Safe, Secure, and State-of-the-Art


With a new program comes the impetus to try new things. As a new NSF-funded program, ACCESS is striving to change the research computing landscape in many ways, one being cybersecurity. ACCESS has built upon the identity and access management system previously used by XSEDE, creating a modernized login experience that is both more user-friendly and secure. 

ACCESS’s Operations team is responsible for various services that keep the program running smoothly, such as cybersecurity. This includes the authentication services, or Identity and Access Management (IAM) services, that help ACCESS users sign in and connect with resources.

When the Operations team wrote their proposal, the authors knew how important it would be to plan for a modernized authentication system to provide the best user experience for ACCESS users. 

“One of the things we proposed is overhauling the way people authenticate and are authorized to access resources,” said Alex Withers, Operations Co-PI and Lead for Cybersecurity. “The idea was two-fold: to make it easier and more user-friendly for users, and also to make things more secure. And the way we did that is by proposing the use of newer authentication technologies, mainly web-based technologies.”

In keeping with the current trend in research and education computing, the Operations team launched a modern, web-native authentication system for ACCESS. This is an upgrade from the Grid Security Infrastructure previously used by XSEDE, which was developed 20 years ago and relied on certificates. XSEDE users trying to access a supercomputer would go through a multi-step login process with the Single Sign-On Hub, and while this method was secure, it was also rather unwieldy, and user errors could lead to unsafe situations.

In contrast, modern web-based technologies offer users an easier way to log in. For example, have you noticed that you can use your Google account to sign in to Spotify, Facebook, and a number of other accounts? That process, which is also used by ACCESS, is called “federated identity” and makes for a more user-friendly login experience. 

Not only is ACCESS utilizing improved authentication methods such as federated identities, but ACCESS is also leveraging existing NSF-funded technologies to do so. Instead of reinventing the wheel and creating its own infrastructure, ACCESS is making good use of other NSF investments, such as COmanage, a software solution for identity data management in academic research organizations, and CILogon, which offers federated identity management that enables researchers to use their home organization identities to log on to cyberinfrastructure, rather than requiring yet another username and password to log on.

In addition to making the login process easier, the Operations team also wanted to increase security. Using CILogon has allowed the Operations team to easily add in Multi-Factor Authentication, which increases security by adding a second step to the login process that further verifies your identity, such as a special code sent directly to your phone or email. Adding this second step to logging in makes it much less likely for your account to be compromised. And, by using a federated identity system, users don’t need to have as many different login accounts, which makes it easier for security teams to respond to a potential security breach.

“For the user, I can’t imagine this being anything other than making their lives easier.”

Alex Withers, Operations Co-PI and Lead for Cybersecurity

While these changes primarily benefit ACCESS users, they can also benefit resource providers creating web-based resources for ACCESS, as they don’t need to worry about the authentication and authorization aspects.

“Doing web-based authentication and authorization can be notoriously difficult. It can be very hard to get it right, and it can be a huge resource and time-sink. We have created a drop-in solution with CILogon, so that resource providers can integrate with ACCESS’s CILogon, and security is taken care of,” said Withers. 

You can learn more about ACCESS’s authentication methods and other cybersecurity efforts by visiting their webpage here: https://operations.access-ci.org/pub/cybersecurity.
