MAAP-Project / maap-hec-aws

Address authentication and credential management requirements as necessary for workflows that span MAAP/HECC #69

Open foobob opened 2 years ago

foobob commented 2 years ago

Workflows that span MAAP/HECC present new challenges that need to be addressed with respect to user authentication and trust.

Several issues to consider:

1) NASA security for HECC systems requires that work be traceable to specific users. For the MAAP system, only a subset of those users will be authorized to utilize HECC resources.
2) SMD has a process to allocate HECC time to specific projects. Some mechanism must be employed to ensure that a PI or their designate are the only ones allowed to utilize allocations.
3) The PI or their designate must have been formally granted access to HECC systems. Applying for access to those systems requires users to obtain a NASA Identity, complete cyber security training, and to acknowledge and adhere to certain conditions of behavior and acceptable use.
4) NASA legal requires that banners are presented to users upon entry to any system. Applicability and enforcement of this provision must be made.
5) Etc. The potential that other concerns could be raised as the project evolves, NASA cyber security constraints evolve, or the Federal Government's cyber security constraints evolve.

Definition of Done:

Status - Aug 9,11,16. Had initial review and discussion on MAAP A&A and in scoping on design changes required for HECC Aug 17, 2022. Briefed MAAP project sponsors about the potential impacts of cyber security interoperability Oct 17, 2022. Briefed system owner and security teams on A&A sequence. Tentative approval. Multi-User implementation will require an MOU between MAAP and HECC that concerns the configuration/access requirements for the containers that MAAP users run in. Nov 1 - final design details proceeding to implementation.
Dec 4 - initial implementation completed and in testing. NAS security advised that on-going multi-user use likely requires an MOU between NAS and MAAP. This requirement does not impact the R3 demo.