Showing posts with label Jupyter. Show all posts

Monday, August 12, 2024

Trusted CI Webinar: JSON Web Tokens for Science: Hands on Jupyter Notebook tutorial, Monday August 26th @10am Central

SciAuth's Jim Basney and Derek Weitzel are presenting the talk, JSON Web Tokens for Science: Hands on Jupyter Notebook tutorial, on August 26th at 10am, Central time.

Please register here.

NSF cyberinfrastructure is undergoing a security transformation: a migration from X.509 user certificates to IETF-standard JSON Web Tokens (JWTs). This migration has facilitated a re-thinking of authentication and authorization among cyberinfrastructure providers: enabling federated authentication as a core capability, improving support for attribute, role, and capability-based authorization, and reducing reliance on prior identity-based authorization methods that created security and usability problems. In this webinar, members of the SciAuth project (https://sciauth.org/ - NSF award #2114989) will provide a short, hands-on tutorial for cyberinfrastructure professionals to learn about JWTs, including SciTokens (https://scitokens.org/ - NSF award #1738962). Participants will use Jupyter Notebooks to validate the security of JWTs and experiment with JWT-based authentication and authorization. Participants will gain an understanding of JWT basics suitable for understanding their security and troubleshooting any problems with their use.

Speaker Bios: 

Dr. Jim Basney is a principal research scientist in the cybersecurity group at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. He is the Director and PI of Trusted CI. Jim received his PhD in computer sciences from the University of Wisconsin-Madison.

Dr. Derek Weitzel is a research assistant professor in the School of Computing at the University of Nebraska - Lincoln. He has been providing distributed computing solutions to the national cyberinfrastructures since 2009. He is a member of the OSG’s production operations team and leads the operations of the National Research Platform. His current areas of research involve distributed data management for shared and opportunistic storage, secure credential management, and network monitoring and analytics.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Wednesday, December 15, 2021

Trusted CI Wraps Up Engagement with Jupyter Security Coordinators

Project Jupyter is an open-source project consisting of several products, including Jupyter Notebook/Server, JupyterHub, and JupyterLab, which are used throughout the NSF community. This Trusted CI engagement was originally motivated by a Jupyter Security Best Practices Workshop tentatively scheduled for April 2022. Due to the ongoing pandemic, the workshop has been canceled, and alternative avenues for discussion of Jupyter security topics are being pursued.

Regardless, the engagees agreed that there was value in continuing the original engagement tasks, which include the following.

  • Perform a high-level survey of existing Jupyter documentation with a focus on the security aspects of installation and configuration. Identify gaps and suggest recommendations for improvement.
  • Identify common Jupyter deployment use-cases as targets for Jupyter Security Best Practices documentation.
  • Write security documentation for as many of these use-cases as time permits.

Three documents were produced from these engagement tasks.

  • A summary of all existing Jupyter documentation focused on security aspects of deployment and configuration. This survey was presented to the Jupyter community via Jupyter's Discourse.
  • Suggestions for revisions to Jupyter Notebook documentation related to security of a single-user (e.g., laptop) installation.
  • Suggestions for revisions to JupyterHub documentation related to security of a single-server / multi-user (e.g., small scientific project) installation.

All documentation produced during this engagement has been published to a GitHub repository.

Concurrent with this Trusted CI engagement, the Jupyter Security Coordination Team began working with the Jupyter Steering Council to address security issues across the Jupyter project as a whole. This effort led to the following milestones.

This engagement represents the start of a bigger conversation focused on Jupyter security concerns. It is our hope that the documentation produced by this engagement will be incorporated by Jupyter developers into their project documentation to assist administrators and users in securing their deployments.

Tuesday, August 24, 2021

Trusted CI Begins Engagement with Jupyter Security Coordinators

Project Jupyter is an open-source project which supports interactive data science and scientific computing across multiple programming languages. Project Jupyter has developed several interactive computing products including Jupyter Notebook, JupyterLab, and JupyterHub, which are used throughout the NSF community. This Trusted CI engagement is motivated by an upcoming Jupyter Security Best Practices Workshop funded by NumFOCUS as part of the Community Workshop series. The workshop is tentatively scheduled to be held April 2022 at the Ohio Supercomputer Center.

The goals of this engagement include the following tasks.

  • Review existing Jupyter deployment documentation related to security, identify gaps, and create recommendations for improvements.
  • Identify Jupyter deployment use-cases as targets for Jupyter Security Best Practices documentation. Example use-cases include DOE supercomputing centers, campus research clusters, workshops, small scientific projects, etc. Prioritize these use-cases based on which audiences would benefit most from new security documentation.
  • Write Jupyter Security Best Practices documentation for high priority use-cases identified above. Work through other use-cases as time permits.

The Jupyter Security Best Practices documentation produced by this engagement will be shared with Project Jupyter for inclusion in their documentation, and also presented at the workshop.

To read Jupyter's blog post about the engagement, click here.

Monday, November 18, 2019

New at the NSF Cybersecurity Summit this year: Jupyter Security Training

Picture of Matthias Bussonnier teaching about Jupyter security
Matthias Bussonnier - Photo by Emily Sterneman
This year at the NSF Cybersecurity Summit, Trusted CI expanded upon its training session offerings with a Jupyter security training/workshop on the first day (afternoon session). This training was led by Matthias Bussonnier (Jupyter Developer Team, UC Merced), Rick Wagner (Globus), Mark Krenz (Trusted CI), and Ishan Abhinit (Trusted CI). Twenty-one people attended the workshop, making it one of the more popular training sessions at the summit this year.

The session started with an around-the-room introduction of attendees and their experiences using Jupyter, including what they knew about Jupyter security and what they were hoping to get out of the workshop. Most attendees had little-to-no experience with Jupyter and were curious to learn more about deploying and securing Jupyter. This was especially valuable information for Matthias, helping the development team better understand the different scientific communities using Jupyter. The room seemed to be balanced between attendees from Information Technology and Research, which is a sign that Jupyter is increasingly used and deployed at scale in various institutions.

The next 30 minutes were devoted to helping the audience understand Jupyter and its software landscape: notebooks, notebook server, IPython, JupyterHub, etc. This included an overview of Jupyter architecture, nomenclature, where things run and how they communicate, the threat model, examples of attacks, and how to secure an installation.

This was followed by a hands-on exercise where Rick demonstrated how to access a remote Notebook Server and set up a JupyterHub instance using a default configuration. Then attendees learned to observe and secure components and their interactions one by one. Rick and Matthias ended the session by answering the questions attendees had asked at the beginning, defining Jupyter security best practices, and giving an overview of what can be done to improve security in the Jupyter Community. The slides from the workshop are available here. The group will be looking for ways to provide this training at future events.

According to Matthias, this was the first-ever security-focused training workshop on Jupyter, and the feedback from the first group of attendees will inform the shape this training will take in future iterations.

Monday, September 9, 2019

CCoE Webinar September 23rd at 11am ET: Jupyter Security at LLNL with Thomas Mendoza

Thomas Mendoza is presenting the talk "Jupyter Security at Lawrence Livermore National Laboratory" on Monday September 23rd at 11am (Eastern).

Please register here. Check spam/junk folder for registration confirmation email.

Jupyter Notebooks have become tremendously popular for creating, sharing and reproducing science. While they are relatively easy to set up and use, there has (until recently) been little concern regarding the security implications of running these Notebooks. This presentation will cover the developments and practices used at Lawrence Livermore National Laboratory to secure notebooks running in multi-tenant, HPC environments.

Speaker Bio:

Thomas Mendoza is a staff Computer Scientist at LLNL working for Livermore Computing’s HPC center on web architecture and security.

Presentations are recorded and include time for questions with the audience.
