Trusted CI Webinar Series Today’s webinar topic is “The Security Program at LSST” with NCSA’s Alex Withers. Our host is Jeannette Dopheide. The meeting will begin shortly. Participants are muted. Click the Chat button to open the chat view and ask a question. This meeting will be recorded. The Trusted CI Webinar Series is supported by National Science Foundation grant #1547272. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the NSF.

Trusted CI Webinar Series - IDEALS


Page 2: Trusted CI Webinar Series - IDEALS

Cyber Security at the Large Synoptic Survey Telescope

Alex Withers

CCoE Webinar, June 25th, 2018

Page 4: Trusted CI Webinar Series - IDEALS

Large Synoptic Survey Telescope

• Scientific goals:
  • Probe the nature of dark matter and dark energy
  • Cataloging the Solar System, particularly near-Earth asteroids and Kuiper belt objects
  • Observing transient optical events
  • Mapping the Milky Way: exploring structure and formation
• More information: www.lsst.org

Page 7: Trusted CI Webinar Series - IDEALS

LSST Data

• Recall that LSST data is the deliverable…
• Data eventually released to the public
• LSST’s Information Classification Policy outlines the information categories and gives examples.
• Sites that provide access to LSST data (i.e. NCSA) need to follow LSST’s security policy with respect to that data.
• Identity management plays a very important role here.

Page 9: Trusted CI Webinar Series - IDEALS

Lots of data, lots of software

Application Layer (LDM-151)
• Scientific Layer
• Pipelines constructed from reusable, standard “parts”, i.e. Application Framework
• Data Products representations standardized
• Metadata extendable without schema change
• Object-oriented, python, C++ Custom Software

Middleware Layer (LDM-152)
• Portability to clusters, grid, other
• Provide standard services so applications behave consistently (e.g. provenance)
• Preserve performance (<1% overhead)
• Custom Software on top of Open Source, Off-the-shelf Software

Infrastructure Layer (LDM-129)
• Distributed Platform
• Different sites specialized for real-time alerting, data release production, peta-scale data access
• Off-the-shelf, Commercial Hardware & Software, Custom Integration

Diagram boxes:
• 02C.06.02 Data Access Services
• 02C.07.01, 02C.06.03 Processing Middleware
• 02C.07.02 Infrastructure Services (System Administration, Operations, Security)
• 02C.08.03 Long-Haul Communications
• Physical Plant (included in above)
• 02C.07.04.02 Base Site
• 02C.06.01 Science Data Archive (Images, Alerts, Catalogs)
• 02C.01.02.01, 02C.02.01.04, 02C.03, 02C.04 Alert, SDQA, Calibration, Data Release Productions/Pipelines
• 02C.03.05, 02C.04.07 Application Framework
• 02C.05 Science User Interface and Analysis Tools
• 02C.07.04.01 Archive Site
• 02C.01.02.02 - 03 SDQA and Science Pipeline Toolkits

Page 10: Trusted CI Webinar Series - IDEALS

• LSST security program consists of:
  • Master security plan
  • Incident response plan
  • Information classification policy
  • Acceptable Use Policy
  • Security plans for each of LSST’s subsystems: camera, telescope, data management, etc.

Page 11: Trusted CI Webinar Series - IDEALS

• Previously mentioned documents governed by LSST’s Change Control Board.
• Derived from these documents:
  • Web-based risk assessment tables per subsystem
  • Security requirements documents
  • Incident response and handling playbook

Page 13: Trusted CI Webinar Series - IDEALS

Scope and Scale of Security Plan

• LSST comprised of many partner institutions: SLAC, Caltech, NOAO, NCSA, Princeton, UW, etc.
• These institutions have their own security programs and handle their own incidents.
• Where does that leave our security plan?
  • Identifying legal and regulatory concerns.
  • Outlines overall roles and responsibilities.
  • Protecting LSST data.
  • Areas not covered by an institution's own security plan.

Page 14: Trusted CI Webinar Series - IDEALS

Change Control and Risk

• LSST’s change control board authorizes security related changes
  • Policies, procedures, training, etc.
  • LSST Project Manager has final authority
• Residual risk is accepted by the Project Manager
• Risk is documented using a simple risk assessment table method:

Page 15: Trusted CI Webinar Series - IDEALS

• Technologies need to cover authn/z needs within the context of jupyterhub, web portals and RESTful APIs
• IAM system goals include:
  • Identify members of US/Chilean astronomy community
  • Identify named individuals and delegates with data rights (L2)
  • Manage collaborative groups within LSST (L3)
  • Access to applications/services
  • Admin/staff roles

Page 16: Trusted CI Webinar Series - IDEALS

• InCommon/COFRe authentication with eduPersonAffiliation
• LDAP+Kerberos across NCSA, Chile and Tucson
• User/group management with in-house NCSA software (CoManage-like)
• Duo for 2-factor
• LSST applications using CILogon (www.cilogon.org)
• SciTokens (scitokens.org): authorization with OAuth2.0 and JWTs
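A sketch of the resource-server side of the SciTokens bullet above, added here as an illustration and not taken from the talk or from LSST's code: after a JWT library has verified the token's signature, issuer and audience (assumed, not shown), the service still has to check expiry and match the `scope` claim against the requested operation and path. The sample claims, paths and the helper names are constructed for this example.

```python
import posixpath
import time

def _norm(path):
    """Collapse '.', '..' and '//' so a crafted path cannot escape a scope prefix."""
    return posixpath.normpath("/" + path.lstrip("/"))

def parse_scopes(scope_claim):
    """Split a space-separated scope claim into (operation, path) pairs."""
    grants = []
    for item in scope_claim.split():
        op, sep, path = item.partition(":")
        # A scope with no path is treated here as covering the whole namespace.
        grants.append((op, _norm(path) if sep else "/"))
    return grants

def is_authorized(claims, operation, requested_path, now=None):
    """Return True only if an unexpired token grants `operation` on the path.

    `claims` must already have passed signature, issuer and audience checks.
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    target = _norm(requested_path)
    for op, prefix in parse_scopes(claims.get("scope", "")):
        if op != operation:
            continue
        # Match whole path components: /images must not cover /images-private.
        if prefix == "/" or target == prefix or target.startswith(prefix + "/"):
            return True
    return False

# Constructed sample claims (not from the talk).
SAMPLE_CLAIMS = {
    "sub": "lsst-user-0001",
    "exp": 2_000_000_000,
    "scope": "read:/images write:/home/lsst-user-0001",
}
```

Normalizing both the scope prefix and the requested path before comparing is what keeps a request such as `/images/../catalogs` from being accepted under a `read:/images` grant.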

Page 18: Trusted CI Webinar Series - IDEALS

Identity Linking

− External identities (University, GitHub, etc.) linked to individual’s LSST identity
  – Established during initial enrollment and managed by user
− Group memberships based on LSST identity
  – LDAP queries using LSST IDs and external IDs

Page 21: Trusted CI Webinar Series - IDEALS

L2 Data Rights (Proposed)

− National professional astronomical community
  – Use eduPersonAffiliation when available
    • No "astronomy department" affiliation
    • "Member" is close enough?
  – Use American Astronomical Society membership directory?
    • i.e. orcid
  – Otherwise will require manual review/approval

Page 22: Trusted CI Webinar Series - IDEALS

L2 Data Rights (Proposed)

− Named individuals from international partners
  – Lookup existing LSST accounts
  – Email-based invitations
− A limited number of designated additional individuals (post-docs, grad students) per named individual
  – Named individuals can invite/grant others (from same institution)
− Periodic re-validation / review
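The identity-linking and proposed L2 data-rights rules from the slides above, combined into one decision function. This is an added illustration, not LSST's implementation: the accepted affiliation values, the cap of three delegates, the one-year re-validation window and all field and function names are assumptions, since the slides leave those points open.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed policy values: the slides leave these questions open.
ACCEPTED_AFFILIATIONS = {"faculty", "staff", "student", "member"}
MAX_DELEGATES = 3                      # delegates per named individual
REVALIDATE_AFTER = timedelta(days=365)

@dataclass
class Identity:
    lsst_id: str
    institution: str
    affiliations: set = field(default_factory=set)  # eduPersonAffiliation values
    external_ids: set = field(default_factory=set)  # linked university/GitHub IDs
    invited_by: str = ""                            # lsst_id of the sponsor
    validated_on: date = date(2018, 1, 1)

def resolve(external_id, directory):
    """Map a linked external identity to its LSST identity, or None."""
    for ident in directory.values():
        if external_id in ident.external_ids:
            return ident
    return None

def l2_decision(ident, directory, named, today):
    """Return 'grant', 'revalidate' or 'manual-review' for L2 data rights."""
    if today - ident.validated_on > REVALIDATE_AFTER:
        return "revalidate"
    if ident.lsst_id in named or ident.affiliations & ACCEPTED_AFFILIATIONS:
        return "grant"
    sponsor = directory.get(ident.invited_by)
    if sponsor and sponsor.lsst_id in named:
        # Only same-institution invitees count, in a stable order, up to the cap.
        delegates = sorted(i.lsst_id for i in directory.values()
                           if i.invited_by == sponsor.lsst_id
                           and i.institution == sponsor.institution)
        if ident.lsst_id in delegates[:MAX_DELEGATES]:
            return "grant"
    return "manual-review"

# Constructed sample directory (not real accounts).
NAMED = {"n1"}
DIRECTORY = {i.lsst_id: i for i in [
    Identity("u1", "univ-a", {"member"}, {"github:alice"}),
    Identity("n1", "partner-x"),
    Identity("d1", "partner-x", invited_by="n1"),
    Identity("d2", "partner-y", invited_by="n1"),
    Identity("u2", "univ-b", {"alum"}, validated_on=date(2016, 1, 1)),
]}
```

Anything that does not match a rule falls through to `manual-review` rather than to a grant, which mirrors the "otherwise will require manual review/approval" fallback on the slide.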

Page 24: Trusted CI Webinar Series - IDEALS

Recall...

Page 26: Trusted CI Webinar Series - IDEALS

Host-level security

• Host-based firewalls
• Configuration management with puppet
• Endpoint security: ossec, anti-virus, etc.
• User accounts centrally managed: LDAP, Kerberos, sssd, Duo
• System logs collected
• Administrative privileges tied to specific user accounts
  • i.e. no root login, sudo only, require two-factor

Page 27: Trusted CI Webinar Series - IDEALS

Network-level security

• Network filtering (SDN whitelists, firewalls)
  • Ingress and egress filtering
• Remote access with SSH, VPN and HTTPS
  • Two-factor authentication required
• Bro IDS at perimeter
• Management/operation tasks take place on out-of-band networks

Page 28: Trusted CI Webinar Series - IDEALS

Data-level security

• Risk assessment tables capture systems and storage containing sensitive data
• Data labeled as per the information classification policy
• Unintended release of this kind of data is documented as a severe risk
• Filesystems support for authn/z
• Burden mainly falls on the application providing access to the data

Page 29: Trusted CI Webinar Series - IDEALS

Physical-level security

• Physical security presents a weak point for bypassing security controls
• Policies enforced by software can mitigate these risks
  • USB keys, portable storage
  • Dangerous for non-networked systems
• Physical security
  • Wireless devices, APs, and physical network ports
  • Visitors who BYOD forced into visitor enclave

Page 30: Trusted CI Webinar Series - IDEALS

LSST Security Operations

● Operations managed from completely separate network
● Permanent VPN tunnel from NCSA security management network to Chile observation site management network
● VM Infrastructure
  ○ High availability
  ○ Host non-Bro security services
● Two Bro clusters: one production, one development/testing
  ○ 40 GB network → 100 GB network
  ○ Network taps aggregated, large flows shunted

Page 31: Trusted CI Webinar Series - IDEALS

[Diagram: @NCSA Sec Infrastructure. Labels: Offsite Bastion; PfSense (four instances); VM Infrastructure; Tap Aggregation; Bro Cluster Production; Bro Cluster Test; Network Taps; WAN IPsec VPN Tunnel, BGP Advertised; Cyber Security Mgmt/LOM Networks; LSST Data and Operations, 100 GB links x2]

Page 32: Trusted CI Webinar Series - IDEALS

Conclusion

• LSST has a working security plan covering existing and planned operations
• Future challenges:
  • Ensure LSST users and staff know what is expected
    • Awareness and education is key
  • Enabling access to data in a secure manner
  • Securing the core of LSST’s operations
• Accomplishing our security goals helps LSST achieve its mission

Page 33: Trusted CI Webinar Series - IDEALS

Thanks!

− Contacts:
  – [email protected]
  – https://security.ncsa.illinois.edu/
− Acknowledgements
  – Jim Basney, NCSA (LSST IaM project, cilogon and SciTokens)

Page 34: Trusted CI Webinar Series - IDEALS

Questions?

Please take our survey

Page 35: Trusted CI Webinar Series - IDEALS

About the Trusted CI Webinar series

To view presentations, join the discuss mailing list, or submit requests to present, visit:

https://trustedci.org/webinars

The next webinar is July 23rd at 11am Eastern.

Topic: RSARC: Trustworthy Computing Over Protected Datasets

Speaker: Mayank Varia