Monday, January 27, 2020

Trusted CI Concludes SLATE Engagement

In the second half of 2019, Trusted CI and Services Layer at the Edge (SLATE) collaborated in an engagement to address cybersecurity concerns for the SLATE system.

SLATE is funded by an NSF grant managed by the Office of Advanced Cyberinfrastructure (Award #1724821).  SLATE accelerates collaborative scientific computing through a secure container orchestration framework focused on the Science DMZ, enabling creation of advanced multi-institution platforms and novel science gateways.  Similar approaches are already in production supporting LIGO and other scientific collaborations but as yet lack a generalized trust framework.  While innovation of the new trust model is initially occurring in the context of the OSG and the worldwide LHC computing grid (WLCG), trusted federated edge infrastructures enabling operation of advanced computing platforms will be necessary in the future to sustain a wide range of data intensive science disciplines requiring shared, scalable national and international cyberinfrastructure.

In the Trusted CI SLATE engagement, we performed an overall security analysis of the SLATE platform, identified trust relationships and key user/administrator workflows, identified a set of needed security policy documents, and began drafting the security policies. We also evaluated container security tools, explored existing applicable OSG and WLCG security policies, and gathered community input on the SLATE security program, resulting in an initial consensus around the security policies and procedures needed to enable wider adoption of the SLATE platform.

Community-driven work on the SLATE security program continues through the WLCG Federated Operations Security Working Group, which is open to all who are interested. Visit https://trustedci.org/slate for pointers to current status of the working group and https://slateci.io/docs/security-and-policies/ for pointers to current SLATE security policies as they are developed.  Visit https://hdl.handle.net/2142/106019 for the Trusted CI Slate engagement final report.

Friday, January 24, 2020

Invitation to Join Trustworthy Data Working Group

In February 2020, Trusted CI will launch a new Trustworthy Data Working Group. With the recent renewal by NSF, Trusted CI is focusing each year on a new challenge to NSF science, and this working group represents our inaugural effort for 2020. The group will survey science projects to learn about data security concerns and practices. We will analyze the survey results and develop guidance for science projects and cyberinfrastructure developers, including references to existing resources. We will then publish the survey results, along with the analysis and guidance, as a freely-available report by the end of 2020, and we will share the results in a Trusted CI webinar and in other venues.

To form this working group, Trusted CI is collaborating with the four NSF Big Data Innovation Hubs, the NSF CI CoE Pilot, the Ostrom Workshop on Data Management and Information Governance, the NSF Engagement and Performance Operations Center (EPOC), the Indiana Geological and Water Survey, the Open Storage Network, and other interested community members. Participation in the working group is open to all.

To participate:
Any questions/comments? Join the discussion on the mailing list or contact the working group chair (Jim Basney).

Tuesday, January 21, 2020

Trusted CI Webinar Jan 27th at 11am ET: REN-ISAC for Research Facilities/Projects with Kim Milford

Indiana University's Kim Milford is presenting a talk on the REN-ISAC, The Research and Education Networks Information Sharing and Analysis Center, on January 27th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.
The Research and Education Networks Information Sharing and Analysis Center (REN-ISAC) serves members within the higher education and research community by promoting cybersecurity operational protection and response. 
REN-ISAC membership is not just for university security officers! REN-ISAC has multiple membership communities that are applicable to research facilities. Kim will discuss the benefits of REN-ISAC membership that are applicable to research facility/project representatives and will solicit feedback from webinar attendees on future service offerings. 
For example, the REN-ISAC members benefit from Security Event System (SES) threat intelligence and other automated data collection and sharing tools to enable informed decisions about threats and events, as well as peer assessment services to improve the institution’s overall security posture. The REN-ISAC offers members daily cybersecurity news situational awareness, alerts and advisories, analysis reports of cybersecurity threats and mitigation, and an active, interested community of subject matter experts who provide feedback on practices and standards. The REN-ISAC also fosters professional training and development through monthly webinars, regional workshops, and an aggregate purchasing program with the SANS Institute.
Kim Milford serves as Executive Director of the REN-ISAC, working with research and education institutions, partners, and sponsors to provide services and information that allow member institutions to better defend technical environments from cyberthreats. Ms. Milford oversees administration and operations for the REN-ISAC. Ms. Milford served in several roles leading strategic IT initiatives since 2007 at Indiana University. As Chief Privacy Officer, she coordinated privacy-related efforts, chaired the Committee of Data Stewards, and directed the work of the University Information Policy Office and IU's IT incident response team. Prior to joining Indiana University, Ms. Milford worked as Information Security Officer at the University of Rochester. As Information Security Manager at University of Wisconsin-Madison from 1998 - 2005, she assisted in establishing the university's information security department and co-led in the development of an annual security conference. Ms. Milford provides cybersecurity expertise and presentations at national and regional conferences, seminars and consortia, as well as taught courses on Internet security and authored/co-authored many articles on the subject. Ms. Milford has a B.S. in Accounting from Saint Louis University in St. Louis, Missouri and a J.D. from John Marshall Law School in Chicago, Illinois.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Transition to Practice success story: Boston University - Secure multiparty computation and the Boston Women's Workforce Council

We can have security, privacy and confidentiality in pay gap analysis across many companies 

[Want to learn the basics about Transition to Practice? Read an introduction to the Trusted CI Cybersecurity Technology Transition to Practice (TTP) program >>

Boston University (BU) has been working with the Boston Women's Workforce Council (BWWC) since 2014 to help them understand the root causes and range of the gender wage gap and measure progress toward the goal of 100% equal pay for equal work. Secure multiparty computation (secure MPC) was the only way to get this measurement without compromising the privacy of the data, and without the risk and expense of a third-party data arbiter.

There is a lot of value from sharing data, but the more data you have, the more it can be breached, or others can use in ways you don’t want. MPC allows secure collaborative analysis of private data.

To learn more, we spoke with Mayank Varia, a research associate professor in the computer science department at Boston University (BU).

His personal research interests center around cryptography—both innovations within the field of cryptography and connecting it to problems throughout the rest of computer science and beyond such as the social sciences. He is also the co-director of the Center for Reliable Information Systems and Cyber Security (RISCS).

Trusted CI: Please tell us about the scope of your work, and how secure MPC fits into that.

M.V. RISCS is a group of people throughout BU who have either interest in cybersecurity research or interest in research studies dealing with cybersecurity generally. That includes areas like law, economics, philosophy, or areas beyond traditional computer science that are impacted by things like cybercrime, nation-state influencing, legal questions, and so on. Our group wants to see secure multiparty computation deployed around the world.

Trusted CI: What is secure MPC? What do you see as the primary benefits of secure MPC? What value does it bring to users?

M.V. Secure MPC allows organizations, state officials, companies, governments, etc., that each have private data to do collaborative analysis to learn about the data without sharing any of the data with anyone else.

You can do collaborative analysis of data that remains in these organizations’ own systems without it being breached or revealed to any other party. They don't need to find some trusted arbiter who holds the data in order to compute things for them. They can get the benefits of doing collaborative analysis, such as any kind of data science, without sacrificing the privacy or the security of the underlying data.

Trusted CI: Tell us about the use case example with the city of Boston, who the client(s) are, how the connection was made between the researchers and the users, what value they received from secure MPC, how long it took for the project, and whether they still use it.

M.V. BU has been working with the Boston Women's Workforce Council since 2014, but the story starts in 2013. BWWC was created by Mayor Thomas Menino before he retired. Creating it was one of his last big initiatives. His goal was to make Boston the premier city for working women. He brought together lots of people who had been thinking about the gender equity problem.

They wanted to understand root causes of wage gap and address them—what gets measured gets done. The goal was 100% equal pay for equal work.

They also wanted to measure how well they were doing towards that goal. The initial pledge called on any company that signs on to agree to participate in data analysis to determine what the wage gap was across the city of Boston.

When Mayor Menino retired, he met Azer Bestavros here at BU and mentioned they were stuck on the measurement component because the data was sensitive and had to remain private. Azer was familiar with secure MPC. Within a year, they convinced about 90 companies to join the compact.

MPC was the only way to get this measurement to happen. It's much cheaper, safer, easier, and more effective for nobody to have access to the data than for somebody to have access to the data.

Trusted CI: How does secure MPC keep the data secure?

M.V. Each company has their own payroll information. Each company goes to the website (100talent.org) where they can drag and drop a spreadsheet that represents their payroll information. It’s the same format they already use for the Equal Employment Opportunity Commission.

They click a button, sending the data to two different places. Data is being split such that the real data is not going anywhere, but fake encoded data is going to two separate places.

The data is being encoded in such a way that one piece of the data is going to the Boston Women's Workforce Council and one piece of the data is going to Boston University. And these two pieces have the property that individually they look like random garbage. There's no meaning in the data that Boston University gets or that the Boston Women's Workforce Council gets. But the data has the property that the two of us working together can still do an analysis over the data even though each one of us individually has no idea what it says.

Trusted CI: Who would be the broader set of target users for secure MPC? What challenges would they have that secure MPC might solve?

M.V. MPC has value but there are a few constraints for an application to be amenable to MPC. It must have pieces that involve multiple organizations. Or rather, that it crosses privacy silos. It could be even various divisions within one company that are not interested in sharing data with each other. It doesn't have to be a corporate boundary, but there must be a privacy/security boundary that's being crossed.

You'd want scenarios where there's some interesting data analysis that has either commercial or social value—where the result of the calculation is something that is safe to share, safe to make public. It should have social benefit, but the data is sensitive, protected, and can't be revealed. This is when MPC can help.

It takes a while to tease out of the researchers what they really want, as opposed to just the questions they think they can answer. The benefit of MPC is it helps them figure out what is the real question they are after. Social scientists are very good at thinking about those questions. And we can help them with how to go about doing that in a way that doesn't breach privacy and confidentiality.

Trusted CI: What if people want to use the secure MPC assets, how do they access them?

M.V. We have several software packages that are available and are open-source on GitHub (github.com/multiparty) that anyone can use:

1.    web-MPC - very easy to use
2.    JIFF – web-based but more flexible, can do more complicated analysis, but requires more tuning
3.    Conclave - for high-performance data processing at scale, where you have hundreds of gigabytes of data, and can run on the cloud

Trusted CI: Is there any type of support structure?

M.V. We have a group of professional software engineers and we are happy to collaborate with any interested parties. We also have a Collaboratory of many different interested companies. And we're always happy to have new members join. We have a website that's separate from our GitHub repository: multiparty.org.

Trusted CI: Please tell us more about the secure MPC Transition to Practice journey.

M.V. After I joined BU in 2015, I connected with Professor Azer Bestavros who, as previously stated, had learned about Boston’s need through former Mayor Menino. Azer is not a cryptographer, but he knew of MPC, so he started working with our group. It was all very serendipitous.

Since then we've been working with the Boston Women's Workforce Council for the past five years. The goal is to do an analysis every year or every other year to get a longitudinal analysis of whether we are moving rapidly towards a world of equal pay for equal work. The first calculation happened in 2015 once we built the software and started running it. The second one in 2016 and the third one in 2017. They chose not to do one in 2018. The most recent one happened in 2019. All of the 2016-17 data analyses are publicly available on the City of Boston website.

Not only did they have a problem where MPC could help, they tried solving the problem without MPC and failed. But one of the hardest pieces towards getting adoption of MPC is for people to even know that it's possible. If they had found a trusted third party that they were all somehow magically willing to use and that was willing to take the data, then this probably never would have happened.

Trusted CI: What is the chronology of MPC?

M.V. MPC has been researched since the mid-1980s as a theoretical concept, but there have been rapid advances in the last 5 years to make it practical and take it out of the lab, and benefit from faster computers. While BU has been doing theoretical research in MPC for a while, the interaction with the Mayor's office has spurred several tech transition opportunities and catalyzed even more research from our group. We are very grateful to the National Science Foundation for sponsoring all of these recent endeavors under grants #1430145 (SCOPE), #1414119 (MACS), #1718135, #1739000, 1915763 and 1931714.

Trusted CI: Are you creating a business model for transitioning secure MPC to practice, like a services model?

M.V. We are very interested in working with technology transfer partners to deploy this technology. Companies like Red Hat and Honda are interested in partnering with us and giving us grants as a university to continue this development. Because it's a symbiotic relationship, it's in their interest to see these products continue to be developed, to continue to be matured, to continue to be made faster, to be made better. Everything is also open source, so anyone is free to use it.

This work is partially supported by the National Science Foundation under Grants #1430145 (SCOPE), #1414119 (MACS), #1718135, #1739000, 1915763 and 1931714. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Introduction to the Trusted CI Cybersecurity Technology Transition to Practice (TTP) program

Enabling advanced cybersecurity research to bring value to our world

Throughout 2020, we will be posting Transition to Practice success stories. But first, what is Trusted CI’s Cybersecurity Transition to Practice (TTP) program and what are its goals?

The goal of Trusted CI’s Cybersecurity Transition to Practice (TTP) program is to enable collaboration among researchers and practitioners to accelerate the adoption of cybersecurity research into real-world practice in scientific research, academia, industry, government, or open source. The problem historically has been that there are great cybersecurity solutions that real-world practitioners may never hear about. By bringing people together, TTP seeks to help with the technology transfer that translates research into solutions.

The TTP program first seeks to identify key cybersecurity gaps and challenges, then explores NSF-funded research to address the gaps and challenges. Then through matchmaking, workshops, business model coaching, and shared learning, the program enables research, industry, academia, and government collaborations to fill the gaps. TTP builds a dynamic, collaborative, cybersecurity community of practice with researchers and practitioners working together to identify and address cybersecurity needs now and into the future, advancing the state of cybersecurity.

Florence Hudson, founder and CEO at FDHint and special advisor leading Trusted CI’s TTP program, explains: “Many researchers don't want to be president of a company, and they don't often have the opportunity or experience to find or work with practitioners who could help their research come to life. We coach the researchers in identifying their target clients, communicating a clear and compelling value proposition, and networking with potential users of their research to enable deployment in operational environments. In 2020 we added a Technology Readiness Level (TRL) assessment to the TTP program to enable the researcher to progress their research to help make it operations-ready. This can help the researcher and practitioners in real deployment of the research.”

The first Trusted CI Cybersecurity TTP Workshop took place in Chicago in June 2019. It’s a good example of the TTP program in action. Slides from the workshop are available >>

Thursday, January 16, 2020

Announcing the 2019 NSF Community Cybersecurity Benchmarking Survey Report

The third NSF Community Cybersecurity Benchmarking Survey Report is now available:

http://hdl.handle.net/2022/24912

The Community Survey’s purpose is to collect, analyze, and publish useful baseline benchmarking information about the NSF science community’s cybersecurity programs, practices, challenges, and concerns. This year’s survey received responses from 23 institutions, including 14 NSF Major Facilities (previously “Large Facilities”). Notable takeaways from this year’s survey include the continued increase in respondents who use multi-factor authentication (reaching 75%), the continued variability in cybersecurity budgets, a significant increase in respondents who practice residual risk acceptance, and all of the respondents either having already established a cybersecurity program or being in the process of establishing one. We hope the results and analysis provided by this report offer insight and inspire discussion.

Thursday, January 9, 2020

Save the Date: 2020 Cybersummit Sep 22 - 24 in Bloomington, IN

Important update as of May 27, 2020: The 2020 NSF Cybersecurity Summit will be online.

Please mark your calendar for the 2020 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure, planned for September 22-24, 2020 in Bloomington,Indiana
Where: Monroe Convention Center, Bloomington, Indiana, near the Indiana University Campus

Stay tuned for more information by following the Trusted CI Blog (http://blog.trustedci.org/) & Twitter feed:  
https://twitter.com/trustedci/

Information on prior summits is available at 
http://trustedci.org/summit/.