High Performance Computing Environment for Research on Restricted Data. Dr. Erik Deumens Rob Adams Dr. Alin Dobra

Transcription

1 High Performance Computing Environment for Research on Restricted Data Dr. Erik Deumens Rob Adams Dr. Alin Dobra

2 The Needs of Sponsored Research Dr. Erik Deumens Director, Research Computing University of Florida

3 Problem: Managing Risk in the Giant Unknown Space of Research Data

4 Problem: Research Contracts and Grants Invoke DUA s and Regulations

5 UF Strategy: Computing Environments by Data Classification Restricted Data NIST Moderate Sensitive Data NIST Low Open Data Open Baseline

6 UF Keys to Success Meet Researcher Needs - Affordable - Reliable - Easy to Provision - Simple to Use Simple Process Identify/Track During Proposal Submission Process 1. Review Scope 2. Categorize Data 3. Assess Risk ResShield ResVault HiPerGator

7 Regulatory Armageddon DoD: DFARS Amend. NIST: ISOO: 32 CFR FISMA Modernization 2010 OMB Memo & EO HITECH 2002 E-Gov Act/FISMA 2016 FAR Advanced Encryption 1996 HIPAA 1987 Computer Security Act 1976 ITAR/EAR

8 Risk Management & Compliance Rob Adams Chief Information Security Officer University of Florida

9 Build the Foundation Build Trust & Develop Long-Term Partnerships Office of Research Distributed Campus IT Units VP/CIO and the VPR Support from President, Provost, COO for Risk Management Research Computing, IT and Faculty UF Research Shield Built on a Handshake

10 Governance for UF Information Security Governance From Chaos to Control IT Policy Development & Approval Process Approved Policies Topical committee process Staff presents Initial draft Mandatory step Discretionary step Recommend policies, standards, and priorities in support of the university s mission and business goals. Comments Comments General Counsel reviews draft Topical Committee reviews and modifies draft VP/CIO reviews draft Comments Constituent groups provide input Comments CIO consults with other university administrators Acceptable Use Risk Management Identity Management Remote Access Mobile Computing & Storage Devices Authentication Management Data Classification Well Defined VP/CIO approves or disapproves policy Transparent Business Driven Applies to all policies and standards recommended by governance and approved by the Vice President and Chief Information Officer. Inclusive

11 Importance of Governance, Risk Management, and Compliance Information security is not only a technical issue - It is a business and governance challenge that involves adequate risk management, reporting and accountability. - Effective security requires the active involvement of management to assess emerging threats and the response to them. Risk Decisions Share Reduce Accept Transfer University Mission Education Research Service Patient care The goal is to reduce adverse impacts to an acceptable level of risk - Balance risk with the missions of education, research, service and patient care.

12 UF Strategy: Pre-Assessed Research Computing Environments Stakeholders - Office of Research - Research Computing - Information Security Office - Privacy Office - Office of the General Counsel - Office of Internal Audit - Procurement Services - Institutional Review Board - Principal Investigator - Organizational Unit Pre-Assessed Research Computing Environments HiPerGator Research Vault Research Shield Benefits - Expedite Assessments - Expedite Documentation - Manage Risk - Maintain & Report on Compliance - Boilerplate text for research proposals (budget justification, research resources) - Letters of Support for Research Proposals - Independent Verification & Validation - Third Party Testing & Assessment

13 Enable UF Researchers to Create New Technologies, Discover Industry Breakthroughs, and Spawn New Economic Opportunities How do we abstract and secure the user interface layer to allow our research faculty to uncover ideas that change the world without having to understand regulatory compliance, information technology, information security and risk management?

14 Secure File Storage, Sharing, and Processing Dr. Alin Dobra Associate Professor Computer Information Science & Engineering, University of Florida CEO, Tera Insights, LLC

15 Ambitious Security Goals Protect Users from the Administrators - Assume admin malicious of hackers took over the system Security Independent of Infrastructure - Assume SSL/TLS, VPN, Firewalls have failed Easy to Use Despite Security Measures - Use web interfaces, integrated tools with no tedium - Is this even possible?

16 The Key is Symmetric and Public Key Cryptography

17 Public Key Cryptography A Simple Idea

18 Data Confinement Through Encryption

19 Security Architecture

20 Live Demo of Login

21 Login Procedure

22 Key Escrow Our Key Recovery System

23 Live Demo of File Storing and Sharing

24 File Sharing Simple and Secure

25 Live Demo of Virtual Machines

26 Secure Virtual Machines

27 Questions and Discussion