Monday, September 24, 2018

Community Produces Security Best Practices for Academic Cloud Resources

A community consisting of members from The Agave Platform (TACC - NSF OAC-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF OAC-CC-DNI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), Jetstream (IU - NSF OAC-1445604) and Trusted CI recently completed an engagement in authoring a set of Security Best Practices for developing in, and operating an academic cloud resource. The culmination of the project, Security Best Practices for Academic Cloud Service Providers, is available at

A "cloud resource" within an academic institution provides a means for R&E users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. The virtual machines or container images can be curated and provided by the cloud resource operator, the user, or a third party. This utility, however, presents a number of challenges in the domain of cloud cybersecurity, e.g., the user's image can run with privileged access, an image can be from unknown provenances, controls to reduce the risk an image may cause to both operator and other guests are limited, and managing security updates to an image is cumbersome.

The engagement's collaborative effort in tackling these unique security risks to academic cloud services was guided by three basic principles, specifically: security is a shared concern between a cloud service provider and a cloud service user, neither can expect the other to fully address security; a clean delineation between cloud service provider and cloud service user of security responsibilities is critical to ensure all responsibilities are met; and the cloud service provider has the responsibility to ensure all security responsibilities are articulated and the cloud service user is educated about how to fulfill their responsibilities.

Through sharing experiences, the community detailed the "use cases" they deemed most important to the utility of academic cloud services. The security concerns of each use case were explored, leading to the identification of security best practices that balanced the needs of the stakeholders with mitigations sufficient to address the risk. This process along with the guiding principles resulted in a product that, unlike canonical security best practices, focused not only on the role of the operators, but also on empowering and encouraging the user to take a more proactive stance in cybersecurity. The use cases discussed in the document, and by association the security best practices for each, are:
  1. Disseminating localized best practices to users
  2. Ensuring user image trustworthiness
  3. Providing methods for users to manage their secrets
  4. Supporting privileged access within images
  5. Trying to empower users with self-service DNS management
  6. Similar to 3, providing methods for users to manage their configurations
  7. Providing service accounts as opposed to just user accounts
  8. Offering monitoring services that users can access
  9. Offering Identity and Access Management-aware Continuous Integration / Continuous Delivery services

The community additionally presented their experiences and findings at the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.