62 research outputs found

    Identity Management Best Practices: A CTSC Blog Series

    This technical report collects a series of CTSC blog posts on identity management (IdM) best practices published in 2014 for archival purposes

    Center for Trustworthy Scientific Cyberinfrastructure Engagement Plan: Final Report for LIGO Engagement

    The Center for Trustworthy Scientific Cyberinfrastructure (CTSC) engages with NSF-funded projects to address their cybersecurity challenges. This document presents the results of one such engagement with the Laser Interferometer Gravitational-Wave Observatory (LIGO), a large research project funded by the National Science Foundation. LIGO seeks to make the first direct detection of gravitational waves, use them to explore the fundamental physics of gravity, and develop the emerging field of gravitational wave science as a tool of astronomical discovery. The primary goal of this engagement was to apply CTSC experience and expertise in leveraging SAML identity federations to support scientific projects to remove barriers for efficient international collaboration between LIGO and other astronomy and astrophysics projects by decreasing the effort required for LIGO to federate with those projects

    A Study of Three Approaches to International Identity Federation for the LIGO Project

    This document is a product of the Center for Trustworthy Scientific Cyberinfrastructure (CTSC). CTSC is supported by the National Science Foundation under Grant Number OCI-1234408. For more information about the Center for Trustworthy Scientific Cyberinfrastructure please visit: http://trustedci.org/. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation

    Trusted CI's Approach to Security for Open Science Projects

    Presentation at the 13th FIM4R Workshop: Federated Identity Management for Research Collaborations.Ope

    SciTokens: Capability-Based Secure Access to Remote Scientific Data

    The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems. Comment: 8 pages, 6 figures, PEARC '18: Practice and Experience in Advanced Research Computing, July 22-26, 2018, Pittsburgh, PA, US

    DataONE: Identity Management System Review

    This document is a product of the Center for Trustworthy Scientific Cyberinfrastructure (CTSC). CTSC is supported by the National Science Foundation under Grant Number OCI-1234408. For more information about the Center for Trustworthy Scientific Cyberinfrastructure please visit: http://trustedci.org/. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation

    A Credential Store for Multi-tenant Science Gateways

    Science Gateways bridge multiple computational grids and clouds, acting as overlay cyberinfrastructure. Gateways have three logical tiers: a user interfacing tier, a resource tier and a bridging middleware tier. Different groups may operate these tiers. This introduces three security challenges. First, the gateway middleware must manage multiple types of credentials associated with different resource providers. Second, the separation of the user interface and middleware layers means that security credentials must be securely delegated from the user interface to the middleware. Third, the same middleware may serve multiple gateways, so the middleware must correctly isolate user credentials associated with different gateways. We examine each of these three scenarios, concentrating on the requirements and implementation of the middleware layer. We propose and investigate the use of a Credential Store to solve the three security challenges

    Report of NSF Workshop Series on Scientific Software Security Innovation Institute

    Many individuals attended these workshops and contributed to the writing of this report. They are named in the report itself. Over the period of 2010-2011, a series of two workshops were held in response to NSF Dear Colleague Letter NSF 10-050 calling for exploratory workshops to consider requirements for Scientific Software Innovation Institutes (S2I2s). The specific topic of the workshop series was the potential benefits of a security-focused software institute that would serve the entire NSF research and development community. The first workshop was held on August 6th, 2010 in Arlington, VA and represented an initial exploration of the topic. The second workshop was held on October 26th, 2011 in Chicago, IL and its goals were to 1) extend our understanding of relevant needs of MREFC and large NSF Projects, 2) refine outcome from first workshop with broader community input, and 3) vet concepts for a trusted cyberinfrastructure institute. This report summarizes the findings of these workshops. This material is based upon work supported by the National Science Foundation under grant number 1043843. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science