Providing Security in e-Infrastructure to Meet the Needs of e-Research

1
Providing Security in e-Infrastructure to Meet
the Needs of e-Research

• Ally Hume, Tobias Schiebeck, Mike Jackson, Steve
  Wilson, Phil Kershaw, Weijian Fang, Louise Price,
  Matthew Habgood, Steve Crouch

2
Aims

• How the OMII-UK security document should evolve -
  feedback?
• The security challenges facing e-Research
• Specific requirements for security within various
  domains
• Others?

3
OMII-UK Security Document

• Whats missing
• Security logging/audit trails
• Trust should be included at high level
• A more laymans approach to structuring
• AuthN who is accessing a resource?
• Include more advanced security concepts as they
  become included, but not include in-depth
  overview of everything e.g. single-sign on, VOMs,
  etc.
• Approach
• Each piece of software case studies
• Document split for project managers/PIs,
  technical developers
• Into overview technical
• n1 docs (per software 1 overview)
• S/w referenced more specifically in terms of
  security, perhaps not so much general info
• How should it be advertised?
• Include in FAQ, mailing lists

4
Challenges

• security challenges facing e-research
• difficult to set-up, configure, too many options,
  when it goes wrong hard to troubleshoot. divides
  into two
• getting things working
• understanding
• certs expiring problem raised at NGS innovation
  forum
• abused passing on security certs
• project based certs PAG requires things to be
  signed which cert do you use
• self signed?
• e-science CA won't issue cert to sign code
• apply for a service one
• compromise include name of individual
• do outside of e-science

5
Challenges

• problem of crossing domains
• organisational hurdles
• technical differences in architectures
• too many different solutions Shibboleth, Athens,
  EduRoam
• technology should be user driven rather than
  driven centrally
• tries prevent fragmentation of solutions but ends
  up pleasing no-one
• workflows security is a major barrier
• multiple domains and technologies
• toolkits assume their own narrow solution
  barrier to interoperating
• problems of access with ports
• securely exchanging certificates
• want to create a venue on a new venue server
• 2 PAG clients one creates a new venue at a
  venue server, needs to exchange a certificate
  use SSL connection to exchange?

6
Actions

• New draft of document (Steve C, )
• Circulate for wider review