Secure Research at PowerAmerica

The Office of Information Technology (OIT)’s partnership with PowerAmerica gave a resounding “Yes, We Can” assurance on an eight-month project that began with a seemingly impossible task and ended with a secure IT environment that now serves as a business case to protect university research data.

In January 2014, President Obama announced the university’s leadership of the PowerAmerica Institute, a $140 million advanced manufacturing institute that would develop the next-generation power electronics using wide bandgap semiconductors.

This institute would forge relationships among the U.S. Department of Energy (DOE), academia and 18 industry partners to produce not only revolutionary but highly competitive manufacturing innovations.

In May 2014, NC State’s Office of General Counsel reached out to OIT’s Security and Compliance unit to discuss the National Institute of Standards and Technology (NIST) 800-53 security mandates required by the U.S. Department of Energy to protect and store the Institute’s data.

PowerAmerica Challenges

PowerAmerica presented the opportunity to grow NC State’s capacity to meet the stringent requirements presented by federal information security requirements,” says Mardecia Bell, NC State chief information security officer and OIT director of Security and Compliance.

“Our challenges were limited resources, understanding the scope, and meeting the initial requirements,” says Bell. The choice was clear: provide assistance to PowerAmerica or they could contract with an external entity; either way, the university was obligated to ensure the Institute was NIST 800-53 compliant, she said.

“We had to delegate resources to PowerAmerica without an overall service ready to help them,” added Leo Howell, assistant director in OIT Security and Compliance and project lead.

According to Howell, campus researchers typically provide support and security for their own grants, seldom seeking security assistance from the central IT unit.  Limited in resources, OIT was not positioned to stand up security measures for research data on this large a scale, he said.

Streamlined NIST 800-53 Security Requirements

According to Bell, Howell and other OIT members took the challenge head-on and helped PowerAmerica and its partners meet the stringent federal information security requirements by conceptualizing a new approach to secure and house sensitive data. The process had to be simplified to make it easy for new partners to meet the requirements.

Howell partnered with Atinuke Diver, PowerAmerica director of Compliance, to streamline the process. They focused on a risk-based approach rather than a compliance-based approach to develop a subset of NIST 800-53 requirements that were approved by DOE. They also created an IT security program including carefully selected security controls, continuous risk assessment, and monitoring that simplified the required process for the members.

The amendment of the Institute’s Information Security Requirements cleared an eight­-month roadblock, resulting in additional Institute Members who had previously been unable to complete membership agreements,” says Bell.

“Leo and other OIT staff dedicated their time and energy to personally engage with the PowerAmerica staff, researchers, members, DOE, and other institutes in the NNMI network,” Bell said. “OIT played a crucial role in breaking down silos and working across NC State’s organizational boundaries to connect PowerAmerica to a plethora of resources to support its mission.”

Secure Research Environment

According to Bell, OIT helped to create a customized secure space that uses Google.gov to house the Institute’s partners’ information and data; OIT also purchased CloudLock, a tool that simplified the administration of the Google.gov environment and ensured confidential docs were not shared outside of the domain.

Bell said several OIT units were involved with this project, including Security and Compliance, Shared Services (SS), and Technology Support Services (TSS).

“We’ve assisted PowerAmerica with security compliance and desktop administration and helped them to administer their cloud domain,” she said. “Bert Stoner in TSS dedicated his time to customize a desktop environment to meet the needs of the PowerAmerica staff, and Jason Maners in SS spent countless hours administering the Google.gov domain and implementing CloudLock. Providing the needed assistance to PowerAmerica was truly a team effort.”

PowerAmerica Security and Compliance Program

Howell said OIT also worked with PowerAmerica to establish a detailed Security and Compliance Program to provide a secure and compliant IT environment for Institute and member researchers to safely perform their duties by implementing effective controls and processes to defend against cyber threats.

According to Howell, OIT is currently performing a security assessment — or a gap analysis — to ensure the PowerAmerica Institute security program meets the standards approved by DOE.

OIT is also assisting the Institute and members with ongoing security assessments to meet DOE quarterly audits.

Securing Research in the Future

The PowerAmerica project is introducing a new way to support research data on campus.   

“This project has increased OIT’s understanding of what it takes to deliver effective support to our researchers,” says Howell.

PowerAmerica is the proverbial tip of the iceberg in needing to meet increasingly strict security requirements.

The federal government will require, by December 2017, all Department of Defense (DoD) grants to be compliant with NIST 800-171. OIT is working with NC State’s Research Administration Office to perform gap analyses and obtain requirements for approximately 20 campus grants.

In addition, the OIT Shared Services unit is developing a secure research storage environment that meets NIST 800-171 requirements and that will provide a compliant, secure process for all campus researchers to store their data.  

“Assisting PowerAmerica with their compliance efforts has forced us to look at the security requirements for the university’s overall research environment,” Bell added. “It has made it a high-priority.”

---

VCL go App

If you’re an iOS user, it’s time to make a connection to the Virtual Computing Lab (VCL) go App!

The app allows university iOS users (iPhone, iPad, and iPod Touch) one more way to access the VCL, NC State’s cloud computing system that provides 24×7 remote access to high-end lab computers and software. The app was released by OIT in the Apple App Store on Jan. 3 and has been downloaded more than 1,200 times since its release.

In the spring of 2012, an idea to develop an iOS application for interaction with the VCL was born in a cloud computing class in NC State’s Department of Computer Science. The students eventually released the project to OIT Shared Services to get the application ready for production. Download the VCL go App from the Apple App Store.

Data Privacy Month

In celebration of Data Privacy Month, Jan. 28 to Feb. 28, OIT encouraged all campus users to learn how to safeguard their sensitive data in the workplace and at home.

Sponsored by the National Cyber Security Alliance, Data Privacy Month is held annually to empower campus users to protect their privacy and to control their digital footprint. It also stresses the protection of privacy and data as everyone’s priority.

During Data Privacy Month, OIT sponsored several activities to show campus users how to protect themselves and others. They included:

• SANS Securing the Human videos
  From password protecting to encrypting your data, SANS Securing the Human videos offer numerous security measures you can use immediately to protect your data. Campus users were encouraged to watch ALL of the brief videos — especially Family Educational Rights and Privacy Act (FERPA), Personally Identifiable Information (PII), Health Insurance Portability and Accountability Act (HIPAA) and Data Protection — to learn valuable steps to protect the privacy of all campus constituents.

• Data Security for Researchers panel discussion
  Campus researchers who were not able to attend the Data Security for Researchers panel discussion during Cyber Security Awareness Month (CSAM) in October could view it online to  learn valuable security tips from fellow faculty researchers, research administrators and OIT staff on how to safely store their research data. Participants’ questions and answers and other frequently asked questions were also available.
• Secure Tweets
  Campus users were encouraged to follow OIT on Twitter to learn helpful security measures to guard their data during Data Privacy Month.

See NC State’s Data Privacy Month 2016 website.

Additional Highlights

• UNC Research Opportunities Initiative (ROI) grant – Deployed storage and computing infrastructure to support the projects included in the ROI grant. NC State, in partnership with UNC Charlotte and the Renaissance Computing Institute, continues to build a cloud-based computing infrastructure to support research projects important for North Carolina’s economy. The partnership received a $2.1 million ROI grant that provides funding for innovative research in advanced manufacturing; marine and coastal science; defense, military and security; pharmacoengineering; energy; and data sciences.
• Apache Software Foundation VCL Project – Released VCL version 2.4.2 in collaboration with Apache VCL community.
• Research Storage – Purchased and began deployment of new storage to support long-term storage of research data.
• VCL – Continued outreach work with Community Colleges to utilize VCL, primarily focusing on non-Windows-based applications, due to Microsoft and Adobe licensing challenges.
• VCL Reservations – Had 117,499 reservations from June 1, 2015 to May 31, 2016, using more than 1,186,349 hours by 10,146 unique users.
• High Performance Computing – Delivered 16,221,420 CPU hours to 131 active research and classroom projects and 384 unique users from June 1, 2015 to May 31, 2016.
• SAS Visual Analytics (VA) – Partnered with the Office of Institutional Research and Planning (OIRP) and SAS to develop a strategy and plan for implementing the platform using student cohort data. This implementation will ultimately result in better institutional data management and analytics, beginning with the delivery of university Fact Books in the fall.
• SPARCS– Partnered with SPARCS to assist researchers in negotiating and establishing security requirements during pre-award contracts and grants negotiations.
• NIST 800-171 compliance – Partnered with the Office of Research, Innovation and Economic Development to begin development of secure IT services for sensitive research contracts or grants to meet NIST 800-171 compliance by December 2017.
• PowerAmerica – Established a security and compliance program for the PowerAmerica Institute, including the implementation of a FedRAMP-compliant cloud services environment (Google.gov) to meet the Department of Energy requirements.
• Campus Cyberinfrastructure – Network Infrastructure and Engineering Program – Installed an overlay research network in six buildings using software defined networking (SDN) to create unique control mechanisms for network traffic. SDN opens up a huge range of possibilities for research collaboration.
• Research Administration Pre-Award Systems – Participated in the assessment by Attain Consulting of research administration (pre-award) systems currently in use on campus and their integrations with other enterprise applications.