Tuesday, September 22, 2020

Trusted CI Webinar: Cybersecurity Maturity Model Certification (CMMC) on Tues Oct 6 @11am Eastern

Trusted CI's Scott Russell is presenting the webinar, Cybersecurity Maturity Model Certification (CMMC), on Tuesday October 6th at 11am (Eastern). 

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

The US has historically taken a fairly minimalist approach to cybersecurity regulation, but recent years have evidenced a trend toward increasing regulation. The latest in this trend is the US Department of Defense’s “Cybersecurity Maturity Model Certification” (CMMC). CMMC has garnered quite a bit of attention recently, as it intends to impose cybersecurity compliance requirements on the entire Defense Industrial Base (DIB), over 300,000 organizations (including some universities). CMMC has emerged at a breakneck pace, and there is still a great deal of uncertainty regarding who is impacted, what is required, and how organizations should respond.

This talk will 1) introduce US cybersecurity regulation and compliance generally; 2) provide the background and context leading to CMMC; 3) overview CMMC; and 4) suggest approaches for thinking about cybersecurity compliance moving forward.

Speaker Bio:

Scott Russell is a Senior Policy Analyst at the Indiana University Center for Applied Cybersecurity Research. Scott was previously the Postdoctoral Fellow in Information Security Law & Policy. Scott’s work thus far has emphasized private sector cybersecurity best practices, data aggregation and the First and Fourth Amendments, and cybercrime in international law. Scott studied Computer Science and History at the University of Virginia and received his J.D. from the Indiana University, Maurer School of Law.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Get an early look at a chapter from the Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators

In anticipation of the 2020 NSF Cybersecurity Summit, Trusted CI has released v0.9 of a chapter from the forthcoming Trusted CI Framework Implementation Guide for Research Cyberinfrastructure Operators.  The chapter is focused on Must 15: Organizations must adopt and use a baseline control set. The chapter explains the nature of baseline control sets and the rationale for making adoption an absolute “Must.” It provides Research Cyberinfrastructure Operators (RCOs) a roadmap and advice on addressing this fundamental step toward a mature cybersecurity program. This chapter is the result of Trusted CI’s years of accumulated experience conducting research, training, assessments, consultations, and collaborating closely with the research community. It has been reviewed and vetted by the Framework Advisory Board. 


Read on to learn more. For inquiries, please contact info@trustedci.org. 


About the Trusted CI Framework


The Trusted CI Framework is a tool to help organizations establish cybersecurity programs. In response to an abundance of cybersecurity guidance focused narrowly on security controls, Trusted CI set out to develop a framework that would empower organizations to confront their own cybersecurity challenges from a mission-oriented and full organizational lifecycle perspective. Within Trusted CI’s mission to lead development of an NSF Cybersecurity Ecosystem that enables trustworthy science, the Framework fills a gap by emphasizing these programmatic fundamentals.


The Trusted CI Framework is structured around 4 “Pillars” which make up the foundation of a competent cybersecurity program: Mission Alignment, Governance, Resources, and Controls.


Within these pillars are 16 “Musts” that identify the concrete, critical elements required for running a competent cybersecurity program. The 4 Pillars and the 16 Musts combined make up the “Framework Core,” which is designed to be applicable in any environment and for any organization and which is unlikely to change significantly over time.


About the forthcoming Framework Implementation Guide


This Framework Implementation Guide is designed for direct use by research cyberinfrastructure operators (RCOs). A “Framework Implementation Guide” (FIG) is an audience-specific deep dive into how an organization would begin implementing the 16 Musts. FIGs provide detailed guidance and recommendations and are expected to be updated much more frequently than the Framework Core.


We define RCOs as organizations that operate on-premises, cloud-based, or hybrid computational and data/information management systems, instruments, visualization environments, networks, and/or other technologies that enable knowledge breakthroughs and discoveries. These include, but are not limited to, major research facilities, research computing centers within research institutions, and major computational resources that support research computing.


Trusted CI will publish v1 of the FIG in early CY2021.


About the Framework Advisory Board


As a product ultimately designed for use in the Research and Higher Education communities, this Framework Implementation Guide is being developed with significant input from stakeholders that represent a cross section of the target audience. The Framework Advisory Board (FAB) includes 19 stakeholders with diverse interests and roles in the research and education communities. Over the course of 2020, Trusted CI’s Framework project team is engaging the FAB on a monthly basis, and the group is providing substantial critique and constructive inputs on draft material. 


The Framework Advisory Board is:

Kay Avila (NCSA); Steve Barnet (IceCube); Tom Barton (University of Chicago); Jim Basney (NCSA); Jerry Brower (NOIRLab, Gemini Observatory); Jose Castilleja (NCAR / UCAR); Shafaq Chaudhry (UCF); Eric Cross (NSO); Carolyn Ellis (Purdue U.); Terry Fleury (NCSA); Paul Howell (Internet2); Tim Hudson (NEON / Battelle / Arctic); David Kelsey (UKRI/WISE); Tolgay Kizilelma (UC Merced); Nick Multari (PNNL); Adam Slagell (ESnet); Susan Sons (IU CACR); Alex Withers (NCSA / XSEDE); Melissa Woo (Michigan State U.)


Thursday, September 17, 2020

Trusted CI Webinar: ACCORD: Integrating CI policy and mechanism to support research on sensitive data on Sep. 28th at 11am (EDT)

University of Virginia's Ron Hutchins, Tho Nguyen, and Neal Magee are presenting ACCORD: Integrating CI policy and mechanism to support research on sensitive data, on Monday September 28th at 11am (Eastern).

Please register here. Be sure to check your spam/junk folder for the registration confirmation email.

Today, a large number of researchers do not have access to secure, compliance-capable research computing infrastructure at their home institutions. Traditional institutional secure CI only supports “in-house” users. The ACCORD project is set up to address the challenge of scaling institutional secure research computing services to support community users. To accomplish this goal, we are deploying a policy-centric cyberinfrastructure that prioritizes security, compliance, and accessibility. In this presentation, we describe ACCORD’s approach of leveraging the latest CI tools to compartmentalize research environments into reusable containers that can be catalogued and managed. For example, we rely on InCommon federation to streamline user authentication hurdles, COmanage to lessen user onboarding and management difficulties, and containers coupled with a web-driven interface to alleviate the user accessibility burden. The challenge is to, hopefully, hit the right levels of simplicity and security for a variety of users. In this presentation we will also share the current project status, lessons learned, and future goals. Discussion will be welcome.

Speaker Bio:

Dr. Ronald R. Hutchins currently serves as Vice President for Information Technology. In this role, Ron focuses on creating a university-wide strategy in IT for teaching, learning, research, and administrative technologies while honoring the University’s deep culture and tradition. Prior to joining UVA, Ron served as Associate Vice Provost for Research and Technology and Chief Technology Officer at the Georgia Institute of Technology in Atlanta, Georgia.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, September 15, 2020

Trusted CI Begins Engagement with SCiMMA

The Scalable Cyberinfrastructure Institute for Multi-Messenger Astrophysics (SCiMMA), funded under NSF grant #1934752, is a planned collaboration between data scientists, computer scientists, astronomers, astro-particle physicists, and gravitational wave physicists.  Leveraging NSF investments in astronomical and multi-messenger facilities and in advanced cyberinfrastructure, SCiMMA intends to prototype a publish-subscribe system based on Apache Kafka to distribute alerts from gravitational wave, neutrino and electromagnetic observatories to authorized subscribers (initially, public alerts so that all subscribers are authorized, but eventually proprietary alerts).  The system will additionally rely on supporting infrastructure, including: machine learning algorithms to analyze and classify alerts; an AARC2-style federated identity and access management suite; and event databases for richer data mining. The pub/sub prototype will be hosted on cloud resources, including a commercial cloud. Upon award completion, SCiMMA will pursue funding for a sustained distributed institute that will expand the scope and depth of the prototyped system.


To this end, SCiMMA is seeking help with various components of its prototype cyberinfrastructure. Primarily, it seeks to develop a sound IT security program. Through a kick-off meeting and follow-on discussion, Trusted CI and SCiMMA have defined and prioritized their needs as a subset of tasks that outline the goals of the engagement, specifically:


  1. Perform a security review of SCiMMA’s cyberinfrastructure using the Trusted CI Security Program Evaluation worksheet in order to assess the target level of cybersecurity needed;

  2. Using information documented in step 1, develop the start of a security program leveraging a master information security policies and procedures document;

  3. Develop an asset inventory to be used by the security program in step 2; and

  4. Perform a nascent risk assessment using identified assets with a corresponding residual risk registry.


Upon completion of the engagement, Trusted CI will produce a final, publishable report describing the work performed, potential impact to the open-science community, and areas SCiMMA may find appropriate for future engagements.


Thursday, September 10, 2020

Data Confidentiality Issues and Solutions in Academic Research Computing

Many universities have needs for computing with “sensitive” data, such as data containing protected health information (PHI), personally identifiable information (PII), or proprietary information. Sometimes this data is subject to legal restrictions, such as those imposed by HIPAA, CUI, FISMA, DFARS, GDPR, or the CCPA, and at other times, data may simply not be sharable per a data use agreement. It may be tempting to think that such data is typically only in the domain of DOD and NIH funded research, but it turns out that this assumption is far from reality. While this issue arises in numerous scientific domains, including ones that people might immediately think of, such as medical research, it also arises in numerous others, including economics, sociology, and other social sciences that might look at financial data, student data, or psychological records; chemistry and biology, particularly that which relates to genomic analysis and pharmaceuticals, manufacturing, and materials; engineering analyses, such as airflow dynamics; underwater acoustics; and even computer science and data analysis, including advanced AI research, quantum computing, and research involving system and network logs. Such research is funded by an array of sponsors, including the National Science Foundation (NSF) and private foundations.

Few organizations currently have computing resources appropriate for sensitive data. Many universities have started thinking about how to enable computing on sensitive data, but they may not know where to start.

In order to address the community need for insights on how to start thinking about computing on sensitive data, in 2020, Trusted CI examined data confidentiality issues and solutions in academic research computing.  Its report, “An Examination and Survey of Data Confidentiality Issues and Solutions in Academic Research Computing,” was issued in September 2020.  The report is available at the following URL:

https://escholarship.org/uc/item/7cz7m1ws

The report examined both the varying needs involved in analyzing sensitive data and a variety of solutions currently in use, ranging from campus and PI-operated clusters to cloud and third-party computing environments to technologies like secure multiparty computation and differential privacy. We also discussed procedural and policy issues involved in campuses handling sensitive data.

Our report was the result of numerous conversations with members of the community.  We thank all of them and are pleased to acknowledge those who were willing to be identified here and also in the report:

  • Thomas Barton, University of Chicago, and Internet2
  • Sandeep Chandra, Director for the Health Cyberinfrastructure Division and Executive Director for Sherlock Cloud, San Diego Supercomputer Center, University of California, San Diego
  • Erik Deumens, Director of Research Computing, University of Florida
  • Robin Donatello, Associate Professor, Department of Mathematics and Statistics, California State University, Chico
  • Carolyn Ellis, Regulated Research Program Manager, Purdue University
  • Bennet Fauber, University of Michigan
  • Forough Ghahramani, Associate Vice President for Research, Innovation, and Sponsored Programs, Edge, Inc.
  • Ron Hutchins, Vice President for Information Technology, University of Virginia
  • Valerie Meausoone, Research Data Architect & Consultant, Stanford Research Computing Center
  • Mayank Varia, Research Associate Professor of Computer Science, Boston University

For the time being, this report is intended as a standalone initial draft for use by the academic computing community. Later in 2020, this report will be accompanied by an appendix with additional technical details on some of the privacy-preserving computing methods currently available.  

Finally, in late 2020, we also expect to integrate issues pertaining to data confidentiality into a future version of the Open Science Cyber Risk Profile (OSCRP). The OSCRP is a document that was first created in 2016 to develop a “risk profile” for scientists to help understand risks to their projects via threats posed through scientific computing. While the first version included issues in data confidentiality, a revised version will include some of our additional insights gained in developing this report.

As with many Trusted CI reports, both the data confidentiality report and the OSCRP are intended to be living reports that will be updated over time to serve community needs. It is our hope that this new report helps answer many of the questions that universities are asking, but also that it begins conversations in the community and results in questions and feedback that will help us to make improvements to this report over time. Comments, questions, and suggestions about this post and both documents are always welcome at info@trustedci.org.

Going forward, the community can expect additional reports from us on the topics mentioned above, as well as a variety of other topics. Please watch this space for future blog posts on these studies.


Friday, September 4, 2020

Introducing the Law and Policy Student Affiliate Program

The CACR-Maurer Student Affiliate program is a collaboration between the IU Center for Applied Cybersecurity Research (CACR), which leads Trusted CI, and the IU Maurer School of Law, wherein law students with a demonstrated interest in privacy and cybersecurity are given an opportunity to work on real world legal problems. The student affiliates work directly with Scott Russell, who is a Senior Policy Analyst at CACR, Trusted CI team member, and a Maurer graduate, and contribute to law and policy guidance materials produced by Trusted CI.

Previous student affiliates have conducted research relating to Controlled Unclassified Information, the EU General Data Protection Regulation, the California Consumer Privacy Act, US Export Control Laws and Regulations, the DoD Cybersecurity Maturity Model Certification, and Artificial Intelligence & Ethics. Materials developed by these student affiliates have directly contributed to guidance materials Trusted CI has created for the NSF science community, including webinars, live presentations, trainings, blog posts, internal whitepapers, and memoranda.


For the Fall 2020 semester, there will be one student affiliate: Madeline Blaney. Madeline is a second year law student at Maurer and the President of the Maurer Cybersecurity and Privacy Law Association. 


The program is managed by Maurer professor Joseph Tomain, who also manages the Maurer Graduate Certificate in Cybersecurity Law and Policy and the Graduate Certificate in Information Privacy Law and Policy. Student affiliates receive 1 credit hour for participating in the program. Participation in the student affiliate program is typically reserved for students pursuing a Maurer Graduate Certificate in Cybersecurity Law and Policy but is also open to non-certificate students with sufficient background in privacy and cybersecurity law. This is CACR’s fourth semester with student affiliates, building on a long history of collaboration between CACR and Maurer.


Wednesday, August 26, 2020

Welcoming Kelli Shute as Trusted CI’s Executive Director

I am happy to announce that Kelli Shute, who joined IU CACR and Trusted CI as a project manager last year, has accepted the role of Executive Director for Trusted CI. During her time, Kelli has demonstrated great leadership in keeping the 30 individuals across six sites that contribute to Trusted CI day-to-day, and our growing set of partners, moving forward in an effective, coordinated manner. Kelli will work closely with me as the PI and Director, Jim Basney as Trusted CI’s Deputy Director, and the other co-PIs and leadership team.

Please join me in congratulating and welcoming Kelli in her new role.

Von Welch

Trusted CI Director and PI

Tuesday, August 18, 2020

Transition to practice success story: Exploring Unconventional Analog Computing

Designing time-keeping devices that do not require any external power

Shantanu Chakrabartty, Ph.D., is the Clifford Murphy Professor in Electrical and Systems Engineering, Washington University in St. Louis, and the principal investigator and director of the Adaptive Integrated Microsystems (AIM) Laboratory. He is also a Trusted CI TTP Fellow.

From his website: Shantanu Chakrabartty's research explores new frontiers in unconventional analog computing techniques using silicon and hybrid substrates. His objective is to approach fundamental limits of energy efficiency, sensing, and resolution by exploiting computational and adaptation primitives inherent in the physics of devices, sensors, and the underlying noise processes. Professor Chakrabartty is using these novel techniques to design self-powered computing devices, analog processors, and instrumentation with applications in biomedical and structural engineering. One such example is the self-powered structural health monitoring technology which is currently being commercialized. 


Our research explores new frontiers in non-conventional analog computing and sensing techniques using silicon, quantum, and biological circuits. We apply these fundamental principles for designing neuromorphic systems, machine learning processors, authentication systems, structural health monitoring sensors, and biomedical instrumentation. 

 

Trusted CI spoke with Chakrabartty about his transition-to-practice journey. We were joined by Florence Hudson, founder and CEO at FDHint and special advisor leading Trusted CI’s Cybersecurity Transition To Practice (TTP) program. 

 

Trusted CI: Tell us about your research interests and how that's translating into your transition to practice journey.  

 

S.C. My research essentially focuses on different aspects of analog computing. When people think about analog, they envision this old clunky thing, not something as cool as digital, but one doesn't realize that many naturally occurring processes and phenomena are inherently analog.

 

My research at a fundamental level tries to first find out these hidden computational gems and then try to exploit them, integrate them, or mimic them on silicon. 

 

The computational models could vary from a very simple dynamical system using only one transistor and one capacitor. In fact, in an analog domain, even that very simple circuit can show a whole wide range of different dynamical behavior. Or it could be a very complex system. 

 

For example, to mimic a part of a human brain, one needs to build a giant neural network with lots of silicon neurons which has billions of transistors. The common theme across all these different research topics is that you start with the fundamental research question first. We don't know if the principle that you think should work, will work, and how well it will work. Effectively, these fundamental questions become the basis for some of the thesis topics for my Ph.D. students.  

 

Then out of those thesis topics, depending on the results we get, there are few which then become a candidate for a transition to practice, maybe further towards commercialization.  

 

Some years back, we looked at a so-called analog phenomenon that exploited some interface physics between the transducers, piezoelectric transducers, and non-volatile memory. We were able to exploit that phenomenon to create very energy efficient data loggers. Some of those are now being evaluated in real-world deployments, especially for structural health monitoring. But again, the idea here is that it all depends on the quality of results before we are ready for deployment.

 

Also, most importantly, it depends on the interest of the student, whether they want to take it to the next level. The platform that we work on uses integrated circuit technology. And that is an inherently mature technology. The challenge comes from doing things in analog rather than doing things digitally. So that's essentially the path that we follow towards transition to practice.  

 

Trusted CI: What kinds of inventions does that translate into?  

S.C. I can give an example relevant to the Trusted CI program. We are looking at a very simple chip-based solution that exploits analog computational primitives in quantum transport of electrons. We are using a phenomenon called Fowler-Nordheim quantum tunneling to design time-keeping devices that do not require any external power to operate. This sounds contradictory, but the idea here is that once we have initialized the device, to run it, it doesn't need any additional power from a battery.  

 

We have been exploring the use of this timer technology for security applications. One example is your credit card, which has static numbers on it that could easily be stolen. Applying our technology, one can create a credit card where the numbers keep changing with time and that doesn’t require batteries. Hackers cannot probe into the chip without disturbing the property of these timers. So, you can create a secure asset using the technology.

 

And because it's a platform technology, there may be numerous applications that are possible with this. We are thinking about designing trusted modules for low-resource platforms like IoT devices, medical Fitbit-like devices, and even for secure high-end medical systems which require several layers of protection. In many of these systems, the biggest vulnerability comes from when you are downloading software upgrades. You need to be able to authenticate that module. During those high-value transaction processes, our technology can provide assurance. There are numerous applications. 


This research was started in 2015 when we received an NSF grant (CNS1525476) to investigate the use of these time-keeping devices for authentication. Once we have validated the proof of concept, there are numerous applications that are possible, and so we're exploring that now. And that's also the reason why I was interested in this Trusted CI program to find where exactly and what are the different avenues we could use this fundamental device for. 

 

Trusted CI: How were you introduced to Trusted CI?  

S.C. Florence [Hudson] invited me a few years ago to be a speaker at one of the TTP workshops that she had organized. And since then, we have kept in touch. She has followed up repeatedly asking what progress we're making in terms of transitioning the technology or if we’ve made any improvements to it. Florence also introduced me and my Ph.D. students to several potential stakeholders during some of these workshops’ one-on-one meetings. And it was very interesting to see, at least for me, talking to some of the stakeholders what were the possible applications that might come out of this technology. Something that we hadn't previously thought of. 

 

Also, from the student's point of view, which I think is also very important from an educational point of view, I could see my students see the value in the research that they are doing for a Ph.D. They also see that their research has value in the commercial space as well.  

 

Trusted CI: What's coming up next?  

S.C. The student we are helping to take the technology to the next level is interested in entrepreneurship. After he's done with his Ph.D., he wants to pursue this path where, depending on the feedback that he gets from the market, he can take it to the next level. I have another Ph.D. student working on this. He is working on improving the reliability of the timers. We are looking for some of the physics that we missed on the first iteration that we could exploit. 

 

Our goal in participating in the Trusted CI cohort was to identify those low hanging fruit applications. As I mentioned before, there are numerous applications out there that would work on our platform. We have been approached by several commercial entities that want to evaluate the technology. We need to choose something that is doable, probably within a one- or two-year timeframe, at least two from a deployment point of view, so that we can get some real data.  

 

Trusted CI: What is Trusted CI doing to help Shantanu and his students on their TTP journey? 

F.H. The very experienced researchers like Shantanu want to keep on solving the problems. There's always more to do as the world changes, the applications change, and the device changes. And he can keep going down that path. And the students can enable the transition to a business, perhaps a transition to deployment or open source or whatever they decide to do. So, he's created this very nice complementary model. We work with Shantanu the professor as our TTP fellow, and his student, Darshit Mehta, joins our calls. When they presented to the IEEE/UL Working Group P2933 on clinical IoT data and device interoperability with TIPPSS – Trust, Identity, Privacy, Protection, Safety and Security, for which I am the working group chair, they both presented to a range of industry, government, and academic partners, and we are helping them continue down that path.

 

Since I've helped introduce a number of people to Shantanu, I try to keep the fires burning a little bit on both sides and find other opportunities for him to pursue potential deployment of the technology and get feedback from users as well.  

 

Trusted CI: Shantanu, tell us a bit more about your journey. 

S.C. The most important aspect for me has been the student. Without the student, if I had to invest my time, it would have been a lot of effort. And given that we have other responsibilities that we also must take care of in academia, students take a lot of the burden in this regard, and especially if they are entrepreneurship-minded students. 

 

Trusted CI: Would you do it again? 

S.C. Yes. 

I see the benefits not just from a translation point of view, but even from my students’ maturity. Whereas before, if they gave a presentation, they would say, ‘I will do the bare minimum possible and be done with it.’ But now, they must be professional. They must put their best foot forward. So, I think for the students, I see a difference between pre-TTP and post-TTP type of experience.  

 

Trusted CI: Anything else that would help your TTP journey? 

S.C. Knowing whether the product fits a market. I want to know what the customer wants, whether they are going to use it. Where is that middle ground? 

We can tweak our technology to meet their needs, but I need to know their needs. And I think that's where that matchmaking definitely helps us.  

 

F.H. One of the things we've talked about in the Trusted CI TTP cohort calls is perhaps linking with the business schools and some of the universities. For example, I think Indiana University's Business School helps with things like that. What Shantanu brings up is the technical researchers are great with the technology. But he needs a partner that can help him do that translation and connect him to the potential client or users, so that he can then harden the asset for that use. And then deploy it through that channel that supports those target users.  

 

I try to help with my business experience. How do we create a partnership for Shantanu? Who's going to do this with them? So we're starting to think through this: should we reach out to the business school and create a little team. Bring in three Ph.D. research students and an MBA student and partner them for the summer. They would work on a problem together and tell a business school: here's the potential market opportunity; here are the market needs; here are the client needs; here's the potential value proposition the research technology brings to the client; here’s the analysis we did. That's the piece that could really help. One of the things we're thinking about is how to create that, probably at the research host institution so there is a local teaming opportunity.  

 

We can do that part-time with mentors like me, but it's not like being in the trenches helping them do it on a day-to-day basis. That's why we have this TTP Fellows program. We're trying to figure out how to make this repeatable and sustainable. 


Tuesday, August 11, 2020

Trusted CI Engagement Application is Open

Trusted CI Engagement Application Period is Open

Applications Due Oct. 2, 2020

Apply for a one-on-one engagement with Trusted CI for Late 2020.


Trusted CI is accepting applications for one-on-one engagements to be executed in Jan-June 2021. Applications are due Oct. 2, 2020 (Slots are limited and in demand, so this is a hard deadline!)


To learn more about the process and criteria, and to complete the application form, visit our site:

http://trustedci.org/application


During Trusted CI’s first 5 years, we’ve conducted
 more than 24 one-on-one engagements with NSF-funded projects, Large Facilities, and major science service providers representing the full range of NSF science missions.  We support a variety of engagement types including: assistance in developing, improving, or evaluating an information security program; software assurance-focused efforts; identity management; technology or architectural evaluation; training for staff; and more.  

As the NSF Cybersecurity Center of Excellence, Trusted CI's mission is to provide the NSF community a coherent understanding of cybersecurity's role in producing trustworthy science and the information and know-how required to achieve and maintain effective cybersecurity programs.

Friday, August 7, 2020

Chem Compute JupyterHub (1st May, 2020 - 15th July, 2020)

Chem Compute provides free access to computational chemistry software for undergraduate students and for researchers, without requiring them to compile, install, or maintain software and hardware. Chem Compute also features Jupyter notebooks for students to do data analysis using Python.


Trusted CI partners with Science Gateways Community Institute (SGCI) on SGCI engagements that require cybersecurity expertise. The cybersecurity staff from Trusted CI engaged with Mark Perri from Chem Compute over a period of 2.5 months (May-July 2020) to review its security including servers, services and policies. Recommendations were made around the risks that were identified. The cybersecurity team also made some best practices recommendations for Chem Compute’s JupyterHub. Most of the best practices recommendations were made from the following sources: 

https://jupyterhub.readthedocs.io/en/stable/reference/websecurity.html

https://jupyterhub.readthedocs.io/en/stable/getting-started/security-basics.html


We started the engagement with a kickoff meeting to get an overview of Chem Compute and how its systems are set up and work, and to discuss the requirements and expectations for the engagement. After that, the SGCI cybersecurity team set up weekly meetings amongst themselves to discuss and work on the project. The cybersecurity team also scheduled meetings with Mark Perri as and when required to provide an update and get his input. The final product of the engagement was a 12-page security report containing specific recommendations on how to address the security gaps identified during the engagement.

Overall it was a successful engagement, thanks to Mark Perri’s valuable inputs with quick turnaround time.


Removed language with racial biases

As announced in our June 12 blog post, Trusted CI has joined other organizations in ceasing the use of terms such as “whitelist,” “blacklist,” and similar cybersecurity terms that imply negative and positive attributes and use colors also used to identify people. There simply is no place today for biased language with racial implications. 

In addition to the prior updates to our code of conduct, we have completed a review of the Trusted CI guide and related templates and blog posts and updated instances where found. We recognize the potential use of this language in past presentations and do not intend to rewrite history. No new materials produced will use such language.

We welcome your input on how we can continue to improve, making our community welcoming for all. If we missed any instances of this language, please let us know and we will address it promptly.

Von Welch for Trusted CI

Tuesday, August 4, 2020

Registration is now open for the 2020 NSF Cybersecurity Summit


It is our great pleasure to announce the 2020 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure. The event will take place virtually Tuesday, September 22 through Thursday, September 24, 2020. Attendees will include cybersecurity practitioners, technical leaders, and risk owners from within the NSF Large Facilities and CI community, as well as key stakeholders and thought leaders from the broader scientific and cybersecurity communities.

Registration

Complete the online registration form: https://trustedci.org/2020-nsf-summit

Thank you on behalf of the Program and Organizer Committee.

Wednesday, July 29, 2020

Trusted CI begins Engagement with Galaxy

Galaxy is an open-source, web-based application for performing data-intensive biomedical research. It combines common software tools and data workflows into an accessible, easy-to-use interface that abstracts away the complexity of interacting with compute resources, so that researchers without an informatics background can use them. Galaxy provides a free, public, internet-accessible instance at https://usegalaxy.org, utilizing infrastructure provided by CyVerse at the Texas Advanced Computing Center, with support from the National Science Foundation. Galaxy can also be installed and run locally at sites, or run in the cloud, providing flexibility for deployment, custom security requirements, and compute availability. The Galaxy Project is supported in part by NSF, NHGRI (National Human Genome Research Institute), The Huck Institutes of the Life Sciences, The Institute for CyberScience at Penn State, and Johns Hopkins University. The Galaxy Team is a part of the Center for Comparative Genomics and Bioinformatics at Penn State, the Department of Biology at Johns Hopkins University, and the Computational Biology Program at Oregon Health & Science University.

The overall goal is for Trusted CI to work with Galaxy in reviewing the current security practices of the Galaxy project container-based deployments and provide recommendations to ensure safe handling, processing, and storage of data. To that end, Trusted CI will focus on the following activities:

  • Review Galaxy components and their interactions to gain a detailed understanding of the overall security architecture and data workflow, while generating updated architecture diagrams.

  • Evaluate Galaxy against NIST 800-53 and determine where controls need to be implemented.

  • Conduct a HIPAA gap analysis to identify any areas needing additional safeguards.

  • Provide guidance on processes and tools required to fill these gaps.

  • Time permitting: Review the architecture and implementation of usegalaxy.org and make recommendations for improving security.

This engagement is a collaboration between the Science Gateway Community Institute’s (SGCI) incubator service and Trusted CI.


The engagement started July 2020 and is scheduled to conclude by the end of December 2020.

Tuesday, July 28, 2020

Trusted CI Webinar: Transitioning Cybersecurity Research to Practice - Aug. 11th at 11am (EDT)


Florence Hudson, Ryan Kiser, Patrick Traynor, and S. Jay Yang are presenting the webinar, Transitioning Cybersecurity Research to Practice - Success stories and tools you can use, on Tuesday August 11th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

"Transition to practice is really a passion of mine. It is wonderful to write papers and have great ideas. But it is even cooler to get a million people using it." – Professor Patrick Traynor.

Join us to hear exciting cybersecurity research success stories, and lessons learned along the way, from Professor Patrick Traynor of the University of Florida, who has successfully transitioned his research to practice in a number of ways. One of his technologies, the Skim Reaper, is being used across multiple U.S. states to protect against credit card skimming. We will also share tools that Trusted CI has developed to help you take the Transition To Practice journey as a developer and researcher. Florence Hudson and Ryan Kiser will present the "Trusted CI TTP Playbook," available on the Trusted CI website, with TTP tools you can use. This includes a TTP Canvas to help the researcher and developer clarify their target users, value proposition, and how they will TTP. We also include a TTP Technology Readiness Level (TRL) assessment tool for planning the technical journey to mature your research and transition it to practice.

Speaker Bios:

Florence D. Hudson is a Special Advisor at Trusted CI, the NSF Cybersecurity Center of Excellence, co-leading the Transition To Practice (TTP) program. She has led TTP at IBM, Internet2 and Trusted CI. She is a former IBM Vice President and Chief Technology Officer, Internet2 Senior Vice President and Chief Innovation Officer, and Aerospace and Mechanical Engineer at Northrop Grumman and NASA. She is Executive Director for the Northeast Big Data Innovation Hub at Columbia University, and Founder and CEO of Advanced Technology and Diversity & Inclusion Consulting Firm FDHint, LLC. She received her BSE in Mechanical and Aerospace Engineering from Princeton University, and completed Executive Education at Harvard Business School and Columbia University.

Ryan Kiser is a Senior Security Analyst at the Indiana University Center for Applied Cybersecurity Research. Ryan has worked on information security projects across a wide variety of domains, including leading efforts to assess and improve the security of automotive engine systems, performing risk assessments for university central IT systems, and supporting researchers in efforts to adhere to regulated data requirements such as HIPAA, FISMA, and various CUI requirements. Ryan has been heavily involved in organizations serving information security needs for higher-ed and national research communities. Some of these include the Open Science Grid (OSG), as a member of the OSG Security Team, and Trusted CI, where he has led engagements to assist NSF-funded research projects in improving their security posture. His current interests involve novel applications of predictive modeling, machine learning, and Brazilian jiu-jitsu.

Patrick Traynor is a professor of Computer and Information Science and Engineering (CISE) at the University of Florida. Patrick's research focuses on the security of mobile systems, with a concentration on telecommunications infrastructure and mobile devices. His research has uncovered critical vulnerabilities in cellular networks, developed techniques to find credit card skimmers that have been adopted by law enforcement, and created robust approaches to detecting and combating Caller-ID scams. He received a CAREER Award from the National Science Foundation in 2010, was named a Sloan Fellow in 2014, a Fellow of the Center for Financial Inclusion at Accion in 2016, and a Kavli Fellow in 2017. Professor Traynor earned his Ph.D. and M.S. in Computer Science and Engineering from the Pennsylvania State University in 2008 and 2004, respectively, and his B.S. in Computer Science from the University of Richmond in 2002. He is also a co-founder of Pindrop Security, CryptoDrop, and Skim Reaper.

Dr. S. Jay Yang received his BS degree in Electronics Engineering from National Chiao Tung University in Taiwan in 1995, and MS and Ph.D. degrees in Electrical and Computer Engineering from the University of Texas at Austin in 1998 and 2001, respectively. He is currently a Professor and the Department Head for the Department of Computer Engineering at Rochester Institute of Technology. He also serves as the Director of Global Outreach in the Center of Cybersecurity at RIT, and a Co-Director of the Networking and Information Processing (NetIP) Laboratory. His research group has developed several pioneering machine learning, attack modeling, and simulation systems to provide predictive analysis of cyberattacks, enabling anticipatory or proactive cyber defense. His earlier works included FuSIA, VTAC, ViSAw, F-VLMM, and attack obfuscation modeling. More recently, his team is developing a holistic body of work that encompasses ASSERT, to provide timely separation and prediction of critical attack behaviors; CASCASE, to simulate synthetic cyberattack scenarios that integrate data-driven and theoretically grounded understanding of adversary behaviors; and CAPTURE, to forecast cyberattacks before they happen using unconventional signals in the public domain. Dr. Yang has published more than sixty papers and worked on eighteen sponsored research projects. He has served on organizing committees for several conferences and as a guest editor and a reviewer for a number of journals and textbooks. He has been invited as a keynote or panel speaker at several venues. He was a recipient of the Norman A. Miles Outstanding Teaching Award, and a key contributor to the development of two Ph.D. programs at RIT and several global partnership programs.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Tuesday, July 21, 2020

Trusted CI Completes a Highly Successful Engagement with UC Berkeley

Handling regulated data is becoming a key requirement for supporting research, especially for high performance computing (HPC) service providers who have not previously been subject to rules and regulations. While the list of institutions with research cyberinfrastructure approved for critical data such as protected health information (PHI) or Controlled Unclassified Information (CUI) is growing, it still remains woefully short. Any major university effort to accommodate researchers with regulated data adds to the pool of research enablers, while simultaneously protecting sensitive research data.

For HPC service providers that support research sponsored by the NSF, pursuing compliance also diverts resources, potentially affecting this support. External help can be invaluable in reducing the impact, especially for providers tackling compliance for the first time.

Trusted CI recently concluded a highly successful engagement with UC Berkeley that both validated and bolstered UC Berkeley's nascent regulated data effort, namely a "Secure Research Data and Compute" (SRDC) platform. The SRDC platform is expected to have a significant impact on UC Berkeley's ability to enable and empower a wide range of researchers to conduct research with data subject to rules and regulations in scientific fields as diverse as biology, engineering, computer science, and a broad spectrum of social sciences and professional schools such as business, public health, and law.

According to Ken Lutz, Director of Research Information Technology at UC Berkeley: 

“Our engagement with Trusted CI has been very successful and has been an important part of preparing for the launch of our SRDC Platform. While we had already obtained a commitment by senior leadership to develop the platform, the perspective and expertise provided by the Trusted CI team helped us build trust across our complex network of stakeholders. Our UC Berkeley team especially appreciated the broader higher education experience that the Trusted CI team brought to the engagement. Based on this engagement, we feel confident that we are developing a platform and service that will enable our research community to pursue high impact research involving highly sensitive data.”

Initial engagement objectives included a review of SRDC’s design, security and compliance goals and future vision, a comparison of SRDC security against best practices at peer institutions, gap identification, and recommendations on how to fill those gaps.

The engagement spanned eleven 1-hour meetings and an all-day virtual campus visit. The meetings, submitted artifacts, and other input from UC Berkeley enabled Trusted CI to assess the SRDC security architecture, workflows, and current policies and procedures, evaluate and validate the cybersecurity framework UC Berkeley is developing with help from a commercial third party, and gauge UC Berkeley’s approach to regulated data against what peer institutions are doing.

During the virtual campus visit, Trusted CI met many of the other SRDC stakeholders on campus (including the CISO) and did a presentation for a group of these stakeholders that detailed current regulated research data approaches nationally and how UC Berkeley’s effort fits in.

The final product of the engagement was a 21-page report containing specific, prioritized recommendations on how to address the security gaps identified during the engagement (including HIPAA gaps), adopt best practices, and avoid pitfalls while maintaining a healthy balance between usability and security. Trusted CI also provided policy templates and guidance on how best to leverage the cybersecurity framework recommended by the third party.

Trusted CI also benefited from this engagement, both from working alongside a commercial third party and learning about their approach to compliance, and from the addition of another institution to which Trusted CI can refer future seekers of compliance for guidance and counsel.

The success of this engagement is noteworthy in light of the challenges COVID-19 introduced in the midst of the engagement, including the cancellation of a campus visit and face-to-face interaction, both of which are typically important to the success of highly collaborative projects.