[RITL] Updates, issues and next quarterly meeting
Chuck Forsyth
charles.forsyth at ucr.edu
Fri Aug 14 17:35:53 PDT 2020
Dear RITL,
Hoping everyone is well. I just want to provide some updates and solicit some discussion.
*note* Please don't forward this email outside UC, there is some slightly sensitive information below, and the provider requested it not be shared outside the UC system.
Thomas has a discussion point regarding Duo-enabled 2FA for SSH for external collaborators:
* "how can we use Duo or some other UCR-supported dual authentication system to support research with outside collaborators so that external members can continue to login to research systems via ssh, scp/sftp, etc where we want to require dual authentication. As far as I understand, under UCR's Duo setup, users need to have a UCR netid which locks out external researchers."
Here are some things I have found through discussions with various groups so far, although, to benefit RITL, any and all additional ideas and input are welcome.
Campus Duo and affiliate accounts (*may be the best option*)
* For this type of access (SSH, SFTP) it seems we can use the API for the campus Duo and create a campus affiliate account<https://cnc.ucr.edu/edir/affiliateacc.html#guide_content> for the external collaborator at the same time as creating the cluster/system user account. This in essence adds one more step to the collaborator account creation/maintenance process. However, in doing so it allows 2FA SSH access for external collaborators. It may be possible to automate the affiliate account creation process. We would have to investigate that. This solution should also allow the collaborator to use UCR VPN, which is another big benefit.
* Any thoughts or discussion on this?
OAUTH SSH with Globus Auth
* There are extensions to the popular OpenSSH software that enable authentication with OAuth tokens from Globus Auth, rather than passwords or keys. Integration with Globus Auth allows users to use hundreds of supported identity providers, and enables external applications and services to obtain short-term tokens on behalf of users for securely accessing remote systems.
o XSEDE OAUTH SSH (https://github.com/XSEDE/oauth-ssh)
o SSH with Globus Auth - NCSA Wiki (https://wiki.ncsa.illinois.edu/download/attachments/49548882/1705SSHwithGlobusAuthUser.pdf?version=1&modificationDate=1499696476000&api=v2)
Open OnDemand and CILogon for federated login
* CILogon can be used with Open OnDemand<https://openondemand.org/> which is a really nice fully functional interface to your clusters or research system for your users.
* Open OnDemand is used on many clusters/research systems at many universities.
* Web based SSH and GUI
* The goal of Open OnDemand is to provide an easy way for system administrators to provide web access to their HPC resources, including, but not limited to:
o Plugin-free web experience
o Easy file management
o Command-line shell access
o Job management and monitoring across different batch servers and resource managers
o Graphical desktop environments and desktop applications
* Great software for any cluster or research system
I think the Campus Duo and Campus Affiliate account creation approach might be the most flexible across the different types of research systems on campus. Windows systems, Linux systems, clusters, Duo, VPNs and even wireless access (if we ever get back on campus) can be enabled and secured using affiliate accounts in this way.
What do we think?
Some Research Support Updates:
To help increase the visibility of the research support being conducted by the various support units on campus, I think it would be helpful if we could give each other important updates occasionally on the kinds of support being done.
This way we might be able to identify areas of collaboration or identify blockers that other RITL members might have and be able to help remove.
As far as research support updates from ITS research computing:
* Upgrading two Nautilus cluster<https://its.ucr.edu/research-computing/resources/computing#nautilus_cluster_pacific_research_platform> nodes
* XSEDE allocation for Dr. Bahamonde
* XSEDE allocation renewal for Dr. Palermo
* AWS support for the Brain Game Center
* FPGA workload in AWS Dr. Sadredini
* REDCap on AWS project in the pipeline
* AWS for web application Dr. Levy
* AWS for web application Dr. Lo
* Google Sites for some faculty personal webpages
* Cluster support for Dr. Sales's cluster and Dr. Beran's cluster
* NAS support for Dr. Fokwa
* Apporto<https://ucr.apporto.com/home> virtual windows desktops for research workloads, including secure workloads.
* Various secure data/compute requests being supported by RITL members.
* Research Lifecycle Framework collaborations beginning
* AWS EDP
* Azure EDP
No real road blocks at this time. Engagement with the researchers early on in the research project is the standing challenge.
Let the group know if you see any opportunities for collaboration here. Secure solutions for researchers continues to be an important and challenging topic.
I look forward to others' updates.
DoD Capability Maturity Model Certification (CMMC) is coming and we need to be ready:
*note* Please don't forward this email outside UC, there is some slightly sensitive information below, and the provider requested it not be shared outside the UC system.
Below is an email from Robert Smith (UCOP) providing a recording of a very important University of California Information Technology Policy & Security (ITPS) meeting affecting DoD research support and security.
The slides are attached.
"
Hello ITPS,
Good morning.
Here are the slides and chat from today's special ITPS meeting on CMMC.
My co-presenters and chat wizards were:
Matt Gilbert, Principal, matt.gilbert at bakertilly.com<mailto:matt.gilbert at bakertilly.com>
Mike Cullen, Director, mike.cullen at bakertilly.com<mailto:mike.cullen at bakertilly.com>
I did record today's session. This is for UC internal use only, please do not share or post in any publicly accessible channels/pages/blogs/media/etc. I will leave this up for 30 days or so, unless something occurs that significantly changes the landscape:
https://UCOP.zoom.us/rec/share/z5RxPZPO-UROZpHj5RrTcLMnGZziT6a8hyYe-PULyUz68MEVXQ3afE8PYN8TlnAz <-- UC Internal Use Only
One small correction - POAMs (Plan of Action, Milestones)
Wishing you a sunny day from afar,
Robert Smith, CISSP, PMP
Systemwide IT Policy Director/Security Director
Information Technology Services
University of California Office of the President
(510) 587-6244 (o)
(510) 541-8103 (m)
robert.smith at ucop.edu<mailto:robert.smith at ucop.edu>
"
We don't have the details yet as to when this will impact us for sure, but it is certain to impact the campus and many of our researchers as early as next year. From the slides we can see that UCR conducts a significant amount of DoD research (~$18M). The CMMC will eventually affect both the researcher and the support infrastructure for all DoD grants and contracts, even at low security levels. We should begin to talk about this and should collaborate with RED and ISO, as they are key to a successful approach.
Please check out the slides and the zoom recording, it's important to start to build awareness of CMMC for everyone.
Next quarterly meeting scheduled for September 18th, 3-4pm
Do we have any scheduling conflicts with this time slot?
If so I'll break out the doodle poll and we can find something that works.
Standing proposed topics to discuss over email and/or during the meetings:
* Accelerating Public Access to Research Data<https://www.aplu.org/projects-and-initiatives/research-science-and-technology/public-access/>
* ISO Security Recommendations for Research Systems
* Consolidated training portal
* Research Storage
* Research Networking/Science DMZ
* Secure Computing (Computing with P4 Data), P3?
* Research lifecycle model (where we fit, what we can support)
* Cloud Services and UC Agreements
* Server Room Space - SOMe Server Room
* DoD CMMC
Regards,
Chuck Forsyth
Associate Director of Research Computing
XSEDE Campus Champion
Research Computing | Information Technology Solutions
University of California, Riverside
951.827.9385 | charles.forsyth at ucr.edu<mailto:charles.forsyth at ucr.edu>
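An added example, not part of the message above or of Duo, OpenSSH or any other product it names: the affiliate-account approach only delivers Duo as a second factor for SSH if sshd actually runs the PAM keyboard-interactive step (where pam_duo lives) after the key check, and distro default sshd_config files often ship with ChallengeResponseAuthentication off and password logins on. The script below resolves the settings sshd would apply to a given user the way sshd does (global section: first value wins; a matching Match block overrides it, first matching block wins) and reports what is missing for "public key AND Duo". The two sshd_config texts, the user ext-alice and the group affiliates are constructed for the example. It inspects sshd_config only; the PAM stack and pam_duo.conf (in particular failmode = secure, so a Duo outage fails closed for external accounts rather than open) still have to be checked separately.

```python
"""Audit an sshd_config for "public key + Duo second factor" enforcement.

Constructed example (not from the RITL message). Models sshd's precedence
rule: in the global section the first value read for a keyword wins; a
matching `Match` block overrides it, and the first matching block wins.
pam_duo runs in the PAM keyboard-interactive step, so that step must be
enabled and required next to publickey in AuthenticationMethods.
"""
import fnmatch
import shlex

# sshd defaults for the keywords the audit cares about (used when unset).
DEFAULTS = {
    "usepam": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "authenticationmethods": "any",
}


def _criteria_match(criteria, user, groups):
    """Evaluate `Match` criteria; only All, User and Group are modelled here.

    Other criteria (Address, Host, ...) and negated patterns are treated as
    non-matching so the audit stays conservative.
    """
    i = 0
    while i < len(criteria):
        key = criteria[i].lower()
        if key == "all":
            i += 1
            continue
        if i + 1 >= len(criteria) or criteria[i + 1].startswith("!"):
            return False
        patterns = criteria[i + 1].split(",")
        candidates = [user] if key == "user" else groups if key == "group" else []
        if not any(fnmatch.fnmatchcase(c, p) for c in candidates for p in patterns):
            return False
        i += 2
    return True


def effective_config(text, user, groups):
    """Return {keyword: value} as sshd would apply it to `user` in `groups`."""
    global_opts, match_opts = {}, {}
    in_match = None            # None = global section; True/False = inside a Match block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        kw, args = parts[0].lower(), parts[1:]
        if kw == "match":
            in_match = _criteria_match(args, user, groups)
            continue
        if kw == "challengeresponseauthentication":   # pre-OpenSSH 8.7 spelling
            kw = "kbdinteractiveauthentication"
        value = " ".join(args)
        if in_match is None:
            global_opts.setdefault(kw, value)          # first obtained value wins
        elif in_match:
            match_opts.setdefault(kw, value)           # first matching Match block wins
    effective = dict(global_opts)
    effective.update(match_opts)                       # Match overrides global
    return effective


def audit(effective):
    """List what is missing for key + Duo; an empty list means it is enforced."""
    findings = []
    for kw, want in (("usepam", "yes"), ("pubkeyauthentication", "yes"),
                     ("passwordauthentication", "no"),
                     ("kbdinteractiveauthentication", "yes")):
        got = effective.get(kw, DEFAULTS[kw])
        if got.lower() != want:
            findings.append(f"{kw} should be {want}, got {got!r}")
    # Every space-separated alternative must itself require both methods;
    # "publickey" alone or the default "any" lets the key bypass Duo.
    methods = effective.get("authenticationmethods", DEFAULTS["authenticationmethods"])
    for alt in methods.split():
        names = {m.split(":", 1)[0].lower() for m in alt.split(",")}
        if not {"publickey", "keyboard-interactive"} <= names:
            findings.append(f"authenticationmethods {alt!r} does not require publickey AND keyboard-interactive")
    return findings


# Constructed sample: a distro-style sshd_config before hardening.
WEAK_CONFIG = """
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed sample: staff keep key-only login; affiliate (external) accounts get key + Duo.
HARDENED_CONFIG = """
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey
Match Group affiliates
    AuthenticationMethods publickey,keyboard-interactive:pam
Match User root
    PermitRootLogin no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "ext-alice:", audit(effective_config(cfg, "ext-alice", ["affiliates"])) or "OK")
```

Run it against a real file with `audit(effective_config(open("/etc/ssh/sshd_config").read(), user, groups))` for each affiliate user; `sshd -T -C user=ext-alice` prints the same effective values from sshd itself and is the authoritative cross-check.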
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ucr.edu/pipermail/ritl/attachments/20200815/b0cf5dfa/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 8689 bytes
Desc: image001.png
URL: <https://lists.ucr.edu/pipermail/ritl/attachments/20200815/b0cf5dfa/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20200814v4 ITPS CMMC Intro Action.pdf
Type: application/pdf
Size: 1198740 bytes
Desc: 20200814v4 ITPS CMMC Intro Action.pdf
URL: <https://lists.ucr.edu/pipermail/ritl/attachments/20200815/b0cf5dfa/attachment.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20200814 Saved Chat - formatted.pdf
Type: application/pdf
Size: 111419 bytes
Desc: 20200814 Saved Chat - formatted.pdf
URL: <https://lists.ucr.edu/pipermail/ritl/attachments/20200815/b0cf5dfa/attachment-0001.pdf>