Case StudyDeveloper working with new program

Beyond certification

Cyber security assessment accelerates action to tighten security in the Northern Ireland High Performance Computing (NI-HPC) Centre.

How can you be confident that your high-performance computing (HPC) environment is protected against cyber attack when you can’t apply commonly used tools like anti-virus protection? What will reassure researchers (and research funders) that data and research outputs are secure when recognised security certifications aren’t applicable?

These questions can keep people who manage HPC environments awake at night. And, until recently, they were exercising minds at the NI-HPC Centre, a UK Tier 2 national HPC facility run jointly by Ulster University and Queen’s University Belfast, and funded by the Engineering and Physical Sciences Research Council (EPSRC).

Researchers at Queen’s and Ulster University rely on the facilities, primarily to crunch data for research into chemistry, neuroscience and food security.

Escalating cyber security risk

With cyber security incidents globally increasing in frequency and severity, Queen’s had already done a lot to bolster security. But HPCs continue to be a particularly high-risk target and staff at the NI-HPC Centre wanted to do a deep dive focused specifically on the centre’s security posture.

David Smyth, director of the NI-HPC Centre, says:

“Many HPC centres have had security incidents in recent years, including some facilities that shut down temporarily, so it was time to take a close look and get a fresh set of eyes to help. We searched around for programmes or certifications to help us keep on top of emerging threats and new thinking on cyber security, but there was nothing suitable.”

And that’s when Queen’s Jisc relationship manager Noel McDaid suggested the cyber security assessment service.

Tailored security assessment

During an assessment, our own cyber security experts analyse and evaluate your organisation’s security posture. The subsequent report highlights vulnerabilities, makes recommendations and offers a roadmap to achieving optimal levels of up-to-date protection. Our approach is built around education and research and the assessment can be tailored to meet your exact needs. At the NI-HPC Centre we were applying the assessment to an HPC environment for the first time and so this tailoring was particularly important.

David says:

“Some common elements of an assessment aren’t applicable here. For example, anti-virus protections aren’t typically deployed in an HPC environment because of the nature of the workloads.”

“Our centre’s team worked with the assessor to scope out alternative risk mitigation strategies and this wasn’t onerous; we put in around a couple of days’ work on it ourselves and left the rest to Jisc. Overall, not a huge distraction from the day job.”

In fact, the most time-consuming part for the centre’s staff was in coordinating diaries. Much of the assessment happens during interviews with people who manage and maintain the environment. Because the centre uses a third-party service provider to run the back-end infrastructure and handles security internally, there were numerous conversations to coordinate.

The report

Usually about a week after their assessment, the customer gets our report. Following NI-HPC Centre’s assessment we recommended several actions – some for the HPC centre and some for Queen’s as its host institution. For example, we had some additional thoughts on work they’d already undertaken as part of their cyber security programme around identity management. And we also recommended some actions around using multi-factor authentication (MFA) and user engagement.

People power

User engagement is essential. Targeted conversations with service users can be powerful in bolstering security. Following our report NI-HPC talked to researchers to reinforce stringent safety protocols and develop user agreements.

Vaughan Purnell, research computing manager in digital and information services at Queen’s says:

“We’d already done a lot of work on our security posture before we invited Jisc in and they told us we were in pretty good shape.”

"The audit showed us we could do more and it stimulated conversations inside and outside the centre so we could raise the profile of our kit, how it works, what it does and what we can all do to protect its integrity."

“Sometimes it takes a third party coming in to get people to focus on the issue, stop kicking the harder bits down the road and give it the priority it needs.”

Get in touch

An assessment could be just what your organisation needs to harden its security posture.

Find out more about our full range of products and services by talking with your dedicated relationship manager.

Contact us