Wednesday, April 8, 2020

The extra Zoom setting you may not know about to control access for phone-in attendees

What if I told you, that your Zoom meeting password does not apply to users calling in by phone?

Over the past several weeks the rest of the world has found out about the Zoom video conferencing system.  In this time of crisis, it has become essential for work, school, and even play. However, people have also been finding out about the security and privacy issues related to Zoom. I'm now going to share one more with you.

Trusted CI staff have discovered that, by default, meetings that have been protected with a meeting password do not require the password for users calling in by phone. There is an extra setting to control by-phone access and we think that this extra setting may not be not known by many Zoom users. Users who call in using one of the Zoom gateway phone numbers will not normally be prompted for a password. This potentially leaves sensitive meetings vulnerable to eavesdropping. Although this issue isn't a vulnerability in Zoom, it allows the users setting up meetings to create a vulnerability in their own meetings. It is a user interface and security awareness issue.

In order to enable password protection for by-phone users, you must locate the setting "Require password for participants joining by phone" as shown below, which in some interfaces may be located in the advanced settings.

Screenshot of the extra "by phone" setting to consider to protect a meeting
A second closely related issue is that enabling this "Require password for participants by phone" setting does not immediately change the configuration of existing meetings that have already been set up. The owner of the meetings must go into each meeting configuration, edit the meeting, and then save it without making any changes to the meeting. According to our observations, this regenerates the meeting and applies a phone password to the meeting. The phone password will be automatically generated and become part of the meeting invitation. You would then share this new password and meeting invite with your meeting participants who need it.
Trusted CI's test of faking a number

A third issue to be aware of here is that phone number caller id information can be faked. Although this is not new by any means, there has been little to no warning about this in relation to using Zoom. This vulnerability isn't Zoom's fault as the flaw exists in the design of the phone system.

However, because of this, you should not use a phone number in the participants list to authenticate a participant. A malicious user could change their number to that of an authorized user to avoid detection.

During our research into these issues, we found that most of the existing documentation outside of the Zoom website itself does not mention the "Require a phone password" extra setting that must be applied. Similarly, it is not obvious that this must be done when creating a meeting and setting a password, as there is no feedback from the interface that this must be done or that your meeting will not be fully protected.
The Zoom meeting password interface, showing no indicators of an extra by-phone setting.

Several of our security colleagues were also unaware of this extra "Require a password for by-phone users" setting, suggesting that the setting is unknown to most Zoom users.

Our recommendations for Zoom, the company,  is to add some type of indication near the meeting password setting that informs users that there is an additional setting for controlling access by phone and that Zoom should inform their existing install base about these issues.  Alternatively, this option should be enabled by default.

How Trusted CI discovered the issues

On February 26th, 2020, Mark Krenz set up a meeting with a colleague on the COSMIC2 science gateway project and set a meeting password to try to protect the meeting. When the colleague called in by phone, Mark asked the user if they needed a password to get in, which to his surprise, they did not. Mark then performed further testing of the issue with the help of Trusted CI members including Andrew Adams, Shane Filus, Ishan Abhinit, and Scott Russell. It was quickly found that changing the "require password by-phone" setting did not set it on existing meetings and that the existing meetings needed to be edited and re-saved. The team above wrote up a security report to send to Zoom, which was done so on March 6th through the website, which acts as a gateway for submitting such reports to companies. This meant that there was then a 30 day embargo on releasing this information to the public. During this time, the COVID19 crisis began to unfold in the western countries and people started heavily using Zoom. This almost immediately led to many reports of various unwanted incidents within Zoom meetings, so called Zoombombing,  and other vulnerabilities being discovered and announced. During this time we discussed the issue internally, met with Zoom to discuss the issue, and provided our recommendations for a way forward. We also monitored the media for any signs that this was being exploited, but found no direct evidence that it was being exploited. We also looked for these recommendations in news reports that were surfacing over the past month and found none that directly mentioned this issue.

Related links:

Monday, March 23, 2020

Tips for avoiding "Zoombombing"

As COVID-19 has necessitated increased use of telecommuting solutions, there have been instances of public Zoom meetings getting hijacked, or "Zoombombed," by malicious actors. Zoom has posted a blog with many helpful tips to prevent unintended access to your meeting and/or meeting controls.

The most important tip is to prohibit open access to the screen sharing feature during your meeting. You can disable this setting in your account profile:
  • Log into your Zoom account
  • Click the "Settings" tab on the left side of the screen
  • Search for "Screen Sharing"
  • Under "Who can share?" change the setting from "Participants" to "Host Only" (see screenshot below)
  • Save your changes

And when hosting a public meeting, do not use your personal Zoom Meeting ID. Create a separate meeting event for any link you share publicly.

Thursday, March 19, 2020

March 24th at 3pm ET: Trusted CI hosting COVID-19 virtual town hall

In case you missed our town hall on COVID-19, the slides and video have been archived.

Trusted CI is holding a Virtual Town Hall on Tuesday March 24th at 3pm Eastern to discuss the impact of COVID-19 on the NSF open science community. We recently posted a blog discussing recommendations for reducing cybersecurity risk while working remotely and protecting regulated data during the COVID-19 outbreak. In collaboration with NSF CI CoE Pilot and SGCI, we are also offering priority help to projects tackling COVID-19. The purpose of this Town Hall  is to review Trusted CI resources and recommendations, share what institutions are currently doing, and discuss your concerns. This Town Hall will be recorded.

If you'd like to submit a question or topic for discussion, email Jeannette Dopheide.  

Join us on March 24th at 3pm Eastern:

Call coordinates:
Trusted CI is inviting you to a scheduled Zoom@IU meeting.

Topic: Trusted CI COVID-19 Town Hall
Time: Mar 24, 2020 03:00 PM Indiana (East)

Join from computer or mobile:

Meeting ID: 471 923 848

One tap mobile
+13126266799,,471923848# US
+16465588656,,471923848# US 

Dial by your location
        +1 312 626 6799 US
        +1 646 558 8656 US
        +1 253 215 8782 US
        +1 301 715 8592 US
        +1 346 248 7799 US
        +1 669 900 6833 US
Meeting ID: 471 923 848

 IU videoconferencing equipment: 26 471 923 848

Videoconferencing equipment outside of IU:
H.323: (US West) (US East) (China) (India Mumbai) (India Hyderabad) (EMEA) (Australia) (Hong Kong) (Brazil) (Canada) (Japan)

Meeting ID: 471 923 848

Zoom@IU Team | |

Keeping Regulated Data Secure during the COVID-19 Outbreak

The social distancing measures against COVID-19 have resulted in a massive shift of the workforce to home offices. While this has allowed work to continue, it has caused concern among some organizations, especially those without regulatory expertise or resources, who are collecting COVID-19 data or handling other types of regulated research data. We are therefore providing the following guidance to help organizations stay compliant with privacy and security regulations that impact research data, irrespective of whether it is COVID-19 related or other types of data.

[Note: You can also check out our earlier blog post titled “Recommendations for reducing cybersecurity risk while working remotely”.]

1. HIPAA (Health Insurance Portability and Accountability Act) 

First of all, determine if HIPAA is applicable. Not all personally identifiable health information is protected by HIPAA, only protected health information (PHI) created, received, maintained, and transmitted by covered entities (CE) and their business associates (BA). If you are neither, HIPAA may not apply to health data you collect, even if it is personally identifiable. That said, you should still consider it sensitive data and protect it using applicable safeguards below.

Collecting and processing PHI:
  1. Only use tools institutionally approved for PHI. 
  2. Do not use a vendor with whom your institution does not have a HIPAA business associate agreement (BAA). Here is a list of some vendors you might consider if you do not have HIPAA approved systems: 
    1. Qualtrics for surveys 
    2. SFax for e-faxing 
    3. Zoom for teleconferencing 
    4. Box for Healthcare for file sharing 
  3. Protect your workstations and mobile devices as described below. 
Protecting PHI when working from home:
  1. Follow institutional telework and IT policies and procedures. 
  2. Work with your IT professionals. 
  3. Secure your workstation (laptop/desktop). 
    1.  Use a workstation provided and secured by your institution. 
    2.  If you must use a shared workstation (e.g., a home PC), ensure you take the following security measures: 
      1. Do not use the workstation if it has an old and insecure operating system installed (e.g. Windows XP). 
      2. Create a separate account for yourself and password protect it. Access PHI only while logged into this account. 
      3. Do not share the account password. 
      4. Do not download PHI to the workstation. 
      5. Enable and password protect the screen saver. 
      6. Ensure that the firewall and antivirus are enabled. 
      7. Apply the latest patches. 
      8. Connect only to trusted, work-related websites. 
      9. Turn off the “Remember Password” feature in browsers/decline to store passwords to sensitive sites. 
      10. Do not backup the device to your personal cloud storage (e.g. Google or Apple) account. 
      11. Delete the account after you are back at work. 
    3. Secure your mobile device (smartphone/tablet). 
      1. Use a mobile device provided/secured by your institution. 
      2. If you must use a personally owned mobile device, take the following security measures:
        1. Follow your institutional policies/procedures regarding use of personal mobile devices for PHI. 
        2.  Do not download PHI to the device. 
        3.  Enable screen lock or PIN. 
        4. Do not backup the device to your personal cloud storage (e.g. Google or Apple) account. 
    4. Ensure encryption at rest and in transit. 
      1. Ensure that your home WiFi network is using encryption. 
      2. Ensure that the workstation/mobile device is full-disk encrypted.
      3.  Ensure that the URL for sites you visit begins with an https://. 
      4. Use a VPN, especially when using an untrusted network. 
      5. Use institutionally approved, encrypted communication tools for remote meetings. However, as of March 17th, US Dept. of Health and Human Services’ Office for Civil Rights (responsible for enforcing HIPAA) is allowing video chat tools such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype for COVID-19 response. Public facing apps such as Facebook Live, Tiktok, etc. are not allowed. 
      6. Do not record meeting sessions. 
      7. If you are backing up to external media, e.g., a USB disk, ensure that it is encrypted.
    5. Ensure physical security. 
      1. Keep your device and any connected media in a physically secure location. 
      2. Keep conversations private by restricting physical access to the home office space to others during meetings where PHI may be disclosed.  
Breach Notification:
  1. If you suspect an incident or a breach of PHI, immediately follow your institutional incident response process.
For the strictly privacy aspects of HIPAA, please refer to Dept. of Health and Human Service's guidance on HIPAA privacy and coronavirus.

2. GDPR (General Data Protection Regulation) 

COVID-19 related data on European Economic Area (EEA) persons falls under a “special category of personal data” under GDPR. 
  1. Processing this data requires consent from the subject. 
  2. Processing must be necessary for one or more of the following. 
    1. Allow an employer to function. 
    2. Protect the interest of the subject. 
    3. Reasons of substantial public interest. 
    4. Purposes of preventing or occupational medicine. 
    5. Reasons for public interest in the area of public health. 
  3. Records of data processing must be kept. 
3. DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement) 

Protecting CUI while working from home: 
  1. Secure your workstation (laptop/desktop). 
    1. Work with your IT professionals. 
    2. If your institution provides it, use a web- or remote desktop-accessible virtual desktop interface (VDI) and a remote CUI enclave. 
    3. Use an institutionally provided and secured workstation. 
    4. Do not use a shared workstation such as a home PC. 
    5. Ensure both the firewall and antivirus are enabled. 
    6. Access CUI only while logged into your own user account. 
    7. Use a strong password. 
    8. Do not share the password. 
    9. Enable 2-factor authentication (e.g., fingerprint sensor) if possible. 
    10. Do not download CUI. 
  2. Mobile devices: 
    1.  Do not use mobile devices to access, store, or process CUI. 
  3. Ensure encryption at rest and in transit. 
    1. Ensure that your home WiFi network is using encryption.
    2. Ensure the workstation has full disk encryption. 
    3. Always use a VPN.
  4. Ensure physical security. 
    1. Keep your device and any connected media in a physically secure location. 
    2. Keep conversations private.  Restrict physical access to the home office space to others during meetings where CUI may be disclosed.  
Breach notification:
  1. If you suspect an incident or a breach, immediately follow your institutional incident response process. 
For more guidance, contact your Contracting Officer.
COVID-19 Phishing, Scams, and Fake News 
  1. Beware of COVID-19 phishing tactics and scams
  2. Avoid COVID-19 fake news and misinformation
Contact us if you need additional help or information.

Tuesday, March 17, 2020

Trusted CI, NSF CI CoE Pilot, and SGCI Offering Priority help to projects tackling COVID-19

The NSF Cyberinfrastructure Center of Excellence Pilot, Trusted CI, and the Science Gateways Community Institute are all available to help the science community tackle research to address the coronavirus disease 2019 (COVID-19) outbreak. If your project could benefit from expert cyberinfrastructure consulting in: 
  • data management and visualization, 
  • workflow management, 
  • use of cloud resources, high-performance clusters, or distributed resources; 
  • science gateway technology, 
  • cybersecurity, or 
  • compliance, 
please contact us for priority assistance. We are here to help.
To request assistance, please send an email to and we will be in contact.
Help with writing proposals related to COVID-19 is also available, but priority will be given to active projects.

[Cross posted to the SGCI Blog and the CI CoE website]

Friday, March 13, 2020

Recommendations for reducing cybersecurity risk while working remotely

You're probably aware of the COVID-19 / coronavirus pandemic. As the pandemic continues to unfold, our research and security communities will be increasingly impacted.  Numerous conferences have been canceled, and it has already been made public that two people who attended the cybersecurity conference, RSA, tested positive for coronavirus. Many institutions are now recommending or even requiring students and employees to work from home. While you may already be prepared to deal with one or two staff members working remotely or being out sick, most organizations are unprepared for the majority of their staff suddenly being in these categories.  Thus, Trusted CI would like to share some critical risks that we think are relevant to this situation and provide recommendations for how to mitigate them over the coming weeks.  Here are some questions to help you consider these risks.

Do you have all the passwords you need?
As people switch to working from home or go on extended leave, they may take passwords with them that other staff do not have. Do they normally keep the superadmin password on a sticky note on their monitor and now can't access it? This is a good opportunity to quickly review who has access and that they will have the necessary credentials for working remotely. We recommend the use of password managers (such as KeePass, 1Password, LastPass, etc.) to keep passwords securely stored and readily accessible through online means.

How will backups be handled?
Backups may require physical presence to change disks or tapes, but may be difficult to manage remotely. Still, these backups are essential for being able to make a proper recovery from a security incident. You may first want to check with your institutional IT group to see if they have the ability to manage these backups for you to reduce the need to travel to work.

Is your regular office environment's physical space being monitored and access controlled?
Reduced staffing at your facility may increase the risk of unauthorized/unmonitored physical access to your systems and information. Locking doors is recommended and checking with your institutional security for their practices will help you understand what is being monitored and how unauthorized access is determined.  Consider letting your custodial staff know your plans as normal security procedures such as locking doors may lapse during crisis mode and become a problem. On the upside, the chances of tailgating happening in the next few weeks is near zero.

Are you leaving unpatched workstations running?
Some staff may need to leave desktop or workstation systems in an unattended office for a long period of time. If these systems are not running services required for normal operation, it is recommended that these systems be turned off to avoid them becoming a liability if a critical vulnerability is released while away. Upon returning to the office, you should enforce an immediate vulnerability scan on these systems and patch as necessary. Check with your local institutional IT staff to make sure this would not interfere with their operations as they may expect systems to be kept running to remotely backup and patch computers.

Do you have enough redundancy of staff?
Redundancy of staffing is always important, but with the coronavirus threat, there is an increased chance of redundant staff being affected as well, leading to lack of coverage. We recommend designating additional staff to be prepared to act in a maintenance or security role, if needed, as an additional redundancy.

Do you have a secure channel to communicate?
When direct interpersonal communications are no longer possible for sharing of sensitive  information, the need for having a secure online communication channel increases. We recommend that identifying a secure channel that can be used (for example, Signal, SMIME, PGP/GPG, or another one recommended by your institution) and testing this channel with your staff in advance of any need to use it.  This becomes especially important when you forgot to share an important password with other staff and have no way of securely communicating it.

Will you be able to meet without your normal teleconferencing?
Demand for videoconferencing is expected to be at an unprecedented high as online classes and meetings begin to utilize it. It is possible that your normal video conferencing meetings will be disrupted or unavailable for a period of time. It is recommended that you identify an auxiliary method of holding such meetings. Also, if you are not doing so already, set a password on your teleconferencing meetings if possible and test that it works to prevent unauthorized access.

Can you perform all the steps in an incident response remotely?
Now would be a good time to review your security incident response plan to ensure that all the steps can be performed remotely, and if not, come up with an alternative approach.

Do you have enough VPN licenses?
One common method of providing remote access for employees is through a virtual private network (VPN).  However, the increased remote activity could mean a shortage of VPN licenses, so now would be a good time to check the number of available licenses and ensure that it matches with the expected load over the next few weeks.

Is there a bastion host you can use for remote access?
Those who use SSH, RDP or similar for accessing servers remotely may want to consider the use of a bastion host to provide a control point. This is a safer alternative than opening up direct remote access ports on internal systems. However, rather than rushing to set up a new bastion server, instead look for an existing one that has been provided by your institutional IT or ask for their recommendations.

Do you have a secure working space at home?
For many, the next couple weeks may mean sharing your working space with family who are also working or attending school remotely. It's important to consider the potential for sensitive information in meetings to be overheard across meetings happening simultaneously. If you haven't already, it would be a good idea to find or setup an isolated space in your home for holding such meetings.

Be aware of new phishing tactics and scams.
There have been reports that attackers are taking advantage of the fear and demand for information about COVID-19 to spread malware. One such attack is the "Coronavirus map", which "had weaponized coronavirus map applications in order to steal credentials such as user names, passwords, credit card numbers and other sensitive information that is stored in the users’ browser".

There are also additional resources that we've found online for raising your awareness about cybersecurity issues during the coronavirus threat that we're including in the list below:

Thursday, March 12, 2020

Transition to Practice success story: Simplifying scientist access to cyberinfrastructure with CILogon

Service provides identity management, so research projects don’t have to.

[Want to learn the basics about Transition to Practice? Read an introduction to the Trusted CI Cybersecurity Technology Transition to Practice (TTP) program >>] 

CILogon enables researchers to log on to cyberinfrastructure (CI). CILogon provides an integrated open source identity and access management platform for research collaborations, combining federated identity management (Shibboleth, InCommon) with collaborative organization management (COmanage).

Jim Basney is a senior research scientist, cybersecurity division, National Center for Supercomputing Applications (NCSA), University of Illinois at Urbana-Champaign. Jim is also deputy director for Trusted CI. We spoke with Jim about CILogon and about its transition to practice.

TRUSTED CI: Please tell us about the scope of your work, and how CILogon fits into that.

I'm here in the security group at NCSA. We are focused on enabling secure access to computational resources for scientists.

One aspect of that is working with Trusted CI. In my role as the deputy director for Trusted CI, I help researchers with their cybersecurity challenges. That includes identity and access management but also cybersecurity policies, data management, and operational security topics -- a wide range of cybersecurity topics.

Outside of my Trusted CI work, I mainly focus on the topic of identity and access management. CILogon is one of the projects that I work on in that context.

I also work on a related project called SciTokens which is about using JSON Web Tokens for access to scientific cyberinfrastructure.

We are integrating the research that's coming out of the SciTokens project into the CILogon service.

TRUSTED CI: How will that help CILogon?

It's going to give researchers more options for authorizing access to the variety of scientific services that they're using. Right now, CILogon is providing ID tokens that identify the researcher. This allows research collaborations to do attribute-based access control and identity-based access control using the researcher’s login.

SciTokens also adds capability-based access control so that you can have a least-privilege access control policy based on a potentially complex set of policy rules to say, “Yes, you are authorized to access this file” or “You're authorized to access this cloud resource or this space on the wiki.” It does not need to be based on your individual identity.

TRUSTED CI: Users can get lots of information on the CILogon website. Tell us in your own words what you see as the primary benefit and what value it brings to users.

Our goal is to enable logon to scientific cyberinfrastructure. We want to make it seamless for researchers to access the cyberinfrastructure that they need to conduct their research and their scientific collaborations.

Part of making that seamless is we want researchers to be able to use their existing identities. In most cases that's a campus identity through their campus identity provider. That could be part of the InCommon Federation or globally part of the eduGAIN interfederation service, in many cases using the open source Shibboleth single sign-on software. But it could also be identities from other providers like Google or GitHub or ORCID.

In addition to enabling that logon, we want to enable the providers of cyberinfrastructure to manage the access to those resources through onboarding and offboarding procedures that control how researchers log on; the duration of the collaboration; the ability to set collaboration-specific attributes, groups, and roles; and to do that in one place so that researchers have a consistent level of access across all the different cyberinfrastructure services that they're using.

Enabling that consistency means that we need to provide a service that supports many APIs and protocols for integrating identity management with the variety of research applications that the scientists need to use.

In CILogon, we support a long list of standards including OpenID Connect, OAuth, JSON Web Tokens, SAML [Security Assertion Markup Language], LDAP, certificates, and public keys.

We provide all these capabilities in a nonprofit, open-source, reliable, hosted software-as-a-service offering from NCSA, which manages our resources, contracting, and subscription process.

The goal of providing it as a service is that we understand that identity and access management software is fairly complex to operate, so we have a team on the CILogon project with the needed operational experience. We provide that as a service to a variety of research projects so they don't have to become experts in the software themselves -- they can just rely on us.

Institutions can make it available to the research projects that their researchers are part of. Because we're using standards like SAML, Shibboleth, and the InCommon Federation, we connect with what the institutions are doing because so many institutions in the US and around the world are part of these academic research and education federations.

We are compatible with the identity and access management services that are already on campus, and we're providing the glue to make that work with research cyberinfrastructure.

TRUSTED CI: Can you give some specific examples or scenarios of the kind of infrastructure you're describing; who might be connecting to that and why?

First, I'll talk about different types of applications.

We see in different science projects that scientists may use a science gateway, which is a web portal that hosts a variety of science applications and data through a web interface. They may be logging in to an HPC cluster to submit a large simulation. They may create a Jupyter Notebook to develop their reproducible workflow for their scientific work. They may be posting results and having discussions on wikis or mailing lists. They might also be developing services and deploying them on Kubernetes. These are some of the services that we get requests to integrate with a common identity and access management system.

LIGO [Laser Interferometer Gravitational-Wave Observatory] is an example of a scientific collaboration that uses many of these services and is a CILogon subscriber. LIGO is an international collaboration making it possible for the researchers that are part of that collaboration to access all of these different applications in a convenient way. This means that they can get access to the signals from the scientific instrument so that they can quickly analyze those results and publish their scientific results in a collaborative and secure way.

We're focused on the academic research and scholarship use case and that's a very broad set of researchers -- thousands of researchers on thousands of campuses across the US and many more globally.

On one end of the scale, we serve the research project that is only one or two investigators with some grad students on one campus. Then on the other end of the scale are international collaborations that may have thousands of participants. By offering a software-as-a-service platform that has these common integration points and is easy to get connected to, we intend to make it easy both for the small projects and larger projects to take advantage of the services.

TRUSTED CI: Do they pay for this service?

We have a free tier and then we have paid tiers that provide additional functionality and that also provide the contracted service-level agreements that especially the larger research projects depend on.

TRUSTED CI: Any restrictions on your target audience? In other words, do you have to be a US facility to be a paid client or a free client or could it be any other country?

It's not restricted to US facilities or just to NSF projects. Our requirement is that you do need to be focused on academic research. We're not serving the commercial research space.

In part, our target audience is meant to be compatible with what's called the REFEDS Research and Scholarship Entity category. That's an internationally recognized identity management policy about information sharing between academic institutions to support research using Federated Identity. That really enables all the work that we do with CILogon.

It's very important for us to stay within the bounds of that policy focused on the academic research use case.

TRUSTED CI: Do you have many international users?

Yes. We currently have about 8,000 active users each month and a significant percentage of those users are international. For example, we have over 100 active users from CERN [the European Organization for Nuclear Research]. We also see users from Germany, the UK, Italy, the Czech Republic, South Korea, Australia, and elsewhere.

TRUSTED CI: Anything else our readers need to know that is not documented on the website?

Everything should be documented on the CILogon website, and users can log in right from there.

TRUSTED CI: Talk a bit more about your support structure and particularly the paid tiers.

We have three tiers that are described on the website where your readers can find more details.

We call the no-charge tier our basic authentication tier. As the name implies, it's just providing our authentication service without any group management or attribute management -- just a basic authentication service with best-effort support.

The first paid tier is called Essential Collaboration Management. That adds the collaboration support -- the onboarding and offboarding, groups, attributes, and roles that are managed through open source software called COmanage. We publish that information into an LDAP directory and a SAML attribute authority providing multiple standard interfaces to the information about the researcher’s role in the collaboration. When a collaboration subscribes to that tier, that gives them the ability to manage that information about their collaboration in our environment.

The full-service tier includes all those capabilities plus it adds the SciTokens capability and adds Grouper for advanced access management and also provides dedicated service instances for more customized capabilities and improved performance.

TRUSTED CI: What is the chronology of CILogon?

CILogon grew out of NSF grants back in 2004 called GridShib for grid computing and Shibboleth. Combining those two technologies, we've built up the capability thanks to several NSF grants over the years, along with a Department of Energy grant. We had our first CILogon award from NSF in 2009 but we built that using software that was developed from the 2004 GridShib award [NSF award 0438385]. CILogon went live in 2010 with the free service tier.

In 2019, we transitioned from grant funding to the subscription funding model. We're now in our second year of subscription funding support.

Except for some core operational support that we get from XSEDE [the Extreme Science and Engineering Discovery Environment], which is really critical for the sustainability of that free tier, we are fully subscriber-funded.

TRUSTED CI: Are there other collaborators that you want to mention?

Scott Koranda is my co-PI. Scott works for a company called Spherical Cow Group. And of course, none of this would be possible without InCommon.

TRUSTED CI: Are there other things you've spawned from CILogon that are adding additional value?

Grouper and COmanage are existing products that we integrated into the CILogon service offering. Out of CILogon, SciTokens is one example where we spun off research building on some of the existing CILogon technology, developed new capabilities, and are bringing it back into the CILogon operational service.

TRUSTED CI: Is the software available to others?

All of our software is open source and published on GitHub.

The service in Europe is an example of offering similar services using our open source software. Other large infrastructure providers can take the software and operate it themselves if they’d like, though we believe there is significant value provided by the CILogon operational team through our software-as-a-service offering.
This material is based upon work supported by the National Science Foundation under grant numbers 0850557, 0943633, 1053575, 1440609, 1547268, and 1548562 and by the Department of Energy under award number DE-SC0008597. CILogon operations is supported by subscribers.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the United States Government or any agency thereof.

Monday, March 9, 2020

Trusted CI Announces The 2020 Fellows

Trusted CI, the NSF Cybersecurity Center of Excellence, is excited to announce the Trusted CI Open Science Cybersecurity Fellows. Six individuals with professional interests in cybersecurity have been selected from a nationally competitive pool.  During the year of their Fellowship, they will receive recognition and cybersecurity professional development including training and travel funding to cybersecurity related events.

The 2020 Trusted CI Open Science Cybersecurity Fellows are:

Songjie Wang
Cyberinfrastructure Engineer, University of Missouri

Songjie provides services to the research community for cloud infrastructure and deployment, technology transformation, system engineering, and application development. He is actively involved in various research projects that concern problems in cloud computing, cybersecurity, mobile edge computing, and machine learning. He is a liaison between the college and the campus high-performance computing center to facilitate research productivity.


Mohamad Qayoom
IT Consultant, Louisiana State University Health Sciences Center New Orleans (LSUHSC-NO)

Mohamad serves LSUHSC-NO’s research community in bridging the gap between research and computing. He possesses a flexible portfolio of information systems management and services developed through hands-on architectural expertise. He is passionate about developing a top-quality IT workforce. He teaches courses in networking, security, and project management, and classes for IT certification exams.

Smriti Bhatt
Assistant Professor of Computer Science, Texas A&M University-San Antonio

Smriti Bhatt, Ph.D., does research in security and privacy in Cloud and Internet of Things (IoT). She focuses on securing authorization, communication, and data flow in the context of Cloud enabled IoT domains such as smart home, smart health, and wearable IoT. Dr. Bhatt is passionate about enhancing diversity and inclusion in computing and serves as a co-advisor for a Women in CyberSecurity student chapter. She is active in Grace Hopper Celebration, CyberW, and San Antonio Women in IT.

Luanzheng “Lenny” Guo
Ph.D. candidate, University of California Merced

Lenny’s research is under the supervision of Professor Dong Li and focuses on system resilience and reliability in high-performance computing (HPC) systems. Lenny has broad research interests at the intersection of HPC systems, data analytics, and cybersecurity. His continuing research goal is to develop cybersecurity solutions for HPC cyberinfrastructures.

Jerry Perez
Director of Cyber Infrastructure Operations, University of Texas at Dallas

Jerry Perez, Ph.D., has over 18 years of experience using and teaching HPC technologies. Dr. Perez is interested in collaborating with other universities to share HPC knowledge; teaching computer science subjects such as programming, systems design, and massive-compute high-throughput computing (compute grids); creating cyberinfrastructure projects to share resources; and promote academic excellence through HPC in the classroom.

Laura Christopherson
Senior Data Scientist, Renaissance Computing Institute (RENCI)
Laura's background is in theater, art, and information science. Her interests include social informatics, language and communication, user-centered design, and research and design ethics. At RENCI, she works with scientists to design and develop cyberinfrastructure to support them in their research. It is important to her to take good care of the scientists she works with and to make their research data safe and secure.

The Fellows will receive training consisting of a Virtual Institute, providing 20 hours of basic cybersecurity training over six months. The training will be delivered by Trusted CI staff and invited speakers. The Virtual Institute will be presented as a weekly series via Zoom and recorded to be publicly available for later online viewing. Travel support is budgeted (during their first year only) to cover fellows’ attendance at the NSF Cybersecurity Summit, PEARC, and one professional development opportunity agreed to with Trusted CI. The Fellows will be added to an email list to discuss any challenges they encounter that will receive prioritized attention from Trusted CI staff. Trusted CI will recognize the Fellows on its website and social media. Fellowships are funded for one year, after which the Trusted CI Fellows will be encouraged to continue participating in Trusted CI activities in the years following their fellowship year. After their training in the Virtual Institute, Fellows, with assistance from the Trusted CI team, are expected to help their science community with cybersecurity and make them aware of Trusted CI for complex needs. By the end of the year, they will be expected to present or write a short white paper on the cybersecurity needs of their community and some initial steps they will take (or have taken) to address these needs. After the Fellowship year Trusted CI will continue to recognize the cohort of Fellows and give them prioritized attention. Over the years, this growing cohort of Fellows will broaden and diversify Trusted CI’s impact.

 About the Trusted CI Fellows Program

Trusted CI serves the scientific community as the NSF Cybersecurity Center of Excellence, providing leadership in and assistance in cybersecurity in the support of research. In 2019, Trusted CI establish an Open Science Cybersecurity Fellows program. This program establish and support a network of Fellows with diversity in both geography and scientific discipline. These fellows will have access to training and other resources to foster their professional development in cybersecurity. In exchange, they will champion cybersecurity for science in their scientific and geographic communities and communicate challenges and successful practices to Trusted CI.

Fellows come from a variety of career stages. They demonstrate a passion for their area, the ability to communicate ideas effectively, and a real interest in the role of cybersecurity in research. Fellows are empowered to talk about cybersecurity to a wider audience, network with others who share a passion for cybersecurity for open science and learn key skills that benefit them and their collaborators.

Trusted CI Webinar Mar 23rd at 11am ET: OnTimeURB with Prasad Calyam

University of Missouri-Columbia's Prasad Calyam is presenting the talk, "OnTimeURB: Multi-cloud Broker Framework for Creation of Secure and High-performance Science Gateways," on March 23rd at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Data-intensive science applications in research fields such as bioinformatics, chemistry, and material science are increasingly becoming multi-domain in nature. To augment local campus CyberInfrastructure (CI) resources, these applications rely on multi-institutional resources that are remotely accessible (e.g., scientific instruments, supercomputers, public clouds). Provisioning of such federated CI resources has been traditionally based on applications’ performance and quality of service (QoS) requirements. This talk will detail our project that aims to augment traditional resource provisioning schemes through novel schemes for formalizing end-to-end security requirements to align security posture across multi-domain resources with heterogeneous policies. We will present our OnTimeURB broker design to foster end-to-end multi-domain security for science gateway applications in bioinformatics and health information sharing that involves defining, formalizing and implementing security specifications along an application's workflow lifecycle stages.
More information about OnTimeURB is available at
Speaker Bio: Prasad Calyam is an Associate Professor in the Department of Electrical Engineering and Computer Science at University of Missouri-Columbia. His research and development areas of interest include: Distributed and Cloud Computing, Cyber Security, Computer Networking, Networked-Multimedia Applications, and Advanced Cyberinfrastructure. He has published over 125 papers in various conference and journal venues. He is a Senior Member of IEEE.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Thursday, February 27, 2020

PEARC20: Trusted CI Call For Proposals at the 4th Workshop on Trustworthy Scientific Cyberinfrastructure

Trusted CI has opened a call for proposals for its fourth Workshop on Trustworthy Scientific Cyberinfrastructure at PEARC20.

The workshop provides an opportunity for sharing experiences, recommendations, and solutions for addressing cybersecurity challenges in research computing. The full-day (6 hour) workshop provides a forum for information sharing and discussion among a broad range of attendees, including cyberinfrastructure operators, developers, and users.

The workshop is organized according to the following goals:
  • Increase awareness of activities and resources that support the research computing community's cybersecurity needs.
  • Share information about cybersecurity challenges, opportunities, and solutions among a broad range of participants in the research computing community.
  • Identify shared cybersecurity approaches and priorities among workshop participants through interactive discussions.
Implementing cybersecurity for open science across the diversity of scientific research projects presents a significant challenge. There is no one-size-fits-all approach to cybersecurity for open science that the research community can adopt. Even NSF Major Facilities, the largest of the NSF projects, struggle to develop effective cybersecurity programs. To address this challenge, practical approaches are needed to manage risks while providing both flexibility for project-specific adaptations and access to the necessary knowledge and human resources for implementation. This workshop brings community members together to further develop a cybersecurity ecosystem, formed of people, practical knowledge, processes, and cyberinfrastructure, that enables research projects to both manage cybersecurity risks and produce trustworthy science.


Program content for the workshop is driven by the community. We invite submissions of proposals for a series of 30-minute workshop presentations (a 20 minute presentation followed by 10 minutes of discussion for each topic) in the form of one-page abstracts submitted by email to Submissions should include name, affiliation, and email for the presenter(s) along with the title and short description of the topic to be presented.

Presentations will be selected by the program committee based on technical quality, novelty, and relevance to PEARC20 attendees. Presentation materials will be published at for dissemination beyond the workshop attendees. Permission will be requested from all presenters to allow redistribution of slides and allow sharing of photos from the event.

Presentations may be submitted to both this workshop and the NSF Cybersecurity Summit ( for broader information sharing to attendees of both events.

Topics of interest for the workshop include but are not limited to:
  • cybersecurity program development for NSF projects and facilities
  • risk assessment results from NSF projects and facilities
  • identity and access management solutions for NSF projects and facilities
  • security challenges/experiences/solutions for science gateways
  • transition to practice of cybersecurity research
  • secure software development practices/experiences for research computing
  • developing compliance programs for research on campus
  • incident response lessons learned in the research computing community
  • new or emerging cybersecurity technologies applicable to research computing
  • cybersecurity outreach, education, and training
  • cybersecurity workforce development

Important Dates

Submission Deadline: June 1, 2020
Notification of Acceptance: June 15, 2020

Program Committee

Jim Basney (NCSA)
Kathy Benninger (PSC)
Dana Brunson (Internet2)
Barton Miller (UW-Madison)
Sean Peisert (LBNL)
Von Welch (Indiana University)

About the Workshop Series

This is the fourth workshop in the series. The workshop has been held previously at PEARC17, PEARC18, and PEARC19. There were 48 attendees at the workshop last year. Please visit for materials from prior workshops.

Tuesday, February 25, 2020

Trusted CI Engagement Application Period is Open

       Trusted CI Engagement Application Period is Open
                      Applications Due April 3, 2020

Apply for a one-in-one engagement with Trusted CI for Late 2020.
 Applications due April 3, 2020

Trusted CI is accepting applications for one-on-one engagements to be executed in July- Dec 2020. Applications are due April 3, 2020 (Slots are limited and in demand, so this is a hard deadline!)

To learn more about the process and criteria, and to complete the application form, visit our site:

During Trusted CI’s first 5 years, we’ve conducted
 more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.  

As the NSF Cybersecurity Center of Excellence, Trusted CI’s mission is to provide the NSF community a coherent understanding of cybersecurity’s role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

Friday, February 21, 2020

Mingling at the Dance (2020 Update): Cybersecurity and Science Cultures

The following is a blog from Von Welch, the full post can be read at EDUCAUSE Security Matters

The National Science Foundation's Cybersecurity Center of Excellence, led by Indiana University, continues to offer educational workshops and provide actionable guidance to help information security professionals have productive discussions about risk and data protection and successfully partner with scientists and researchers.

What has changed in the higher education cybersecurity landscape since my 2016 EDUCAUSE Review Security Matters blog post, and what has stayed largely the same?

Read Von’s EDUCAUSE Security Matters blog post >>

Trusted CI Begins Engagement with UC Berkeley

The Secure Research Data and Compute (SRDC) Platform at UC Berkeley is
funded by executive leadership as a condo-style research computing service. This
institutionally supported foundation for restricted data research will be professionally
managed and supported by Research IT staff from UC Berkeley and Lawrence
Berkeley National Lab, and researchers will contribute computation and storage
hardware to the platform using their research funds.

The SRDC Platform will bring together HPC nodes, virtual machines, and big
data storage for researchers working with highly sensitive data (e.g., PHI and PII)
across a range of domains, many of which are NSF-funded, including biology,
engineering, computer science, and a broad spectrum of social sciences and
professional schools such as business, public health, and law.

Trusted CI will engage with UC Berkeley to guide the design and implementation
of the SRDC Platform and a procedural framework that maintains a healthy balance
between usability and security.  To achieve this, Trusted CI and UC Berkeley will
first inventory the proposed architecture, workflows, and current policies and
procedures. Trusted CI will then analyze them, assess them against other
implementations, and provide recommendations.

The engagement began January 2020 and is scheduled to run to the end of June 2020.

Thursday, February 20, 2020

Trusted CI delivers final engagement report to US Academic Research Fleet

ARF comprises 18 vessels and the supporting infrastructure equipped to serve the needs of the oceanographic research community.  In the second half of 2019, Trusted CI and the US Academic Research Fleet (ARF) collaborated in an engagement to address the cybersecurity needs of ARF’s research vessels.

The engagement began by determining how the engagement should be scoped. ARF identified the most crucial security related issues they would like to address, including establishing  a unified cyberinfrastructure security plan that will both serve the evolving security needs of its community and prepare the ARF for operational cybersecurity requirements due to be enforced by the  International Maritime Organization 2021 cybersecurity regulations.

The first month was spent gathering information from ARF and policies and information from all ships in the fleet.  The Trusted CI engagement team visited four research vessels after the initial data gathering and presented an introduction to cybersecurity to the ARF personnel at the RVTEC meeting.
Trusted CI and ARF on the R/V Robert Gordon Sproul
The engagement culminated with Trusted CI delivering a 40-page final report to the ARF containing collected observations, a set of recommendations ordered by impact, and additional materials that could be used to enhance the budding cybersecurity efforts of the fleet. ARF plans to share this report with stakeholders within their community in order to help improve cybersecurity controls and practices.

During this engagement, Trusted CI staff worked with ARF to review policies and procedures, toured 4 different classes of research vessels, interviewed crew members of ships, and met with research vessel technology specialists at the research vessel technology (RVTEC) meeting in Alaska.

The Academic Research Fleet is funded by multiple NSF grants managed by the division of Ocean Sciences (Award # 1823600, 1824571, 1827383, 1827415, 1827444, 1822574, 1822670, 1824508, 1829214, 1830845, 1823566, 1822532, 1823567, 1823042, 1822954, 1827437, 1822905, 1827654, 1834650) and is a collaboration of multiple institutions.  Trusted CI would like to thank the following institutions and organizations for their collaboration in the engagement: Academic Research Fleet, Columbia University, Louisiana Universities Marine Consortium, Oregon State University, Scripps Institution of Oceanography, Skidaway Institute of Oceanography, University of Alaska Fairbanks, University of HawaiĘ»i, University of Miami, University of Minnesota, University of Rhode Island, University of Washington, University-National Oceanographic Laboratory System, and Woods Hole Oceanographic Institution.

Friday, February 14, 2020

Report on the 2019 NSF Cybersecurity Summit is now available

The Report of the 2019 NSF Cybersecurity Summit for Cyberinfrastructure and Large Facilities, is now available at The report summarizes the annual Summit that was held October 15-17, 2019, in San Diego, CA. The Summit provides a valuable opportunity for cybersecurity training and information exchange among members of the cybersecurity, cyberinfrastructure, and research communities who support NSF science projects. This sharing of challenges and experiences raises the level of cybersecurity awareness and gives Trusted CI important insights into current and evolving issues within the constituent communities.

This year’s Summit workshops, plenary sessions, and table talks reiterated some observations from previous years such as:
  • The high value of community member interaction and knowledge share
  • The threat of social engineering to cybersecurity
Emerging areas of importance to the community were also highlighted. These included
  • Inherent vulnerabilities in AI/ML
  • Maintaining data integrity

Day 1 of the Summit was dedicated to half-day and full-day training workshops. Days 2 and 3 comprised plenary presentations, panels, and keynotes that focused on the security of cyberinfrastructure projects and NSF Large Facilities. This year’s attendance totaled 143 (up from 117 in 2018), representing 84 NSF projects, including 12 of the 20 NSF Large Facilities. Almost half (46%) of the attendees actively participated in the Summit through planning, presenting, responding to the CFP, leading a workshop, and/or leading a lunch table talk. Evaluation and feedback of the 2019 Summit was very positive and constructive. We look forward to the upcoming 2020 NSF Summit that will be held September 22-24, 2020, at the Monroe Convention Center in Bloomington, Indiana.

Tuesday, February 11, 2020

Trusted CI Webinar Feb 24th at 11am ET: FABRIC with Anita Nikolich

Illinois Tech's Anita Nikolich is presenting a talk on FABRIC, the Adaptive programmaBle networked Research Infrastructure for Computer science, on February 24
th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
Testbeds can be great for trying out new ideas and not taking down a production network, or they can be useless and impossible to figure out. FABRIC took the best of past testbeds and is creating a new, useful national research infrastructure to enable cutting-edge, exploratory research at-scale in computer networking, security, machine learning, distributed computing and applications.

It will be a nation-wide high-speed (100-1000 Gbps) network interconnecting major research centers and computing facilities that will allow researchers, operators and engineers to develop and experiment with new distributed application, compute and network architectures not possible today. FABRIC nodes can store and process information "in the network" in ways not possible in the current Internet, which will lead to completely new networking protocols, architectures and applications that address pressing problems with performance, security and adaptability in the Internet. Reaching deep into university campuses, FABRIC will connect university researchers and their local compute clusters and scientific instruments to the larger FABRIC infrastructure. The infrastructure will also provide access to public clouds, such as Amazon Web Services, Google Cloud Platform, and Microsoft Azure. This experimental facility will allow multiple experiments to be conducted simultaneously, and is capable of incorporating real traffic and real users into experiments. For more information about FABRIC visit
Anita Nikolich is a Research Professor in Computer Science at Illinois Tech, Fellow at the Cyber Policy Initiative at the Harris School of Public Policy at The University of Chicago, co-organizer of the DEFCON AI Village, and ARIN Advisory Council member. She is Co-Director of FABRIC.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Monday, January 27, 2020

Trusted CI Concludes SLATE Engagement

In the second half of 2019, Trusted CI and Services Layer at the Edge (SLATE) collaborated in an engagement to address cybersecurity concerns for the SLATE system.

SLATE is funded by an NSF grant managed by the Office of Advanced Cyberinfrastructure (Award #1724821).  SLATE accelerates collaborative scientific computing through a secure container orchestration framework focused on the Science DMZ, enabling creation of advanced multi-institution platforms and novel science gateways.  Similar approaches are already in production supporting LIGO and other scientific collaborations but as yet lack a generalized trust framework.  While innovation of the new trust model is initially occurring in the context of the OSG and the worldwide LHC computing grid (WLCG), trusted federated edge infrastructures enabling operation of advanced computing platforms will be necessary in the future to sustain a wide range of data intensive science disciplines requiring shared, scalable national and international cyberinfrastructure.

In the Trusted CI SLATE engagement, we performed an overall security analysis of the SLATE platform, identified trust relationships and key user/administrator workflows, identified a set of needed security policy documents, and began drafting the security policies. We also evaluated container security tools, explored existing applicable OSG and WLCG security policies, and gathered community input on the SLATE security program, resulting in an initial consensus around the security policies and procedures needed to enable wider adoption of the SLATE platform.

Community-driven work on the SLATE security program continues through the WLCG Federated Operations Security Working Group, which is open to all who are interested. Visit for pointers to current status of the working group and for pointers to current SLATE security policies as they are developed.  Visit for the Trusted CI Slate engagement final report.