reflect changes in technology and culture and to cover a broader range of infrastructures. The framework contains numbered requirements in five areas (operational security, incident response, traceability, participant responsibilities and data protection) that each Infrastructure should address as part of promoting trust between Infrastructures. SCI’s updated version 2 was officially endorsed during the TNC 2017 conference by representatives of EGI, EUDAT, GÉANT, GridPP, HBP, PRACE, SURF, WLCG and the USA’s XSEDE e-infrastructure.
The webinar will present the SCI Trust Framework together with current work on a new baseline AUP and a Policy Development Kit. Possible future activities will also be presented.
Speaker Bio:
David Kelsey is head of the particle physics computing group at STFC, UK and has been leading Grid Security activities in many projects. He founded the Joint (WLCG/EGEE) Security Policy Group in 2004. He is currently the Chair of the WISE steering committee and was founder of the SCI activity. He has a Masters degree in Physics (Trinity College, Cambridge) and a PhD in Physics (University of Birmingham).

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, August 29, 2018

NRAO and Trusted CI Complete Comprehensive Cybersecurity Program Assessment

Trusted CI and the National Radio Astronomy Observatory (an NSF Large Facility supported in part by NSF Award # 1647378) have completed a successful engagement focused on assessing and facilitating the continued maturation of NRAO’s information security program.  On an accelerated schedule to dovetail with NRAO’s budgetary cycle, we completed an intensive fact-finding phase and delivered a draft copy of a recommendations report providing specific, prioritized actions that NRAO could take to bolster their security program.  Before the engagement execution ended, NRAO used our recommendations to gain initial approval for a budgetary proposal to their executive team, proposing the internal restructuring of their team, hiring a new full-time security position, investing in tools to improve network visibility, and identifying key assets that require additional protection.

David Halstead, Chief Information Officer for NRAO, states,
The Trusted CI engagement allowed Information Services to take a holistic view of the risk and threat landscape facing the observatory’s CI instead of the more traditional audits which largely ignore the research infrastructure and focus on the financial systems.

Engagement Process

Fact-Finding. Trusted CI gathered information using a variety of methods, including dynamic question and answer sessions with NRAO staff and through review of over one hundred public and private documents obtained from publicly accessible websites and from NRAO’s internal document repository.  NRAO also completed our rigorous survey assessing the current state of their cyberinfrastructure.  During this phase of the engagement, we held seven one-hour conference calls together, focused mainly on building Trusted CI’s understanding of NRAO’s security program.

Site Visit. The Trusted CI and NRAO teams also met for a period of three days onsite in Charlottesville, Virginia, giving us an opportunity to interact face-to-face.  During that time, we performed a physical walkthrough of NRAO’s onsite computing infrastructure, interviewed personnel with security functions, and held detailed discussions on the current status of the security program as well as possible opportunities for maturation.  When a passing blizzard forced NRAO to close its doors for one of those days, the teams refused to be slowed down and instead met virtually, maximizing the amount of time we could dedicate to working together. 


Recommendations Report. The subsequent report that Trusted CI delivered to NRAO first included a set of foundational recommendations.  Recommendations were marked ‘foundational’ if they appeared feasible to begin in the next six months; called for architectural, philosophical, or major resource additions or reallocations; and were expected to generate strong outcomes, particularly in facilitating other impactful actions.  We organized the other recommendations by estimated benefit and cost to implement.  Grounded in best practices and community standards, these recommendations frequently referenced the Center for Internet Security (CIS) Controls and the Australian Signals Directorate’s Essential Eight, two evidence-based control sets, as well as Trusted CI’s four-pillar framework for developing cybersecurity programs for open science.

Deep Dives. After delivering the final report, we used the remainder of our engagement time to facilitate phone and email discussions focused on implementing these recommendations.  Dr. Jim Basney and Ryan Kiser, Trusted CI subject matter experts in federated identity management and application whitelisting respectively, each joined for a conference call focused on his area of expertise in order to share insights and answer questions posed by NRAO.  Other topics of conversation included inventory and asset management, network visibility, and Trusted CI’s process and tools for self-assessing gaps and actions under the CIS Controls v7.

Reflections and Acknowledgements

NRAO’s effort and openness were critical to the success of this engagement.  Their willingness to share information, including providing access to NRAO’s internal documents, allowed us to tailor our recommendations to their specific level of maturation in each area.  We would like to thank all of the NRAO staff who spent time talking with us and responding to our questions, especially our primary engagees David Halstead and Pat Murphy, as well as Chris Clark, Karyn Roberts, Derek Hart, Josh Malone, Matthew McCleary, Ferzen Manglicmot, Wolfgang Baudler, Warren Richardson, and Guilhem Werbelow.

NRAO’s commitment extended beyond participation and into implementation, as evidenced by how quickly the organization created a plan based on Trusted CI’s recommendations and moved to enact it.  We are excited to see this engagement already having a major impact on the funding, structure, and visibility of their security program.

We would also like to thank Steven Berukoff and Tony Hays from the Daniel K. Inouye Solar Telescope (DKIST) project for permitting us to share one of their internal network diagrams with NRAO.  Steven and Tony had presented this diagram to us during a prior Trusted CI engagement and agreed to let us share it with NRAO.  Their example of “documentation done well” assisted in facilitating a discussion on the kinds of network documentation most useful from a security and operations support standpoint. 

Through interacting with NRAO and learning about their cybersecurity needs, the Trusted CI team continued to refine our understanding of the unique challenges and opportunities involved with securely supporting science.  We look forward to continuing to engage, advise, and grow with the community in this evolving landscape.  For more information on how to work with us, please visit our engagements page.

Monday, August 27, 2018

Apply for a One-on-One Engagement with Trusted CI for Early 2019

Trusted CI is accepting applications for one-on-one engagements to be executed in January - June 2019.  Applications are due October 1, 2018. (Slots are limited and in demand, so this is a hard deadline!)

To learn more about the process and criteria, and to complete the application form, visit our site:


During CTSC’s first 5 years, we’ve conducted more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.  

As the NSF Cybersecurity Center of Excellence, CTSC’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

Tuesday, August 14, 2018

Trusted CI Begins Engagement with the Environmental Data Initiative

The Environmental Data Initiative (NSF DBI-1565103 and DEB-1629233) is an NSF-funded project accelerating curation and archive of environmental data, emphasizing data from projects funded by NSF’s Divisions of Biological Infrastructure and Environmental Biology.  EDI provides support, training, and resources to help archive and publish high-quality data and metadata. They operate a secure data repository and work closely with the Long Term Ecological Research Network (LTER) and DataONE to promote data management best practices.

The goals of this engagement are to review current authentication and authorization mechanisms, identify features and requirements for the future version of the EDI Data Portal and associated backend API, and document currently available authentication and authorization solutions. 

The Trusted CI-Environmental Data Initiative engagement began August 2018 and is scheduled to conclude by the end of December 2018.

Monday, August 13, 2018

CCoE Webinar August 27th at 11am ET: NIST 800-171 Compliance Program at U. Connecticut

Jason Pufahl is presenting the talk "NIST 800-171 Compliance Program at University of Connecticut" on Monday August 27th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The Department of Defense established DFARS 252.204-701 which specifies that any research containing Controlled Unclassified Information (CUI) be protected using NIST 800-171. This presentation will discuss the University of Connecticut's approach to implementing the NIST 800-171 framework, including: Contracting, Faculty Engagement, Infrastructure Implementation, Training and Controls Review.
The intention of this presentation is to provide a complete picture of what compliance with the NIST Standard requires. I will endeavor to describe the entire compliance process starting from conceptualization of the technology solution through to the post implementation review. The talk will be designed to appeal to compliance staff, technical staff and project managers and will emphasize elements required to build and sustain the compliance program. I will discuss the technology elements of our solution, generally, but will focus on how the technologies chosen met our goals of managing as many of the compliance requirements centrally as practical while providing a flexible solution.
Jason Pufahl is the Chief Information Security Officer for the University of Connecticut. He has 20 years of infrastructure and information security experience and has spent the last 10 years dedicated to information security and privacy. He has responsibility for information security for the institution, encompassing security awareness and training, disaster recovery, risk management, identity management, security policy and regulatory compliance, security analytics, and controls implementation.

Jason works closely with both the administrative and academic areas of the University. He is a member of the University’s Data Governance Committee, Joint Audit and Compliance Committee, and Public Safety Advisory Committee. He is also a member of the University IRB, with a primary focus on improving data privacy and security practices related to institutional research.

Jason has a Master’s in Education Technology and has a passion for professional development, security training and awareness. He designed and ran an information security and awareness game called HuskyHunt, founded the Connecticut Higher Education Roundtable on Information Security (CHERIS) to provide a quarterly forum for sharing of best practices in the field of information security targeted at higher education institutions in Connecticut and is active in the security community nationally. He is a frequent conference speaker and is a member of the NERCOMP vendor and licensing committee.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, August 8, 2018

Broader Impacts Project Report

In early 2018 Trusted CI undertook an effort to develop and implement a strategy to help meet the cybersecurity needs of a broader set of NSF projects through awareness and outreach; i.e., to broaden the impact of Trusted CI.
The project involved analyzing our existing impact on the NSF community, applying our observations to Trusted CI’s 5-year vision for an NSF cybersecurity ecosystem, and identifying six strategies for broader impacts.

The full report is available online. Some highlights of the report are summarized below.

The analysis portion of the project helped to identify a few major accomplishments for the project thus far:
  • Trusted CI has impacted over 190 NSF projects.
  • Over 150 members of NSF projects attended our NSF Cybersecurity Summit. 
  • Members of 70 NSF projects attended our webinars.
  • Almost 100 of these NSF projects are funded at $1 million or more.
  • 35 engagements have been conducted.
  • Over 250 hours of training seminars have been presented or hosted.

The project concluded with 6 recommendations:
  1. Fill in gaps in our collection of impact statistics (e.g., affiliation of training attendees).
  2. Explore outreach opportunities to the Education and Human Resources (EHR) and Biological Sciences (BIO) Directorates, which are currently underrepresented in our impact metrics.
  3. Increase attention on developing and maintaining the website, highlighting the content and services we are already providing. Our materials are only useful if our stakeholders can discover them. It’s helpful to consider different stakeholder perspectives when updating and reorganizing the website.
  4. Trusted CI should provide more materials addressing availability and integrity concerns from the community, leveraging external expertise.
  5. Trusted CI should document and share its experiences and expertise related to operating a community-focused center of excellence, to benefit other similar organizations.
  6. When implementing our 2019-2023 vision, Trusted CI should emphasize outreach as an essential component of each strategic objective.
Our role in the NSF community is stable and growing. Trusted CI’s next five years present an exciting challenge to take what we have learned thus far and continue to support the cybersecurity needs of NSF projects.

Thursday, August 2, 2018

2018 NSF Cybersecurity Summit - TRAINING REGISTRATION OPEN

We are happy to announce that the registration for training sessions for the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure is now open.  The training day sessions will take place on Tuesday, August 21st. If you have not already registered for the Summit, please do so here.

Once you have registered for the summit and if you are planning to attend training day sessions, please use this form to reserve your seat for the available training sessions. A list of training session descriptions is available here.

The deadline for registration for training is Tuesday, August 14th, one week prior to the event.

Wednesday, August 1, 2018

Trusted CI begins engagement with SAGE2


SAGE2 is a multi-site collaboration and visualization tool designed for use with tiled display walls. The mission of SAGE2 is to provide an innovative, user-centered, web-based platform for enabling local and/or distributed teams to display, manage, share, and investigate large-scale datasets on tiled display walls to glean insights and discoveries with greater speed, accuracy, comprehensiveness, and confidence. The project achieves this using web-based technologies such as Node.js that are maintained by large user communities. The project provides installation packages for deployment as well as hardware recommendations for new users who are building display walls for the first time. More information about SAGE2 can be found here.

In the last 4 years, institutions have installed over 90 display walls, half of which are in the US and half international, forming an estimated hardware infrastructure investment in excess of $8M. In addition, SAGE2’s user community is growing to include sectors outside of traditional higher-ed and research communities. The diversity and distributed nature of the SAGE2 user base provides a growing set of security concerns. Identity and access management procedures in particular provide unique challenges given the variety of institutions using SAGE2 to collaborate using display walls.

The primary goal of this engagement is to outline Identity and Access Management (IAM) procedures appropriate for SAGE2’s distributed user base. Trusted CI will also seek to identify and prioritize future security goals and additional opportunities to improve the security of SAGE2.

This engagement began in July 2018 and concludes by the end of December 2018.

Thursday, July 19, 2018

Trusted CI welcomes Engagement and Performance Operations Center as new partner

Trusted CI is happy to welcome the Engagement and Performance Operations Center (EPOC) as a new Trusted CI partner. EPOC was recently established “as a collaborative focal point for operational expertise and analysis and is jointly led by Indiana University (IU) and the Energy Sciences Network (ESnet). EPOC will enable researchers to routinely, reliably, and robustly transfer data through a holistic approach to understanding the full pipeline of data movement to better support collaborative science.”
Cybersecurity and networking performance often intersect in ways that will benefit from this collaboration. This partnership will allow us to bring expertise together when called for by the community.
EPOC joins a growing list of Trusted CI partners, the leading projects and organizations we collaborate with to serve the open science community:

Wednesday, July 18, 2018

2018 NSF Cybersecurity Summit Agenda is now available

We're happy to announce that a tentative agenda for the 2018 NSF Cybersecurity Summit is available from the Summit webpage at https://trustedci.org/2018-nsf-cybersecurity-summit/. In the coming weeks we will announce a registration form for training sessions and make more detailed descriptions of plenary talks and training sessions available.

If you have not already registered for the summit, please do so here. You can book your hotel reservation for the conference here or go to the trustedci.org website and click on the link for the 2018 NSF Cybersecurity Summit and click on the link for The Westin Alexandria.  The deadline for the discounted hotel room block is Thursday, July 18th.

Friday, July 13, 2018

Trusted CI 5-year Vision and Strategy

The Trusted CI team is pleased to announce the publication of “The Trusted CI Vision for an NSF Cybersecurity Ecosystem”.  From the introduction:

This document establishes Trusted CI’s vision for an NSF Cybersecurity Ecosystem – a collection of people, knowledge, processes, and cyberinfrastructure – that is necessary to support cybersecurity across the diverse NSF community. Trusted CI is primarily responsible for bringing the vision of an NSF Cybersecurity Ecosystem to fruition. Hence, following Trusted CI’s vision is its mission statement and five-year strategic plan to fulfill that role.

This living document will guide our activities going forward and we welcome community feedback as to its content. As implied in the above paragraph, the vision is broader than any one project can accomplish and we will collaborate with others in the community to achieve this vision.

A full citation for the Vision document follows.  We’ll update the document with subsequent versions as required to keep abreast of progress, suggestions, and changes.

V. Welch, J. Basney, C. Jackson, J. Marsteller, and B. Miller, “The Trusted CI Vision for an NSF Cybersecurity Ecosystem And Five-year Strategic Plan (2019-2023),” Trusted CI, Apr. 2018 [Online]. Available: http://hdl.handle.net/2022/22178.

Wednesday, July 11, 2018

Trusted CI at PEARC'18


PEARC'18 (July 22-26) in Pittsburgh, PA, is just around the corner, and Trusted CI will have a strong presence there. The conference is an all-inclusive event for scientists, engineers, scholars, artists, and educators who depend on efficient, secure, and reliable digital infrastructure. This year's theme is seamless creativity.

Trusted CI staff will present two workshops: one on practical information security for science projects, and one on building security into the development, packaging, distribution, and management of software in support of science and research. The first, entitled “Practical Cybersecurity Programs for Science Projects and Facilities,” delves into the foundational elements of a cybersecurity program necessary to provide a secure and safe environment for science. It focuses on the four pillars of such a program: Alignment to Mission (identification of critical resources and processes); Resources (money, people); Governance (roles and responsibilities, risk management and acceptance, policies); and Controls (selecting a good baseline control set). It will also include guidance on maintaining and evaluating an established cybersecurity program. The second, “Software Engineering Practice for Science, Research, and Scientific CI,” will introduce the Software Engineering Guide, which provides guidance and tools for building security into the development, packaging, distribution, and management of software in support of science and research. Participants will leave with a strategy for improving security in any performance computing or scientific CI project that uses or produces software, and a preview of new tools coming out of the NSF CCoE for software security programs.

Along with the two workshops, Trusted CI’s Von Welch will moderate a panel following Anita Nikolich’s keynote talk, Hacking Academia. The panel is intended as a “fireside question & answers” session with Ms. Nikolich, further exploring key concepts raised in her keynote, which will discuss the necessity of feedback loops between the academic community, cybersecurity operators, and underground security researchers.

Finally, Trusted CI is proud to announce that this year it will be participating in PEARC’s Partner Program, and thus, will have a table in the exhibitor’s area to network. So, if you attend the conference, stop by and say hello.

Tuesday, July 10, 2018

CCoE Webinar July 23rd at 11am ET: Trustworthy Computing for Scientific Workflows

Mayank Varia and Andrei Lapets are presenting the talk "RSARC: Trustworthy Computing over Protected Datasets" on Monday July 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
There has been an unprecedented increase in the quantity of research data available in digital form. Combining these information sources within analyses that leverage cloud computing frameworks and big data analytics platforms has the potential to lead to groundbreaking innovations and scientific insights. As developers and operators of the widely used Dataverse repository and the Massachusetts Open Cloud platform, we have been working to advance this innovative revolution by colocating datasets in common platforms, curating and tagging datasets with both functional and legal access policies, offering helper services such as search and easy citation to promote sharing, and providing on-demand computational platforms to ease analytics. Unfortunately, we observe that a certain segment of our scientific user base cannot enjoy the full transformative capacity achievable within our cyberinfrastructure. Due to concerns over the privacy and confidentiality of their data sources, or the potential of commercial exploitation of their raw data sets, these researchers are isolating themselves within siloed data repositories and well-protected computational enclaves rather than sharing their datasets with fellow scientists.

This talk will describe cryptographic technological enhancements that are ready to provide scientific researchers with mechanisms to do collaborative analytics over their datasets while keeping those datasets protected and confidential. Secure multi-party computation (MPC) is a cryptographic technology that allows independent organizations to compute an analytic jointly over their data in such a manner that nobody learns anything other than the desired output. Hence, MPC empowers organizations to make their data available for collective data aggregation and analysis while still adhering to pre-existing confidentiality constraints, legal restrictions, or corporate policies governing data sharing. Our new Conclave framework can connect to many existing backend stacks where the data already live, can automatically analyze a query to identify when a computation must cross data silos, and can leverage MPC in a scalable and usable manner when it is necessary to enable the computation.

In summary, while data sharing cyberinfrastructures today are intended to allow everyone to benefit from the initial cost of having one researcher collect data, privacy concerns (and the resulting breakdown of data sharing) transform this burden into a marginal cost that every researcher who wants access to the data must pay. We will describe how a holistic integration of secure MPC into a scientific computing infrastructure addresses a growing need in research computing: enabling scientific workflows involving collaborative experiments or replication/extension of existing results when the underlying data are encumbered by privacy constraints.
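To make concrete what the abstract means by "nobody learns anything other than the desired output", here is an added example, in Python, of the simplest MPC primitive: a secure sum over a prime field using additive secret sharing. It is not Conclave code and not the speakers' code, and it does not model Conclave's query analysis. The party names and the per-site counts are constructed for the example, and a semi-honest (honest-but-curious) setting is assumed: every party follows the protocol, and any coalition smaller than the full set of parties sees only uniformly random shares plus the final total.

```python
"""Secure sum via additive secret sharing: a minimal MPC building block.

Added example (not Conclave's or the speakers' code). Assumes a semi-honest
setting and that messages between parties travel over private channels.
"""
import secrets
from typing import Dict, List

# Field modulus; large enough that realistic totals never wrap around.
# The choice of this particular Mersenne prime is a constructed one.
P = (1 << 61) - 1


def share(value: int, n_parties: int) -> List[int]:
    """Split `value` into `n_parties` additive shares in Z_P.

    All but the last share are drawn uniformly at random, and the last is
    chosen so that the shares sum to `value` mod P. Any n_parties - 1 of the
    shares are therefore uniformly random and independent of `value`, which
    is exactly why a coalition smaller than the full set learns nothing.
    """
    if n_parties < 1:
        raise ValueError("need at least one party")
    if not 0 <= value < P:
        raise ValueError("input must lie in [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares: List[int]) -> int:
    """Recombine additive shares into the shared value."""
    return sum(shares) % P


def secure_sum(inputs: Dict[str, int]) -> int:
    """Run the secure-sum protocol among the parties named in `inputs`.

    Each party splits its private value into one share per party (keeping
    one for itself), every party adds up the shares it received, and only
    those local partial sums are published. The partial sums add up to the
    joint total and reveal nothing further about any individual input.
    """
    parties = list(inputs)
    n = len(parties)
    # inbox[p] holds the shares party p receives, one from every party.
    inbox: Dict[str, List[int]] = {p: [] for p in parties}
    for owner in parties:
        for recipient, s in zip(parties, share(inputs[owner], n)):
            inbox[recipient].append(s)
    # Local step: each party sums what it holds and publishes only that.
    partial_sums = {p: sum(inbox[p]) % P for p in parties}
    return reconstruct(list(partial_sums.values()))


# Constructed sample: three sites' record counts that none wants to disclose.
SAMPLE_INPUTS = {"site_a": 1240, "site_b": 87, "site_c": 5613}

if __name__ == "__main__":
    print("joint total:", secure_sum(SAMPLE_INPUTS))
```

Each party's published partial sum is the only message it sends in the clear; the sum of those values is the desired output and nothing else about the inputs can be recovered from them. A production MPC framework replaces the private-channel assumption with authenticated encrypted links and supports multiplications and comparisons, which this sketch deliberately leaves out.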
Mayank Varia is a research associate professor of computer science at Boston University and the co-director of the Center on Reliable Information Systems & Cyber Security (RISCS). His research interests span theoretical and applied cryptography and their application to problems throughout and beyond computer science. He currently directs an NSF Frontier project that addresses grand challenges in cloud security, aiming to design an architecture where the security of the system as a whole can be derived in a modular, composable fashion from the security of its components (bu.edu/macs). He received a Ph.D. in mathematics from MIT for his work on program obfuscation.

Andrei Lapets is Associate Professor of the Practice in Computer Science, Director of Research Development at the Hariri Institute for Computing, and Director of the Software & Application Innovation Lab at Boston University. His research interests include cybersecurity, formal methods and domain-specific programming language design, and data science. He holds a Ph.D. from Boston University, and A.B. and S.M. degrees from Harvard University.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."