SlideShare a Scribd company logo

Enabling Science with Trust and Security – Guest Keynote

Globus
Globus

The document discusses the importance of trust frameworks and security programs in reducing risk to scientific cyberinfrastructure, enabling research while addressing security obligations, especially for sensitive data. It highlights collaboration between research computing, IT, and legal partners to implement effective security measures, as well as the complexity of managing federated user access across multiple organizations. Additionally, it emphasizes the necessity of aligning cybersecurity practices with federal standards to support secure research environments.

Technology
1 of 38
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Enabling Science with Trust and Security Tom Barton Sr Consultant for Cybersecurity & Data Privacy UChicago & Internet2 GlobusWorld 2019
What I’ll tell you • Security is all about enabling the mission by reducing risk to it • There are security programs designed to reduce risk to research • Trust frameworks reduce risk across complex cyberinfrastructure (CI) ecosystems • Trust frameworks & security enable scientific CI by reducing risk to it • Some practical ways to engage with these 2
The simplest case Human subjects research is perhaps the simplest example of security enabling science. Not that it’s easy! 3
4 Rigorous scientific methods help civic partners achieve the greatest social good per dollar
Liability incurred by contracts and regulation • Sensitive data provided under contract by external agencies • Variety of security obligations in Data Use Agreements • HIPAA Business Associate Agreements • Government contracts with DFARS flow down requirements • Federal security standards, focused on data confidentiality • Also subject to state regulations protecting personal information • Worst case: existential threat to associated research programs 5
Institutional strategy for secure research data • Research Computing, Research Administration, Legal, IT partnership to reduce risk to affected research • Provide security as a service to PIs so they don’t have to figure it out • Elements • Risk assessment in grants & contracts processes • Secure research computing service • Dean and VP Research level policy governance • Broad-based operational governance • Federal security standards: NIST SP 800-53/800-171/CUI • UChicago and many others have one or are moving in that direction 6
UChicago Secure Computing Environment 7
Benefits and dividends • On-going close coordination between research computing and central IT • Identity & access management • Security operations, incident response and risk assessment • Network engineering • Storage/recovery • Systems administration • Central IT learned how to support other sensitive computing needs • Re-usable building blocks of secure computing technologies and procedures • Total institutional cost is reduced with each re-use 8
Can CISOs and Research Computing Directors get along? • Yes! • "Enabling Trustworthy Campus Cyberinfrastructure for Science“ • Workshop by TrustedCI and InCommon, funded by NSF, September 2018 • Chief Information Security Officer and Research Computing Director teams from ~15 universities • Secure research computing needs drive successful partnerships among CISOs, RC Directors, Legal Counsel, Research Administration • Regardless of where RC Director and CISO report, large or small institution, centralized or decentralized 9
Review of the simplest case The scientific CI is in one organization, which makes feasible: • Close, on-going operational collaboration between research computing, central IT, information security • Implementation of Federal/NIST security standards Enables human subjects research programs by providing the help needed to address onerous security obligations 10
Security and risk Must it always be about complying with Federal/NIST security standards? 11
Security Defined by Merriam Webster 1: freedom from danger (safety), freedom from fear or anxiety 4: measures taken to guard against espionage or sabotage, crime, attack, or escape https://www.merriam-webster.com/dictionary/security We should emphasize definition #1, but security practice is traditionally focused on #4 12 slide credit: Von Welch
Data lost System unavailable Data altered Private data exposed Enforced shutdown Ransomware Cyber espionage Weaponization Hactivism Identity theft Mal intent Protective and responsive measures Prevent negative impact Extended disruption Cybersecurity – traditional view 13 CI system in designed state
Protective and responsive measures Data lost System unavailable Data altered Private data exposed Enforced shutdown Ransomware Cyber espionage Weaponization Misconfiguration Flaw in 3rd party component system Overlooked ancillary functions remain active System restored to unplanned state Uncaught data transport error Inadequate incident response capability Lack of operational coordination leaves system in unplanned stateHactivism Identity theft Mal intent Deltas to CI system design state Negative impact Extended disruption Cyber Risk – it’s not just about bad actors 14
Federal security standards address some IT risks 15 IT risk Federal security controls? Misconfiguration Yes Flaw in 3rd party component system Yes Overlooked ancillary functions remain active Yes System restored to unplanned state Yes Lack of operational coordination leaves system in unplanned state No Uncaught data transport error No Inadequate incident response capability Yes
Will Federal security frameworks assimilate all US scientific CI? Yes Appropriate, probably unavoidable, for some secure research Some aspects well suited to both open science and secure research No Needs common executive management, hence hard to apply across organizations Some critical IT risks aren’t addressed TrustedCI is developing alternatives for open science • Open Science Cyber Risk Profile • Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects 16
Lack of operational coordination leaves system in unplanned state Please hold this thought in mind for a few minutes…. 17
A complex case Trust Frameworks and Federation reduce risk in complex, multi- organizational circumstances 18
19 Since 2015, thirteen ESFRI Research Infrastructures from the field of BioMedical Science (BMS RI) joined their scientific capabilities and services to transform the understanding of biological mechanisms and accelerate its translation into medical care. • biobanking & biomolecular resources •curated databases •marine model organisms •systems biology •translational research •functional genomics •screening & medicinal chemistry •microorganisms •clinical trials •structural biology •biological/medical imaging•plant phenotyping •highly pathogenic microorganisms Slide credit: Mikael Linden
Increasing complexity of scientific CI • Bigger data & bigger teams need bigger CI • Beyond the scale a single organization can achieve on its own • Not-bigger funding motivates the concentration of CI investments • Federating or centralizing HPC centers, cloud • Size brings complexity • Federated user access, federated resources • Access management • Data, cache, and network management 20 As scientific CIs integrate more components and organizations, it’s harder to manage, debug, and ascertain the state of the entire system
Federated user access – a global infrastucture faculty, students, staff data sets intellectual property specialized instruments specialized computing 68 countries (March 2019) > 16,700 entities (25% InCommon) > 10,000,000 users connected by global research networks and federation 21
22 Get collaboration ready Release “Research & Scholarship” attributes Basic security for Identity Provider Accurate & complete metdata for good user experience Standard MFA request/response Identity assurance info Enable basic collaboration Support high value resources Protect collaboration resources Reduce risk Identity Providers implement Academic Service Providers implement Each item in the bottom two tiers is associated with a trust framework, as is the federation itself
InCommon progress on metadata (user experience) 23
24 InCommon’s Baseline Expectations program Dimensions ❏ Security ❏ Privacy ❏ Transparency/Accountability ❏ User Experience Participation Agreement requires everyone to adhere to Baseline Expectations Processes ❏ Community Consensus ❏ Community Dispute Resolution Mostly, it consists of tons of communication and help
Baseline Roadmap (under development) 25 1Q18 2Q18 3Q18 4Q18 1Q19 2Q19 3Q19 4Q19 1Q20 2Q20 3Q20 4Q20 1Q21 2Q21 3Q21 4Q21 Create BE processes, redo contracts, metadata quality. errorURL. SIRTFI all entities. R&S and REFEDS MFA for academic OS IdPs. IdPs must use collaboration- ready software/services.
Research & Scholarship attribute release • Name, email, affiliation, persistent identifier • Common need for “research and scholarship” services • Those service providers are “tagged” by their national federation operators as “R&S” • Identity Providers automatically release the R&S attributes to R&S tagged services • Such Identity Providers are also tagged as “R&S” so that services can elect to require R&S attributes in order to provide service • The R&S program contributes to good privacy practice under the European General Data Protection Regulation (GDPR) [ 26 ]
SIRTFI - security incident response trust framework for federated identity 27 Be willing to collaborate in responding to a federated security incident. Apply basic operational security protections to your federated entities in line with your organization’s priorities. Self-assert SIRTFI “tag” so that others will know to trust this about you.
REFEDS Assurance Framework 28 Identity Assurance Authentication Strength Authentication Single-factor authentication (SFA) Multi-factor authentication (MFA) Attributes Affiliation freshness 1 day Affiliation freshness 1 month ID Proofing Medium (eg postal credential delivery) Low (self-asserted) High (eg F2F) Identifiers ID is unique, personal and traceable ePPN is unique, personal and traceable Defines a standard means for service providers to receive information about identity assurance practice and request and receive information about strength of credentials
Review of the complex case & trust frameworks A trust framework is • A standard of behavior that applies to participants and/or components in large, complex, even global systems • Developed in response to identified needs of research and scholarly activities We trust that trust framework adopters reasonably observe the standard of behavior because of our shared mission in Research & Education Federations and other organizations enable and monitor trust framework participation and may operate processes to verify or compel adoption 29
Lack of operational coordination leaves system in unplanned state Systems that integrate components across many organizations can use trust frameworks to reduce the risk posed by intrinsic inability to coordinate operationally 30
Reducing risk to scientific CI Some services and programs you can take advantage of. Some things you might think about doing. 31
ResearchSOC ResearchSOC helps make scientific computing resilient to cyberattacks and capable of supporting trustworthy, productive research. • NSF funded center • Indiana University, Duke University, Pittsburgh Supercomputing Center, University of California San Diego • Security Operations Center • Vulnerability scanning and threat intelligence sharing • Training information security professionals to address challenges of securing research 32
TrustedCI and Internet2 • Direct engagements or partnerships to review or solve problems • Security programs for NSF funded activities • Facility/Site Identity & Access Management • Federated user access • Cloud use • Campus Champions / CaRRC • Science Gateways Community Institute • Hope to translate experience with user federation into resource federation space 33
Globus Connect/High Assurance • Enhanced Connect Server/Personal to meet the security needs of protected environments for secure research • Only authorized identities • Audit trails • Session timeouts • More… • Enhanced Transfer & Auth services backend in AWS • Meets Federal/NIST security standards • Suited to HIPAA and other sensitive research data 34
You – campus research computing staff • Add federated user access tooling to your environment • CILogon, Globus Auth, COmanage, Grouper, others • Help your CISO become your partner • Support Federal security standards for high risk projects, sensible security for low (eg, Open Science Cyber Risk Profile) • Stay abreast of prototype resource federation efforts • Help TrustedCI/Internet2 understand your researchers’ problems and give guidance on good solutions 35
You – platform & gateway developers • Use federated user access tooling • Deep water, don’t roll your own user management!! • Help your information security people to help you • Bake sensible security into your dev and operational processes • Provide sensible security functionality to deployers • Your platforms are sometime implemented in very exposed Science DMZs – focus on securing system integrity, make it hard for bad guys to re-purposed as weapons 36
You - PIs • Involve research computing staff as early as possible in grant formulation process to optimize proposed data processing workflow • If sensitive research data is involved, early engagement will minimize hurdles & hoops, ensure satisfactory proposed data security plan • Demand sensible security – make the IT and security powers that be know that it matters and you need them for it 37
38 Thank you! Questions? tbarton@uchicago.edu

More Related Content

What's hot (20)

PPTX
Data Security: Why You Need Data Loss Prevention & How to Justify It
Marc Crudgington, MBA
 
PPTX
Marc Crudgington Who I Am
Marc Crudgington, MBA
 
PDF
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Ignyte Assurance Platform
 
PPTX
ComResource Agency Solutions
Anthony Dials
 
PDF
What it Takes to be a CISO in 2017
Doug Copley
 
PDF
Cybersecurity Program Assessments
John Anderson
 
PPTX
Information Leakage & DLP
Yun Lu
 
PPTX
Healthcare and Cyber security
Brian Matteson, CISSP CISA
 
PPT
Information Leakage - A knowledge Based Approach
Global Business Events - the Heart of your Network.
 
PDF
The Anatomy of a Cloud Security Breach
CloudLock
 
PDF
Cyber Resilience
Ian-Edward Stafrace
 
PDF
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
PDF
M&A security - E-crime Congress 2017
EQS Group
 
PDF
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
North Texas Chapter of the ISSA
 
PPTX
How to assess and manage cyber risk
Stephen Cobb
 
PPTX
Risk Management Approach to Cyber Security
Ernest Staats
 
PPT
Digital Outsourcing: Risks, Pitfalls, and Security Considerations
Peter1020
 
PPT
DLP
saurabh.sood
 
PPTX
MYTHBUSTERS: Can You Secure Payments in the Cloud?
Kurt Hagerman
 
PDF
Be Aware Webinar Symantec-Maxímice su prevención hacia la fuga de la información
Symantec LATAM
 
Data Security: Why You Need Data Loss Prevention & How to Justify It
Marc Crudgington, MBA
 
Marc Crudgington Who I Am
Marc Crudgington, MBA
 
Fortifying Cyber Defense: How to Act Now to Protect Global Supply Chains
Ignyte Assurance Platform
 
ComResource Agency Solutions
Anthony Dials
 
What it Takes to be a CISO in 2017
Doug Copley
 
Cybersecurity Program Assessments
John Anderson
 
Information Leakage & DLP
Yun Lu
 
Healthcare and Cyber security
Brian Matteson, CISSP CISA
 
Information Leakage - A knowledge Based Approach
Global Business Events - the Heart of your Network.
 
The Anatomy of a Cloud Security Breach
CloudLock
 
Cyber Resilience
Ian-Edward Stafrace
 
Internal Threats: The New Sources of Attack
Mekhi Da ‘Quay Daniels
 
M&A security - E-crime Congress 2017
EQS Group
 
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
North Texas Chapter of the ISSA
 
How to assess and manage cyber risk
Stephen Cobb
 
Risk Management Approach to Cyber Security
Ernest Staats
 
Digital Outsourcing: Risks, Pitfalls, and Security Considerations
Peter1020
 
DLP
saurabh.sood
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
Kurt Hagerman
 
Be Aware Webinar Symantec-Maxímice su prevención hacia la fuga de la información
Symantec LATAM
 

Similar to Enabling Science with Trust and Security – Guest Keynote (20)

PDF
Trustworthy Computational Science: A Multi-decade Perspective
Von Welch
 
PPT
2011 lecture ia orientation
2b3d
 
PDF
CTSC+SWAMP: cybersecurity resources for your campus
jbasney
 
PDF
CACR Overview
Von Welch
 
PPT
Cybersecurity R&D briefing
Naba Barkakati
 
PDF
Addressing Cybersecurity and Cybercrime via a co-evolutionary approach to red...
Anna Gomez
 
PDF
Introduction to NIST Cybersecurity Framework
Tuan Phan
 
PPT
Poster jsoe research expo 2009
bdemchak
 
PDF
NIST critical_infrastructure_cybersecurity.pdf
ssuserb3094b
 
PPTX
DOC-20250530-WA0008.pptx.................
salmannawaz6566504
 
PDF
Cybersecurity for Science
Von Welch
 
PDF
Cyber Security Cyber Crime And Cyber Forensics Applications And Perspectives ...
nuwtscsbsv916
 
PDF
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
Cohesive Networks
 
PDF
Nist cybersecurity framework isc2 quantico
Tuan Phan
 
PDF
Cyber security and IT infrastructure protection 1st ed Edition Vacca
esambezaahl
 
PDF
Management CyperSecurity Risk - Management CyperSecurity Risk
bellinipolla
 
PDF
Trustworthy Computational Science: Lessons Learned and Next Steps
Von Welch
 
PPTX
The IT Analysis Paralysis
PYA, P.C.
 
PDF
Cyber security and IT infrastructure protection 1st ed Edition Vacca
flirtysluis
 
PPTX
history_and_development.pptx
MarcosCristianMungua
 
Trustworthy Computational Science: A Multi-decade Perspective
Von Welch
 
2011 lecture ia orientation
2b3d
 
CTSC+SWAMP: cybersecurity resources for your campus
jbasney
 
CACR Overview
Von Welch
 
Cybersecurity R&D briefing
Naba Barkakati
 
Addressing Cybersecurity and Cybercrime via a co-evolutionary approach to red...
Anna Gomez
 
Introduction to NIST Cybersecurity Framework
Tuan Phan
 
Poster jsoe research expo 2009
bdemchak
 
NIST critical_infrastructure_cybersecurity.pdf
ssuserb3094b
 
DOC-20250530-WA0008.pptx.................
salmannawaz6566504
 
Cybersecurity for Science
Von Welch
 
Cyber Security Cyber Crime And Cyber Forensics Applications And Perspectives ...
nuwtscsbsv916
 
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecuri...
Cohesive Networks
 
Nist cybersecurity framework isc2 quantico
Tuan Phan
 
Cyber security and IT infrastructure protection 1st ed Edition Vacca
esambezaahl
 
Management CyperSecurity Risk - Management CyperSecurity Risk
bellinipolla
 
Trustworthy Computational Science: Lessons Learned and Next Steps
Von Welch
 
The IT Analysis Paralysis
PYA, P.C.
 
Cyber security and IT infrastructure protection 1st ed Edition Vacca
flirtysluis
 
history_and_development.pptx
MarcosCristianMungua
 
Ad

More from Globus (20)

PDF
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
PDF
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
PDF
Globus Compute Introduction - GlobusWorld 2024
Globus
 
PDF
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
PDF
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
PDF
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
PDF
First Steps with Globus Compute Multi-User Endpoints
Globus
 
PDF
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
PDF
Understanding Globus Data Transfers with NetSage
Globus
 
PDF
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
PDF
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
PDF
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
PDF
The Department of Energy's Integrated Research Infrastructure (IRI)
Globus
 
PDF
GlobusWorld 2024 Opening Keynote session
Globus
 
PDF
Enhancing Performance with Globus and the Science DMZ
Globus
 
PDF
Extending Globus into a Site-wide Automated Data Infrastructure.pdf
Globus
 
PDF
Globus at the United States Geological Survey
Globus
 
PDF
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
PDF
Globus Compute with Integrated Research Infrastructure (IRI) workflows
Globus
 
PDF
Reactive Documents and Computational Pipelines - Bridging the Gap
Globus
 
Globus Compute wth IRI Workflows - GlobusWorld 2024
Globus
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Globus Compute Introduction - GlobusWorld 2024
Globus
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
First Steps with Globus Compute Multi-User Endpoints
Globus
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Understanding Globus Data Transfers with NetSage
Globus
 
How to Position Your Globus Data Portal for Success Ten Good Practices
Globus
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
The Department of Energy's Integrated Research Infrastructure (IRI)
Globus
 
GlobusWorld 2024 Opening Keynote session
Globus
 
Enhancing Performance with Globus and the Science DMZ
Globus
 
Extending Globus into a Site-wide Automated Data Infrastructure.pdf
Globus
 
Globus at the United States Geological Survey
Globus
 
Providing Globus Services to Users of JASMIN for Environmental Data Analysis
Globus
 
Globus Compute with Integrated Research Infrastructure (IRI) workflows
Globus
 
Reactive Documents and Computational Pipelines - Bridging the Gap
Globus
 
Ad

Recently uploaded (20)

PDF
Blockchain Transactions Explained For Everyone
CIFDAQ
 
PPTX
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
PPTX
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
PDF
Presentation - Vibe Coding The Future of Tech
yanuarsinggih1
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
PDF
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
PDF
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
PDF
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
Predicting the unpredictable: re-engineering recommendation algorithms for fr...
Speck&Tech
 
PDF
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
PDF
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
PDF
Why Orbit Edge Tech is a Top Next JS Development Company in 2025
mahendraalaska08
 
PDF
Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PDF
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
PPTX
Top iOS App Development Company in the USA for Innovative Apps
SynapseIndia
 
PPTX
✨Unleashing Collaboration: Salesforce Channels & Community Power in Patna!✨
SanjeetMishra29
 
PDF
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
PDF
Chris Elwell Woburn, MA - Passionate About IT Innovation
Chris Elwell Woburn, MA
 
Blockchain Transactions Explained For Everyone
CIFDAQ
 
Building Search Using OpenSearch: Limitations and Workarounds
Sease
 
"Autonomy of LLM Agents: Current State and Future Prospects", Oles` Petriv
Fwdays
 
Presentation - Vibe Coding The Future of Tech
yanuarsinggih1
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
Predicting the unpredictable: re-engineering recommendation algorithms for fr...
Speck&Tech
 
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
Why Orbit Edge Tech is a Top Next JS Development Company in 2025
mahendraalaska08
 
Transcript: New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
HubSpot Main Hub: A Unified Growth Platform
Jaswinder Singh
 
Top iOS App Development Company in the USA for Innovative Apps
SynapseIndia
 
✨Unleashing Collaboration: Salesforce Channels & Community Power in Patna!✨
SanjeetMishra29
 
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
Chris Elwell Woburn, MA - Passionate About IT Innovation
Chris Elwell Woburn, MA
 

Enabling Science with Trust and Security – Guest Keynote

  • 1. Enabling Science with Trust and Security Tom Barton Sr Consultant for Cybersecurity & Data Privacy UChicago & Internet2 GlobusWorld 2019
  • 2. What I’ll tell you • Security is all about enabling the mission by reducing risk to it • There are security programs designed to reduce risk to research • Trust frameworks reduce risk across complex cyberinfrastructure (CI) ecosystems • Trust frameworks & security enable scientific CI by reducing risk to it • Some practical ways to engage with these 2
  • 3. The simplest case Human subjects research is perhaps the simplest example of security enabling science. Not that it’s easy! 3
  • 4. 4 Rigorous scientific methods help civic partners achieve the greatest social good per dollar
  • 5. Liability incurred by contracts and regulation • Sensitive data provided under contract by external agencies • Variety of security obligations in Data Use Agreements • HIPAA Business Associate Agreements • Government contracts with DFARS flow down requirements • Federal security standards, focused on data confidentiality • Also subject to state regulations protecting personal information • Worst case: existential threat to associated research programs 5
  • 6. Institutional strategy for secure research data • Research Computing, Research Administration, Legal, IT partnership to reduce risk to affected research • Provide security as a service to PIs so they don’t have to figure it out • Elements • Risk assessment in grants & contracts processes • Secure research computing service • Dean and VP Research level policy governance • Broad-based operational governance • Federal security standards: NIST SP 800-53/800-171/CUI • UChicago and many others have one or are moving in that direction 6
  • 8. Benefits and dividends • On-going close coordination between research computing and central IT • Identity & access management • Security operations, incident response and risk assessment • Network engineering • Storage/recovery • Systems administration • Central IT learned how to support other sensitive computing needs • Re-usable building blocks of secure computing technologies and procedures • Total institutional cost is reduced with each re-use 8
  • 9. Can CISOs and Research Computing Directors get along? • Yes! • "Enabling Trustworthy Campus Cyberinfrastructure for Science“ • Workshop by TrustedCI and InCommon, funded by NSF, September 2018 • Chief Information Security Officer and Research Computing Director teams from ~15 universities • Secure research computing needs drive successful partnerships among CISOs, RC Directors, Legal Counsel, Research Administration • Regardless of where RC Director and CISO report, large or small institution, centralized or decentralized 9
  • 10. Review of the simplest case The scientific CI is in one organization, which makes feasible: • Close, on-going operational collaboration between research computing, central IT, information security • Implementation of Federal/NIST security standards Enables human subjects research programs by providing the help needed to address onerous security obligations 10
  • 11. Security and risk Must it always be about complying with Federal/NIST security standards? 11
  • 12. Security Defined by Merriam Webster 1: freedom from danger (safety), freedom from fear or anxiety 4: measures taken to guard against espionage or sabotage, crime, attack, or escape https://www.merriam-webster.com/dictionary/security We should emphasize definition #1, but security practice is traditionally focused on #4 12 slide credit: Von Welch
  • 13. Data lost System unavailable Data altered Private data exposed Enforced shutdown Ransomware Cyber espionage Weaponization Hactivism Identity theft Mal intent Protective and responsive measures Prevent negative impact Extended disruption Cybersecurity – traditional view 13 CI system in designed state
  • 14. Protective and responsive measures Data lost System unavailable Data altered Private data exposed Enforced shutdown Ransomware Cyber espionage Weaponization Misconfiguration Flaw in 3rd party component system Overlooked ancillary functions remain active System restored to unplanned state Uncaught data transport error Inadequate incident response capability Lack of operational coordination leaves system in unplanned stateHactivism Identity theft Mal intent Deltas to CI system design state Negative impact Extended disruption Cyber Risk – it’s not just about bad actors 14
  • 15. Federal security standards address some IT risks 15 IT risk Federal security controls? Misconfiguration Yes Flaw in 3rd party component system Yes Overlooked ancillary functions remain active Yes System restored to unplanned state Yes Lack of operational coordination leaves system in unplanned state No Uncaught data transport error No Inadequate incident response capability Yes
  • 16. Will Federal security frameworks assimilate all US scientific CI? Yes Appropriate, probably unavoidable, for some secure research Some aspects well suited to both open science and secure research No Needs common executive management, hence hard to apply across organizations Some critical IT risks aren’t addressed TrustedCI is developing alternatives for open science • Open Science Cyber Risk Profile • Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects 16
  • 17. Lack of operational coordination leaves system in unplanned state Please hold this thought in mind for a few minutes…. 17
  • 18. A complex case Trust Frameworks and Federation reduce risk in complex, multi- organizational circumstances 18
  • 19. 19 Since 2015, thirteen ESFRI Research Infrastructures from the field of BioMedical Science (BMS RI) joined their scientific capabilities and services to transform the understanding of biological mechanisms and accelerate its translation into medical care. • biobanking & biomolecular resources •curated databases •marine model organisms •systems biology •translational research •functional genomics •screening & medicinal chemistry •microorganisms •clinical trials •structural biology •biological/medical imaging•plant phenotyping •highly pathogenic microorganisms Slide credit: Mikael Linden
  • 20. Increasing complexity of scientific CI • Bigger data & bigger teams need bigger CI • Beyond the scale a single organization can achieve on its own • Not-bigger funding motivates the concentration of CI investments • Federating or centralizing HPC centers, cloud • Size brings complexity • Federated user access, federated resources • Access management • Data, cache, and network management 20 As scientific CIs integrate more components and organizations, it’s harder to manage, debug, and ascertain the state of the entire system
  • 21. Federated user access – a global infrastucture faculty, students, staff data sets intellectual property specialized instruments specialized computing 68 countries (March 2019) > 16,700 entities (25% InCommon) > 10,000,000 users connected by global research networks and federation 21
  • 22. 22 Get collaboration ready Release “Research & Scholarship” attributes Basic security for Identity Provider Accurate & complete metdata for good user experience Standard MFA request/response Identity assurance info Enable basic collaboration Support high value resources Protect collaboration resources Reduce risk Identity Providers implement Academic Service Providers implement Each item in the bottom two tiers is associated with a trust framework, as is the federation itself
  • 23. InCommon progress on metadata (user experience) 23
  • 24. 24 InCommon’s Baseline Expectations program Dimensions ❏ Security ❏ Privacy ❏ Transparency/Accountability ❏ User Experience Participation Agreement requires everyone to adhere to Baseline Expectations Processes ❏ Community Consensus ❏ Community Dispute Resolution Mostly, it consists of tons of communication and help
  • 25. Baseline Roadmap (under development) 25 1Q18 2Q18 3Q18 4Q18 1Q19 2Q19 3Q19 4Q19 1Q20 2Q20 3Q20 4Q20 1Q21 2Q21 3Q21 4Q21 Create BE processes, redo contracts, metadata quality. errorURL. SIRTFI all entities. R&S and REFEDS MFA for academic OS IdPs. IdPs must use collaboration- ready software/services.
  • 26. Research & Scholarship attribute release • Name, email, affiliation, persistent identifier • Common need for “research and scholarship” services • Those service providers are “tagged” by their national federation operators as “R&S” • Identity Providers automatically release the R&S attributes to R&S tagged services • Such Identity Providers are also tagged as “R&S” so that services can elect to require R&S attributes in order to provide service • The R&S program contributes to good privacy practice under the European General Data Protection Regulation (GDPR) [ 26 ]
  • 27. SIRTFI - security incident response trust framework for federated identity 27 Be willing to collaborate in responding to a federated security incident. Apply basic operational security protections to your federated entities in line with your organization’s priorities. Self-assert SIRTFI “tag” so that others will know to trust this about you.
  • 28. REFEDS Assurance Framework 28 Identity Assurance Authentication Strength Authentication Single-factor authentication (SFA) Multi-factor authentication (MFA) Attributes Affiliation freshness 1 day Affiliation freshness 1 month ID Proofing Medium (eg postal credential delivery) Low (self-asserted) High (eg F2F) Identifiers ID is unique, personal and traceable ePPN is unique, personal and traceable Defines a standard means for service providers to receive information about identity assurance practice and request and receive information about strength of credentials
  • 29. Review of the complex case & trust frameworks A trust framework is • A standard of behavior that applies to participants and/or components in large, complex, even global systems • Developed in response to identified needs of research and scholarly activities We trust that trust framework adopters reasonably observe the standard of behavior because of our shared mission in Research & Education Federations and other organizations enable and monitor trust framework participation and may operate processes to verify or compel adoption 29
  • 30. Lack of operational coordination leaves system in unplanned state Systems that integrate components across many organizations can use trust frameworks to reduce the risk posed by intrinsic inability to coordinate operationally 30
  • 31. Reducing risk to scientific CI Some services and programs you can take advantage of. Some things you might think about doing. 31
  • 32. ResearchSOC ResearchSOC helps make scientific computing resilient to cyberattacks and capable of supporting trustworthy, productive research. • NSF funded center • Indiana University, Duke University, Pittsburgh Supercomputing Center, University of California San Diego • Security Operations Center • Vulnerability scanning and threat intelligence sharing • Training information security professionals to address challenges of securing research 32
  • 33. TrustedCI and Internet2 • Direct engagements or partnerships to review or solve problems • Security programs for NSF funded activities • Facility/Site Identity & Access Management • Federated user access • Cloud use • Campus Champions / CaRRC • Science Gateways Community Institute • Hope to translate experience with user federation into resource federation space 33
  • 34. Globus Connect/High Assurance • Enhanced Connect Server/Personal to meet the security needs of protected environments for secure research • Only authorized identities • Audit trails • Session timeouts • More… • Enhanced Transfer & Auth services backend in AWS • Meets Federal/NIST security standards • Suited to HIPAA and other sensitive research data 34
  • 35. You – campus research computing staff • Add federated user access tooling to your environment • CILogon, Globus Auth, COmanage, Grouper, others • Help your CISO become your partner • Support Federal security standards for high risk projects, sensible security for low (eg, Open Science Cyber Risk Profile) • Stay abreast of prototype resource federation efforts • Help TrustedCI/Internet2 understand your researchers’ problems and give guidance on good solutions 35
  • 36. You – platform & gateway developers • Use federated user access tooling • Deep water, don’t roll your own user management!! • Help your information security people to help you • Bake sensible security into your dev and operational processes • Provide sensible security functionality to deployers • Your platforms are sometime implemented in very exposed Science DMZs – focus on securing system integrity, make it hard for bad guys to re-purposed as weapons 36
  • 37. You - PIs • Involve research computing staff as early as possible in grant formulation process to optimize proposed data processing workflow • If sensitive research data is involved, early engagement will minimize hurdles & hoops, ensure satisfactory proposed data security plan • Demand sensible security – make the IT and security powers that be know that it matters and you need them for it 37