Title: Virtual Organisations for Trials and Epidemiological Studies VOTES Experiences
1Virtual Organisations for Trials and
Epidemiological Studies (VOTES) Experiences
Prototypes after 1 yearProf Richard
Sinnott Technical Director National e-Science
CentreUniversity of Glasgowr.sinnott_at_nesc.gla.ac
.uk
2Clinical Trials 101
- Need to answer questions such as
- How many men in Scotland between the ages of
45-65 had a heart attack in the last 5 years? Of
those that did, would they be interested in
trialling a new drug to prevent possible further
serious major events? - Recruitment!
- For recruited men, are they regularly taking the
new drug (or placebo)? Do they visit their
GP/hospital regularly for the drug/placebo, to
give samples, for monitoring purposes? Did they
have any further major events (or side-effects)
in taking the drug? - Data collection!
- Who can see the information associated with this
trial? Can a hospital doctor, nurse see all of
given patients data? Only their GP? A clinical
trials researcher? Who ensures that a study is in
the patients interest? Can we simplify the
ethical review process? Who checks the validity
of trial results? - Study management!
3VOTES
- Virtual Organisations for Trials and
Epidemiological Studies - 3 year (2.8M) MRC funded project started October
2005 - Plans to develop framework for producing Grid
infrastructures to address key components of
clinical trial/observational study - Recruitment of potentially eligible participants
- Data collection during the study
- Study administration and coordination
- Involves Glasgow, Oxford, Leicester/Nottingham,
Manchester, Imperial - Strong links with UK Biobank
4Grid Background
- What is a Grid?
- Data Grid vs Compute Grid vs Information Grid vs
Campus Grid vs Enterprise Grid vs - Technologies for Grids
- Web services
- Globus
- OMII-UK
- EGEE/gLite
-
5E-Health Grids
- Essential that they offer
- Fine grained security
- AAAA
- Access/integration of rich variety of clinical
data sets - Ease of use for end users
- Single sign-on to various remote resources
- Site autonomy/manageability for local admins
- Scalability for large scale virtual organisations
- Controlled dynamicity of users, resources,
policies -
- HYPOTHESIS Shibboleth Grid advanced
authorisation infrastructures can address these
issues
6Usability
- Grid Security
- AAAA
- Users like usernames/passwords
- Provide them (once!)
- Users dont like/understand X.509 based PKI
- Forget training, education for most users!
- gt openssl pkcs12 -in cert.p12 -clcerts -nokeys
-out usercert.pem! - The vast majority most certainly wont jump
through hoops to get on the Grid - me-Science culture
7AAAA
- Identity management issues
- Certificate Revocation Lists
- When revoked? By whom? How timely?
- Strong passwords for private keys
- Users write them down, share them, forget them
- Privilege Management
- Numerous domains where never get access to local
account to do stuff - I need to access your NHS DB to run queries,
change tables, run arbitrary code - At NeSC Glasgow we have focused on
- improving AAAA and AAAA
8Improving AAAA
- Best to exploit local authentication
- Sites know best if users still at institution and
are best placed to state what their privileges
are/should be - Introducing Shibboleth
9Introducing Shibboleth
- Shibboleth (http//shibboleth.internet2.edu)
- Definition
- Shibboleth Hebrew for an ear of corn, or a
stream or flood - 1. A word which was made the criterion by
which to - distinguish the Ephraimites from the
Gileadites. The - Ephraimites, not being able to pronounce
sh, called the - word sibboleth. See --Judges xii.
- 2. Hence, the criterion, test, or watchword
of a party a - party cry or pet phrase.
- Shibboleth will replace Athens as access mgt
system across UK academia - i.e. this is main stream and not (weird) Grid
solutions! - Federations based on trust
- or more accurately trust but verify
- numerous international federations exist MAMS,
SWITCH, HAKA, SDSS
10Typical Shibboleth Scenario
Identity Provider
AuthN
Home Institution
Federation
Service provider
5. User accesses resource
W.A.Y.F.
User
Grid resource / portal
11Its a start, but
- Benefit from local authentication but really want
finer grained control - I know you have authenticated, but I need to know
that you have sufficient/correct privileges to
access my VO resources - can also return various other information needed
to support authorisation decisions - At NeSC we have been working extensively with
PERMIS
12Role Based Access Controls
- Basic idea is to define
- roles applicable to specific VO
- roles often hierarchical
- Role X Role Y Role Z
- Manager can do everything (and more) than an
employee can do who can do everything (and more)
than a trainee can do - actions allowed/not allowed for VO members
- resources comprising VO infrastructure
(computers, data resources etc) - A policy then consists of sets of these rules
- Role x Action x Target
- Can user with VO role X invoke service Y on
resource Z? - Policy itself can be represented in many ways,
e.g. XML, XACML, - Tools available for policy editing, associating
users with roles, signing policies etc - Policies stored as attribute certificates in LDAP
server - Digitally signed/tamper proof!
13Finer Grained Shibboleth Scenario
Service provider
Identity Provider
Shib Frontend
AuthN
Home Institution
6. Make final AuthZ decision
Federation
Grid Application
5. Pass authentication info and attributes
to authZ function
W.A.Y.F.
User
Grid Portal
14Ok, but
- I can do authorisation but I want single-sign on
to lots of distributed resources - Browser allows to keep session information so can
access other resources without signing in again - Provided authorisation information valid for
different service providers - Each service provider completely autonomous
- Can configure attribute release/attribute
acceptance policies per identity provider/service
provider
15Trials Tribulations of Scottish Clinical Data
Space
- Scottish Data Space
- Scottish Care Information (SCI) Store
- Scottish Morbidity Records (SMR)
- General Practitioners Administration System for
Scotland (GPASS) - Data dictionary
-
- Consent database
16SCI Store
- Batch-type system that regional health
authorities use - Includes
- lab results,
- biochemical,
- haematology,
- pathology,
- microbiology,
- radiology
-
- Front end web based tools
- input data,
- querying
17SCI Storectd
- 16 SCI stores across Scotland
- Atos Origin commercial supplier of technology
- each have their own schemas collecting different
data sets - NeSC been given SCI store software
- Includes training data sets
- These data sets are partial at best right now
- 100 tables in schema, but only 10 tables used in
data provided - SQLServer back-end database
18A Quick Tour of SCI Store
19Scottish Morbidity Records
- Scottish Morbidity Records
- Good quality data sets put together by ISD
- Historic SMR1 Discharges January 1981 - March
1997 - COPPISH SMR01 Discharges April 1997 onwards
- Historic SMR4 Discharges 1981 March 1997
- COPPISH SMR04 Admissions April 1996 onwards
- GRO Death Records January 1980 - December1995
- GRO Death Records January 1996 onwards
- SOCRATES (Cancer Registrations) 1980 onwards
- (Still) negotiating access to anonymised SMR data
sets
20GPASS
- General Practice Administration System for
Scotland (GPASS) - used by over 85 of GPs in Scotland
- links from SCI Store to GPASS
- access to GPASS software with training data sets
- XML API available for querying
- www.gpass.co.uk
21Data Dictionary
- Includes vocabulary for
- SMR data
- Clinical data
- Social care data
- Negotiating access to
- DB back end or web
- service front end to this
- Will link to data
- federation framework
- / tools
22Consent
Access by academics!?! Why? For pharmaco... what?
Geno...what? ....NO!
23Data Linkage
- Achieved through Community Health Index (CHI)
number - 10-character code consisting of
- 6-digit date of birth (DDMMYY)
- two digits
- 9th digit which is always even for females and
odd for males - arithmetical check digit
- Was scheduled for complete roll-out by 6-6-6
24Distributed Data Framework
25VOTES Demonstrator(s)
- Various proof of concept clinical trials linking
SCIStore, GPASS, Consent DBs - Brain Trauma network (www.brainit.org)
- Collecting various data sets from brain trauma
patients across Europe - Centrally maintained repository in Glasgow
Southern General Hospital - MRI images
- Physiological data sets
- We have been given anonymised versions of these
data sets
26(No Transcript)
27(No Transcript)
28(No Transcript)
29(No Transcript)
30(No Transcript)
31Dynamicity, Scalability?
- UK Shibboleth federation based around small set
of pre-agreed attributes based on eduPerson
schema - eduPersonScopedAffiliation indicates the users
relationship (e.g., staff, student, etc) within
the institution - eduPersonTargetedID needed when an SP is
presented with an anonymous assertion only, e.g.
eduPersonScopedAffiliation. This attribute
provides a persistent user pseudonym - eduPersonPrincipalName used where a persistent
user identifier consistent across different
services is needed - eduPersonEntitlement enables an institution to
assert that a user satisfies an additional set of
specific conditions that apply for access to a
particular resource - Grid vision for dynamic virtual organisations
- Add, remove, change people, institutes, their
privileges on the fly for changing sets of
resources as required by the VO
32Dynamicity, Scalability?
- Dynamic Virtual Organisations for e-Science
Education (DyVOSE) project - Delegation issuing service
- Remote Source of Authority trusts me to assign
their roles to my users - Also allows me to delegate to someone else
potentially at a remote site - I trust them to assign roles to my users directly
33Future Plans
- Several other projects looking to exploit these
kinds of things - Major EPSRC pilot project (5.3M) on Meeting the
Design Challenges of nanoCMOS Electronics
(project just started) - Security essential in this domain including
support for IP of data, simulations, processes,
licenses, - Many other life science projects
- Grid Enabled Microarray Expression Profile Search
- Scottish Bioinformatics Research Network
- Biochemical Pathway Simulator
- Further proposals building on these solutions
- Scottish Grid Service
34