CICI: UCSS: CloudSec: Collaborative Policy Alignment for Secure Scientific Computing Infrastructures

About This Grant

The CloudSec project leverages Artificial Intelligence (AI) to protect sensitive scientific resources and data. Scientific computing relies heavily on secure and efficient access control systems to protect sensitive resources and data. However, there is no effective tool to ensure these critical access control policies truly reflect the intentions of users. As a result, sensitive data and resources have been exposed and this threat persists despite the best intentions of both scientists and cybersecurity experts. To counter this threat, CloudSec helps researchers and developers of scientific infrastructure to collaboratively work to develop access control policies that align with user intent. Improving the security of access control policies requires overcoming the disconnect between high-level scientific workflows and low-level infrastructure policies. To accomplish this, CloudSec uses Large Language Models (LLMs) and Natural Language Processing (NLP) to provide a new tool-assisted approach. CloudSec supports cross-layer policy analysis to compare user level policy with system-level policy to detect discrepancies. When mismatches are found, Cloudsec explains how they may lead to security vulnerabilities, guiding suggestions to refine policies to better align with user intent. The project’s intellectual contributions advance foundational tools and methods for securing cyberinfrastructure, including innovative policy analysis techniques, intuitive tools for capturing user intent, and interactive workflows for refining access policies. Its broader impacts include enhancing the security of scientific discovery and workflows, fostering collaboration between researchers and developers on policy design, and integrating findings into computer science and scientific computing curricula at partner institutions. CloudSec is piloted and validated using real-world applications hosted on the Tapis project, a secure platform for managing computational research. The resulting CloudSec methodology is designed to be broadly applicable across other cyberinfrastructure systems and made available as open source, hosted on GitHub, and a publicly available web application and API. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.