science gateway security recommendations
play

Science Gateway Security Recommendations Jim Basney - PowerPoint PPT Presentation

Sep 03, 2023 •240 likes •414 views

Science Gateway Security Recommendations Jim Basney jbasney@illinois.edu Von Welch vwelch@indiana.edu This material is based upon work supported by the National Science Foundation under grant numbers 1127210 and 1234408. Our abstract:

  1. Science Gateway Security Recommendations Jim Basney jbasney@illinois.edu Von Welch vwelch@indiana.edu This material is based upon work supported by the National Science Foundation under grant numbers 1127210 and 1234408.

  2. • Our abstract: http://go.illinois.edu/gwsecabstract • These slides: http://go.illinois.edu/gwsecslides sciencegatewaysecurity.org | trustedci.org

  3. Science Gateway Security Concerns • Confidentiality of pre-publication research data • Integrity of research results • Availability of services • Provide trustworthy service to researchers • Maintain trust of resource providers • Use resources in compliance with policies • Each science gateway is unique • Assess risks to determine appropriate mitigations • Risk = Likelihood x Impact sciencegatewaysecurity.org | trustedci.org

  4. Science Gateway Risk Factors • small, closely-knit • large, distributed, user community open user community • public data • sensitive data (sky survey data) (personal health info) • internal resources • external resources • focused functionality • wide range of user capabilities less risk more risk sciencegatewaysecurity.org | trustedci.org

  5. Science Gateways and Resource Providers Deployment models include: • Dedicated : Resources managed by science gateway • Science Gateway sets its own policies • Example: Rosetta Online Server That Includes Everyone (ROSIE) • Transparent : Providing a new interface to existing resources • Users have accounts on existing resources • Example: TeraGrid Visualization Gateway • Tiered : Science Gateway manages resource allocation • Science Gateway manages its own users • Using community account / robot certificate at resource provider • May send per-user attributes to resource providers • Examples: CIPRES, GENIUS sciencegatewaysecurity.org | trustedci.org

  6. TeraGrid Science Gateway AAAA Model (2005) http://dx.doi.org/10.1145/1838574.1838576 sciencegatewaysecurity.org | trustedci.org

  7. Existing Security Recommendations • Virtual Organization Portal Policy (EGI-InSPIRE SPG, 2010) • Securing Science Gateways (Hazlewood and Woitaszek, 2011) sciencegatewaysecurity.org | trustedci.org

  8. VO Portal Policy (EGI-InSPIRE SPG, 2010) • General Conditions • Limit job submission rate Ÿ Audit logging • Assist in security incident investigations • Securely store passwords, private keys, and user data https://documents.egi.eu/document/80 sciencegatewaysecurity.org | trustedci.org

  9. TeraGrid: Securing Science Gateways (Hazlewood and Woitaszek, 2011) • Recommendations: • Per-user accounting • Limiting access at resource providers (restricted shell, grid interfaces) • Separating per-user data from shared software and data • Individual accounts for science gateway developers • Short-lived certificates for remote access http://doi.acm.org/10.1145/2016741.2016781 sciencegatewaysecurity.org | trustedci.org

  10. Science Gateway User Authentication • Why authenticate users? • Access to external resources • Personalization • Maintaining state across sessions • Accounting / tracking usage • How to authenticate users? • Outsourced: federated identities, identity as a service • Internal: password DB managed by science gateway sciencegatewaysecurity.org | trustedci.org

  11. Federated User Authentication • Avoid managing user passwords! • SAML: campus identities • OpenID/OAuth: public identities • Enables two-factor authentication sciencegatewaysecurity.org | trustedci.org

  12. Passwords If your science gateway needs to handle user passwords: • Protect passwords from online attack • Use HTTPS • Block brute-force attacks (e.g., Fail2Ban) • Protect passwords from offline attack • Store password hashes • Use a strong hashing algorithm, with per-password salt • Use existing password hashing implementation • e.g., PHP password_hash() • http://security.blogoverflow.com/2013/09/about-secure- password-hashing/ sciencegatewaysecurity.org | trustedci.org

  13. Science Gateway Operational Security • Prevent (eliminate) threats (when possible) • Detect security incidents • Respond effectively to security issues • Goal : manage risks • First Step : Early communication with local security staff • Provide security services (monitoring, scanning, logging, etc.) • Identify security policies and best practice recommendations tailored to your local environment • Establish relationships now in case of security incident later sciencegatewaysecurity.org | trustedci.org

  14. Basic Operational Security Checklist Prevent Detect • Software patching • File integrity checking • Control admin access • Intrusion detection • Vulnerability scanning • Log monitoring • Firewalls Respond/Recover • Physical security • Centralized logging • Secure backups sciencegatewaysecurity.org | trustedci.org

  15. Continuous Software Assurance The Software Assurance Market Place (SWAMP) is a DHS S&T sponsored open facility to become operational in January 2014. It is driven by the goal to expand the adoption of software assurance (SwA) by software developers. The SWAMP will enable you to: • Identify new (possible) defects in your software every time you commit a change • Identify new (possible) defects in a software/library/module you are using every time a new version is released • Track the SwA practices of your project While protecting your privacy and the confidentiality of your data. http://continuousassurance.org

  16. Science Gateway Security: Community Resources http://trustedci.org/help http://sciencegatewaysecurity.org/discussion http://xsede.org/gateways sciencegatewaysecurity.org | trustedci.org

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2

Courtesy of Andrea Zonca, SDSC Science Gateway Security Considerations Applications of OAuth2 and OpenID Connect to Science Gateways https://tools.ietf.org/html/rfc6749 Three Layers of Science Gateway Cyberinfrastructure Tenants Resources

813 views • 43 slides
WHIT ITE OAK SCIE IENCE GATEWAY 1 White Oak Science Gateway Master Plan 2014 to 2018

WHIT ITE OAK SCIE IENCE GATEWAY 1 White Oak Science Gateway Master Plan 2014 to 2018

WHIT ITE OAK SCIE IENCE GATEWAY 1 White Oak Science Gateway Master Plan 2014 to 2018 http://montgomeryplanning.org/planning/communitie s/area-2/white-oak-science-gateway/ 2 White Oak Vicinity BALTIMORE WHITE OAK & FDA UNIV OF MD

667 views • 28 slides
Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches

Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches

10/16/2013 Securing Information Systems Barbarians at the Gateway Learning Objectives Security breaches are on the rise Understand the potentially damaging impact of security breaches Security must be made a top organizational

610 views • 20 slides
WHITE OAK SCIENCE GATEWAY THE FUTURE OF THE EAST COUNTY 1 White Oak Science Gateway Master Plan

WHITE OAK SCIENCE GATEWAY THE FUTURE OF THE EAST COUNTY 1 White Oak Science Gateway Master Plan

WHITE OAK SCIENCE GATEWAY THE FUTURE OF THE EAST COUNTY 1 White Oak Science Gateway Master Plan of 2014 2 White Oak Vicinity BALTIMORE WHITE OAK & FDA UNIV OF MD UNIV OF MD COLLEGE PARK COLLEGE PARK WASHINGTON, DC 3 Federal

575 views • 29 slides
WHITE OAK SCIENCE GATEWAY THE FUTURE OF THE EAST COUNTY 1 White Oak Science Gateway Master Plan

WHITE OAK SCIENCE GATEWAY THE FUTURE OF THE EAST COUNTY 1 White Oak Science Gateway Master Plan

WHITE OAK SCIENCE GATEWAY THE FUTURE OF THE EAST COUNTY 1 White Oak Science Gateway Master Plan of 2014 2 White Oak Vicinity BALTIMORE WHITE OAK & FDA UNIV OF MD UNIV OF MD COLLEGE PARK COLLEGE PARK WASHINGTON, DC 3 Federal

415 views • 28 slides
Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design

Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design

T he Dog Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design principles and going deep into the gateway architecture and modules, with some application sample http://dog-gateway.github.io/ WIRELESS

576 views • 30 slides
The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving

The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving

The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving people and freight Home to critical transportation infrastructure Railroads, Airport, Inland Port, Interstates Four Mississippi River Bridge

405 views • 19 slides
API Gateway API Gateway Gateway ESB At present tooling for API

API Gateway API Gateway Gateway ESB At present tooling for API

API Gateway API Gateway Gateway ESB At present tooling for API gateways is achingly immature and so while defining applications with API gateways is possible its most definitely not for the

416 views • 22 slides
R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE

R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE

R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE CONSUMER The storefront is the gateway to the consumer with commercial real estate serving as an ideal medium for connecting with established shoppers and

447 views • 18 slides
EPICS Channel Access Gateway and Access Security Florian Feldbauer Helmholtz-Institut Mainz

EPICS Channel Access Gateway and Access Security Florian Feldbauer Helmholtz-Institut Mainz

EPICS Channel Access Gateway and Access Security Florian Feldbauer Helmholtz-Institut Mainz Johannes Gutenberg-Universit at Mainz LV. Collaboration Meeting November 30, 2015 Florian Feldbauer (HIM/JGU) LV. CM, 11/30/2015 CA Gateway 1/15

413 views • 18 slides
Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway

Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway

Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway Sites Impact Threshold Likelihood of remaining a gateway VCU Campus IDENTITY Gateway Project Implement gateway elements that expand the

725 views • 44 slides
Open community software: Building science gateways and workflows Marlon Pierce, Suresh Marru

Open community software: Building science gateways and workflows Marlon Pierce, Suresh Marru

Open community software: Building science gateways and workflows Marlon Pierce, Suresh Marru Science Gateway Group Research Technologies, UITS November 16, 2012 Science Gateway Challenges Science Gateways are user environments for

408 views • 17 slides
CARER GATEWAY PRESENTATION 2020 carergateway.gov.au Carer Gateway is the national service

CARER GATEWAY PRESENTATION 2020 carergateway.gov.au Carer Gateway is the national service

CARER GATEWAY PRESENTATION 2020 carergateway.gov.au Carer Gateway is the national service Carers, funded by the Australian Government. It includes: Carer A website with information and advice Phone or online services Gateway

488 views • 14 slides
Integrated Security Curriculum Conceptions of SECURITY RISK THREATS TECH VALUES The Big

Integrated Security Curriculum Conceptions of SECURITY RISK THREATS TECH VALUES The Big

5/18/2017 Integrated Security Curriculum Conceptions of SECURITY RISK THREATS TECH VALUES The Big Picture: Integrated Security Pathways Cyber Security ISERC Student portal National Security Studies CAPSTONE: Gateway course Peace Studies

298 views • 3 slides
Harry & Maes Inc Client Presentation; Security Issues and Recommendations Presented by:

Harry & Maes Inc Client Presentation; Security Issues and Recommendations Presented by:

Harry & Maes Inc Client Presentation; Security Issues and Recommendations Presented by: Angel Hooper, IT Security Consultant February 19, 2017 CYBR 650 Summary Due to a data breach, impacting 25,000 customers, Harry & Maes has

618 views • 34 slides
For personal use only Cloud security through cloud gateway intelligence FCT July Update Innovate

For personal use only Cloud security through cloud gateway intelligence FCT July Update Innovate

For personal use only Cloud security through cloud gateway intelligence FCT July Update Innovate Create Execute July 2017 1 For personal use only AGENDA Executive Summary Steve OBrien, MD Financial & Operational Update

549 views • 30 slides
Connecting Resources with Science via HTCondor-CE Brian Lin OSG All Hands 2017 Connecting

Connecting Resources with Science via HTCondor-CE Brian Lin OSG All Hands 2017 Connecting

Connecting Resources with Science via HTCondor-CE Brian Lin OSG All Hands 2017 Connecting Resources with Science | OSG All Hands 2017 | Brian Lin A fundamental problem of scientific computing at scale is matchmaking Connecting Resources with

568 views • 21 slides
Build your own Gateway with RAK831 and RESIN.IO Workshops start at: 10:45 13:30 15:30

Build your own Gateway with RAK831 and RESIN.IO Workshops start at: 10:45 13:30 15:30

Build your own Gateway with RAK831 and RESIN.IO Workshops start at: 10:45 13:30 15:30 Workshop Build your own Gateway with RAK831 and RESIN.IO Your trainers: Jac Kersing Gergely Imreh (resin.io) Leonel Lopes Parente Shaun

535 views • 19 slides
IoT Security Function Distribution via DLT Le Su, Dinil Mon Divakaran, Sze Ling Yeo, Jiqiang Lu,

IoT Security Function Distribution via DLT Le Su, Dinil Mon Divakaran, Sze Ling Yeo, Jiqiang Lu,

IoT Security Function Distribution via DLT Le Su, Dinil Mon Divakaran, Sze Ling Yeo, Jiqiang Lu, Vrizlynn Thing Work was done at Institute for Infocomm Research (IR), A*STAR, Singapore Motivation IoT devices while increasingly deployed at

733 views • 28 slides
Gang of Four Object Oriented Design Patterns Motivation Object Oriented Analysis (OOA)

Gang of Four Object Oriented Design Patterns Motivation Object Oriented Analysis (OOA)

Gang of Four Object Oriented Design Patterns Motivation Object Oriented Analysis (OOA) domain problem designed as (domain) objects addresses the functional challenges what a system does provides guidance for implementation Object

921 views • 28 slides
EMBEDDED PEER INQUIRY SPECIALISTS: A Gateway to Information Literacy University of California,

EMBEDDED PEER INQUIRY SPECIALISTS: A Gateway to Information Literacy University of California,

EMBEDDED PEER INQUIRY SPECIALISTS: A Gateway to Information Literacy University of California, Los Angeles Hall! Our Team Julia Glassman Collections & Writing Programs Librarian Simon Lee Learning Technologies Librarian Marc

521 views • 23 slides
LAB-02 BPMN Basics Lecturer: Andrea MARRELLA Objectives of this lecture Learn how to use

LAB-02 BPMN Basics Lecturer: Andrea MARRELLA Objectives of this lecture Learn how to use

Lab for the course on Process and Service Modeling and Analysis LAB-02 BPMN Basics Lecturer: Andrea MARRELLA Objectives of this lecture Learn how to use Bizagi Modeler Recap: BPM Basics and use of gateways Checking

494 views • 28 slides
Media Gateway Control Media Gateway Control and the Softswitch Softswitch and the Architecture

Media Gateway Control Media Gateway Control and the Softswitch Softswitch and the Architecture

Media Gateway Control Media Gateway Control and the Softswitch Softswitch and the Architecture Architecture Call Flow for RGW to TGW (1/18) Call Flow for RGW to TGW (1/18) CA@ca.whatever.net 140.113.65.24 DB CA ACC SG rgw.whatever.net

267 views • 25 slides
HUD Lead Hazard Control Grantee City of Marshalltown Serving Marshall, Tama, Hardin and Story

HUD Lead Hazard Control Grantee City of Marshalltown Serving Marshall, Tama, Hardin and Story

HUD Lead Hazard Control Grantee City of Marshalltown Serving Marshall, Tama, Hardin and Story Counties In Iowa Presented by: Michelle Spohnheimer, Housing and Community Development Director Joyce Brown, Lead Grant Program Manager An overview

319 views • 6 slides

More recommend