Tuesday, February 6, 2018

CTSC Engages with Community to Develop Academic Cloud Provider Best Practices


A community of academic cloud service providers, in collaboration with CTSC, intends to identify and document a set of security best practices for both operators and software developers of academic cloud service providers. The community that will spearhead this thrust is made up of various R&E cloud service provider initiatives, including: Agave Platform (TACC - NSF OCA-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF CI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), and Jetstream (IU - NSF 1445604).

A “cloud resource” within an academic institution provides a means for R&E users to run virtual machines or containers so that they can have a custom software stack and isolation from other users. Additionally, virtual machine or container images can be curated and provided by the cloud resource operator, provided by the user, or provided by a third party. This presents a number of challenges in the domain of cloud cybersecurity, e.g., users’ images are run with privileged access, images can be of unknown provenance, controls to reduce the risk an image may pose to both the operator and other guests are limited, and managing security updates to images is cumbersome.
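To make the provenance and privileged-access concerns above concrete, here is an added example of an image admission check an operator could run before launching a user-supplied image. It is not code from CTSC or from any of the projects named in this post; it assumes a hypothetical operator-maintained manifest that maps the SHA-256 digest of each curated image to its publisher, and it uses constructed image bytes in place of real VM or container images.

```python
import hashlib
from dataclasses import dataclass

# Constructed operator manifest: image digest -> publisher. A real deployment
# would load this from a signed manifest maintained by the cloud operator.
TRUSTED_IMAGES: dict[str, str] = {}


@dataclass
class ImageRequest:
    """A launch request as seen by the operator's admission check (hypothetical)."""
    name: str
    content: bytes          # image bytes (constructed in this example)
    claimed_publisher: str  # who the submitter says built the image
    privileged: bool        # whether the user asked for privileged access


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def register_trusted_image(content: bytes, publisher: str) -> str:
    """Add a curated image to the manifest and return its digest."""
    digest = sha256_hex(content)
    TRUSTED_IMAGES[digest] = publisher
    return digest


def classify_image(req: ImageRequest) -> dict:
    """Decide whether an image may launch, and with what privileges.

    trusted  -> digest is in the manifest and the publisher matches: allow
    mismatch -> digest is known but attributed to a different publisher
    unknown  -> digest is not in the manifest at all
    Non-trusted images are never allowed to run privileged; unprivileged
    launches of them are flagged for operator review instead of rejected.
    """
    digest = sha256_hex(req.content)
    publisher = TRUSTED_IMAGES.get(digest)
    findings = []

    if publisher is None:
        provenance = "unknown"
        findings.append("image digest not present in operator manifest")
    elif publisher != req.claimed_publisher:
        provenance = "mismatch"
        findings.append(
            f"manifest attributes digest to {publisher!r}, "
            f"request claims {req.claimed_publisher!r}"
        )
    else:
        provenance = "trusted"

    if provenance == "trusted":
        decision = "allow"
    elif req.privileged:
        decision = "deny"
        findings.append("privileged launch requested for non-trusted image")
    else:
        decision = "review"

    return {
        "name": req.name,
        "digest": digest,
        "provenance": provenance,
        "decision": decision,
        "findings": findings,
    }


# Constructed sample images (stand-ins for real image files).
CURATED_IMAGE = b"constructed: operator-curated base image v1"
USER_IMAGE = b"constructed: user-built image of unknown origin"
register_trusted_image(CURATED_IMAGE, "operator")


if __name__ == "__main__":
    for req in (
        ImageRequest("curated-base", CURATED_IMAGE, "operator", True),
        ImageRequest("user-build", USER_IMAGE, "alice", False),
        ImageRequest("user-build-priv", USER_IMAGE, "alice", True),
        ImageRequest("relabelled", CURATED_IMAGE, "third-party", False),
    ):
        result = classify_image(req)
        print(f"{result['name']}: {result['decision']} ({result['provenance']})")
        for f in result["findings"]:
            print(f"  - {f}")
```

The digest lookup is the key step: it ties the launch decision to the image content actually submitted rather than to its filename or the submitter's claim, so a relabelled or modified curated image is caught as a mismatch or unknown image rather than inheriting the curated image's trust.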

To address these issues, this engagement will (i) identify issues and concerns specific to academic cloud operators and those developing software for cloud resource operators, (ii) survey existing security recommendations that govern generic cloud computing, (iii) aggregate the principles found in (ii) that address the issues and concerns affecting academic cloud service providers, or develop new principles for secure operation of a cloud resource, including specific measures to achieve those principles, and (iv) disseminate the set of principles to the NSF community to maximize its impact.

The overarching goal of this engagement is to improve cybersecurity for operators and users of academic clouds.