Campus ScienceDMZ and Campus Cybersecurity

Slide 1 – Introductions
• Moderator: XXX, Institution
• Brian Stengel – University of Pittsburgh
• XXX, Institution
• XXX, Institution

Slide 2 – University of Pittsburgh
• Pittsburgh Campus – Oakland area
• Four regional campuses
• Undergrads – 18,757 on main campus, 6,317 at regionals
• Graduate students – 7,739
• Doctorates – 2,121
• Medical Center – UPMC
• University Data Center (NOC) – off campus (10 miles)
• Affiliated with the Pittsburgh Supercomputing Center

Slide 3 – Information Technology @Pitt – CIO Jinx Walton
• Enterprise Services – ID, Data, Voice, Server/Web Hosting, etc.
• Academic Computing
• Student Computing
• Business Intelligence
• Enterprise Systems
• Consulting Services
• Information Security – CISO, Security Analysts, Incident Response
• Operations – Data Center Operations, 24x7 NOC, Help Desk
• Research Support – Hosting of University HPC systems at data center, HPC engineers
  – FISMA environment
  – Campus Cyberinfrastructure

Slide 4
[Diagram: Metro Commodity Internet Providers]

Slide 5
[No text content]

Slide 6
[Network diagram: University Data Center, Campus Enterprise Services and HPC resources linked at 10G; 2G and 3G links to Commodity Internet Providers; 10G to 3Rox Regional Members (Metro, Regional, National, International); 100G to Other R&Es]

Slide 7 – CC*IIE Award
• Our project – Accelerating Science, Translational Research, and Collaboration at the University of Pittsburgh Through the Implementation of Network Upgrades
• Engineering activities – Science DMZ, 100G to GigaPoP, 100G to data center, Enterprise DTN, extension of SDMZ to one campus cluster, perfSONAR
• Research projects supported:
  – PGRR: The Pittsburgh Genome Resource Repository provides data management and computing infrastructure to support use of national genome data resources for personalized medicine research.
  – LCTP: Laboratory of Computational Transport Phenomena, Swanson School of Engineering. Conducts research in fluid mechanics, combustion, heat and mass transfer, applied mathematics and numerical methods.
  – ATLAS: Department of Physics and Astronomy, Tier3 cluster on campus using the WLCG.
  – SaM: Center for Simulation and Modeling. Pitt’s group that runs the large shared cluster at the data center.
  – PSC: Pittsburgh Supercomputing Center. Storage (Supercell, Slash2), compute (Blacklight).

Slide 8 – Cyberinfrastructure
• Organizing – acquiring, building, assembling, funding etc. – requires planning
• Coordinating – acquiring, integrating, delivering, provisioning, communicating, governing … – requires skills
• Cyberinfrastructure is the organized aggregate of information technologies coordinated to address problems in science and society. (Source: Fran Berman, Data and Society, CSCI 4967/6963)

Slide 9 – Lots of owners… Who does security?
• Owners: Others, Research Labs, Centers, IT
• Organizing – requires planning; Coordinating – requires skills; Cyberinfrastructure – the organized aggregate of information technologies coordinated to address problems in science and society (definition repeated from Slide 8)

Slide 10 – Team Composition
[Diagram of control vs. influence; labels as they appear:]
• Others supporting… SaM, PSC, PGRR
• Little control, some influence: Developers, Users, Dept IT, Software and code, Datasets; Co-PI from PGRR
• Some control, more influence: HPC (tech, people), PSC (tech, people), Leadership, LCTP, ATLAS, Researchers, Faculty, WLCG, SC, Grad Students, ATLAS Resources, Support; Co-PI from SaM, LCTP
• Most control (our department), but least knowledge of scientific workflows: Enterprise Architects, Security Analysts, Network Engineers, Academic Consultant, HPC Engineers, Project Mgmt, Communications
• Important artifact: “landscape documents” – helped us see relationships and drivers…

Slide 11 – Six Principles of Resilience to Manage Digital Security (Gartner)
1. Move from check box compliance to risk-based thinking
2. Move from protecting the infrastructure to supporting organizational outcomes
3. Move from being the righteous defenders of the organization to acting as the facilitators of balance
4. Move from controlling the flow of information to understanding how information flows
5. Move from a technology focus to a people focus
6. Move from protection only, to detect and respond

Slide 12 – PGRR
[Diagram: Department of BioMedical Informatics (login, compute nodes, local storage) – 10G – Research VRF – 100G – ScienceDMZ (Research VRF, Slash2, New Enterprise DTN) – 100G – Data Supercell, Slash2, Blacklight; CGHub – UC Santa Cruz, a resource of the National Cancer Institute]
Engineering Changes
• 100G to 3Rox and data center
• VRFs for segmentation
• Infiniband and 10G for Slash2 service in SDMZ
• Dedicated, purpose-built DTN in SDMZ with 10G and IB
• New cluster to use SDMZ for compute against datasets in both locations

Slide 13 – PGRR (same diagram)
Security Changes
• ACLs for research VRFs. No firewalls
• DTN built with security controls and data movement tools only
• Presented VRF to Infiniband VLANs protected by ACLs

Slide 14 – PGRR (same diagram)
Security Integration/Tradeoffs
• Desired-state configuration mgmt for DTN using SALT
• Netflow for behavioral analysis monitoring
• Nessus security scans
• Slash2 is PSC technology… PSC people are part of the PGRR team…
• SDMZ is not a “service” for us… We had to navigate farther up the stack…
• Early established regulatory framework provided solid foundation, but implementation forced a critical review…
• Attention and effort can result in good balance between security and ease of access
Two artifacts:
• SDMZ Application Security Plan
• Enterprise DTN Security Plan

Slide 15 – LCTP
[Diagram: Globus Connect Personal – 10G – Research VRF – 100G – ScienceDMZ (Research VRF, Enterprise DTN running Globus Connect Server) – 100G – Research VRF – Globus Connect Personal]
Engineering Changes
• Globus Connect Server running on new Enterprise DTN
• New storage subsystems for Globus endpoints
• Integration of federated ID
Security Changes
• ACLs for Globus Online
• Security controls for DTN
Security Integration/Tradeoffs
• Identity mapping for current Globus users to CILogon/InCommon
• Significant changes to directories, home/etc.
• Globus (MyProxy) to accounts via LDAP

Slide 16 – ATLAS
[Diagram: Tier 3g node and DTN – 10G – Research VRF – 100G – ScienceDMZ (Research VRF) – 100G]
Engineering Changes
• 10G extension of SDMZ to campus building
• Re-purposed DTN for participation in WLCG grid
• Latest grid software (Rucio)
• New storage subsystem
Security Changes
• ACLs for DDN network to Tier2,3 sites
• Security controls for DTN (user shell restrictions)
• Integration to campus AD
Security Integration/Tradeoffs
• DTN is single-function only…
• No longer used for cluster operations – data transfer only.
• Change in DDN client functions (Rucio)

Slide 17 – Must do’s
• Map out the workflows to identify the key intersections (not just the technology intersections)
• Identify vulnerabilities (not just the technology vulnerabilities) and take a risk-based approach to addressing them
• Attend an OIN Workshop
• Participate in a CTSC Peer Review
• Promote, discuss, develop “CI competency”
• Use “cybersecurity” as a way to promote these discussions…

Slide 18 – Cyberinfrastructure
[Diagram elements: Organizations, Scientific instruments, Expertise, Discovery, Collaboration, Knowledge, Computational Resources, Data, Advanced networking and cybersecurity, Software]

Slide 19 – “CI Competency” Maturity Model
[Axes: Performance, ROI vs. Capabilities, Benefits, Opportunities]
• Scientific outcomes are linked to CI capacity/competency
• Critical to data-intensive research
• Reference architectures to non-traditional domains (humanities, social sciences)
• Inertia building – not single purpose
• Opportunities become emergent
• “Free capacity” is no longer only driver
• Innovations are being driven to/in the cloud
• CI is composable – per service capabilities and choices
• Workload/compute federations in neutral, multivendor environments
• CI is “social”
• CI security is an enabler

Slide 20 – …need for cybersecurity innovation, education, practice, tools
• Who are your people that work in the gaps?
• Do they have the skills, tools, and support to be effective?
• Do you have their backs?
Great programs:
• CICI
• SaTC
• CTSC
• ACI-REF

Slide 21
[End]
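Added illustration (not code from the Pitt project) of the approach in Slides 14 and 16: a DTN that is single-function, data transfer only, gives Netflow-based behavioral monitoring a simple baseline, since any flow outside the data-movement services and expected peers is a deviation worth investigating. All addresses, port numbers and flow records below are constructed placeholders, not the campus's real configuration.

```python
"""Flag flow records that break a single-function DTN policy (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical addressing: the DTN lives in the Science DMZ research VRF.
DTN_IP = ip_address("192.0.2.10")
# Peers the DTN is expected to move data with (constructed placeholders).
ALLOWED_PEERS = [ip_network("198.51.100.0/24"),   # remote repository / grid peer
                 ip_network("203.0.113.0/24")]    # data-center storage side
ADMIN_NET = ip_network("192.0.2.128/25")          # only source allowed to SSH in
# Data-movement services the DTN offers: GridFTP control plus an
# ephemeral data-channel range (assumed values for the example).
DATA_PORTS = {2811} | set(range(50000, 51001))

@dataclass
class Flow:
    src: str; dst: str; dport: int; proto: str; nbytes: int

def parse_flows(text):
    """Parse constructed 'src,dst,dport,proto,bytes' lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, nbytes = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes)))
    return flows

def classify(flow):
    """Return None if the flow fits the data-transfer-only role, else a reason string."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if DTN_IP not in (src, dst):
        return None                      # not a DTN flow: out of scope here
    peer = dst if src == DTN_IP else src
    if flow.dport == 22 and dst == DTN_IP:   # inbound admin SSH to the DTN
        return None if peer in ADMIN_NET else "ssh from outside admin net"
    if flow.dport in DATA_PORTS:             # data movement, but only to known peers
        return None if any(peer in n for n in ALLOWED_PEERS) else "data port to unknown peer"
    return f"non-data-transfer service on port {flow.dport}"

def audit(text):
    """Return (flow, reason) pairs for every flow that violates the policy."""
    return [(f, r) for f in parse_flows(text) if (r := classify(f))]

SAMPLE = """
192.0.2.10,198.51.100.7,2811,tcp,1200
198.51.100.7,192.0.2.10,50010,tcp,900000000
192.0.2.200,192.0.2.10,22,tcp,4000
192.0.2.10,192.0.2.50,25,tcp,500
192.0.2.10,192.0.2.77,50030,tcp,70000
198.51.100.7,192.0.2.10,22,tcp,300
192.0.2.10,203.0.113.9,50020,tcp,80000000
"""
```

Feeding real flow exports into `audit()` would mean mapping the collector's field order into `parse_flows`; the policy sets would come from the DTN's ACLs and security plan rather than the placeholders here.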