What Do Research Computing and Information Security Leaders Have in Common?
Quite a lot, it turns out, as demonstrated at the “Enabling Trustworthy Campus Cyberinfrastructure for Science” workshop, held at the University of Maryland in September 2018.
The workshop, a collaborative production of Internet2 and Trusted CI (the National Science Foundation’s Cybersecurity Center of Excellence), had 37 invited participants representing 18 institutions (including 15 universities) from 12 states. It followed a highly interactive format organized around several objectives:
- Discerning and articulating challenges that exist between research computing and information security groups.
- Identifying successes and lessons learned about how research computing and information security groups can work together to support open and regulated research.
- Identifying changes and initial steps that could improve this situation.
- Improving professional networking among attendees.
Each institution brought its research computing lead and its information security lead as a team, and each team was asked to jointly prepare a brief talk in advance. The workshop proceeded in four segments. In each of the first three, one-third of the participating institutions gave their brief talks, with a healthy allocation of time for discussion and, unlike typical lightning talk sessions, no strict limit on presentation time. Topics spanned:
- Addressing appropriate security controls for a Science DMZ.
- Drivers for convening campus stakeholders in both secure and open research computing environments.
- Variability across institutions regarding security, policy, risk mitigation practices, and sensibilities.
- The pyramid of computing tiers, beginning with the national/international base, followed in sequence by regional, campus, and local tiers.
- Differing missions of research and enterprise IT and the need to somehow get to "Yes" when research IT asks for help.
The workshop format engendered rich discussion, which the participants mined in real time to produce more than sixty items across five perspectives: Do’s, Don’ts, Commonalities, Differences, and a Parking Lot of topics worthy of further attention. In the fourth and final segment, the participants broke into one group per perspective to expand and refine these items.
Some inferences drawn from the discussion include:
- The need to manage the institutional liability conveyed by research-related contracts brings research computing and information security leadership together with a range of other parties such as legal counsel, research administration, and IRB directors. Such groups are effective at arriving at an institutional perspective and strategy for managing liability with minimal impediment to researchers.
- The programmatic response to that liability was similar across participating institutions, despite myriad differences in their contexts: where the research computing and information security leads report, whether the effort was driven top down or bottom up, and whether the institution was smaller or larger. Key elements of that programmatic response are:
  - convening stakeholder groups like those described in the bullet above,
  - creating computing environments in which the contract terms typical of secure research can be upheld, and
  - implementing policy and workflow that connect sensitive research data with the environments designed to house them.
- None of the participating institutions used a commercial cloud platform for secure research computing. “How can we do NIST SP800-171 security in the cloud?” was one of the topics noted as worthy of further attention.
The participants recommended that further discussions of this kind be facilitated, continuing to bring together campus research computing and information security leaders so that campuses are better positioned to apply appropriate security measures and risk management mechanisms to both sensitive and open research activities.
The workshop was supported in part by NSF awards #1652376 and #1547272.