Trusted CI Webinar: Trusted Volunteer Edge-Cloud Computing for Scientific Workflows, Monday February 24th @10am Central

Mizzou's Prasad Calyam is presenting the talk, Trusted Volunteer Edge-Cloud Computing for Scientific Workflows, on Monday February 24th at 10am, Central time.

Please register here.

The unprecedented growth in networked edge devices (e.g., scientific instruments, sensors) has caused a data deluge in scientific application communities. The data processing is increasingly relying on distributed computing to cope with the heterogeneity, scale, and velocity of the data. At the same time, there is an abundance of low-cost computation resources that can be used for “volunteer edge-cloud computing” (VEC), where collaborators in a community (e.g., bioinformatics, manufacturing) contribute their resources to form a distributed infrastructure to execute scientific workflows. In this talk, a VEC management reference architecture and a related framework implementation will be presented for support of trusted resource allocation in VEC environments for scientific data-intensive workflows. We demonstrate how our novel scheduling approach optimizes task allocation on VEC nodes by balancing workflow requirements and resource preferences, improving latency, task completion times, and resource utilization efficiency. Lastly, we outline our recent efforts to ensure privacy-preservation of the scientific workflow execution in VEC environments by adopting principles from the confidential computing paradigm.

Speaker Bio: 

Prasad Calyam is a Curators’ Distinguished Professor and the Greg L. Gilliom Professor of Cybersecurity in the Department of Electrical Engineering and Computer Science at University of Missouri-Columbia, and Director of the Center for Cyber Education, Research and Infrastructure (Mizzou CERI). His research and development areas of interest include: Cloud Computing, Machine Learning, Artificial Intelligence, Cyber Security, and Advanced Cyberinfrastructure. He has published over 235 peer-reviewed papers in various conference and journal venues. As the Principal Investigator, he has successfully led teams of graduate, undergraduate and postdoctoral fellows in Federal, State, University and Industry sponsored R&D projects sponsored by National Science Foundation, Department of Energy, National Security Agency and others. His basic research and software on multi-domain network measurement and monitoring has been commercialized as ‘Narada Metrics’.

---

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Open Science Cyber Risk Profile (OSCRP) Updated with Science DMZ, Software Assurance, Operational Technology, and Cloud Computing Elements

 Trusted CI has released an updated version of the Open Science Cyber Risk Profile (OSCRP), with additions based on insights from its 2021 study of scientific software assurance:

Andrew Adams, Kay Avila, Elisa Heymann, Mark Krenz, Jason R. Lee, Barton Miller, and Sean Peisert. “The State of the Scientific Software World: Findings of the 2021 Trusted CI Software Assurance Annual Challenge Interviews,” September 2021.  https://hdl.handle.net/2022/26799

Andrew Adams, Kay Avila, Elisa Heymann, Mark Krenz, Jason R. Lee, Barton Miller, and Sean Peisert. “Guide to Securing Scientific Software,” December 2021. DOI: 10.5281/zenodo.5777646

…and its 2022 study on scientific operational technology:

Emily K. Adams, Daniel Gunter, Ryan Kiser, Mark Krenz, Sean Peisert, Susan Sons, and John Zage. “Findings of the 2022 Trusted CI Study on the Security of Operational Technology in NSF Scientific Research,” July 13, 2022. DOI: 10.5281/zenodo.6828675

A new section on risk profiling of  cloud computing was also added.  The full reference for the OSCRP is:

Sean Peisert, Von Welch, Andrew Adams, RuthAnne Bevier, Michael Dopheide, Rich LeDuc, Pascal Meunier, Steve Schwab, and Karen Stocks. Open Science Cyber Risk Profile (OSCRP), Version 1.3.3. October 2022. DOI: 10.5281/zenodo.7268749

The OSCRP is a document, initially released in 2017, designed to help principal investigators and their supporting information technology professionals assess cybersecurity risks related to open science projects. The OSCRP was the culmination of extensive discussions with research and education community leaders, and has since become a widely-used resource, including numerous references in recent National Science Foundation (NSF) solicitations.

The OSCRP is a living document and will continue to be refreshed as technology and threats change, and as new insights are acquired.

Comments, questions, and suggestions about this post, and both documents are always welcome at [email protected].

CCoE Webinar March 25th at 11am ET: The NSF CC-DNI SecureCloud Project

Casimer DeCusatis is presenting the talk "The NSF CC-DNI SecureCloud Project: Autonomic Cybersecurity for Zero Trust Cloud Computing" on Monday March 25th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

Cyberinfrastructure is undergoing a radical transformation as traditional data centers are replaced by cloud computing. Cloud hosted applications tend to have a poorly defined network perimeter, large attack surfaces, and pose significant challenges for network visibility, segmentation, and authentication.  We discuss research from the NSF SecureCloud project, which addresses the unique requirements of cloud security using an autonomic, zero trust architecture. We have created and tested original software using a first-of-a-kind cybersecurity test bed constructed at the New York State Cloud Computing & Analytic Center, Marist College. We developed the first honeypot for software defined network (SDN) controllers , and created honeypots for graph database APIs, SSH, and other applications.  These honeypots collect raw data telemetry, which is processed into actionable threat intelligence using our Lightweight Cloud Analytics for Real Time Security (LCARS), an SIEM that includes the G-Star graph database and hive plot visualizer.  We have built a threat intelligence database including attack patterns and orchestrated response recipes. We demonstrate dynamic reconfiguration using REST APIs for network appliances, while we cloak high risk applications using a combination of Transport Layer Access Control and First Packet Authentication.  Use cases include reconfiguration of trust levels in response to distributed denial of service (DDoS) and other attacks.

Speaker bio:

Casimer DeCusatis is an Assistant Professor at Marist College.  He is a Cisco Distinguished Speaker, Fellow of IEEE, OSA, SPIE, and recipient of the following awards: IEEE Kiyo Tomiyasu, IEEE R1 Cybersecurity Education, Sigma Xi Walston Chubb, Mensa Copper Black, PSU Outstanding Alumnus, and IEEE/HKN OYEE.  He received his M.S.(1988) & Ph.D.(1990) from RPI and his B.S. from Penn State (1986).

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Trusted CI Webinar December 10th at 11am ET: Security Best Practices for Academic Cloud Service Providers with Rion Dooley

Rion Dooley is presenting the talk "Security Best Practices for Academic Cloud Service Providers" on Monday December 10th at 11am (Eastern).

Please register here. Be sure to check spam/junk folder for registration confirmation email.

A “cloud resource” provides a hosted, self-service means for users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. Virtual machines or container images can be curated and provided by the cloud resource operator, provided by the user, or provided by third parties.

Operating a cloud resource involves addressing security requirements of multiple stakeholders: those of the resource operator and those of the resource user.  These parties may have different incentives related to security as well as different levels of acumen. Operators may at times run images whose trustworthiness is not established and grant users privileged access within their running image that would be uncommon on non-virtualized computing resources.  Moreover, users, with their elevated privileges, can misconfigure services, expose sensitive data or choose protocols/solutions that offer less security for the sake of installation or operating costs. These factors can lead to an environment that, by its nature, is difficult to secure.

A community consisting of The Agave Platform, Cornell University Center for Advanced Computing, CyVerse, Jetstream and Trusted CI collaborated in authoring a set of Security Best Practices for developing in, and operating an academic cloud resource.  

In this webinar, we will discuss the nine use cases they deemed most important to academic cloud services.

This webinar will be relevant to cloud users, evangelists, and providers. All are encouraged to join and contribute to the conversation.

The full white paper is available online at http://hdl.handle.net/2022/22123.

Speaker Bio:
Rion Dooley is the Director of Platform Services and Solutions at Data Machines Corp. He has 15 years experience integrating emerging tech with HCP environments to build solutions that make it easier to conduct open, digital science. His prior research includes projects in the areas of cloud computing and security. He serves as PI for the Agave Project, and is active in the Open Source community.

Presentations are recorded and include time for questions with the audience.

Join Trusted CI's announcements mailing list for information about upcoming events. To submit topics or requests to present, see our call for presentations. Archived presentations are available on our site under "Past Events."

Community Produces Security Best Practices for Academic Cloud Resources

A community consisting of members from The Agave Platform (TACC - NSF OAC-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF OAC-CC-DNI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), Jetstream (IU - NSF OAC-1445604) and Trusted CI recently completed an engagement in authoring a set of Security Best Practices for developing in, and operating an academic cloud resource. The culmination of the project, Security Best Practices for Academic Cloud Service Providers, is available at http://hdl.handle.net/2022/22123.

A "cloud resource" within an academic institution provides a means for R&E users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. The virtual machines or container images can be curated and provided by the cloud resource operator, the user, or a third party. This utility, however, presents a number of challenges in the domain of cloud cybersecurity, e.g., the user's image can run with privileged access, an image can be from unknown provenances, controls to reduce the risk an image may cause to both operator and other guests are limited, and managing security updates to an image is cumbersome.

The engagement's collaborative effort in tackling these unique security risks to academic cloud services was guided by three basic principles, specifically: security is a shared concern between a cloud service provider and a cloud service user, neither can expect the other to fully address security; a clean delineation between cloud service provider and cloud service user of security responsibilities is critical to ensure all responsibilities are met; and the cloud service provider has the responsibility to ensure all security responsibilities are articulated and the cloud service user is educated about how to fulfill their responsibilities.

Through sharing experiences, the community detailed the "use cases" they deemed most important to the utility of academic cloud services. The security concerns of each use case were explored, leading to the identification of security best practices that balanced the needs of the stakeholders with mitigations sufficient to address the risk. This process along with the guiding principles resulted in a product that, unlike canonical security best practices, focused not only on the role of the operators, but also on empowering and encouraging the user to take a more proactive stance in cybersecurity. The use cases discussed in the document, and by association the security best practices for each, are:

1. Disseminating localized best practices to users
2. Ensuring user image trustworthiness
3. Providing methods for users to manage their secrets
4. Supporting privileged access within images
5. Trying to empower users with self-service DNS management
6. Similar to 3, providing methods for users to manage their configurations
7. Providing service accounts as opposed to just user accounts
8. Offering monitoring services that users can access
9. Offering Identity and Access Management-aware Continuous Integration / Continuous Delivery services

The community additionally presented their experiences and findings at the 2018 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure.

CTSC Engages with Community to Develop Academic Cloud Provider Best Practices

A community of academic cloud service providers in collaboration with CTSC intend to identify and document a set of security best practices for both operators and software developers of academic cloud service providers.  The community that will spearhead this thrust is comprised of various R&E cloud service provider initiatives, including: Agave Platform (TACC - NSF OCA-SS2-SSI-1450437), Cornell University Center for Advanced Computing (NSF CI-1541215), CyVerse (UA - NSF DBI-0735191, DBI-1265383), and Jetstream (IU - NSF 1445604).

A “cloud resource” within an academic institution provides a means for R&E users to run virtual machines or containers such that they can have a custom software stack and isolation from other users. Additionally, virtual machines or container images can be curated and provided by the cloud resource operator, they can be provided by the user, or they can be provided by a third party.  This presents a number of challenges in the domain of cloud cybersecurity, e.g., users’ images are run with privileged access, images can be from unknown provenances, controls to reduce the risk an image may cause to both operator and other guests are limited, and managing security updates to images is cumbersome.

To address these issues, this engagement will, (i) identify issues and concerns geared for academic cloud operators and those developing software for cloud resource operators, (ii) survey existing security recommendations that govern generic cloud computing, (iii) aggregate those principals found in (ii) for the issues and concerns affecting academic cloud service providers or develop new principles for secure operation of a cloud resource, including specific measures to achieve those principles, and (iv) disseminate the set of principles to the NSF community to maximize its impact.

The overarching goal of this engagement is to improve cybersecurity for operators and users of academic clouds.