
Monday, August 14, 2023

Trusted CI Webinar: Leveraging Adaptive Framework for Open Source Data Access Solutions, August 28th @11am EST

Clemson University's Jeremy Grieshop is presenting the talk, Leveraging Adaptive Framework for Open Source Data Access Solutions, on August 28th at 11am Eastern time.

Please register here.

More than a decade ago, Clemson University outlined the requirements needed to integrate several campus-wide enterprise applications in a way that would automate the exchange of data between them, and establish the relationships of that data to the unique identities that represented all users within the system, including faculty, staff, students, alumni and applicants. There would be no direct access to data, except through applications that were approved and had established Memorandum of Understanding (MOU) contracts in place. This project was known as the Clemson Vault.

Within the Identity Management space, solutions for automating the provisioning of identities are offered by several vendors these days. However, mileage and cost vary when you wish to integrate arbitrary university resources, such as mailing lists, disk storage, building card access, and course registrations. Open source solutions that meet all of the above requirements do not exist.

At Clemson University, we combined licensed vendor software and in-house apps, scripts and procedures to create a data integration solution that met the original requirements. This implementation has served us well for many years, but many of the drawbacks of the current design prompted us to begin pulling these features out into their own project, where we could collaborate with institutions outside of our own organization on features and enhancements for the future. The patterns, interfaces, and source code that emerged from the original vault were extracted, embellished and migrated into an open source repository known as Adaptive Framework (https://github.com/afw-org/afw).

Clemson University has been working on this project for several years now, and has recently released this open source framework for building data access solutions that provide web service APIs, data transformation tools, real-time data provisioning and an authorization architecture. The framework that has emerged offers a built-in scripting language, pre-compiled server-side applications and an administrative web interface.

Although it was originally designed for the implementation of an open source identity vault, we envision a broader adoption of this framework for other data-driven needs, such as extending databases with metadata, building policy-based authorization systems, and integrating data repositories with a metadata catalog, and varying levels of access control, across federated environments.

Our goal with this project is to gather external support from both commercial and public institutions to help make this framework sustainable moving forward.

Speaker Bio:

Jeremy Grieshop is a software engineer (B.S. Miami University, M.S. Clemson University) and has been employed by Clemson University since 2001. His role has been in software development for the Identity Management team, and he has been directly involved in the design and implementation of much of the authentication and provisioning software, along with the self-service tools, that are in place at Clemson University today.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Friday, July 29, 2022

Trusted CI Co-authors Identity Management Cookbook for NSF Major Facilities

Trusted CI’s Josh Drake has co-authored a new document addressing many identity management (IdM) challenges present at NSF Major Facilities. Due to their size and collaborative missions, Major Facilities often have many users, across multiple organizations, all with different access permissions to a diverse collection of CI resources. The Federated Identity Management Cookbook aims to address these challenges by providing time-tested “recipes” for building IdM capabilities, as well as a primer on the topic of IdM itself.

“While operating the IdM working group and CI Compass, we had many opportunities to engage with major facilities on identity and access management issues facing researchers. We were able to explore a variety of options to help researchers integrate federated identities into their cyberinfrastructure,” said Josh Drake. “This cookbook represents the distilled version of months of engagement with the MF community and a primer to identity management concepts that we hope will be of use to research cyberinfrastructure operators everywhere.” Trusted CI’s Ryan Kiser and Adrian Crenshaw also participated in the engagements that contributed to the cookbook.

This work was created in partnership with Erik Scott (RENCI) and CI Compass. CI Compass provides expertise and active support to cyberinfrastructure practitioners at NSF Major Facilities in order to accelerate the data lifecycle and ensure the integrity and effectiveness of the cyberinfrastructure upon which research and discovery depend.

The cookbook is available in the CI Compass Resource Library and on Zenodo. See CI Compass’s website to read the full press release.

Tuesday, July 6, 2021

Join Trusted CI at PEARC21, July 19th - 22nd

PEARC21 will be held virtually on July 19th - 22nd, 2021 (PEARC website).

Trusted CI will be hosting two events, our annual workshop and our Security Log Analysis tutorial.

Both events are scheduled at the same time, so please note that when planning your agenda.

The details for each event are listed below. 

Workshop: The Fifth Trusted CI Workshop on Trustworthy Scientific Cyberinfrastructure provides an opportunity for sharing experiences, recommendations, and solutions for addressing cybersecurity challenges in research computing.  

Monday July 19th @ 8am - 11am Pacific.

  • 8:00 am - Welcome and opening remarks
  • 8:10 am - The Trusted CI Framework: A Minimum Standard for Cybersecurity Programs
    • Presenters: Scott Russell, Ranson Ricks, Craig Jackson, and Emily Adams; Trusted CI / Indiana University’s Center for Applied Cybersecurity Research
  • 8:40 am - Google Drive: The Unknown Unknowns
    • Presenter: Mark Krenz; Trusted CI / Indiana University’s Center for Applied Cybersecurity Research
  • 9:10 am - Experiences Integrating and Operating Custos Security Services
    • Presenters: Isuru Ranawaka, Dimuthu Wannipurage, Samitha Liyanage, Yu Ma, Suresh Marru, and Marlon Pierce; Indiana University
    • Dannon Baker, Alexandru Mahmoud, Juleen Graham, and Enis Afgan; Johns Hopkins University
    • Terry Fleury, and Jim Basney; University of Illinois Urbana Champaign
  • 9:40 am - 10 minute Break
  • 9:50 am - Drawing parallels and synergies between NSF and NIH cybersecurity projects
    • Presenters: Enis Afgan, Alexandru Mahmoud, Dannon Baker, and Michael Schatz; Johns Hopkins University
    • Jeremy Goecks; Oregon Health and Sciences University
  • 10:20 am - How InCommon is helping its members to meet NIH requirements for federated credentials
    • Presenters: Tom Barton; Internet2
  • 10:50 am - Wrap up and final thoughts (10 minutes)

More detailed information about the presentations is available on our website.


Tutorial: Security Log Analysis: Real world hands-on methods and techniques to detect attacks.  

Monday July 19th @ 8am - 11am Pacific.

A half-day training to tie together various log and data sources and provide a more rounded, coherent picture of a potential security event. It will also present log analysis as a life cycle (collection, event management, analysis, response), that becomes more efficient over time. Interactive demonstrations will cover both automated and manual analysis using multiple log sources, with examples from real security incidents.


Monday, March 29, 2021

Trusted CI and the CI CoE Pilot Complete Identity Management Engagement with GAGE

 

The Geodetic Facility for the Advancement of Geoscience (GAGE) is operated by UNAVCO and funded by the NSF and NASA. The GAGE project’s mission is to provide support to the larger NSF investigator community for geodesy, earth sciences research, education, and workforce development. During the second half of 2020, GAGE and the Trusted CI/CI CoE Identity Management working group collaborated on an engagement to design a working proof of concept for integrating federated identity into GAGE’s researcher data portal.

The Cyberinfrastructure Center of Excellence Pilot (CI CoE) is a Trusted CI partner, specializing in providing expertise and active support to CI practitioners at the NSF major facilities in order to accelerate the data lifecycle and ensure the integrity and effectiveness of the CI upon which research and discovery depend. The Identity Management working group is a joint effort between the CI CoE and Trusted CI to provide subject matter expertise and advice to major facilities on trust and identity issues, best practices and implementation. The working group's target audience is NSF funded major facilities, but participation in the working group is open to anyone in higher education and IAM.

The engagement began in July 2020 with a month long series of interviews between working group members and GAGE department leadership. GAGE came into the engagement with a series of needs that had arisen from practice and with a request from NSF to collect information on how their research data was being used. The working group used the interviews to identify key systems and areas of impact in order to present GAGE with a design for integrating federated identity into their data portal using elements of InCommon’s Trusted Access Platform.

Over the next three months, the engagement team met with members of GAGE’s software development team, CILogon, and COmanage to finalize and implement the proof of concept design. This design used CILogon to consume federated identities from other InCommon member institutions and then used the COmanage Registry to store GAGE-specific attributes for those identities: permissions for accessing various data groups, membership in research projects, and home institutions. Identities and attributes stored in COmanage could then be passed to the GAGE data portal as claims in OIDC tokens, granting permissions at the time of access and allowing GAGE to track which identities were requesting what permissions for their data.

The engagement culminated with a 15-page report delivered to GAGE in February 2021 containing detailed observations from interviews, alternate design configurations and tools for the proof of concept, lessons learned through the implementation process, and identification of future opportunities for investment and collaboration in IAM. Additionally, findings from this engagement will be included in an IAM cookbook that the working group plans to release in 2022. The Identity Management working group meets monthly on the second Monday at 2pm Eastern time. For more information about the Identity Management working group, please see the Trusted CI IAM page, the CI CoE working group directory, or join our mailing list to receive updates on working group meetings and products.

GAGE is funded by an NSF award managed by the Division of Earth Sciences (Award #1724794) and is operated by UNAVCO. The CI CoE Pilot is supported by a grant managed by the NSF Office of Advanced Cyberinfrastructure (Award #1842042) and is a collaboration between the University of Southern California, University of North Carolina at Chapel Hill, University of Notre Dame, University of Utah, and Indiana University. The working group would like to thank the following institutions and organizations for the collaboration and contributions to the engagement: Internet2 and InCommon, the CILogon team, the COmanage team, and the Globus team.




Monday, January 11, 2021

Trusted CI Webinar: SciTokens: Federated Authorization for Distributed Scientific Computing Mon Jan 25 @11am Eastern

Members of SciTokens are presenting the talk, SciTokens: Federated Authorization for Distributed Scientific Computing, on Monday January 25th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

SciTokens (https://scitokens.org/), an NSF CICI project, works to advance the use of bearer tokens and capabilities in distributed scientific infrastructures. It applies the JSON Web Token (JWT) and OAuth standards to the needs of scientific cyberinfrastructure, where widely-distributed computing, data, instruments, and software services are harnessed for scientific workflows, requiring an authorization mechanism that itself is distributed. Typically, JWTs are used in a single web application, with a single token issuer and verifier, and OAuth2 deployment scenarios support only one or a few token issuers, using opaque tokens that must be validated by a callback to the corresponding issuer. In contrast, SciTokens supports many token issuers, with signing keys, policies, and endpoint URLs published via OAuth Authorization Server Metadata, using self-describing JWTs rather than opaque tokens, so the tokens can be independently verified by distributed services without requiring a callback to the token issuer.

The use of JWTs with OAuth is now a draft profile of the IETF OAuth working group. OAuth token refresh enables long-lived scientific workflows, and OAuth Token Exchange enables workflow systems to reduce token privileges, effectively implementing least-privilege delegation across the cyberinfrastructure ecosystem.

In this webinar, members of the SciTokens project will discuss progress since their 2019 NSF Summit presentation, including the project's latest open source software releases, interoperability with the WLCG Common JWT Profiles, updates from Fermilab, LIGO, XSEDE, and WLCG (presented at the recent TAGPMA Workshop on Token-Based Authentication and Authorization), and support for SciTokens in CILogon and HTCondor.
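The two mechanisms the abstract leans on, signing keys published through OAuth Authorization Server Metadata and self-describing tokens that a service verifies without calling back to the issuer, together with the claim-based authorization that the GAGE engagement above passes to its portal in OIDC tokens, as an added example. This is not SciTokens project code: the issuer and service URLs, the kid, the scope strings and the 1024-bit key are constructed for the demo, the fetch callback reads an in-memory dict where a real service would do an HTTPS GET, and the RSA arithmetic is a textbook standard-library stand-in so the block runs without a JWT library. In a deployment you would use a maintained JWT/JWKS library and a real key store; the check order in `verify` is the part worth keeping.

```python
# Added example (not SciTokens code); textbook RSA on the stdlib for a self-contained demo, not production crypto.
import base64, hashlib, json, math, secrets, time

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    d, r = n - 1, 0                      # Miller-Rabin: adequate for a demo key, not a production keygen
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1: break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c): return c

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    # DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2), then 00 01 FF..FF 00 || T
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

class Issuer:
    """Holds the private key, publishes AS metadata + JWKS, mints RS256 JWTs."""
    WELL_KNOWN = "/.well-known/oauth-authorization-server"

    def __init__(self, url: str, kid: str, bits: int = 1024):
        self.url, self.kid, self.e = url, kid, 65537
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        while p == q or math.gcd(self.e, (p - 1) * (q - 1)) != 1:
            p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        self.n, self.d = p * q, pow(self.e, -1, (p - 1) * (q - 1))
        self.k = (self.n.bit_length() + 7) // 8

    def publish(self) -> dict:
        jwks_uri = self.url + "/jwks"    # URL -> body, as the issuer would serve them over HTTPS
        jwk = {"kty": "RSA", "kid": self.kid, "alg": "RS256", "use": "sig",
               "n": b64url_encode(self.n.to_bytes(self.k, "big")), "e": b64url_encode(self.e.to_bytes(3, "big"))}
        return {self.url + self.WELL_KNOWN: json.dumps({"issuer": self.url, "jwks_uri": jwks_uri}),
                jwks_uri: json.dumps({"keys": [jwk]})}

    def mint(self, sub: str, aud: str, scope: str, lifetime: int = 300) -> str:
        now = int(time.time())
        header = {"alg": "RS256", "typ": "JWT", "kid": self.kid}
        claims = {"iss": self.url, "sub": sub, "aud": aud, "scope": scope,
                  "iat": now, "exp": now + lifetime, "ver": "scitoken:2.0"}
        signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
        sig = pow(_emsa_pkcs1_v15(signing_input.encode(), self.k), self.d, self.n)
        return signing_input + "." + b64url_encode(sig.to_bytes(self.k, "big"))

class Verifier:
    """A service that trusts a fixed set of issuers; fetch(url) stands in for an HTTPS GET."""
    def __init__(self, audience: str, trusted_issuers, fetch):
        self.audience, self.trusted, self.fetch, self._keys = audience, set(trusted_issuers), fetch, {}

    def _jwks(self, iss: str) -> list:
        if iss not in self._keys:  # discovery once per issuer, then cached: no per-token callback
            meta = json.loads(self.fetch(iss + Issuer.WELL_KNOWN))
            if meta.get("issuer") != iss:
                raise ValueError("metadata issuer mismatch")
            self._keys[iss] = json.loads(self.fetch(meta["jwks_uri"]))["keys"]
        return self._keys[iss]

    def verify(self, token: str) -> dict:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        if header.get("alg") != "RS256" or claims.get("iss") not in self.trusted:
            raise ValueError("disallowed alg or untrusted issuer")  # token never picks the alg; trust before keys
        key = next((j for j in self._jwks(claims["iss"]) if j.get("kid") == header.get("kid")), None)
        if key is None:
            raise ValueError("unknown kid")
        n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
        sig = int.from_bytes(b64url_decode(s64), "big")
        if sig >= n or pow(sig, e, n) != _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), (n.bit_length() + 7) // 8):
            raise ValueError("bad signature")
        aud = claims.get("aud")
        if claims.get("exp", 0) <= time.time() or self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("expired or wrong audience")
        return claims

def authorized(claims: dict, action: str, path: str) -> bool:
    """SciTokens scope semantics: 'read:/data' grants read on /data and everything below it."""
    want = path.rstrip("/").split("/")
    for s in claims.get("scope", "").split():
        act, _, base = s.partition(":")
        parts = base.rstrip("/").split("/")
        if act == action and want[:len(parts)] == parts:
            return True
    return False
```

`Issuer(url, kid).publish()` returns the two documents a real issuer serves at its well-known metadata path and at `jwks_uri`; `Verifier(audience, trusted_issuers, fetch).verify(token)` returns the claims or raises `ValueError`. The order of checks is the point: the verifier fixes the algorithm itself rather than trusting the header, rejects an issuer it does not trust before fetching any key material, selects the key by `kid`, and only checks `exp` and `aud` once the signature holds. Path matching in `authorized` is component-wise, so `read:/data/ligo` does not cover `/data/ligobis`.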

Speaker Bios: Jim Basney is a Principal Research Scientist in NCSA's Cybersecurity Division, Brian Bockelman is an Investigator at Morgridge Institute for Research, Todd Tannenbaum is a Researcher in Distributed Computing at University of Wisconsin-Madison, and Derek Weitzel is a Research Assistant Professor at University of Nebraska-Lincoln.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

 

Wednesday, July 8, 2020

Introducing Trusted CI office hours: Thursday July 23 at 10am Central time

Trusted CI is launching a new monthly office hours project to provide direct assistance to members of our community in an informal setting. Our first session is Thursday July 23rd at 10am Central. Office Hours will be held on our Slack Channel.

Notification of upcoming sessions will be communicated via our Discuss list. Subscribe to the Trusted CI Discuss List. (Posting is limited to subscribers to prevent spam.)

This month's session will be attended by experts in identity and access management (IAM); but we welcome any cybersecurity questions related to your project, or questions regarding services offered by Trusted CI.

Trusted CI offers many opportunities to connect with the open science community. We host webinars, the Trustworthy Data Working Group, and now office hours; all open to the general public. Our Framework Advisory Board, Large Facilities Security Team, IAM working group, and Fellows Program are targeted to more specific audiences. We hope you can find one or more opportunities to connect with us.

Thursday, October 3, 2019

CI CoE Pilot - NEON IdM Experiences

The Cyberinfrastructure Center of Excellence (CI CoE) Pilot project, in collaboration with Trusted CI, recently completed an identity and access management engagement with the National Ecological Observatory Network (NEON) to update the NEON Data Portal to use OpenID Connect for user authentication. A paper summarizing this engagement is available.

The goal of the CI CoE Pilot project is to develop a model for a CI CoE that facilitates community building and sharing, and applies knowledge of best practices and innovative solutions for NSF's major multi-user research facilities. One sub-component of the Pilot project is to gain experience with implementing identity management (IdM) solutions for facilities.

NEON was selected as the initial IdM engagee with the intent to assist them with moving the NEON Data Portal away from managing local user credentials and towards leveraging industry standards such as OpenID Connect (OIDC). The implementation involved transitioning to Auth0, which not only imported the existing database of Data Portal users, but also allowed users to log in with third-party OIDC Identity Providers (IdPs) Google and CILogon.

Friday, September 6, 2019

Trusted CI Finishes Engagement with the American Museum of Natural History

The American Museum of Natural History (AMNH) conducts research and education activities spanning multiple branches of science. Through the National Science Foundation's Campus Cyberinfrastructure (CC*) program (NSF OAC-1827153), AMNH developed and installed a Science DMZ to enable high speed transfer of large data sets. Connections were deployed regionally via NYSERnet and nationally via Internet2. Additionally, AMNH's ADFS identity management system was federated with InCommon to give researchers access to Globus data transfer nodes (DTNs).

Trusted CI's engagement with AMNH initially focused on developing an information security program tailored to the new Science DMZ. This effort started by reviewing existing AMNH policies and procedures which might apply to the Science DMZ. After this initial examination, it was decided that the accelerated timeline for installation and configuration of both the Science DMZ and the ADFS federation with InCommon left little time for refinement of a few security policy documents. Instead, effort was focused on fine-tuning system configuration for the Science DMZ by consulting outside expertise from ESnet.

Trusted CI documented the activities of this engagement in a final report. AMNH intends to document the processes of installation and configuration of their Science DMZ and the federation of their ADFS identity management system with InCommon. This documentation may give other similarly sized institutions a good starting point for installation of a Science DMZ or ADFS integration with InCommon.

The Trusted CI-American Museum of Natural History engagement began January 2019 and finished June 2019.

Tuesday, July 23, 2019

Trusted CI begins engagement with the United States Academic Research Fleet

The United States Academic Research Fleet (ARF, funded by multiple NSF awards) consists of eighteen oceanographic research vessels organized by the University-National Oceanographic Laboratory System (UNOLS) that vary in size and capability from large Global Class vessels to Coastal Class vessels. As a large facility, the ARF is unique because its primary assets (research vessels) are owned by several different agencies and independently operated by fourteen different oceanographic research institutions. The ARF supports seagoing research for scientific disciplines which require access to the sea. It is vital to programs as small as single-PI nearshore projects and as large as global multi-PI expeditions. The ARF provides multi-institutional and multi-disciplinary shared research infrastructure to serve these research projects. This infrastructure helps to advance research and education across a wide variety of disciplines for a diverse community.

The US ARF faces unique cybersecurity challenges due to the remote nature of the platforms and the increasing use of operational technology on research vessels. The fact that the platforms are operated by different institutions with distinct standards and policies further compounds these issues. As the platforms serve the same customers, a unified CI solution that works across institutional requirements would provide a more consistent environment to all personnel coming aboard US ARF ships. The engagement between Trusted CI and ARF will work to establish a unified cyberinfrastructure security plan that will both serve the evolving security needs of its community and prepare the ARF for operational cybersecurity requirements due to be enforced by the International Maritime Organization in 2021.

This engagement began in July 2019 and is scheduled to conclude by the end of December 2019.

Wednesday, February 13, 2019

Trusted CI Begins Engagement with the American Museum of Natural History

The American Museum of Natural History (AMNH) is home to more than 200 scientists conducting scientific research spanning anthropology, astrophysics, biology, geosciences, and paleontology. Through the National Science Foundation's Campus Cyberinfrastructure (CC*) program (NSF OAC-1827153), AMNH is making major upgrades to its network with a priority on scientific data flows. Improvements include high-speed "science-access" switches for research departments, a new Science DMZ complete with data transfer nodes (DTNs) implementing high-speed transfer via Globus, network performance monitoring with perfSONAR, connections with regional (NYSERNet) and national (Internet2) high-speed networks, deployment of federated login with InCommon, and education and training for scientists and the broader research and education community.

Trusted CI's engagement with AMNH will focus on the following activities.
Trusted CI will document the activities of this engagement in a final report to be made available to the public. Additionally, AMNH intends to capture implementation and "best practices" security configuration of their new Science DMZ in a "how-to" document which can be used as an exemplar by other institutions of similar size and scope wishing to deploy their own Science DMZ.

The Trusted CI-American Museum of Natural History engagement began January 2019 and is scheduled to conclude by the end of June 2019.

Tuesday, January 8, 2019

Trusted CI Completes Engagement with the Environmental Data Initiative

The Environmental Data Initiative (EDI) (NSF DBI-1565103, NSF DEB-1629233) is an NSF-funded project accelerating curation and archival of environmental data with emphasis on data from projects funded by the NSF Division of Environmental Biology. Trusted CI's engagement with EDI began August 2018 and concluded December 2018. The engagement report is available at https://hdl.handle.net/2142/101921.

The engagement focused on Identity and Access Management (IAM) issues associated with the data repository API software PASTA+ (Provenance Aware Synthesis Tracking Architecture - Plus). Authenticated access to the data repository is currently performed by binding to an LDAP server with the user's username and password. While the current LDAP authentication implementation is functional, authorization is tightly coupled to the user identifier rather than to LDAP groups. EDI staff are interested in moving away from the current LDAP authn/authz implementation toward a more modern solution, with an emphasis on maintaining the current access control rule schema.

With this goal in mind, Trusted CI staff spent considerable effort in examining the current authn/authz implementation and how it could be updated to use current standards such as OAuth 2.0 / OpenID Connect (OIDC). Trusted CI staff concluded the engagement by presenting four available OAuth2/OIDC providers, as well as two potential group management solutions which could be used for authorization. Step-by-step tutorials were written detailing how to configure each solution as well as sample implementation code in several programming languages.

The need for modern, standards-compliant authentication and authorization systems is common across cyberinfrastructure projects, so the tutorials developed during this engagement have been made available at https://trustedci.org/iam for broader community use.

Tuesday, August 14, 2018

Trusted CI Begins Engagement with the Environmental Data Initiative

The Environmental Data Initiative (NSF DBI-1565103 and DEB-1629233) is an NSF-funded project accelerating curation and archive of environmental data, emphasizing data from projects funded by NSF’s Divisions of Biological Infrastructure and Environmental Biology.  EDI provides support, training, and resources to help archive and publish high-quality data and metadata. They operate a secure data repository and work closely with the Long Term Ecological Research Network (LTER) and DataONE to promote data management best practices.

The goals of this engagement are to review current authentication and authorization mechanisms, identify features and requirements for the future version of the EDI Data Portal and associated backend API, and document currently available authentication and authorization solutions. 

The Trusted CI-Environmental Data Initiative engagement began August 2018 and is scheduled to conclude by the end of December 2018.

Wednesday, August 1, 2018

Trusted CI begins engagement with SAGE2


SAGE2 is a multi-site collaboration and visualization tool designed for use with tiled display walls. The mission of SAGE2 is to provide an innovative, user-centered, web-based platform for enabling local and/or distributed teams to display, manage, share, and investigate large-scale datasets on tiled display walls to glean insights and discoveries with greater speed, accuracy, comprehensiveness, and confidence. The project achieves this using web-based technologies such as Node.js that are maintained by large user communities. The project provides installation packages for deployment as well as hardware recommendations for new users who are building display walls for the first time. More information about SAGE2 can be found here.

In the last 4 years, institutions have installed over 90 display walls, half of which are in the US and half international, forming an estimated hardware infrastructure investment in excess of $8M. In addition, SAGE2’s user community is growing to include sectors outside of traditional higher-ed and research communities. The diversity and distributed nature of the SAGE2 user base provides a growing set of security concerns. Identity and access management procedures in particular provide unique challenges given the variety of institutions using SAGE2 to collaborate using display walls.

The primary goal of this engagement is to outline Identity and Access Management (IAM) procedures appropriate for SAGE2’s distributed user base. Trusted CI will also seek to identify and prioritize future security goals and additional opportunities to improve the security of SAGE2.

This engagement began in July 2018 and concludes by the end of December 2018.

Monday, October 30, 2017

IAM for Research Organizations at AGU17

CILogon and CTSC are co-organizing a workshop on Identity and Access Management for Research Organizations co-located with the 2017 AGU Fall Meeting. The workshop will provide an overview of identity and access management (IAM) issues including single sign-on (SSO) facing research collaborations and demonstrate IAM solutions available to both large and small collaborations using interactive tutorials. CTSC's Jim Basney and Scott Koranda will present.

The workshop will be held Sunday, December 10 from 9am to 5pm CT at the Hilton New Orleans Riverside. Visit the workshop's Eventbrite page to register. There is no registration fee. Space is available for up to 20 attendees.

Workshop topics will include:
  • Research Identity Management Process Needs
  • Federated Identity for Authentication (SAML and OIDC)
  • The Complexities of SAML Federation
  • Non-Browser Clients and Federated Identity
  • Participant Lifecycle Management
  • Application Integration and Provisioning
Please contact jbasney@illinois.edu with any questions about the workshop.

Sunday, March 12, 2017

CCoE Webinar March 27th 11am EDT: SDN and IAM Integration at Duke



Duke University's Richard Biever and Charley Kneifel are presenting the talk "SDN and IAM Integration at Duke," on March 27th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation with attached calendar file.

Over the past 4 years, Duke has established SDN bypass networks, an SDN mediated Science DMZ, and other services that rely on identity data about the users and the equipment at Duke. One such service is the Protected Research and Data Network (PRDN), which makes use of our Identity Management (IDM) services both for Duke researchers and their collaborators at other institutions.

In this presentation we will discuss the path that Duke took to implement our network, link the various pieces together, and the security model used to protect the network and detect unusual activity. Web based access to services provided inside of our PRDN allows for simple implementation of multi-factor authentication, and we will present some novel methods for providing access to both Windows and Linux services inside of a browser. We will also discuss Plexus, our Ryu based SDN controller, and our plans around the firewall/proxy management application, Locutus, that allows us to support multiple controllers in different spaces of our network (an alternative to FlowSpace Firewall). A short discussion of our ability to integrate with GENI/ExoGENI services, AL2S, and our regional SDN project will be included.

More information about this presentation is on the event page.

Presentations are recorded and include time for questions with the audience.

Join CTSC's discuss mailing list for information about upcoming events. To submit topics or requests to present, contact us here. Archived presentations are available on our site under "Past Events."

Wednesday, August 12, 2015

October 2015 WISE Workshop

Operators of scientific cyberinfrastructure (CI) and National Research and Education Networks (NRENs) will be meeting October 20-22 in Barcelona to discuss security collaboration at the WISE Workshop ("Wise Information Security for collaborating E-infrastructures"). Participants will discuss evaluating the maturity of security operations using frameworks such as ISO 27000, the Trust Framework for Security Collaboration among Infrastructures (SCI), and the CTSC Guide. Also, participants will discuss security incident handling, including the Security Incident Response Trust Framework for Federated Identity (Sirtfi). Please consider joining us at the workshop. It will be a particularly valuable opportunity for security staff supporting international scientific collaborations to interact with their European counterparts. Registration is now open. If you have any comments, including topics you would like CTSC staff to raise at the workshop, please join the CTSC discussion list or contact CTSC directly.

Monday, June 8, 2015

AARC and CTSC Collaborate on Interfederation

CTSC is starting a collaboration with the European Authentication and Authorisation for Research and Collaboration (AARC) project on use of federated identities for international science. AARC is a two year project that started May 2015. Jim Basney from CTSC joined the June 3-4 AARC kick-off meeting to begin the collaboration.

As the infrastructures for international scientific collaborations migrate from X.509 to SAML for identity management, there is a strong need for interoperability across national SAML federation boundaries. In 2014, the US InCommon federation joined eduGAIN, which connects SAML federations around the world, and now InCommon is engaging with science projects on international interfederation pilots. At the same time, the AARC project in Europe is addressing international adoption of SAML federations by research projects. This represents an opportunity to achieve critical mass around EU-US interfederation activities for science, with CTSC providing needed coordination on the US side.

Specific goals for the CTSC-AARC collaboration include:
  1. Training: Develop and disseminate training materials to enable science projects to implement federated access.
  2. Pilots: Facilitate US participation in interfederation pilot projects.
  3. Incident Response: Establish an operational framework for security and incident response in R&E federations via the SIRTFI working group.
  4. Levels of Assurance: Map requirements of cyberinfrastructure providers to an assurance framework that can be implemented in a cost-effective manner by identity federations. 
CTSC will gather input from US cyberinfrastructure (CI) projects for AARC activities, disseminate training and other AARC project outputs to US CI projects, and facilitate EU-US pilot projects.

To participate in the discussion, please join the CTSC Federated Identity Discussion List.

Friday, May 29, 2015

Analyzing authentication events

Part of CTSC's mission is to help educate the NSF community about tools and processes related to cybersecurity. For example, our software assurance team offers tutorials on static analysis tools and to test those tools, they provide benchmark datasets (code). In this article, we describe tools (Python modules) and a benchmark dataset for analyzing authentication data. However, the tools are sufficiently general that they could apply to other types of data related to cybersecurity, e.g. network traffic or more general data flows.

I recently had the pleasure of attending the SIAM Workshop on Network Science where I presented our poster on the analysis of a rather large authentication¹ dataset. The public dataset was made available from Los Alamos National Laboratory (LANL) and represented over 700 million anonymized authentication events over a nine-month period.[1][2]

Our poster submission demonstrated the use of Python to analyze and visualize the data. Since our scripts relied on various Python modules not found in the standard library, we recommended using the Anaconda Python distribution (3.x) which contained those modules (and a lot more). One key module that we used, to perform some of the network analysis, was NetworkX. Another module, to plot results, was matplotlib. We also demonstrated how one could use the IPython Notebook in a browser.

An authentication event was represented as a simple entry: "time,user,computer", where "time" was in seconds offset from the beginning, and "user, computer" were anonymized entries with unique numeric identifiers (e.g. U214,C148). We preprocessed the dataset to generate two files: one containing just the time values, another representing the user-computer information as a global, static graph. This type of graph, with two disjoint sets of nodes (users and computers), is known as a bipartite graph. Since the second file, containing the graph, took about 8 hours to generate, we made it publicly available in case others wanted to experiment. (Generating the first file, with only time values, just took a few minutes using one of our scripts.)

Our first step was to perform a sanity check on the time values for the authentication events. Fig. 1 is a histogram plot of all events over the nine-month period. Using the matplotlib module, we can interactively select a region to zoom into and see general daily and weekly usage patterns. The script to generate this histogram is parameterized so that a user can see more detailed (or coarse) plots.

Fig. 1: A histogram, over time, of all authentication events (top); zooming into a 2 week window (bottom)

Next, we use the NetworkX module to plot the graph and zoom in on particular nodes that seem to be hubs in the network. In the following two figures, the User nodes are colored red and Computer nodes are colored white. Fig. 2 shows C148 as a hub with numerous User nodes connected to it. Fig. 3, in contrast, shows U12 connecting to numerous computers. Obviously, if we had more information about the authentication events, we might be able to determine that certain User hubs were, for example, just the result of system administrators performing maintenance. On the other hand, it may be an indication of questionable user behavior.

Fig. 2: Node C148 as a hub.

Fig. 3: Node U12 as a hub.

In addition to visually inspecting the graph, we can programmatically analyze it to discover certain features, e.g., hubs or connected components. These techniques can be found in our poster and scripts.
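As an added example (it is not code from the authpy repository or the poster), the following standard-library Python does the same preprocessing and analysis on constructed "time,user,computer" lines: it bins event times for a histogram like Fig. 1, builds the static bipartite user-computer graph, and finds hubs and connected components without NetworkX, so it runs anywhere. The sample lines, the "U"/"C" node prefixes taken from the page's own identifiers, and the degree threshold are assumptions.

```python
"""Bipartite authentication graph from "time,user,computer" event lines.

Added illustration using only the standard library; the event lines are
constructed for the example and are not from the LANL dataset.
"""
from collections import defaultdict, deque

# Constructed sample: seconds offset, anonymized user, anonymized computer.
# The header line mimics a CSV export and is skipped by the parser.
SAMPLE_EVENTS = """\
time,user,computer
1,U1,C148
5,U2,C148
9,U3,C148
60,U12,C5
61,U12,C6
62,U12,C7
3600,U4,C9
3700,U4,C9
86401,U5,C10
90000,U12,C148
"""


def parse_events(text):
    """Yield (time, user, computer) tuples; skip blank, header and malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        t, user, comp = parts
        try:
            yield int(t), user, comp
        except ValueError:      # header line or non-numeric time
            continue


def histogram(events, bin_seconds):
    """Event counts per time bin: the data behind Fig. 1 at any resolution."""
    counts = defaultdict(int)
    for t, _, _ in events:
        counts[t // bin_seconds] += 1
    return dict(counts)


def build_graph(events):
    """Global, static bipartite graph as undirected adjacency sets.

    Users only ever neighbour computers and vice versa, so the two node
    sets are disjoint by construction. Repeated events collapse to one edge.
    """
    adj = defaultdict(set)
    for _, user, comp in events:
        adj[user].add(comp)
        adj[comp].add(user)
    return adj


def hubs(adj, prefix, min_degree):
    """Nodes of one partition ('U' users or 'C' computers) with degree >= min_degree,
    highest degree first."""
    return sorted(
        (n for n, nbrs in adj.items() if n.startswith(prefix) and len(nbrs) >= min_degree),
        key=lambda n: (-len(adj[n]), n),
    )


def connected_components(adj):
    """Breadth-first search over the adjacency sets; returns a list of node sets."""
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            n = queue.popleft()
            comp.add(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        comps.append(frozenset(comp))
    return comps


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_EVENTS))
    g = build_graph(evs)
    print("daily bins:", histogram(evs, 86400))
    print("computer hubs:", hubs(g, "C", 3), "user hubs:", hubs(g, "U", 3))
    print("component sizes:", sorted(len(c) for c in connected_components(g)))
```

Swapping the adjacency dict for a NetworkX `Graph` (one `add_edge(user, comp)` per event) gives the same hubs via `degree()` and the same components via `connected_components()`; the point of the pure-Python version is that a user hub such as U12 and a computer hub such as C148 fall out of a simple degree count once the 700-million-line file has been reduced to the static graph.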



Discussing results with LANL's Hagberg (left)

According to LANL's Aric Hagberg, there will likely be another dataset coming sometime this year that will have more metadata.

Our abstract, poster, Python scripts, and additional documentation can be found at https://github.com/rheiland/authpy.

We welcome your comments.

1. Authentication, in this context, is the process of verifying the identity of a person connecting to, e.g. logging into, a computer.


[1] A. Hagberg, A. Kent, N. Lemons, and J. Neil. Credential hopping in authentication graphs. In 2014 International Conference on Signal-Image Technology Internet-Based Systems (SITIS). IEEE Computer Society, Nov. 2014.

[2] A. D. Kent, L. M. Liebrock, and J. C. Neil. Authentication graphs: Analyzing user behavior within an enterprise network. Computers & Security, 48:150-166, 2015.

Thursday, January 22, 2015

Soliciting input on federated identity/InCommon needs



Hello, Von Welch, CTSC Director and PI here.

I've recently accepted a one-year advisory term on the InCommon Steering committee. In that role, I will work to see the needs of NSF CI projects and similar research service providers (SPs) are addressed.

The first thing I'd like to work on is getting all universities of interest to NSF projects to streamline scientific collaboration by sending those projects a user's name and email address when the user authenticates to the project using InCommon federated authentication. The InCommon Research and Scholarship (R&S) program includes only 100 universities that agree to send name and email address, and some of the largest research universities do not participate in the R&S program.

We would like to change that. The InCommon Steering Committee plans to contact the CIOs at these universities to request their support. Knowing more about NSF funded projects that could benefit from outsourcing authentication to InCommon allows me to prioritize and strengthen those requests. As a starting point, if there is benefit to your project from specific universities supporting federated authentication and releasing a user's name and email address, please let me know who they are.

Going forward, I've created the CTSC Federated Identity Discussion List for further discussions around NSF CI projects and InCommon and federated identity. I won't be sending you any more emails directly, please join the list to be included in further discussions. You can find details at http://trustedci.org/ctsc-email-lists/

I welcome hearing any other concerns or suggestions you have about InCommon, now or in the future.

Regards,

Von 
--
Von Welch, Director and PI, Center for Trustworthy Scientific Cyberinfrastructure

Thursday, July 24, 2014

IDM Best Practice: Self Service Password Reset

Self service password reset is an important capability for scientific cyberinfrastructure (CI) providers that manage passwords for a large user community. Without it, providers risk being overwhelmed by support requests from users who have forgotten their passwords, and risk support staff becoming the targets of social engineering attacks as they follow ad hoc, manual password reset procedures.

We differentiate between password change and password reset. Password change is when the user enters both current and new passwords to update the password for an account. Password reset is when the user has forgotten the current password for the account and needs to establish a new password.

CI providers should avoid re-implementing the password reset workflow if possible. Using external identity providers (e.g., InCommon and/or Google) avoids the risks of managing passwords directly, enables users to log in via an account that they use regularly (so users are less likely to forget the password), benefits from available security features such as two factor authentication, and leverages the password recovery support of the external identity provider(s). Alternatively, CI providers could use an existing password reset workflow built-in to their web application framework (e.g., Joomla or Laravel) or identity management (IDM) platform.

However, in our experience CI providers still sometimes find the need to implement password reset in their unique environment. In this article, we provide an example email-based password reset workflow and discuss design choices and risks that CI providers should consider when implementing password reset. The workflow assumes that users have previously registered a contact email address that can be used for password resets.

Password Reset Workflow

The goal of the following workflow is to allow a registered user to reset their password without requiring assistance from support staff.

  1. On the "Sign In" page, the user clicks the "Forgot Password?" link.
  2. The user is prompted to enter their username or registered email address.
  3. The user is prompted to "check your email for a password reset code to enter below".
  4. The user enters the password reset code on the web form.
  5. The user enters their newly chosen password.
  6. The user can now sign in with the newly chosen password.

Behind the Scenes

To implement this workflow, the web application performs the following actions behind the scenes:

When the user enters a username or email address (step #2), the web application checks for a match with a valid user account. As with any user-supplied input, the web application passes the username and email address to back-end databases only through parameterized queries (or an equivalent escaping mechanism), to protect against injection attacks. In response to the user's submission, the web application does not indicate whether a match was found, to avoid disclosing the existence of registered accounts to unauthenticated users. Instead, whether a match was found or not, the web application displays, "Please check your email for a password reset code to enter below. If you do not receive an email message, please contact the help desk" (step #3). The response time should be the same in both cases as well (for example, by handing the message to a mail queue rather than sending it before replying), since a noticeably slower reply for matching accounts leaks the same information. If the username or email address provided by the user does not match a valid account, no further action is taken.

If the web application finds a valid account matching the user's input, the next step is to generate the password reset code (for example, an 8 digit number from a cryptographically secure random number generator), store a salted hash of the reset code (for example, using bcrypt) with a timestamp and the user's account ID, replacing any earlier unused code for that account, and send the email message to the user's registered email address. The password reset code is a time-limited, one-time-use random "nonce" value that confirms the user received the message at the registered email address. The web application removes stored reset code entries immediately after use or after the time limit (for example, 15 minutes) has elapsed, and also checks the timestamp whenever a code is entered, so that an expired code is rejected even if the cleanup has not yet run.

Next, the user enters the password reset code from the email message on the web form (step #4). Because only a salted hash is stored, the code cannot be looked up directly: the web application retrieves the pending entry for the account identified in step #2 (for example, remembered in the server-side session), hashes the entered code with that entry's salt, and compares the result to the stored hash using a constant-time comparison. If no match is found, the application displays an error and prompts the user to try again (for example, allowing up to 3 tries before aborting the process and discarding the code). If a match is found, the application prompts the user to enter a new password (twice for confirmation) (step #5) and checks that the new password is sufficiently strong. If it is, the application changes the user's password to the new value, removes the stored reset code entry, and sends a confirmation email to the user's registered email address. The user can now return to the standard "Sign In" page and proceed to log in with the new password (step #6).
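The workflow above as an added example; this is not code from CTSC, the XSEDE User Portal or HUBzero. It is an in-memory Python sketch in which the account store, the outbox that stands in for the mail server, the 12-character strength rule, and PBKDF2-HMAC from the standard library in place of bcrypt are all assumptions made so the example runs offline. The username is passed to the code-verification and password-setting calls because, in a real deployment, it would be carried in the server-side session from step #2.

```python
"""Email-based self-service password reset following the CTSC workflow.

Added illustration, not code from CTSC, XSEDE or HUBzero. Assumptions:
accounts and pending reset codes live in dicts, outgoing mail is appended
to an in-memory outbox, and PBKDF2-HMAC stands in for bcrypt so that the
example runs with no third-party modules.
"""
import hashlib
import hmac
import logging
import secrets
import time

CODE_DIGITS = 8            # 10**8 possible codes; 3 guesses give a 3e-8 success chance
CODE_LIFETIME = 15 * 60    # seconds a code stays valid
MAX_ATTEMPTS = 3           # failed entries before the reset is aborted
MIN_PASSWORD_LEN = 12      # assumed strength rule
NEUTRAL_REPLY = ("Please check your email for a password reset code to enter below. "
                 "If you do not receive an email message, please contact the help desk")

log = logging.getLogger("password_reset")   # never log the code or the password


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash (bcrypt stand-in) used for reset codes and passwords."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


def make_account(email: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "pw_hash": _hash(password, salt)}


def strong_enough(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LEN and not password.isalpha() and not password.isdigit()


class ResetService:
    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts      # username -> account dict
        self.clock = clock            # injectable so expiry can be exercised
        self.outbox = []              # (to, subject, body): stands in for the mail server
        self.pending = {}             # username -> {salt, hash, issued, attempts}

    def _find(self, identifier: str):
        for name, acct in self.accounts.items():
            if identifier in (name, acct["email"]):
                return name
        return None

    def request_reset(self, identifier: str, client_ip: str) -> str:
        """Steps 2-3: identical reply whether or not the identifier matches an account."""
        log.info("reset requested for %r from %s", identifier, client_ip)
        name = self._find(identifier)
        if name is not None:
            code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
            salt = secrets.token_bytes(16)
            # Only the salted hash is stored; any earlier unused code for this account is replaced.
            self.pending[name] = {"salt": salt, "hash": _hash(code, salt),
                                  "issued": self.clock(), "attempts": 0}
            # In production hand this to a mail queue so response time does not reveal a match.
            self.outbox.append((self.accounts[name]["email"], "Your password reset code",
                                f"Reset code: {code}\nIf you did not request this, contact the help desk."))
        return NEUTRAL_REPLY

    def _active_entry(self, name: str):
        entry = self.pending.get(name)
        if entry is not None and self.clock() - entry["issued"] > CODE_LIFETIME:
            del self.pending[name]    # expired: the code is a time-limited nonce
            entry = None
        return entry

    def verify_code(self, name: str, code: str, client_ip: str) -> bool:
        """Step 4: compare the entered code against this account's pending entry only."""
        entry = self._active_entry(name)
        if entry is None:
            log.warning("no active reset for %s from %s", name, client_ip)
            return False
        if hmac.compare_digest(_hash(code, entry["salt"]), entry["hash"]):
            return True
        entry["attempts"] += 1
        log.warning("bad reset code for %s from %s (attempt %d)", name, client_ip, entry["attempts"])
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[name]    # abort; the user must start over with a new code
        return False

    def set_password(self, name: str, code: str, new_pw: str, confirm: str, client_ip: str) -> bool:
        """Step 5: re-verify the code, enforce strength, change the password, notify the user."""
        if not self.verify_code(name, code, client_ip):
            return False
        if new_pw != confirm or not strong_enough(new_pw):
            return False
        acct = self.accounts[name]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = _hash(new_pw, acct["salt"])
        del self.pending[name]        # one-time use
        self.outbox.append((acct["email"], "Your password was reset",
                            "If you did not do this, contact the help desk."))
        log.info("password reset completed for %s from %s", name, client_ip)
        return True

    def login(self, name: str, password: str) -> bool:
        """Step 6: ordinary sign-in against the stored salted hash."""
        acct = self.accounts.get(name)
        return acct is not None and hmac.compare_digest(_hash(password, acct["salt"]), acct["pw_hash"])
```

Three properties of the workflow are visible in the code rather than only in prose: the reply and the outbox behaviour for an unknown identifier differ only in whether mail is queued, a dump of `pending` contains no usable code, and the code is consumed exactly once, whether by successful use, by expiry, or by the third failed attempt.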

Password Reset Email Messages

The above workflow sends two email messages to the user's registered email address: 1) the message containing the password reset code and 2) the message notifying the user that the password reset completed successfully. These messages should follow recommended practices for email communications, including a trustworthy From address (in the correct DNS domain) and no HTML content. The messages should also include instructions for contacting the help desk if the user did not initiate the password reset. The user's password should never be sent in email messages.

Logging and Monitoring

The password reset capability can be a target for attacks and a source of user support issues, so it is especially important to log all system activities related to password resets (reset requests, failed and successful code entries, completed resets) and to monitor for unexpected behavior such as bursts of requests against many accounts. Log messages should have accurate timestamps and should include the originating IP address for password reset requests, but must never contain the reset code or the new password.

Risks

The primary risk for the password reset process is the possibility that an attacker could reset a valid user's password and thereby obtain unauthorized access. Potential attack vectors include:

  • Disclosure of reset code via email: Since the password reset code is sent over unsecured email, it could potentially be disclosed via email account compromise or network eavesdropping, allowing an attacker to use the code to change the user's password. Enforcing a short lifetime on the reset code limits the window of vulnerability against this attack.
  • Network disclosure of passwords: The web application should follow HTTPS best practices (valid certificates, HSTS, no mixed content) to protect passwords and reset codes in transit against passive eavesdropping and active man-in-the-middle attacks. HTTPS alone does not stop phishing of the reset page; a consistent, recognizable sign-in page and user education are needed for that.
  • Exposure of reset code database: Storing reset codes in hashed (salted) form in the web application protects against disclosure of valid reset codes due to inadvertent disclosure of the reset code database.
  • Brute force attacks on reset codes: Generating long, random reset codes, valid for only a short time, makes it infeasible for an attacker to successfully guess a reset code through brute force. Aborting the reset process after 3 failed reset code entries also protects against guessing attacks: with 8 random digits (10^8 possibilities) and 3 attempts per code, the chance of guessing a given code is about 3 in 10^8. Because an attacker can request new codes repeatedly, the application should also rate-limit reset requests per account and per originating IP address, which additionally protects the victim's mailbox from being flooded with reset messages. However, beware making reset codes so long that they are inconvenient for users to input. (8 random digits is a reasonable length.)
  • Compromise of the password reset front-end web application: In a system architecture with a back-end authentication system (LDAP, Kerberos, etc.) that may be shared across multiple front-end systems, enabling a front-end web application to reset passwords introduces the risk that an attacker who compromises the web application could reset many user passwords and gain further unauthorized access. Unlike password change (which requires knowledge of a current valid password prior to making password updates), password reset trusts the web application to update passwords without further validation by the back-end authentication system. Isolating the password reset functionality to a dedicated, well-secured front-end system can help to mitigate this risk, as well as logging and monitoring on the back-end system.

Examples

The "Forgot Password?" links on the XSEDE User Portal and on HUBzero provide illustrative examples of self service password reset functionality similar to what is described above.

Self Service and Exceptional Cases

If all goes well with the above workflow, the user is able to reset their password without assistance from help desk staff, hence "self service". However, the user may still need assistance if (for example) they lose access to a previously registered email address and therefore can not complete the self service workflow. It is important to have documented processes for handling these exceptional cases at the help desk without introducing new risks for social engineering attacks. A phone call from the help desk to a previously registered phone number can help re-establish account ownership. However, when in doubt as to the identity of the account holder, it may be better to ask the user to create a new account rather than risk improperly resetting the password on an existing account.

What do you think about self service password reset? Post your comments below.

For more about how CTSC helps NSF projects visit http://trustedci.org/howwehelp.