Thursday, September 27, 2018

Student Program at the 2018 NSF Cybersecurity Summit

In August we hosted our annual NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure in Alexandria, VA. The Summit included training workshops, plenary talks, and networking opportunities for members of NSF Large Facilities and the CI community.

As Summit attendance and funding have grown, so has our ability to provide learning opportunities for new members of the community. Last year we launched a student scholarship program to follow through on our goals of outreach and broadening impact. Students apply to the program by submitting their resumes and a brief essay describing their security interests and what they hope to gain from attending the Summit.

This year we were able to fund the attendance of six students at the Summit. Their names and the schools they attend are listed below (see: photo, left to right):
  • Emily Dillon; Master of Science student at Capella University
  • Sanchari Das; PhD student at Indiana University
  • Grant Allard; PhD student at Clemson University
  • Preston Ruff; Bachelor of Science student at New Mexico Institute of Mining and Technology
  • Maggie Ahern; Bachelor of Science student at Lehigh University
  • Leah Dorman; Bachelor of Science student at University of Maine Augusta
We also paired the students with volunteer mentors. We thank them for helping make the students feel welcome at the Summit. Their names and organizations are listed below:
  • Florence Hudson; Trusted CI and Northeast Big Data Innovation Hub
  • Mark Krenz; Trusted CI and Indiana University's CACR
  • Steve Barnet; Wisconsin IceCube Particle Astrophysics Center
  • Susan Sons; Trusted CI and Indiana University's CACR
  • Susan Ramsey; National Center for Atmospheric Research
  • Elisa Heymann; Trusted CI and University of Wisconsin
We asked the students to share some insights into their Summit experience. Their comments are quoted below.

Sanchari Das:

My name is Sanchari and I am a doctoral student in the School of Informatics, Computing, and Engineering at Indiana University Bloomington, specializing in Usable Privacy and Security. I think this summit was a great opportunity to meet researchers and practitioners from other organizations. I thoroughly enjoyed their perspective and insights in the discipline of cybersecurity and gathered knowledge to pave my future research directions. Given the diverse research areas that were covered, this truly was a golden opportunity to broaden a graduate student's vision, such as myself, understanding more about usable privacy and security.

The NSF cybersecurity summit provided the perfect blend of academicians and those working in industry, who do and preach cybersecurity practices and direct their research accordingly. Given the workshops and talks that were conducted in the summit, it was not limited to discussing cybersecurity infrastructure, but also discussed the users who are a major part, are affected, and contribute to following cybersecurity practices. It was one of the gatherings where practitioners from the industry likewise joined to discuss the applications of such research.

As a student I learned about the current challenges in the field of cybersecurity, how usable security and privacy is slowly but surely making its mark where we all aim in not keeping the humans out of the loop but making them aware through simple but informative tools. I also learned how people from different fields, such as law (policy makers), software developers, security engineers, and academicians, can all work together to help build a secure environment to protect the data of an organization or individual.

Apart from interesting ideas, I would particularly like to thank my mentor Mark Krenz and Jeannette Dopheide, who made the process smooth and helped me throughout my stay and helped me interact with eminent researchers and practitioners in my field. I enjoyed the workshops I was involved in as well; Susan Sons’s insights on the different version controls and monitoring old patches to find loopholes which can be played further were interesting.

I would also like to thank Von Welch, the director of Indiana University’s Center for Applied Cybersecurity Research, who is extremely approachable and helps every student to achieve their best in this field through such initiatives.

Grant Allard:

The Trusted CI/NSF 2018 Cybersecurity Summit provides an outstanding opportunity to professionally and scholastically improve my understanding of the key issues in scientific cyberinfrastructure. The Trusted CI leadership team makes you, as a student, feel welcome and helps you to explore the pressing challenges facing the scientific cyberinfrastructure community today. The mentoring initiative associated with the student program is a superb educational tool that helped me put my experience in context and learn from one of the leaders of this field. One of my big takeaways from the week together is the importance that we as students will play to the scientific cyberinfrastructure community as we enter the scientific workforce: cybersecurity is not only a concern for CISOs but for the entire scientific community. The academic community owes a huge debt of gratitude to our CISOs for helping us keep our data secure, accessible, and integral.

I am taking what I learned from this conference and using it to develop a white paper and identify how I, as an aspiring scholar of public policy, can contribute to the community. This conference also has given me multiple opportunities at my university to meet new people and contribute to new efforts. This experience was exactly how a student program should be--in my opinion--and I highly recommend it to students of all levels or to advisors who are looking to promote their students' growth.

Preston Ruff:

I enjoyed the close-knit, friendly, and informative experience of the NSF summit. There I was able to test my text parsing skills in a log analysis workshop and I was exposed to the mystery of industrial control systems. Thank you to everyone at Trusted CI for hosting the event. I'm grateful to have met such brilliant people who work to create the cybersecurity systems and policy of tomorrow.

Maggie Ahern:

Attending the NSF 2018 Cybersecurity Summit was a fantastic learning experience. I have always been interested in cybersecurity, but this summit gave insight into the field that I had never been exposed to before. Some of the highlights include Software Engineering Best Practices and Legal Policy on Cybersecurity. I also particularly enjoyed the breakout session we had during lunch where we could discuss different topics of interest. I sat at a table that discussed books with the theme of cybersecurity and I went home with a few recommendations. The Student Program also connected us with a mentor for the duration of the conference. My mentor was incredibly understanding, knowledgeable, and inspiring. She is someone that I really admire and strive to live up to one day. Without this opportunity I probably would not have gotten to meet her, or all the other amazing individuals that I was able to interact with during the summit. All in all, I am incredibly grateful that I was given this opportunity to learn more about this subject and meet new individuals passionate about cybersecurity.

Leah Dorman:

At the NSF Cybersecurity conference, I immediately noticed a coherent understanding of cybersecurity's crucial role in science as well as a collaborative effort to produce trustworthy technology.  The Trusted CI program committee did an excellent job putting on this event and as a student I felt very welcomed and was provided with the information and resources needed to enhance my cybersecurity knowledge and research skills.  The first day was a training day.  I attended Automated Assessment Tools – Theory & Practice which was about injection attacks (one of the most common vulnerabilities) and had hands-on training using source code analysis tools to find code errors and flaws.  Then I attended Security Log Analysis Training which included ideas to improve security logging & monitoring as well as command examples that you can customize on your own logs and how to analyze data and look for patterns.  This hands-on training provided me with valuable experience that would only improve my cybersecurity skills.
The next two days there were several presenters that covered topics such as
  • Security Best Practices for Academic Cloud Service Providers (a big one I took away from this was Identity Access Management-aware Continuous Integration/Continuous Delivery Services)
  • Involving Students in Cybersecurity for CI
  • Silent Librarian (series of phishing attacks)
  • Responding to advanced threats as a global community (building a trust relationship in cybersecurity community)
  • XSEDE lessons learned (importance of multi-factor authentication)
  • Incident Response Communications
  • Password Adventures for a VO
  • A case study on implementing crowdsourced threat intel and active response
Overall, the focus was on being Proactive vs being Reactive; changing the focus of cybersecurity from protecting (specifically against malicious attacks) to enabling - moving beyond the fear of data breach and focusing on how to better enable end users to deal with data theft and how to be ready to respond to events like that.

I am very thankful for the knowledge I gained at this conference. Thank you, Trusted CI, for allowing me to participate as a student and for the engaging conversations and presentations that challenged and enhanced the way I think about cybersecurity.

We were more than impressed with the Student Program this year. The students' participation and enthusiasm were a rewarding affirmation of our commitment to community building. We look forward to seeing where their careers take them and sponsoring more students in the future.

Monday, September 24, 2018

Community Produces Security Best Practices for Academic Cloud Resources

A community consisting of members from The Agave Platform (TACC - NSF OAC-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF OAC-CC-DNI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), Jetstream (IU - NSF OAC-1445604) and Trusted CI recently completed an engagement to author a set of Security Best Practices for developing in, and operating, an academic cloud resource. The culmination of the project, Security Best Practices for Academic Cloud Service Providers, is available at http://hdl.handle.net/2022/22123.

A "cloud resource" within an academic institution provides a means for R&E users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. The virtual machine or container images can be curated and provided by the cloud resource operator, the user, or a third party. This utility, however, presents a number of challenges in the domain of cloud cybersecurity, e.g., the user's image can run with privileged access, an image can be of unknown provenance, controls to reduce the risk an image may pose to both the operator and other guests are limited, and managing security updates to an image is cumbersome.

The engagement's collaborative effort in tackling these unique security risks to academic cloud services was guided by three basic principles: security is a shared concern between a cloud service provider and a cloud service user, and neither can expect the other to fully address security; a clean delineation of security responsibilities between cloud service provider and cloud service user is critical to ensure all responsibilities are met; and the cloud service provider has the responsibility to ensure all security responsibilities are articulated and the cloud service user is educated about how to fulfill their responsibilities.

Through sharing experiences, the community detailed the "use cases" they deemed most important to the utility of academic cloud services. The security concerns of each use case were explored, leading to the identification of security best practices that balanced the needs of the stakeholders with mitigations sufficient to address the risk. This process along with the guiding principles resulted in a product that, unlike canonical security best practices, focused not only on the role of the operators, but also on empowering and encouraging the user to take a more proactive stance in cybersecurity. The use cases discussed in the document, and by association the security best practices for each, are:
  1. Disseminating localized best practices to users
  2. Ensuring user image trustworthiness
  3. Providing methods for users to manage their secrets
  4. Supporting privileged access within images
  5. Trying to empower users with self-service DNS management
  6. Similar to 3, providing methods for users to manage their configurations
  7. Providing service accounts as opposed to just user accounts
  8. Offering monitoring services that users can access
  9. Offering Identity and Access Management-aware Continuous Integration / Continuous Delivery services


The community additionally presented their experiences and findings at the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.

Friday, September 21, 2018

Trusted CI at Gateways '18

On September 25-27, Gateways '18 will take place in Austin, Texas, and Trusted CI is attending as a bronze-level sponsor. The conference, delivered by the Science Gateways Community Institute (SGCI), provides a venue for creators and enthusiasts of science gateways -- typically a web portal or a suite of desktop applications that allow science & engineering communities to access shared resources specific to their disciplines -- to learn, share, connect, and shape the future of gateways as part of a vibrant community with common interests.

This gathering for gateway creators and enthusiasts features hands-on tutorials, demos, keynotes, presentations, panels, posters, and plenty of opportunities to connect with colleagues, as well as a Resource Expo which Trusted CI is proud to be participating in. So, if you attend the conference, please stop by our exhibitor’s table, say hello, and learn about Trusted CI’s current activities and resources available for the Gateways Community.

Monday, September 10, 2018

Trusted CI Webinar September 24th at 11am ET: The SCI Trust Framework

David Kelsey is presenting the talk "The SCI Trust Framework" on Monday September 24th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

E-Infrastructures recognise that controlling information security is crucial for providing continuous and trustworthy services for their user communities. Such infrastructures, including grids and clouds, are subject to many of the same threats and vulnerabilities as each other because of the use of common software and technologies. Users who take part in more than one infrastructure are potential vectors that can spread infection from one infrastructure to another. All infrastructures can benefit from working together and sharing information on security issues.

Security for Collaborating Infrastructures (SCI) is a collaborative activity within the WISE trust community. The aim of the SCI trust framework is to manage cross infrastructure operational security risks. It builds trust between Infrastructures by defining policy standards for collaboration. The SCI group published version 1 of its trust framework in 2013. Two derivative frameworks have also been published; SIRTFI in 2015, and SNCTFI in 2017.

WISE/SCI has more recently produced version 2 of the SCI trust framework, to reflect changes in technology, culture and to cover a broader range of infrastructures. The framework contains numbered requirements in five areas (operational security, incident response, traceability, participant responsibilities and data protection) that each Infrastructure should address as part of promoting trust between Infrastructures. SCI’s updated version 2 was officially endorsed during the TNC 2017 conference by representatives of EGI, EUDAT, GÉANT, GridPP, HBP, PRACE, SURF, WLCG and the USA’s XSEDE e-infrastructure.

The webinar will present the SCI Trust Framework together with current work on a new baseline AUP and a Policy Development Kit. Possible future activities will also be presented.

Speaker Bio:
David Kelsey is head of the particle physics computing group at STFC, UK and has been leading Grid Security activities in many projects. He founded the Joint (WLCG/EGEE) Security Policy Group in 2004. He is currently the Chair of the WISE steering committee and was founder of the SCI activity. He has a Masters degree in Physics (Trinity College, Cambridge) and a PhD in Physics (University of Birmingham).

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."