Friday, January 7, 2022

Trusted CI, EPOC and University of Arkansas create security resources for Science DMZs

In the second half of 2021, Trusted CI partnered with EPOC at Indiana University on an engagement with the University of Arkansas as they worked on the NSF-funded project "Data Analytics that are Robust and Trusted" (DART). DART, funded by NSF grant #OIA-1946391, is building an Arkansas-wide Science DMZ capability for use by participating institutions of higher education across the state. A Science DMZ is a network architecture for friction-free, very high-throughput transfers of science data. Most Science DMZs are modeled around two endpoints that need to transfer data between each other; the goal of the DART project is to build a statewide network that lets any participating Arkansas institution transfer data with any other. The DART project applied for an engagement with Trusted CI to seek guidance on securing their multi-tenant Science DMZ infrastructure, and also to improve the state of security documentation for Science DMZs in general.

One of the challenges with Science DMZs is that CISOs and executive leadership at institutions have been resistant to the idea because of the myth that a Science DMZ, being placed outside the traditional firewall perimeter, has no security controls at all. To address these concerns the team wrote a white paper on the security of Science DMZs. The first half introduces the concept of a Science DMZ, explains the need for it, and gives a high-level overview of the alternative security controls used in place of the perimeter firewall; its audience is CISOs at universities. The second half goes into more specific implementation details, summarizing and referencing many of the recommendations made by various resources in the community and providing a few additional recommendations from Trusted CI. The document is now published at https://scholarworks.iu.edu/dspace/handle/2022/27007.

During the first half of the engagement, Trusted CI and EPOC worked to determine the scope of what could be called the Science DMZ, with much of the discussion in engagement meetings about what should and should not be on it. There is a natural temptation to place more hosts in the Science DMZ than are necessary; this must be resisted, since every additional host enlarges the attack surface of a segment that sits outside the perimeter firewall. Instead, the data transfer nodes (DTNs) should be the focal points of the Science DMZ.

Beyond the end of the engagement, Trusted CI, in partnership with staff from the DART project, plans to use this white paper to develop additional presentation materials to help other institutions promote and implement Science DMZs. This effort will start in the first half of 2022.