2021 NSF Cybersecurity Summit

Conference program


PLENARY SESSION 1
Tuesday, October 12, 2021

All times listed in Eastern Daylight Time (EDT)

Time Session title
12:00 pm NSF Welcome (Robert Beverly)
12:25 pm Finding the sweet spot: How much security is needed for NSF projects? (Panelists: Rebecca L. Keiser, Alex Withers, Pamela Nigro (Everly Health) | Moderator: Anita Nikolich)
1:20 pm BREAK
1:25 pm Trusted CI State of the Union (Von Welch)
1:50 pm SciAuth: Deploying Interoperable and Usable Authorization Tokens to Enable Scientific Collaborations (Jim Basney, Brian Bockelman, Derek Weitzel)
2:20 pm BREAK
2:25 pm Trusted CI Fellows Panel (Moderator: Laura Christopherson; Fellows: Deb McCaffrey, Amiya Maji, Eli Alhajjar, Matthew Peterson, Mauricio Tavares, Richard Wagner, Shuyuan Metcalf, Michael Kyle)
3:20 pm ESNET Security Group Impact on Network Architecture (Scott Campbell)
3:50 pm BREAK
4:00 pm Best practices for securing Science DMZ (Eli Dart, Fatema Bannat Wala)
4:30 pm Increasing Security with Federated Authentication (Brett Bieber, Rachana Ananthakrishnan)
5:00 pm GDPR, APPI, and LGPD: don’t go sciencing internationally in your experimental testbed without knowing them (Mauricio Tavares)
5:30 pm End Day 1 Plenary

Talk Abstracts

Finding the sweet spot: How much security is needed for NSF projects?

Cybersecurity can be viewed as a cost center, with every dollar going to cybersecurity being a dollar not spent on science. How do we as the cybersecurity community convince our leadership that their investments in us benefit their science mission? How do we convince them what the right amount to spend is? How do we convince them that we are spending it wisely? This panel brings together leadership from NSF projects and cybersecurity to discuss these questions.

Panelists:
Rebecca L. Keiser, NSF Chief of Research Security Strategy and Policy
David Halstead, CIO, National Radio Astronomy Observatory
Alex Withers, Assistant Director of Cyber Security, National Center for Supercomputing Applications; Manager, XSEDE Security Team
Pamela Nigro, Vice President Information Technology and Security Officer, Everly Health


SciAuth: Deploying Interoperable and Usable Authorization Tokens to Enable Scientific Collaborations

NSF cyberinfrastructure is undergoing a security transformation: a migration from X.509 user certificates to IETF-standard JSON Web Tokens (JWTs). This migration has facilitated a re-thinking of authentication and authorization among cyberinfrastructure providers: enabling federated authentication as a core capability, improving support for attribute, role, and capability-based authorization, and reducing reliance on prior identity-based authorization methods that created security and usability problems. Achieving the benefits of a fundamentally new security credential ecosystem in our cyberinfrastructure, while avoiding the temptation to simply re-implement old X.509 methods using JWTs, requires leadership and coordination. The SciAuth project (https://sciauth.org/), which began in July 2021, supports this critical transformation through community engagement, coordinated adoption of community standards, integration with software cyberinfrastructure, security analysis and threat modeling, training, and workforce development. SciAuth helps the community realize the benefits of an interoperable, capability-based ecosystem when transitioning between technologies, while maintaining the reliable and secure cyberinfrastructure upon which the scientific community depends.

Usable mechanisms for privilege management are critical for enabling productive scientific collaborations across a diverse and distributed scientific cyberinfrastructure ecosystem. The SciTokens project demonstrated that the use of JWTs with the IETF OAuth standard for privilege delegation provides a breakthrough for interoperable, least-privilege resource sharing in scientific collaborations [1,2,3,4]. Now our challenge is to make that breakthrough technology usable by scientists across disciplines, project sizes, and software ecosystems by enabling coordinated deployments across cyberinfrastructures in active use today.

In this presentation, the SciAuth team will provide an update on the migration from GSI (Grid Security Infrastructure, the X.509-based system) to JWT, will highlight science drivers, security collaborators, and software implementations, and will present an updated threat model for JWT adoption.
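The "capability-based" point in the abstract is easiest to see in code. The following is an added example, not code from the SciAuth or SciTokens projects: it mints and verifies a minimal JWT whose scope claim carries SciTokens-style capabilities (read:/path, write:/path) and authorizes a request by matching the requested action and path against those capabilities, without ever consulting who the subject is. To stay self-contained it signs with HS256 and a shared key; production deployments use asymmetric signatures and fetch the issuer's public keys, and the issuer, audience, key, and paths below are all made up. The verifier pins the algorithm, checks issuer, audience and expiry, normalizes the path so ".." cannot escape a granted prefix, and treats any failure as a denial.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import time

# Constructed values for the example; not real SciAuth/SciTokens endpoints.
ISSUER = "https://tokens.example.org"
AUDIENCE = "https://storage.example.org"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(key: bytes, issuer: str, audience: str, scopes: list, ttl: int = 600, now=None) -> str:
    """Issue an HS256 JWT whose 'scope' claim lists capabilities such as 'read:/store/alice'."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl, "scope": " ".join(scopes)}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is well formed, signed with our key, from our issuer,
    addressed to us and unexpired; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose (rejects alg=none and similar tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def scope_permits(scope_claim: str, action: str, path: str) -> bool:
    """True if some 'action:/prefix' capability covers the normalized absolute path.
    '/store/alice' covers '/store/alice' and '/store/alice/...' but not '/store/alicedata'."""
    if not path.startswith("/"):
        return False
    path = posixpath.normpath(path)  # collapses '..' so it cannot climb out of a prefix
    for item in scope_claim.split():
        act, sep, prefix = item.partition(":")
        if not sep or act != action:
            continue
        prefix = posixpath.normpath(prefix)
        if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def authorize(token: str, key: bytes, issuer: str, audience: str, action: str, path: str, now=None) -> bool:
    """Capability-based decision: the subject's identity never enters into it."""
    try:
        claims = verify_token(token, key, issuer, audience, now=now)
    except ValueError:
        return False
    return scope_permits(claims.get("scope", ""), action, path)


if __name__ == "__main__":
    key = b"shared-secret-for-the-example-only"
    tok = mint_token(key, ISSUER, AUDIENCE, ["read:/store/alice", "write:/store/alice/scratch"])
    print(authorize(tok, key, ISSUER, AUDIENCE, "read", "/store/alice/run42.h5"))   # True
    print(authorize(tok, key, ISSUER, AUDIENCE, "write", "/store/alice/run42.h5"))  # False
```

The design choice worth noting is that authorize() never looks at a sub claim or maps the bearer to a local account: the token itself is the least-privilege grant, which is the difference between a capability token and an X.509 identity re-encoded as a JWT.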


ESNET Security Group Impact on Network Architecture

The Energy Sciences Network (ESnet) is a high-performance, unclassified network built to support scientific research and engineered and optimized for large-scale science. Every few years the network is redesigned to systematically take advantage of hardware and software advances; the current effort is ESnet6. Since the previous redesign, the security group has grown in both headcount and experience, and has been better able to provide advice during the early architecture and design stage as well as during the current implementation phases of the ESnet6 project.

In this talk Scott Campbell will discuss some of the social, technical and architectural outcomes that were beneficial to the organization at large. One of the unexpected benefits was the heightened visibility of the security group and improved communication between the various core groups within ESnet. This visibility has created a much better understanding of the ways the various groups interact, and of their different methods of problem solving and time management. By being involved early, rather than having changes "bolted on", the security group has had its design elements incorporated into workflows from the start, reducing friction and problems for engineering. In addition, the increased visibility has given the security group a much louder voice in getting projects accepted and understood. A particularly good example of success is the design and operation of the management network: from routing and sinkholes to the way address space is laid out for simpler ACL construction, having the security group involved produced design decisions that are both tightly integrated and vetted during the core design process.


Increasing Security with Federated Authentication

Federated identity management has enabled collaboration beyond campus borders for many years, but we now face an increasing need to secure services and data alongside a continued interest in eliminating barriers to entry. See how community members within InCommon have used international standards for expressing multi-factor authentication and identity assurance to elevate the security of services and shared datasets from the National Institutes of Health (NIH). Attendees will learn how institutions adopting the REFEDS Multi-Factor Authentication (MFA) Profile and Assurance Framework have reduced the cybersecurity risks to critical services in health sciences, and how service providers (SPs) can leverage these tools to strengthen their cybersecurity posture.
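What the abstract calls "expressing multi-factor authentication and identity assurance" comes down to two values the IdP places in the SAML assertion: the REFEDS MFA profile URI (https://refeds.org/profile/mfa) in AuthnContextClassRef, and REFEDS Assurance Framework values (for example https://refeds.org/assurance/IAP/medium) in the eduPersonAssurance attribute. The following is an added example, not code from InCommon, REFEDS or NIH: it shows the check an SP performs on a (constructed) assertion after the SAML library has already validated the signature, conditions and audience, which this example deliberately does not repeat. The IdP entityID and subject are invented; the profile URIs and the eduPersonAssurance OID are the published ones.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REFEDS_MFA = "https://refeds.org/profile/mfa"
EDU_PERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"   # eduPersonAssurance

# Constructed assertion (signature element omitted; assume it was verified by the SAML stack).
ASSERTION_MFA = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>_transient_id_123</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2021-10-12T16:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" FriendlyName="eduPersonAssurance">
      <saml:AttributeValue>https://refeds.org/assurance/ID/unique</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same IdP, but a password-only login and no assurance attribute released.
ASSERTION_PASSWORD = ASSERTION_MFA.replace(
    "https://refeds.org/profile/mfa",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
).replace('FriendlyName="eduPersonAssurance"', 'FriendlyName="eduPersonAssurance" xml:lang="x-none"')


def authn_context_refs(root) -> list:
    """All AuthnContextClassRef values asserted for this authentication."""
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, SAML_NS) if e.text]


def attribute_values(root, name: str) -> list:
    """Values of the SAML attribute with the given Name (OID form, as released in R&S/InCommon)."""
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text)
    return values


def evaluate_assertion(xml_text: str, require_mfa: bool = True, required_assurance=()) -> tuple:
    """Return (allowed, reasons). Denies unless the IdP asserted REFEDS MFA (when required)
    and released every required eduPersonAssurance value."""
    root = ET.fromstring(xml_text)
    reasons = []
    if require_mfa and REFEDS_MFA not in authn_context_refs(root):
        # A password-only class ref, or an IdP that ignored RequestedAuthnContext, lands here.
        reasons.append("REFEDS MFA not asserted")
    missing = set(required_assurance) - set(attribute_values(root, EDU_PERSON_ASSURANCE))
    if missing:
        reasons.append("missing assurance: " + ", ".join(sorted(missing)))
    return (not reasons, reasons)


if __name__ == "__main__":
    policy = ("https://refeds.org/assurance/IAP/medium",)
    print(evaluate_assertion(ASSERTION_MFA, required_assurance=policy))       # (True, [])
    print(evaluate_assertion(ASSERTION_PASSWORD, required_assurance=policy))  # (False, [...])
```

Two practitioner notes. First, the SP must both request the MFA context (RequestedAuthnContext in the AuthnRequest) and check the response as above; requesting alone is not enforcement, because an IdP that does not support the profile may respond with a different class reference. Second, the check relies on the IdP only asserting https://refeds.org/profile/mfa when it actually performed MFA for that login, which is exactly the commitment the REFEDS profile asks IdPs to make.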


Best practices for securing Science DMZ

High-speed data transfers have always been one of the priorities at National Laboratories and research facilities, and operating high-performance networking environments safely continues to be an active topic of discussion. High-speed networks play a significant role in conducting cutting-edge research without significant delays, and security implementations that protect the network are often viewed as playing the same role as resistors in an electric circuit: hindering the flow of data (current). It is a very common use case for a researcher at a National Lab or any other research environment to need efficient access to data and collaboration with peers without being impeded by the security of the network and data. This presentation will cover best practices for securing a Science DMZ and for thinking of the Science DMZ as a security architecture, providing useful and practically implementable security controls without impacting the high-speed flows through the network. The talk will focus on disentangling security policies and enforcement for science flows from traditional security approaches for business systems, and on using the Science DMZ model to defend high-performance science flows.