Thursday, December 19, 2019

NSF releases JASON report on research security with CUI finding

NSF recently released the JASON report on research security. Quoting Wikipedia, “JASON is an independent group of elite scientists which advises the United States government on matters of science and technology, mostly of a sensitive nature.“

Much of this report focuses on research integrity, that is the “objectivity, honesty, openness, fairness, accountability, and stewardship” of research. For research with confidentiality needs, cybersecurity has a role to play in research integrity, by protecting research such as intellectual property from being unfairly accessed. For open research, cybersecurity still has a large role in assuring data integrity: “
the assurance of the accuracy and consistency of data over its entire life-cycle” which is a small, but critical, part of research integrity and reproducibility.

In that context, this report contains a finding and discussion on CUI and research security:
8. Universities have mechanisms to handle Controlled Unclassified Information (CUI) under existing categories, such as HIPAA, FERPA, Export control, and Title XIII. CUI protection is difficult, but suited to these tasks, however it is ill-suited to the protection of fundamental research areas.

This finding is further discussed in Section 4.2, which concludes with the following statement:
Given the current state of affairs, JASON cannot recommend adoption of a CUI mechanism to secure additional categories of information generated by U.S. universities, beyond those currently covered by applicable laws designed to protect personal information (e.g., HIPAA, GINA, FERPA, Title 13, etc.). Rather, the general principle of creating high walls, i.e., classification, around narrowly defined areas should be adhered to, minimizing conflicts that might adversely affect U.S. open science practices.

A challenge we know many in the community face is internal pressure for all of research cybersecurity to shift to CUI. Trusted CI believes careful consideration is needed to select appropriate cybersecurity based on science mission, and agrees with the JASON report that CUI is not suitable for all research, including a fair amount of NSF-funded research. Trusted CI suggests approaches such as Trusted CI’s Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects and the emerging Trusted CI Framework are better suited.  We hope this report provides valuable input for ongoing discussions some of you may be having.

Wednesday, December 18, 2019

Trusted CI Webinar Series: Planning for 2020, review of 2019


The 2019 season of the Trusted CI Webinar series has concluded and we are looking forward to the presentations scheduled in the next year.

The following topics and speakers have been booked in 2020 so far:
(Webinars are scheduled the 4th Monday of the month at 11am Eastern time.)
  • February 24: FABRIC: Adaptive programmaBle networked Research Infrastructure for Computer science
  • March 23: End-to-End Performance and Security Driven Federated Data-Intensive Workflow Management
  • April 27: Secure Data Architecture: Assured Mission Delivery Network Framework for Secure Scientific Collaboration
  • May 18: The Tommie Science Network
  • June 22: The Engagement and Performance Operations Center (EPOC)
  • August 24:  Researcher Passport
  • October 26: RDP: Enforcing `Security and Privacy Policies to Protect Research Data
  • December: Data Integrity, with Trusted CI
We are in the process of booking the remaining spots.  See our call for presentations for more information.

In case you missed them, here are the webinars from 2019:
  • January: The Research Security Operations Center (ResearchSOC) with Von Welch and RSOC leadership team (Video)(Slides)
  • February: Anticipatory Cyber Defense via Predictive Analytics, Machine Learning and Simulation by Shanchieh (Jay) Yang (Video)(Slides)
  • March: The NSF CC-DNI SecureCloud Project: Autonomic Cybersecurity for Zero Trust Cloud Computing with Casimer DeCusatis (Video)(Slides)
  • April: REED+: A cybersecurity framework for research data at Purdue University with Preston Smith (Video)(Slides)
  • May: Deployable Internet Routing Security with Amir Herzberg (Video)(Slides)
    June: The Trusted CI Framework: Toward Practical, Comprehensive Cybersecurity Programs with the Trusted CI team (Video)(Slides)
  • July: Ancile: Enhancing Privacy for Ubiquitous Computing with Use-Based Policy with Jason Waterman (Video)(Slides)
  • August: Integrity Protection for Scientific Workflow Data: Motivation and Initial Experiences with Anirban Mandal and Mats Rynge (Video)(Slides)
  • September: Jupyter Security at LLNL with Thomas Mendoza (Video)(Slides)
  • October: Trends in Global Privacy: GDPR One Year Later with Scott Russell (Video)(Slides)
  • December: DDoS Defense in Depth for DNS: Project Overview and Early Results with John Heidemann and colleagues (Video)(Slides)
Join CTSC's announcements mailing list for information about upcoming events. Our complete catalog of webinars and other presentations are available on our YouTube channel.

Monday, December 16, 2019

Trusted CI visits US ARF vessels

The United States Academic Research Fleet (ARF) consists of 18 research vessels organized by University-National Oceanographic Laboratory System (UNOLS). These ships belong to different classes of vessels, from large Global Class vessels to smaller Coastal Class vessels. These ships are owned by NSF and the US Navy; and also by operating institutions. As a part of the Trusted CI engagement with ARF, the five member Trusted CI engagement team traveled to various places where the ships were docked to better understand and observe issues that affect the security of their cyberinfrastructure. Since it was not possible for Trusted CI to visit all the 18 ships, the team decided to see one ship from each vessel class and also took advantage of opportunities that coincided with other travel in order to reduce costs. The observations captured by the team during these trips will be used in their final report to ARF and its stakeholders.



R/V Sikuliaq
Date of Visit: 8th Oct’ 2019
Class: Global Class
Owner: NSF
Operating Institution: 

University of Alaska Fairbanks








R/V Robert Gordon Sproul
Date of Visit: 14th Oct’ 2019
Class: Coastal Class
Owner: University of California
Operating Institution: 

Scripps Institution of Oceanography

R/V Neil Armstrong
Date of Visit: 7th Nov’ 2019
Class: Ocean Class
Owner: Navy
Operating Institution:

Woods Hole Oceanographic Institution

R/V Endeavor
Date of Visit: 8th Nov’ 2019
Class: Ocean Class
Owner: NSF
Operating Institution:

University of Rhode Island













The team would like to thank all of the vessels’ captains, crews, operating institutions and ARF staff for facilitating our visit to the ships. These visits have played a major role in helping us to make recommendations to improve the cybersecurity of the fleet.

Monday, December 9, 2019

Trusted CI Incident Response Report 2019-10-02_01

As I discussed during my presentation at the NSF Cybersecurity Summit in October, Trusted CI inadvertently exposed an embargoed engagee report earlier this year. Our first time doing incident response as a project also revealed some weaknesses in our response planning that could have been problematic for a more serious incident.

With the approval of the impacted engagee, we are now making our internal report on the incident and our plans to improve public. Please find the URL to the report at the bottom of this blog post.

The community’s trust in us is paramount and we hope this transparency helps you maintain that trust in us. We welcome questions and suggestions.

Von Welch, Trusted CI Director


Trusted CI Incident Response Report 2019-10-02_01
Available at http://hdl.handle.net/2022/24845

Report Summary
A Trusted CI engagement report with the Singularity team at Sylabs was inadvertently published prematurely due to miscommunication within the Trusted CI team. A secondary leak was discovered in the resume of a Trusted CI team member and weaknesses were discovered in the incident response process of Trusted CI. This report describes these events and the steps Trusted CI took in responding. An analysis of those events follows along with a set of planned remediations by Trusted CI to avoid a future incident and strengthen Trusted CI’s incident response processes.

Monday, November 25, 2019

Trusted CI Webinar December 9th at 11am ET: DDIDD: Project Overview and Early Results

USC's John Heidemann is presenting the talk, "DDoS Defense in Depth for DNS (DDIDD): Project Overview and Early Results" on December 9th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The DDIDD Project (DDoS Defense in Depth for DNS) is applying existing and developing new defenses against Distributed-Denial-of-Service attacks for operational DNS infrastructure. We are building a defense-in-depth approach to mitigate Distributed Denial-of-Service attacks for DNS servers, with approaches to filter spoofed traffic, identify known-good traffic when possible, and employ cloud-based scaling to handle the largest attacks. We are working with USC's B-Root team to test our approaches as a case study, and are making approaches open source as they become available. This talk will summarize the project and our overall approach, provide details about some of our early filters and filter selection, and describe where we plan to go in the remaining year.
John Heidemann is a principal scientist at the University of Southern California/Information Sciences Institute (USC/ISI) and a research professor at USC in Computer Science. At ISI he leads the ANT (Analysis of Network Traffic) Lab, studying how to observe and analyze Internet topology and traffic to improve network reliability, security, protocols, and critical services. He is a senior member of ACM and fellow of IEEE.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, November 22, 2019

Apply by January 17th, 2020 for the Trusted CI 2020 Fellows Program!

Trusted CI’s inaugural 2019 cohort of Fellows was an amazing success with six Fellows from research technologies, astrophysics, criminal justice, network and combinatorial optimization, and computer engineering. We are now pleased to announce the call for applications for our 2020 Trusted CI Fellows. Another cohort of six fellows will receive training from and work closely with Trusted CI to expand their own understanding of trustworthy science and further empower the NSF community to secure its own research.

The deadline for applications is January 17th, 2020. We’ll be hosting a special Trusted CI webinar on the Fellow application process on December 17th at 10am Eastern time. For more information and to apply, please visit https://trustedci.org/fellows/apply

Register for the webinar here: https://iu.zoom.us/webinar/register/WN_nEfmD78RR1ScWDIrpoCaTg

Monday, November 18, 2019

New at the NSF Cybersecurity Summit this year: Jupyter Security Training

Picture of Matthias Bussonnier teaching about Jupyter security
Matthias Bussonnier - Photo by Emily Sterneman
 This year at the NSF Cybersecurity Summit, Trusted CI expanded upon its training session offerings with a Jupyter security training/workshop on the first day (afternoon session). This training was led by Matthias Bussonnier (Jupyter Developer Team, UC Merced), Rick Wagner (Globus), Mark Krenz (Trusted CI), and Ishan Abhinit (Trusted CI). Twenty-one people attended the workshop, making it one of the more popular training sessions at the summit this year.

The session started with an around-the-room introduction of attendees and their experiences using Jupyter, including what they knew about Jupyter security and what they were hoping to get out of the workshop. Most attendees had little-to-no experience with Jupyter and were curious to learn more about  deploying and securing Jupyter. This was especially valuable information to Matthias to better help the development team understand the different scientific communities using Jupyter. The room seemed to be balanced between attendees from Information Technology and Research, which is a sign that Jupyter is more and more used and deployed at scale in various institutions.

The next 30 minutes were devoted to helping the audience understand Jupyter and its software landscape: notebooks, notebook server, IPython, JupyterHub, etc. This included an overview of Jupyter architecture, nomenclature where things run and how they communicate, the Threat Model, examples of attacks, and how to secure an installation.

This was followed by a hands-on exercise where Rick demonstrated how to access a remote Notebook Server and set up a JupyterHub instance using a default configuration. Then attendees learned to observe and secure components and their interactions one by one. Rick and Matthias ended the session by answering the questions attendees had asked at the beginning, defining Jupyter security best practices, and giving an overview of what can be done to improve security in the Jupyter Community. The slides from the workshop are available here. The group will be looking for ways to provide this training at future events.

According to Matthias, this was the first ever security focused training workshop on Jupyter; and the feedback from the first group of attendees will inform the shape this training will take in future iteration.

Friday, November 15, 2019

Trusted CI activities at SC19

Members of Trusted CI will be attending SC19 (November 17-22) in Denver. SC is the International Conference for High Performance Computing, Networking, Storage, and Analysis. The conference includes a technical program of talks, tutorials, exhibitions, posters, birds of a feather, awards, etc. Below is a list of Trusted CI member activities, booth assignments of Trusted CI organizations, and activities of our partner projects. Stop by and see us!

Trusted CI Member Activities:
  • Barton Miller & Elisa Heymann are presenting a training, "Secure coding practices and automated assessment tools" (description) (preview)
  • Barton Miller is also presenting a paper, "Diogenes: Looking for an Honest CPU/GPU Performance Measurement Tool"
  • Von Welch is presenting at the IU booth 643 Tuesday at 11am
  • Trusted CI Advisory Committee meeting Tuesday
  • Jim Basney at the NCSA booth 714 Wednesday at 10am
  • Dana Brunson is participating in a panel and a BOF, both on research computing
  • Florence Hudson is participating in a panel on computation and health, and in a BOF on HPC education, outreach, and training
Trusted CI Organization Booths at SC19:
SC Activities of our partner projects that may interest you:

Monday, November 11, 2019

Student Program at the 2019 NSF Cybersecurity Summit

In October we hosted our annual NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure in San Diego, CA. The Summit included training workshops, plenary talks, and networking opportunities for members of NSF Large Facilities and the CI community.

As Summit attendance and funding grows so has our ability to provide learning opportunities for new members to the community. Two years ago we launched a student scholarship program to follow through on our goals of outreach and broadening impact. Students apply to the program by writing a brief essay sharing their security interests and what they hope to gain from attending the Summit.

This year we were able to fund the attendance of ten students to the Summit. Their names and schools they attend are listed below (see: photo, left to right):
  • Emma He - MS Computer Science - University of Wisconsin-Madison
  • Shuvra Chakraborty - PhD Computer Science - University of Texas San Antonio
  • Merlin Cherian - BS/MS Computer Science - Drexel University
  • Cameron Ogle - Bachelor Computer Science - Clemson University
  • Minh Nguyen - PhD Student Computer Science - CUNY
  • Alexis Reyes - MS Software in Software Engineering - University of Texas at El Paso
  • Desiree Lester - Bachelor Information Assurance - Norfolk State University
  • Tre' Jeter - Bachelor Computer Science, Bachelor Computer Engineering - Claflin University
  • Roncs Etame-Ese - BS Information Technology - Marymount University
  • Luis Gonzalez - BS Information Technology - Florida International University
We also paired the students with volunteer mentors (two students per mentor). We thank them for helping make the students feel welcome at the Summit. Their names and organizations are listed below:
  • Florence Hudson; Trusted CI
  • Steve Barnet; Wisconsin IceCube Particle Astrophysics Center
  • Susan Ramsey; Amazon
  • Celeste Matarazzo; Lawrence Livermore National Laboratory.
  • David Halstead; National Radio Astronomy Observatory (NRAO)
We asked the students to share some insights into their Summit experience. We list a selection of their statements below.

Shuvra Chakraborty
As a doctoral student, my research works focus on the investigation of novel access control methodologies; development and deployment. I have attended a couple of conferences before: this Summit was a bit different for me. Apart from the usual knowledge hunting, I have got great networking opportunities here. I would specifically mention my colleagues in the student programs and mentors. My mentor was superb: I felt really inspired after meeting her. I liked the training program most: the hands-on training was useful and informative.
Cameron Ogle
By far my favorite thing from the Summit, was the chance to interact with others who share the same passion for technology and learning. I gained some of the most valuable information from speaking with the attending industry experts. I especially appreciated the advice the mentors offered in finding a career and what lessons they had to share. The other students were a blast to explore San Diego with, and I can’t wait until we have the chance to lead the cybersecurity field.
Desiree Lester
The student program was very informative. It exposed all the students to industry work, lab, and research projects. It showed me that the industry it not all about coding, but about fixing a bigger problem. It was about networking with people from all over the world and learning from their experiences. After hearing stories, I have considered applying to a fellowship program. I just would like to that TrustedCI for this amazing opportunity and hope to network in the future.
Tre' Jeter
For me, I learned so much! I got actual experience with security tools in a real world setting in the Web Security Automated Assessment Tools session. I enjoyed speaking further with Dr. Miller about graduate school and I actually scheduled a visit to the University of Wisconsin-Madison. Furthermore, I appreciated being treated like a professional in the field although I am still a student. Being asked the difficult questions and being forced to put things into the perspective of a real world event on the spot was intriguing, challenging, and inspiring. It also showed me that I have much to learn in every aspect of this field! I am much more confident in my degree choices now because I attended this summit and got real feedback and honesty when it came to me asking the right questions, giving the right answers, and even thinking in the correct way in order to be successful in this field. Everything I wanted to get out of this summit was achieved!
Roncs Etame-Ese
This year’s conference was a memorable experience for me as it was my first time out on the West Coast. Prior to arriving at the conference, the thing I was looking forward to the most was meeting other students. The new friendships I made and the bond we all established in that week, are memories that I can never forget. They were all incredibly smart and I was pretty impressed by their academic, professional, and extracurricular achievements. I’m looking forward to all of us succeeding in our endeavors and being the next generation of cybersecurity professionals.
Luis Gonzalez
Being able to attend this summit was a wonderful experience and I would recommend any student interested in Cyber Security to attend. The staff at IU and Trusted CI were very welcoming and gracious. Along with being wonderful to me, they were extremely organized and punctual throughout the summit. You will be able to network with many research individuals in the cybersecurity field. The training session was only 3.5 hours. long each but the presenters did a great job of overloading us with great information and allowing us to do many hands-on exercises in the process. If you have the opportunity to attend this event. I greatly encourage it.
We were more than impressed with the Student Program this year. Their participation and enthusiasm was a rewarding affirmation of our commitment to community building. We look forward to seeing where their careers take them and sponsoring more students in the future.

The students and mentors




Tuesday, November 5, 2019

Remembering Steve Tuecke’s contributions to cybersecurity

I am deeply saddened to learn of the passing of Steve Tuecke last weekend. Steve was a passionate leader in the application of technology to advance science as well as being a great mentor to me during the three years I worked as part of the Globus project and since. While Steve’s contributions to scientific computing and data management are wide-ranging, I worked most closely with him on the topics of cybersecurity and identity management. This post is to remember and reflect on his work in those areas that was foundational to much of cybersecurity in scientific computing today.

When I first met Steve in the late 1990s, he was a driving force behind establishing a flexible security architecture to support distributed science. His ability to grasp the needs for delegating authority and secure communications amongst researchers and infrastructure (fairly novel concepts in those days where the world wide web was just getting started) and his acumen in systems design and software engineering immediately attracted me to him as someone from whom I was eager to learn.

The first project Steve drew me into was solving the challenge of how a researcher delegated credentials to web servers, an unknown concept in the simple client-server model of the web at that time. This original work became MyProxy, a workhorse for credential management in scientific computing to this day, and which led to the important CILogon infrastructure.

I joined the Globus project shortly after and under Steve’s mentorship started working on standardizing Proxy Certificates and developing their implementation in the very nascent Grid Security Infrastructure (GSI). During this period, Steve taught me much about software development and architecture (I will always associate the term “idempotent” with Steve), the role of standards, building  communities, and leadership.

Since my days with Globus, I continued to admire Steve’s leadership in developing Globus Auth, allowing researchers to manage their multiple identities at different sites and services. I enjoyed numerous conversations with Steve on that identity work as well as other topics such as software sustainability. He was a great mentor and friend and will be missed.

Von Welch, Trusted CI Director

Monday, October 28, 2019

The Cybersecurity Maturity Model Certification (CMMC): Implications for Contracting with the Department of Defense

One of the current trends for research organizations is the increasingly prominent role of privacy and cybersecurity compliance regimes, such as NIST 800-171, HIPAA, and GDPR. Historically, these compliance regimes have focused on regulated types of data: CUI, PHI, PII, etc. However, recently the Department of Defense (DoD) has signaled a shift away from these data-specific regulations, and towards a compliance regime that sets requirements for every organization that contracts with them, regardless of data. This new compliance regime, the Cybersecurity Maturity Model Certification (CMMC), is slated to begin as soon as Fall 2020, meaning that organizations that intend to be compliant will want to begin preparing almost immediately.

2019 NSF Cybersecurity Summit wrap-up: Strength in Numbers


The 2019 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure was a resounding success. Presentations have been posted to our website, more will be added as they become available.

Our attendance this year was 143, up from 117 attending last year. Presentation proposals saw an increase as well this year, which allowed us to offer a greater variety of trainings and topics. And, our student program had a significant increase in applications; prompting us to include 10 students, up from 6 students last year. In 2019 we launched our new Fellows program and the Cybersecurity Technology Transition to Practice (TTP) program, both of which were included in the Summit agenda of presentations.

Each year we write a report of the Summit, the highlights, and its findings. We are in the process of drafting the 2019 report and will post it soon.

We thank all the presenters, trainers, attendees, students, Fellows, and the event coordinators who helped make this our most successful Summit to date. And finally, we thank the NSF for their support of Trusted CI and our mission to lead in the development of a cybersecurity ecosystem.

Wednesday, October 23, 2019

PSC Updates

Shane, Kathy, and Andrew at the 2019 NSF Cybersecurity Summit
Following Jim Marsteller's departure from Trusted CI, we are pleased to welcome two new Trusted CI team members from the Pittsburgh Supercomputing Center. Kathy Benninger, PSC's Manager of Networking Research, is our new lead for the Large Facilities Security Team (LFST) and is Trusted CI's new site lead for PSC. Kathy is already actively engaged with Trusted CI leadership and planning for 2020. We also look forward to January when Shane Filus, PSC Security Engineer, will join the Trusted CI team. Kathy and Shane both strengthen our connections to XSEDE.

Lastly, we are grateful for the continued participation in Trusted CI by PSC's Andrew Adams, who is taking on the role of Trusted CI's Chief Information Security Officer (CISO).

Monday, October 14, 2019

Trusted CI Webinar October 28th at 11am ET: Trends in Global Privacy: GDPR One Year Later with Scott Russell

CACR's Scott Russell is presenting the talk, "Trends in Global Privacy: GDPR One Year Later" on October 28th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The past few years have seen a resurgence of privacy laws around the globe, starting with the European Union’s General Data Protection Regulation (GDPR), but leading to proposed laws in South Korea, Brazil, and the United States. These numerous laws may be targeted at enhancing privacy, but their biggest effect has been as a source of fear and confusion for those who are being regulated. This talk will build upon last year’s GDPR webinar, introduce CCPA, and then go on to discuss trends in global privacy more broadly: what’s happening, what’s coming, and what should you do about it.
Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research (CACR), where his work focuses on privacy and cybersecurity policy. A lawyer and researcher, Scott received his B.A. in Computer Science and History from the University of Virginia, received his J.D. from Indiana University, interned at MITRE, and served as a postdoctoral fellow at CACR.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, October 9, 2019

Trusted CI at SFSCon 2019

Group Photo of SFSCon 2019 Participants
On September 27-29, Trusted CI participated in SFSCon 2019, the third annual cybersecurity training and professional development event at Cal Poly Pomona (CPP) for the CyberCorps Scholarship for Service (SFS) students and alumni nationwide. 105 student attendees traveled to California from 42 universities across the country for this event organized by CPP Professor Mohammad Husain. In 2017, Trusted CI helped organize the CPP-CTSC SFS Cyberinfrastructure Security Workshop, the first event in this SFSCon series.

This year, Trusted CI's Barton P. Miller and Elisa Heymann provided a Software Assurance training for the students, and Trusted CI's Jim Basney and John Zage provided an Identity and Access Management training. Ishan Abhinit and Zalak Shah (CACR) also provided a Security Log Analysis training, using training materials developed by Trusted CI.

From 45 student attendees in 2017 to 105 student attendees in 2019, SFSCon is a growing success. It’s great to see the SFS program supporting the development of the next generation cybersecurity workforce. Trusted CI is proud to have the Cal Poly Pomona Scholarship for Service project as one of our partners.

Thursday, October 3, 2019

CI CoE Pilot - NEON IdM Experiences

The Cyberinfrastructure Center of Excellence (CI CoE) Pilot project, in collaboration with Trusted CI, recently completed an identity and access management engagement with the National Ecological Observatory Network (NEON) to update the NEON Data Portal to use OpenID Connect for user authentication. A paper summarizing this engagement is available.

The goal of the CI CoE Pilot project is to develop a model for a CI CoE that facilitates community building and sharing, and applies knowledge of best practices and innovative solutions for NSF's major multi-user research facilities. One sub-component of the Pilot project is to gain experience with implementing identity management (IdM) solutions for facilities.

NEON was selected as the initial IdM engagee with the intent to assist them with moving the NEON Data Portal away from managing local user credentials and towards leveraging industry standards such as OpenID Connect (OIDC). The implementation involved transitioning to Auth0, which not only imported the existing database of Data Portal users, but also allowed users to log in with third-party OIDC Identity Providers (IdPs) Google and CILogon.

Monday, September 30, 2019

Spotlight on Software Assurance and Secure Coding

Bart & Elisa at Cal-Poly Pomona, 09/27/19
Software assurance is the secure design,coding, and assessment of software to ensure it is free from vulnerabilities and works as intended. Since its inception, Trusted CI has dedicated a portion of its engagements and community outreach to software assurance. Much of this work has been led by Profs. Barton P. Miller and Elisa Heymann from the University of Wisconsin-Madison. Through conducting engagements, training events, presenting talks, and building curricula, Bart and Elisa strive to teach programmers, analysts, and managers how to design and program secure software, and how to assess  software to find  flaws and make the software more difficult to be hacked.

Bart and Elisa have conducted numerous engagements for Trusted CI and other organizations. During one engagement for Trusted CI they conducted an in-depth vulnerability assessment of Singularity, an open source container platform optimized for high-performance computing (HPC) and scientific environments. The Open Science Grid engagement involved a vulnerability assessment of OSG's installment of HTCondor, a program that manages jobs submitted to the batch system. In another collaboration outside of Trusted CI, they evaluated Total Soft Bank's (TSB) Terminal Operating System, a system for managing maritime freight shipping, including that manages about 40 percent of container terminals in the world. That work resulted in significant improvements in the security of international shipping, reported in a paper published in Port Technology International.

The pair has conducted workshops for Internet2, Supercomputing, Science Gateways Community Institute (SGCI), IEEE, O’Reilly, the New Jersey FAA; and have traveled to Australia, Germany, South America, and India to give trainings. Much of their work is publicly accessible to broadcast it out to the widest audience possible. And their course, “Introduction to Software Security,” has recently been added to UW-Madison’s Spring 2020 undergrad curriculum. A pilot version of the course had 120 students enrolled, they are optimistic the spring course will be well attended. These training resources focus on real scenarios and hands-on learning to make a lasting impact on students. The training exercises have evolved over time to include different languages and operating systems. It should be noted that, depending on the language, some security problems can be reduced, but they don’t entirely go away.

The future of secure coding relies on as much education as possible. The number of people writing programs has increased at a breathtaking rate. The resources available to them must scale to meet these demands.

Updates about upcoming Trusted CI trainings are regularly posted on our home page. Applications for an engagement with Trusted CI during the early 2020 session are due October 2nd.


Thursday, September 19, 2019

Trusted CI renewed through 2024

We're extremely happy to announce that Trusted CI has been renewed as the NSF Cybersecurity Center of Excellence through 2024 under NSF award 1920430. We thank the community for their support in this endeavor and look forward to our continued collaboration to advance the trustworthy nature of NSF science.

For more information, please see the press releases from Indiana UniversityNCSA and U. of Wisconsin, as well as other press coverage: Indianapolis Business Journal, HPCWire, Indiana Daily Student.

Monday, September 9, 2019

CCoE Webinar September 23rd at 11am ET: Jupyter Security at LLNL with Thomas Mendoza

Thomas Mendoza is presenting the talk "Jupyter Security at Lawrence Livermore National Laboratory" on Monday September 23rd at 11am (Eastern).

Please register here. Check spam/junk folder for registration confirmation email.
Jupyter Notebooks have become tremendously popular for creating, sharing and reproducing science. While they are relatively easy to setup and use, there has (until recently) been little concern regarding the security implications of running these Notebooks. This presentation will cover the developments and practices used at Lawrence Livermore National Laboratory to secure notebooks running in multi-tenant, HPC environments.
Speaker Bio:
Thomas Mendoza is a staff Computer Scientist at LLNL working for Livermore Computing’s HPC center on web architecture and security.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, September 6, 2019

Trusted CI Finishes Engagement with the American Museum of Natural History

The American Museum of Natural History (AMNH) conducts research and education activities spanning multiple branches of science. Through the National Science Foundation's Campus Cyberinfrastructure (CC*) program (NSF OAC-1827153), AMNH developed and installed a Science DMZ to enable high speed transfer of large data sets. Connections were deployed regionally via NYSERnet and nationally via Internet2. Additionally, AMNH's ADFS identity management system was federated with InCommon to give researchers access to Globus data transfer nodes (DTNs).

Trusted CI's engagement with AMNH initially focused on developing an information security program tailored to the new Science DMZ. This effort started by reviewing existing AMNH policies and procedures which might apply to the Science DMZ. After this initial examination, it was decided that the accelerated timeline for installation and configuration of both the Science DMZ and the ADFS federation with InCommon left little time for refinement of a few security policy documents. Instead, effort was focused on fine-tuning system configuration for the Science DMZ by consulting outside expertise from ESnet.

Trusted CI documented the activities of this engagement in a final report. AMNH intends to document the processes of installation and configuration of their Science DMZ and the federation of their ADFS identity management system with InCommon. This documentation may give other similarly sized institutions a good starting point for installation of a Science DMZ or ADFS integration with InCommon.

The Trusted CI-American Museum of Natural History engagement began January 2019 and finished June 2019.

Wednesday, September 4, 2019

Trusted CI begins engagement with SLATE



SLATE accelerates collaborative scientific computing through a secure container orchestration framework focused on the Science DMZ, enabling creation of advanced multi-institution platforms and novel science gateways.  The ATLAS collaboration at the CERN Large Hadron Collider has an R&D program utilizing SLATE to centrally operate a distributed data delivery network having service endpoints at multiple computing facilities in the U.S., CERN, the UK and Germany, and has evaluated a cache deployed using SLATE within the ESnet backbone.  Similar approaches are already in production (the Open Science Grid data federation which is implemented in part using the Pacific Research Platform and Internet2) supporting LIGO and other science domains but as yet lack a generalized trust framework.  While innovation of the  new trust model initially is occurring in the context of the OSG and the worldwide LHC computing grid (WLCG), trusted federated edge infrastructures enabling operation of advanced computing platforms will in future be necessary to sustain a wide range of data intensive science disciplines requiring shared national and international cyberinfrastructure.

The deployment and operation of software through containerized edge services raises issues of trust between many stakeholders with different perspectives. Resource providers require guarantees that services running within their infrastructure are secure and operated within site policies; platform service developers and operators require flexibility to continuously deliver and compose new cyberinfrastructure supporting their scientific collaborations; edge cluster administrators need visibility and operational awareness while delegating some of their traditional deploy and operate responsibilities to centralized platform teams, following a NoOps model; and finally, the application workloads from end-user science communities rely on the foundational capabilities implemented by platform services to realize the full potential of shared cyberinfrastructure.  This engagement will focus on developing SLATE’s cybersecurity program in a way that  balances these needs.

The Trusted CI-SLATE engagement began July 2019 and is scheduled to conclude by the end of December 2019.  For additional information on SLATE, please refer to the paper,  “Building the SLATE Platform,” published in PEARC18.  Trusted CI will document the activities of this engagement in a final report to be made available to the public.

Tuesday, September 3, 2019

Trusted CI co-PI Jim Marsteller heading to Penn State University

With both excitement and sadness, I share with the Trusted CI community that Jim Marsteller, one of Trusted CI’s founders and a long-time leader of the NSF Cybersecurity Summit Program Committee and the Large Facility Security Team, will be leaving Trusted CI as part of moving from PSC to Penn State in September.

We’re excited for Jim in his new role at Penn State and wish him all the best. We are very glad that he is staying in the higher education family that is so important to Trusted CI’s mission of supporting research and look forward to continuing to work with Jim in his new role.

Please stay tuned for more news on how Trusted CI will adapt to this change of leadership.

Von - Trusted CI PI and Director

Monday, August 26, 2019

Spotlight on the Trusted CI partnership with the Science Gateway Community Institute

The Science Gateway Community Institute (SGCI) is an NSF-funded initiative to provide services, resources, community support, and education to those seeking to create and sustain science gateways -- online interfaces that give researchers, educators, and students easy access to specialized, shared resources that are specific to a science or engineering discipline.

Trusted CI began its partnership with SGCI about three years ago. The partnership has developed into two main functions: to provide specialized engagements to gateway developers and operators seeking cybersecurity support, and to present on relevant cybersecurity topics during SGCI focus weeks (formerly called "bootcamps") and related events.

Trusted CI Engagements with Science Gateways

Below are a few examples of Trusted CI's contributions to science gateways
  • GISandbox: Reviewed their operational security and science gateway code
  • 'Ike Wai: Reviewed their identity and access management (IAM) implementation
  • EarthCube Data Discovery Studio: Reviewed the security of the project server and website
  • UC SanDiego's BRAIN Lab: Advised on using the cloud storage service, Box, for one of their projects
  • The Rolling Deck to Repository (R2R): Presented best practices in transferring and archiving data
  • SeedMeLab: Advised the project on using software penetration testing
  • cloudperm: Trusted CI has written an app that checks permissions on Google documents to identify potential sensitive material accessible to the public. This scan has been used by SGCI to review its own documents.

Resources offered by Trusted CI include:

  • Developing a Cybersecurity Program: a tractable method to build policies and procedures for cyberinfrastructure
  • Cybersecurity checkups: a tailored approach to accessing the maturity of a security program
  • Identity and Access Management: a collection of resources to improve authentication and authorization
  • Open Science Cyber Risk Profile: Providing risk profiles for common scientific assets.
  • Training: providing training on cybersecurity via Science Gateway focus weeks and webinars
  • Providing advice to the SGCI team on protecting their own internal information assets.

Upcoming events

The next SGCI focus week is September 9 - 13 in Chicago, IL. According to the website, a few spots are still available.
The Gateways 2019 Conference is September 23 - 25 in San Diego, CA.

Wednesday, August 14, 2019

Trusted CI Engagement Applications Due Oct 2, 2019


Apply for a one-in-one engagement with Trusted CI for Early 2020.
 Applications due Oct 2, 2019.


Trusted CI is accepting applications for one-on-one engagements to be executed in Jan-June 2020.  Applications are due Oct 2, 2019 (Slots are limited and in demand, so this is a hard deadline!)

To learn more about the process and criteria, and to complete the application form, visit our site:


During Trusted CI’s first 5 years, we’ve conducted
 more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.  

As the NSF Cybersecurity Center of Excellence, Trusted CI’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.


Monday, August 12, 2019

PEARC19 wrap-up: Continuing our Commitment to Open Science

Jim Basney and Von Welch
Trusted CI had another successful presence at PEARC19. As noted in our pre-conference post, we presented our technical paper, a workshop, a panel, a poster, and exhibitor table; as well as attending and contributing to many other PEARC-related events.

A few highlights:
  • Von's panel, "Community Engagement at Scale: NSF Centers of Expertise," was attended at full capacity.
  • Our workshop, "Trustworthy Scientific Cyberinfrascture," was the first public debut of our Fellows. Matias Carrasco Kind, Jay Yang, Aunshul Rege, and Gabriella Perez shared their research backgrounds and discussed their specific cybersecurity needs.
  • Members of the NSF project Services Layer at the Edge (SLATE) met face to face with Trusted CI to discuss their upcoming engagement.
  • A series of lightning talks from Science Gateway operators during the Trusted CI workshop provided four gateway operators a chance to connect with the community on their cybersecurity issues.
  • A random lunch encounter between Trusted CI staff and people in the Jupyter community led to a lively discussion on Jupyter security and is expected to lead to an upcoming collaboration on providing a Jupyter security workshop at a future conference.
  • We presented at the AI4GOOD workshop regarding cybersecurity and ethics of artificial intelligence.
Von's Panel - Not a single open seat!
We thank the PEARC program committee for providing the opportunity to connect with members of our community and look forward to PEARC20.


Trusted CI Fellows at the workshop
Kay Avila, Mark Krenz, Florence Hudson
Anurag Shankar and Andrew Adams at the poster session

CCoE Webinar August 26th at 11am ET: Integrity Protection for Scientific Workflow Data: Motivation and Initial Experiences

Anirban Mandal and Mats Rynge are presenting the talk "Integrity Protection for Scientific Workflow Data: Motivation and Initial Experiences" on Monday August 26th at 11am (Eastern).

Anirban and colleagues are the recent recipient of PEARC's Phil Andrew's Award for most transformative contribution within its area of research.

Please register here. Check spam/junk folder for registration confirmation email.
With the continued rise of scientific computing and the enormous increases in the size of data being processed, scientists must consider whether the processes for transmitting and storing data sufficiently assure the integrity of the scientific data. When integrity is not preserved, computations can fail and result in increased computational cost due to reruns, or worse, results can be corrupted in a manner not apparent to the scientist and produce invalid science results. Technologies such as TCP checksums, encrypted transfers, checksum validation, RAID and erasure coding provide integrity assurances at different levels, but they may not scale to large data sizes and may not cover a workflow from end-to-end, leaving gaps in which data corruption can occur undetected.

In this talk, we will present our findings from the “Scientific Workflow Integrity with Pegasus” (SWIP) project by describing an approach of assuring data integrity - considering either malicious or accidental corruption - for workflow executions orchestrated by the Pegasus Workflow Management System (WMS). A key goal of SWIP is to provide assurance that any changes to input data, executables, and output data associated with a given workflow can be efficiently and automatically detected. Towards this goal, SWIP has integrated data integrity protection into a newly released version of Pegasus WMS by automatically generating and tracking checksums for both when inputs files are introduced and for the files generated during execution. We will describe how we validate our integrity protection approach by leveraging Chaos Jungle - a toolkit providing an environment for validating integrity verification mechanisms by allowing researchers to introduce a variety of integrity errors during data transfers and storage. We will also provide an analysis of integrity errors and associated overheads that we encountered when running production workflows using Pegasus.
Speaker Bios:

Anirban Mandal serves as the Assistant Director for network research and infrastructure group at Renaissance Computing Institute (RENCI), UNC-Chapel Hill. He leads efforts in science cyberinfrastructures. His research interests include resource provisioning, scheduling, performance analysis, and anomaly detection for distributed computing systems, cloud computing, and scientific workflows. Prior to joining RENCI, he earned his PhD degree in Computer Science from Rice University in 2006 and a Bachelor’s degree in Computer Science & Engineering from IIT Mumbai, India in 2000.

Mats Rynge is a computer scientist in the Science Automation Technologies group at the USC Information Sciences Institute. He is a developer on the Pegasus Workflow Management System and related projects. He is also involved in several national cyberinfrastructure deployments such as the Open Science Grid and XSEDE, for which he provides user support, software engineering and system administration. Previously, he was at the Renaissance Computing institute where he was the technical lead on the RENCI Science TeraGrid Gateway and the Open Science Grid Engagement activities. Before that he was a release manager on the NPACI NPACKage and NSF Middleware Initiative projects where he planned, created, and tested software middleware stacks for larger science communities.He also worked on improving grid software as part of Community Driven Improvement of Globus Software (CDIGS) and Coordinated TeraGrid Software and Services (CTSS) efforts.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, July 23, 2019

Trusted CI begins engagement with the United States Academic Research Fleet

The United States Academic Research Fleet (ARF, funded by multiple NSF awards) consists of eighteen oceanographic research vessels organized by the University-National Oceanographic Laboratory System (UNOLS) that vary in size and capability from large Global Class vessels to Coastal Class vessels. As a large facility, the ARF is unique because its primary assets (research vessels) are owned by several different agencies and independently operated by fourteen different oceanographic research institutions. The ARF supports seagoing research for scientific disciplines which require access to the sea. It is vital to programs as small as single-PI nearshore projects and as large as global multi-PI expeditions. The ARF provides multi-institutional and multi-disciplinary shared research infrastructure to serve these research projects. This infrastructure helps to advance research and education across a wide variety of disciplines for a diverse community.

The US ARF faces unique cybersecurity challenges due to the remote nature of the platforms and the increasing use of operational technology on research vessels. The fact that the platforms are operated by different institutions with distinct standards and policies further compounds these issues. As the platforms serve the same customers, a unified CI solution that works across institutional requirements would provide a more consistent environment to all personnel coming aboard US ARF ships. The engagement between Trusted CI and ARF will work to establish a unified cyber infrastructure security plan that will both serve the evolving security needs of its community and prepare the ARF for operational cybersecurity requirements due to be enforced by the International Maritime Organization in 2021.  

This engagement began in July 2019 and is scheduled to conclude by the end of December 2019.

Thursday, July 11, 2019

Registration is now open for the 2019 NSF Cybersecurity Summit

It is our great pleasure to announce registration is now open for  the 2019 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.  The event will take place Tuesday, October 15 thru Thursday, October 17, 2019, at the Catamaran Hotel, San Diego, CA.  Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities.


Complete the online registration form by October 9, 2019: https://trustedci.org/2019-nsf-cybersecurity-summit


Tuesday, July 9, 2019

CCoE Webinar July 22nd at 11am ET: Ancile: Enhancing Privacy for Ubiquitous Computing with Use-Based Privacy

Vassar College's Jason Waterman is presenting the talk "Ancile: Enhancing Privacy for Ubiquitous Computing with Use-Based Privacy" on Monday July 22nd at 11am (Eastern).

Please register here. Check spam/junk folder for registration confirmation email.
The recent proliferation of sensors has created an environment in which human behaviors are continuously monitored and recorded. However, many types of this passively-generated data are particularly sensitive.  For example, locations traces can be used to identify shopping, fitness, and eating habits.  These traces have also been used to set insurance rates and to identify individual users in large, anonymized databases. To develop a trustworthy platform for ubiquitous computing applications, it will be necessary to provide strong privacy guarantees for the data consumed by these applications. Use-based privacy, which re-frames privacy as the prevention of harmful uses, is well-suited to address this problem.

This webinar introduces Ancile, a platform for enforcing use-based privacy for applications. Ancile is a run-time monitor positioned between applications and the data (such as location) they wish to utilize. Applications submit requests to Ancile; each request contains a program to be executed in Ancile’s trusted environment along with credentials to authenticate the application to Ancile.  Ancile fetches data from a data provider, executes the program, and returns any output data to the application if and only if all commands in the program are authorized. We find that Ancile is both expressive and scalable. This suggests that use-based privacy is a promising approach to developing a privacy-enhancing platform for implementing location-based services and other applications that consume passively-generated data.
Speaker Bio:  Jason Waterman is an Assistant Professor of Computer Science at Vassar College.  He received his Ph.D in Computer Science at Harvard University in the area of Coordinated Resource Management in Sensor Networks.  He has also worked as research staff at MIT's Computer Science & Artificial Intelligence Laboratory, where he helped to build a system for monitoring patients in disaster situations.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, July 8, 2019

Trusted CI Completes REED+ Engagement

The Research Ecosystem for Encumbered Data (REED+) at Purdue University (https://www.rcac.purdue.edu/compute/reed), funded under the Office of Advanced Cyberinfrastructure (OAC #1840043), is a vision to implement a cost-effective ecosystem to manage regulated data. Researchers at Purdue, led by Preston Smith, Director of Research Services and Support, developed a strategic framework to address the compliance requirements for Controlled Unclassified Information (CUI) which is appearing in research sectors, e.g., defense and aerospace.

The foundation of the REED+ framework integrates NIST SP 800-171 and other related publications, including NIST’s Cybersecurity Framework (CSF) and the Big Ten Academic Alliance guidelines. It is intended to serve as a standard for campus IT to align with security regulations and best practices. Leveraging the framework, a single process for intake and contracting can be followed by the university’s Sponsored Programs Office (SPS), Human Research Protection Program (which oversees the IRB), Export Controls and Research Information Assurance (EC/IAO), and Information Technology at Purdue (ITaP) Research Computing division (formally the Rosen Center for Advanced Computing, or RCAC). Moreover, the framework also facilitates a tractable mapping of controlled research to cyberinfrastructure (CI) resources. The overarching goal of the REED+ framework is to enable researchers, administrators, and campus IT to better understand complicated data security regulations affecting research projects.

To assist in developing the framework, Trusted CI engaged with the REED+ team at Purdue from January through June of 2019. The initial step in the engagement was a review of existing documents and processes, followed by exploring proposed policies. Trusted CI found the flow of REED+ framework sound, and soon switched to working with Preston’s team in focusing on specific aspects of the process, e.g., providing controlled research ‘use cases’. The engagement proved especially rewarding, as both the REED+ researchers and Trusted CI came away from the engagement with a greater understanding in the nascent and vanguard processes involved in handling CUI compliance in the domain of research and education.