Obviously CTSC takes cybersecurity seriously. To that end it has published its own Cybersecurity Policies and Procedures. Included with the policies and procedures is a set of documents showing the analysis that went into creating them.
These were published both to assure projects CTSC engages with that we take appropriate precautions with their data and to serve as an example to the community.
Monday, September 16, 2013
Wednesday, September 11, 2013
Resources for getting started in Identity and Access Management (IAM)
Recently an NSF project asked CTSC about some resources for getting started in identity and access management. The following was our response:
In terms of some guidance on IAM, the Higher Ed Information Security Guide has a good primer on Identity and Access Management:
And while parts are specific to InCommon, other parts of the CI InCommon Roadmap are more general and would serve you well even if you use, e.g., Google IDs:
In terms of examples from other NSF CI projects, work from OOI and DataONE serve as good examples:
http://mule1.dataone.org/ArchitectureDocs-current/design/Authentication.html
Edited to add...
[9/12] The COmanage project has an IdM Requirements Assessment process for virtual or collaborative organizations (VOs/COs): https://spaces.internet2.edu/display/COmanage/CO+Requirements+Assessment
Wednesday, August 21, 2013
CTSC Presentation on NSF CI Cybersecurity Challenges and CTSC Activities
Earlier this month I had the opportunity to make a presentation at the NSF on cybersecurity challenges facing NSF cyberinfrastructure (CI) and what CTSC and the NSF CI community are doing to tackle those challenges. That presentation is available at http://pres.vonwelch.com/pres/CTSC-NSF-Jul-2013.pdf.
Labels:
presentations
Tuesday, July 23, 2013
Summer of Networking Poster Presentations
For the past several years, Indiana University's InCNTRE has hosted the Summer of Networking, bringing in interns from around the country to learn about networking, cybersecurity and related topics.
This year, CTSC mentored one intern, Betsy Thomas, in exploring how a virtual organization could be used to enhance incident detection across a number of sites. She will be presenting her work during the Summer of Networking poster session this Wednesday from 11:30am-1:30pm ET. If you are in Bloomington that day, please drop by to see the work done by Betsy and the other Summer of Networking interns.
Edited: Poster session is Wednesday, not Thursday.
Labels:
events
Friday, June 7, 2013
Pegasus & CTSC complete engagement around security for SSH credentials
CTSC recently completed one of its initial engagements, with the Pegasus project. Pegasus is a workflow management system that supports a breadth of computational sciences including astronomy, bioinformatics, ocean science, and many more. Pegasus workflows typically operate across distributed resources and sometimes need to stage data files between compute resources and storage resources. Some storage resources support mechanisms that allow Pegasus to delegate to the workflow the ability to access those resources. Other storage resources don't have this ability, e.g., resources that use secure shell (SSH).
When staging requires SSH, Pegasus currently has no choice but to send a private key with the workflow. The goal of this engagement was to examine this practice and recommend possible improvements from the perspective of cybersecurity. CTSC provided three recommendations to the Pegasus team to improve current practice: (1) If system administrators are willing, have them deploy a mechanism that supports security delegation, such as Kerberos or GSI; (2) provide assistance to users in using SSH’s ability to impose restrictions in the authorized_keys file to limit the privileges of SSH keys used for workflows; and (3) utilize ssh-agent to minimize exposure of SSH credentials in the workflow by avoiding writing those credentials to the filesystem. We also describe alternatives we considered, but do not recommend. For more information, please see the Pegasus-CTSC Engagement Final Report, available at http://hdl.handle.net/2022/15562.
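As an added example (not code from the Pegasus project or from the CTSC report), the POSIX shell below shows what recommendations (2) and (3) look like in practice: a helper that writes a restricted authorized_keys entry for a dedicated workflow key, a check that an entry carries those restrictions, and a wrapper that holds the private key in ssh-agent for the duration of one job. The public key string, the source address range and the staging command are placeholders constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from Pegasus or the CTSC report. The key, host
# range and staging command below are constructed placeholders.

# (2) Build an authorized_keys entry that limits what a workflow key may do:
#   from=      accept the key only from the listed hosts / CIDR range
#   command=   force one staging command; whatever the client asked to run
#              is ignored (the forced command can inspect $SSH_ORIGINAL_COMMAND)
#   no-*       no port, agent or X11 forwarding, no pty
# $1 = allowed source pattern, $2 = forced command, $3 = public key line.
# Neither $1 nor $2 may contain a double quote.
restricted_authorized_keys_entry() {
  printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
    "$1" "$2" "$3"
}

# Verify that an authorized_keys line carries every restriction we expect on a
# workflow key. Returns 0 if so; otherwise lists what is missing on stderr.
check_authorized_keys_entry() {
  line=$1
  missing=""
  for opt in 'from=' 'command=' no-port-forwarding no-agent-forwarding no-X11-forwarding no-pty; do
    case "$line" in
      *"$opt"*) ;;
      *) missing="$missing $opt" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "authorized_keys entry is missing:$missing" >&2
    return 1
  fi
  return 0
}

# (3) Run one staging command with the private key held only in ssh-agent.
# The key arrives on this function's standard input (e.g. piped from the
# submit side or a FIFO) and ssh-add reads it from stdin, so the job never
# writes it to the worker's filesystem. -t expires the key after $1 seconds
# and the agent is killed as soon as the command finishes.
run_with_agent() {
  life=$1; shift
  eval "$(ssh-agent -s)" >/dev/null || return 1
  if ! ssh-add -t "$life" -; then      # '-' = read the key from stdin
    ssh-agent -k >/dev/null; return 1
  fi
  "$@" </dev/null; rc=$?
  ssh-agent -k >/dev/null
  return $rc
}

# Demonstration with a constructed (not real) public key.
pubkey='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyData workflow@example.org'
entry=$(restricted_authorized_keys_entry '203.0.113.0/24' '/usr/local/bin/stage-files' "$pubkey")
echo "$entry"
check_authorized_keys_entry "$entry" && echo "entry is restricted"
# A job would use the agent wrapper like this (key delivered on stdin):
#   deliver_key | run_with_agent 600 scp data.tgz storage.example.org:/incoming/
```

On OpenSSH 7.2 and later the single `restrict` option turns on the whole set of no-* restrictions; the explicit list above also works on the older releases that were in service when this engagement was done. Two caveats: the forced command must itself validate `$SSH_ORIGINAL_COMMAND` rather than passing it to a shell, and `from=` plus `command=` narrow the damage from a leaked key but do not remove it, since anyone holding the key on an allowed host can still run the staging command.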
Many thanks to the Pegasus team, including Ewa Deelman, Karan Vahi, Mats Rynge, and Gideon Juve, for the collaborative effort that made this work possible.
For more about how CTSC helps NSF projects visit http://trustedci.org/howwehelp/.
Tuesday, April 2, 2013
trust-HUB: an online community for hardware security and trust
A colleague pointed out the NSF-funded trust-HUB project to me last week: http://www.trust-hub.org/. trust-HUB, similar to CTSC's trustedci.org website, looks to build an online community working with hardware security and trust.
GSI-OpenSSH Security Advisory: pamuserchange-2013-01.adv
The GSI-OpenSSH team has published a security advisory that impacts deployments with the PermitPAMUserChange feature enabled (it is disabled by default). Default configurations of GSI-OpenSSH are not affected.
For details, please see http://grid.ncsa.illinois.edu/ssh/pamuserchange-2013-01.adv
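As an added check (not part of the advisory), the shell function below reports whether a given sshd_config enables PermitPAMUserChange, following the sshd_config rules that keywords are case-insensitive, a `#` begins a comment, and the first setting of a keyword wins. It reads only the single file it is given and does not evaluate Match blocks. The sample configuration text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the GSI-OpenSSH advisory. Sample configs below are
# constructed for the demonstration.

# Print "yes" if the config file $1 enables PermitPAMUserChange, else "no".
# Keywords are case-insensitive, '#' starts a comment, and sshd uses the
# first value it sees for a keyword. A keyword that never appears keeps the
# default, which for this feature is disabled, so the answer is "no".
pam_user_change_enabled() {
  awk '
    { sub(/#.*/, "") }                                  # drop comments
    NF >= 2 && tolower($1) == "permitpamuserchange" {
      if (tolower($2) == "yes") print "yes"; else print "no"
      found = 1; exit                                   # first value wins
    }
    END { if (!found) print "no" }
  ' "$1"
}

# Demonstration with constructed configs.
tmpdir=$(mktemp -d)
printf 'Port 22\n# PermitPAMUserChange yes\n' > "$tmpdir/default.conf"
printf 'permitpamuserchange YES # turned on\nPermitPAMUserChange no\n' > "$tmpdir/enabled.conf"
echo "default.conf: $(pam_user_change_enabled "$tmpdir/default.conf")"   # no
echo "enabled.conf: $(pam_user_change_enabled "$tmpdir/enabled.conf")"   # yes
rm -rf "$tmpdir"
```

Run it against each GSI-OpenSSH server's sshd_config (typically /etc/ssh/sshd_config, but check the path your build actually loads); any host that prints "yes" is in scope for the advisory.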