This presentation was given at the 2019 GlobusWorld Conference in Chicago, IL by Tom Barton from University of Chicago and Internet2.

1. Enabling Science with Trust and Security
Tom Barton
Sr Consultant for Cybersecurity & Data Privacy
UChicago & Internet2
GlobusWorld 2019

2. What I’ll tell you
• Security is all about enabling the mission by reducing risk to it
• There are security programs designed to reduce risk to research
• Trust frameworks reduce risk across complex cyberinfrastructure (CI)
ecosystems
• Trust frameworks & security enable scientific CI by reducing risk to it
• Some practical ways to engage with these
2

3. The simplest case
Human subjects research is perhaps the simplest example of security
enabling science.
Not that it’s easy!
3

4. 4
Rigorous scientific methods
help civic partners achieve
the greatest social good
per dollar

5. Liability incurred by contracts and regulation
• Sensitive data provided under contract by external agencies
• Variety of security obligations in Data Use Agreements
• HIPAA Business Associate Agreements
• Government contracts with DFARS flow down requirements
• Federal security standards, focused on data confidentiality
• Also subject to state regulations protecting personal information
• Worst case: existential threat to associated research programs
5

6. Institutional strategy for secure research data
• Research Computing, Research Administration, Legal, IT partnership to
reduce risk to affected research
• Provide security as a service to PIs so they don’t have to figure it out
• Elements
• Risk assessment in grants & contracts processes
• Secure research computing service
• Dean and VP Research level policy governance
• Broad-based operational governance
• Federal security standards: NIST SP 800-53/800-171/CUI
• UChicago and many others have one or are moving in that direction
6

7. UChicago Secure Computing Environment
7

8. Benefits and dividends
• On-going close coordination between research computing and central IT
• Identity & access management
• Security operations, incident response and risk assessment
• Network engineering
• Storage/recovery
• Systems administration
• Central IT learned how to support other sensitive computing needs
• Re-usable building blocks of secure computing technologies and procedures
• Total institutional cost is reduced with each re-use
8

9. Can CISOs and Research Computing
Directors get along?
• Yes!
• "Enabling Trustworthy Campus Cyberinfrastructure for Science“
• Workshop by TrustedCI and InCommon, funded by NSF, September 2018
• Chief Information Security Officer and Research Computing Director teams from ~15
universities
• Secure research computing needs drive successful partnerships among
CISOs, RC Directors, Legal Counsel, Research Administration
• Regardless of where RC Director and CISO report, large or small
institution, centralized or decentralized
9

10. Review of the simplest case
The scientific CI is in one organization, which makes feasible:
• Close, on-going operational collaboration between research
computing, central IT, information security
• Implementation of Federal/NIST security standards
Enables human subjects research programs by providing the help
needed to address onerous security obligations
10

11. Security and risk
Must it always be about complying with Federal/NIST security
standards?
11

12. Security Defined by Merriam Webster
1: freedom from danger (safety), freedom from fear or anxiety
4: measures taken to guard against espionage or sabotage,
crime, attack, or escape
https://www.merriam-webster.com/dictionary/security
We should emphasize definition #1, but security practice is
traditionally focused on #4
12
slide credit: Von Welch

13. Data lost
System
unavailable
Data altered
Private data
exposed
Enforced
shutdown
Ransomware
Cyber espionage
Weaponization
Hactivism
Identity theft
Mal intent
Protective and
responsive measures
Prevent negative
impact
Extended
disruption
Cybersecurity – traditional view
13
CI system in designed state

14. Protective and
responsive measures
Data lost
System
unavailable
Data altered
Private data
exposed
Enforced
shutdown
Ransomware
Cyber espionage
Weaponization
Misconfiguration
Flaw in 3rd party component
system
Overlooked ancillary functions
remain active
System restored to unplanned
state
Uncaught data transport error
Inadequate incident response
capability
Lack of operational coordination
leaves system in unplanned stateHactivism
Identity theft
Mal intent Deltas to CI system design state Negative impact
Extended
disruption
Cyber Risk – it’s not just about bad actors
14

15. Federal security standards address some IT risks
15
IT risk Federal security
controls?
Misconfiguration Yes
Flaw in 3rd party component system Yes
Overlooked ancillary functions remain active Yes
System restored to unplanned state Yes
Lack of operational coordination leaves system in
unplanned state
No
Uncaught data transport error No
Inadequate incident response capability Yes

16. Will Federal security frameworks assimilate all
US scientific CI?
Yes
Appropriate, probably
unavoidable, for some
secure research
Some aspects well suited
to both open science and
secure research
No
Needs common executive management, hence
hard to apply across organizations
Some critical IT risks aren’t addressed
TrustedCI is developing alternatives for open
science
• Open Science Cyber Risk Profile
• Guide to Developing Cybersecurity Programs
for NSF Science and Engineering Projects
16

17. Lack of operational coordination
leaves system in unplanned state
Please hold this thought in mind for a few minutes….
17

18. A complex case
Trust Frameworks and Federation reduce risk in complex, multi-
organizational circumstances
18

19. 19
Since 2015, thirteen ESFRI Research Infrastructures from the field of BioMedical Science
(BMS RI) joined their scientific capabilities and services to transform the understanding of
biological mechanisms and accelerate its translation into medical care.
• biobanking & biomolecular
resources
•curated databases
•marine model organisms
•systems biology
•translational research
•functional genomics
•screening & medicinal
chemistry
•microorganisms
•clinical trials
•structural biology
•biological/medical imaging•plant phenotyping
•highly pathogenic
microorganisms
Slide credit:
Mikael Linden

20. Increasing complexity of scientific CI
• Bigger data & bigger teams need bigger CI
• Beyond the scale a single organization can achieve on its own
• Not-bigger funding motivates the concentration of CI investments
• Federating or centralizing HPC centers, cloud
• Size brings complexity
• Federated user access, federated resources
• Access management
• Data, cache, and network management
20
As scientific CIs integrate more components and organizations, it’s
harder to manage, debug, and ascertain the state of the entire system

21. Federated user access – a global infrastucture
faculty, students, staff
data sets
intellectual property
specialized instruments
specialized computing
68 countries (March 2019)
> 16,700 entities (25% InCommon)
> 10,000,000 users
connected by global research
networks and federation
21

22. 22
Get collaboration ready
Release “Research & Scholarship” attributes
Basic security for Identity Provider
Accurate & complete metdata for good user experience
Standard MFA request/response
Identity assurance info
Enable
basic collaboration
Support
high value resources
Protect
collaboration resources Reduce risk
Identity
Providers
implement
Academic
Service
Providers
implement
Each item in the bottom two tiers is associated with a trust framework,
as is the federation itself

23. InCommon progress on metadata (user experience)
23

24. 24
InCommon’s Baseline Expectations program
Dimensions
❏ Security
❏ Privacy
❏ Transparency/Accountability
❏ User Experience
Participation Agreement
requires everyone to adhere
to Baseline Expectations
Processes
❏ Community Consensus
❏ Community Dispute Resolution
Mostly, it consists of tons of communication and help

25. Baseline Roadmap (under development)
25
1Q18 2Q18 3Q18 4Q18 1Q19 2Q19 3Q19 4Q19 1Q20 2Q20 3Q20 4Q20 1Q21 2Q21 3Q21 4Q21
Create BE processes, redo
contracts, metadata quality.
errorURL. SIRTFI all entities.
R&S and REFEDS MFA for
academic OS IdPs.
IdPs must use collaboration-
ready software/services.

26. Research & Scholarship attribute release
• Name, email, affiliation, persistent identifier
• Common need for “research and scholarship” services
• Those service providers are “tagged” by their national federation
operators as “R&S”
• Identity Providers automatically release the R&S attributes to R&S tagged
services
• Such Identity Providers are also tagged as “R&S” so that services can elect
to require R&S attributes in order to provide service
• The R&S program contributes to good privacy practice under the
European General Data Protection Regulation (GDPR)
[ 26 ]

27. SIRTFI - security incident response trust
framework for federated identity
27
Be willing to collaborate in
responding to a federated security
incident.
Apply basic operational security
protections to your federated
entities
in line with your organization’s
priorities.
Self-assert SIRTFI “tag” so that
others will know to trust this
about you.

28. REFEDS Assurance Framework
28
Identity Assurance Authentication Strength
Authentication
Single-factor
authentication (SFA)
Multi-factor
authentication (MFA)
Attributes
Affiliation freshness
1 day
Affiliation freshness
1 month
ID Proofing
Medium
(eg postal credential
delivery)
Low
(self-asserted)
High
(eg F2F)
Identifiers
ID is unique, personal
and traceable
ePPN is unique,
personal and
traceable
Defines a standard means for service providers to receive information about identity
assurance practice and request and receive information about strength of credentials

29. Review of the complex case & trust frameworks
A trust framework is
• A standard of behavior that applies to participants and/or components in
large, complex, even global systems
• Developed in response to identified needs of research and scholarly
activities
We trust that trust framework adopters reasonably observe the standard of
behavior because of our shared mission in Research & Education
Federations and other organizations enable and monitor trust framework
participation and may operate processes to verify or compel adoption
29

30. Lack of operational coordination
leaves system in unplanned state
Systems that integrate components across many organizations can use
trust frameworks to reduce the risk posed by intrinsic inability to
coordinate operationally
30

31. Reducing risk to scientific CI
Some services and programs you can take advantage of.
Some things you might think about doing.
31

32. ResearchSOC
ResearchSOC helps make scientific computing resilient to cyberattacks and
capable of supporting trustworthy, productive research.
• NSF funded center
• Indiana University, Duke University, Pittsburgh Supercomputing Center, University of
California San Diego
• Security Operations Center
• Vulnerability scanning and threat intelligence sharing
• Training information security professionals to address challenges of
securing research
32

33. TrustedCI and Internet2
• Direct engagements or partnerships to review or solve problems
• Security programs for NSF funded activities
• Facility/Site Identity & Access Management
• Federated user access
• Cloud use
• Campus Champions / CaRRC
• Science Gateways Community Institute
• Hope to translate experience with user federation into resource
federation space
33

34. Globus Connect/High Assurance
• Enhanced Connect Server/Personal to meet the security needs of
protected environments for secure research
• Only authorized identities
• Audit trails
• Session timeouts
• More…
• Enhanced Transfer & Auth services backend in AWS
• Meets Federal/NIST security standards
• Suited to HIPAA and other sensitive research data
34

35. You – campus research computing staff
• Add federated user access tooling to your environment
• CILogon, Globus Auth, COmanage, Grouper, others
• Help your CISO become your partner
• Support Federal security standards for high risk projects, sensible
security for low (eg, Open Science Cyber Risk Profile)
• Stay abreast of prototype resource federation efforts
• Help TrustedCI/Internet2 understand your researchers’ problems and
give guidance on good solutions
35

36. You – platform & gateway developers
• Use federated user access tooling
• Deep water, don’t roll your own user management!!
• Help your information security people to help you
• Bake sensible security into your dev and operational processes
• Provide sensible security functionality to deployers
• Your platforms are sometime implemented in very exposed Science
DMZs – focus on securing system integrity, make it hard for bad guys
to re-purposed as weapons
36

37. You - PIs
• Involve research computing staff as early as possible in grant
formulation process to optimize proposed data processing workflow
• If sensitive research data is involved, early engagement will minimize
hurdles & hoops, ensure satisfactory proposed data security plan
• Demand sensible security – make the IT and security powers that be
know that it matters and you need them for it
37

38. 38
Thank you!
Questions?
tbarton@uchicago.edu