Theme8 First Workshop Position Statements
Participants: please add a paragraph or two here, describing your project/interests.
It will be helpful if you structure your presentation - if not the description here - around the following questions:
1. What is your current approach to security? Are you satisfied with it? Why?
2. What is the worst security problem you have encountered? What is the worst that you can imagine happening?
3. What kind of changes would you like to make to your approach (scientifically, in the use of resources, and so on), but do not dare, for reasons of security?
Name: Andrew Martin
Project/area: Digital Rights Management for eScience Data (this is anomalous: I would imagine that most of the projects represented at this workshop would be from eScience applications, rather than being about technologies)
Description: Digital Rights Management tends to be associated, for most people, with music and movies, with big business, and awkward controls on behaviour. The same techniques could, however, be used to apply access control permissions to data uploaded to a repository, or to highly mobile electronic patient records. I will describe some of these potential use cases, and talk about the prospects for their implementation.
Name: Andrew Martin
Description: Climateprediction.net distributes computing jobs to thousands of participants worldwide. A significant issue of security for the project is the provenance of the data returned: did it really arise from the genuine climate model, or did the participant alter it for their own purposes (which may or may not be wholly malicious)? One solution to this problem is to duplicate the model parameters, giving them to several participants, and comparing the results. This is not feasible in our case. How could the next generation of such projects benefit from the new technologies of Trusted Computing?
Name: Alexandra Nenadic
Description: The Taverna workbench developed by the MyGrid project provides a workflow enactment engine for the user-defined workflows to execute using local and remote services. Users delegate their rights to the workflow engine but problems arise when more than one identity is required to execute a workflow (e.g. multiple identities of the same user with different services or different users collaborating on the same workflow each using their set of credentials). The problem becomes worse as services do not have or want to publicise their security policies - there is no way for Taverna to know if a remote service has certain security requirements and constraints and the user has to know and take care of this. We need a workflow engine that can assume different identities as needed and can negotiate security requirements with remote services.
Name: David Rodriguez
Project/area: Sinapse, brain imaging
Description: SINAPSE is a research network on brain imaging where sensitive patient data is managed. This imposes restrictions in their use and in the access to additional medical information. The problem is the trade-off between security and usability and research interest. Research would greatly benefit from broader data sharing, but the opportunities are often seriously limited due to the practicalities of complying with data protection issues. This project would seek to implement systems which simultaneously complied with the data protection requirements and the desire for collaboration. As a by-product of such systems, security and privacy would be greatly enhanced since research groups would no longer be tempted to circumvent local policy due to the difficulty of compliance.
Project/area: e-Infrastructure for Social Science
Description: The e-Infrastructure for social science project aims to build a Grid infrastructure to provide secure access to a variety of resources including datasets, tools and services for social science research. This project will build a Shibboleth based security infrastructure to enable users to access the e-infrastructure in a secured manner. In this security infrastructure, we are particularly interested to address issues like (1) creation of Shibboleth federation for social science community (2) Shibboleth-enabled collaborative environment based on Sakai portal (3) attribute-based fine grained authorization mechanism for grid-enabled datasets.
Name: Philip Kershaw
Project/area: NDG Security
Description: NDG Security is the security system for the NERC Data Grid. NDG Security has been developed to provide users with seamless access to secured resources across NDG participating organisations whilst at the same time providing an underlying system which is easy to deploy around organisations' pre-existing systems. From the perspective of developing such a system, key challenges have been:
- the range of different grid related security technologies: which to adopt and how to interoperate with them;
- integration into partner organisations' existing security infrastructures;
- human factors: expectations, perceptions about security, trust;
- preserving a simple interface for clients and application developers based on web based technologies and tools readily available to a client PC desktop.
Name: Philip Kershaw
Project/area: Contributions from NDG Partner Organisations
Description: This is a summary of feedback from some of the NDG partners. NDG is part way through deployment. Partners have pre-existing systems based around username/password login via portals. There is overlap with NDG requirements but also specific needs for individual sites:
- Single Sign On is desirable, to merge access mechanism to different functions and facilities;
- Greater flexibility with authentication mechanisms to enable access for a wider user community e.g. opening to OpenID and Shibboleth users;
- Security requirements should not cripple access to resources;
- Access audit trails to feedback to funding bodies and in some cases to fulfil legal requirements;
- Improved means of detecting and handling abuses such as sharing of login details between users; licence breaches.
Problem areas are:
- The worst possible scenario that can be envisaged is the compromise of data integrity;
- Rights to create derivative products;
- Digital Rights Management – Possible future impact for distribution of data
One capability desired but held back for reasons of security is the ability for a data provider to host sandboxes for users to run their code against the data provider's datasets.
Name: Junaid Arshad
Project/area: Modelling and Simulation for e-Social Science (MoSeS)
Description: The objective of the project is to develop a representation of the entire UK population as individuals and households, together with a package of modelling tools which allows specific research and policy questions to be addressed. The components of the MoSeS project are a baseline representation of the UK population; a dynamic modelling capability; a grid-enabled portal for policy analysis; and a series of application scenarios. The model will have a grid-enabled portal which provides access to data, scenarios and modelling tools within a decision support environment.
- The major "functional" requirement concerned with security is to ensure confidentiality of the raw data and the results produced by analyzing that data. Other "non-functional" requirements include single sign-on, delegation of authority and usability of the approach. Shibboleth security system, with few enhancements e.g. fine grained access control, is currently envisaged as the most appropriate solution.
- The worst that can happen is the breach of confidentiality leading to breach of licenses and agreements for the "raw data".
- Ideally, we would like to expose some part of the research to the public, i.e. information useful to the public and not subject to licenses. Also, the process requires huge computational resources and we are looking at providers such as Amazon EC2 but the bottleneck is to establish trust on a remote machine.
Name: David Spence
Project/area: SARoNGS: Shibboleth and Grid Integration
Description: The SARoNGS project seeks to encourage more users to use the Grid from all areas of research by removing the barrier of using Grid certificates. The chosen method is to provide a Shibboleth to Grid Credential Translation Service for the NGS. The resulting service will be a universal service for enabling Grid access for those in institutions supporting JISC Federated Access Management. The service seeks to be independent of the exact method of accessing the Grid and the user tools used to request the credential translation. The SARoNGS project will also integrate this Shibboleth to Grid translation for compute, data and portals; and allow this translation to be in the context of a Virtual Organisation, institution or a default context. As well as integrating with existing Virtual Organisations using a VOMS, Virtual Organisations can also be hosted directly in the SARoNGS service - with membership specified in either the Shibboleth or Grid domain.
Name: Bruce Beckles
Project/area: RealityGrid and its associated projects (via the "User-Friendly Authentication and Authorisation for Grid Environments" project)
Description: Using grid technology to closely couple high throughput experimentation and visualisation, RealityGrid has provided a highly flexible and robust computing infrastructure for supporting the modelling of complex condensed matter systems, including life science. This has enabled researchers - who would not have otherwise been able to do so - to exploit exceptionally vast high performance computing resources linked via grid infrastructure, coupled to novel methodological paradigms through steering and visualisation together with the use of scalable algorithms. The "User-Friendly Authentication and Authorisation for Grid Environments" project seeks to develop a more usable grid security infrastructure than that with which the middleware used by RealityGrid and its associated projects must currently interact. In so doing, our aim is to improve the usability of the grid environment for existing users, and to lower the cost of entry to these environments for new users, thus encouraging them to engage with grid environments. Having identified that a major barrier to entry, and a source of many usability issues, is the use of digital certificates for authentication and authorisation in these environments, we are currently looking at ways to remove such certificates from the end-user's experience of these environments.
Amongst the most serious security-related issues that RealityGrid and its associated projects have encountered (to date) are the following (in no particular order):
- The inordinately high cost of entry to the grid environment due to the use of digital certificates. In particular, it can take weeks, or in extreme cases, months, for users to obtain a digital certificate from the UK e-Science Certificate Authority and get it authorised for all the grid resources they wish to use.
- The poor usability of digital certificates encouraging the sharing of certificates between users. This causes a number of problems, including the difficulty of properly accounting use of grid resources to the appropriate project/quota, as well as the constant danger that such users will be discovered and have the shared certificate(s) revoked and/or be denied access to grid resources on which they have come to depend.
- The absence of fine-grained authorisation controls for project managers, PIs, etc. Currently, use of a resource identified by a particular certificate can be associated with a particular project/quota. However, the project manager is not able to specify that individual users should only be allowed to use a certain amount of the project's quota. Even when no certificate sharing takes place, it is not uncommon for the entire allocation of a project to be inadvertently used up by a member of the project team who has accidentally submitted 1000 jobs instead of 10.
- The use of short-lived proxy certificates causes problems because it is often difficult for users to accurately estimate the lifetime of their jobs. This is exacerbated by the use of job schedulers on most grid resources, few of which make it easy to predict when a job will actually be run on the resource. Many users work round this problem by using long-lived proxy credentials which, whilst not a problem for the user, are held to increase the risk of the credential being acquired by unauthorised individuals who might use it to compromise the integrity of the environment.
- The absence of a lightweight authentication and authorisation framework that can be easily integrated into grid applications (especially computational steering and collaborative visualisation applications). Such a framework needs to be easy to interface to the application and not impose an overly onerous burden on the application's developer and intended users.
- The lack of clear guidelines and best practice for handling medical data in distributed computing environments such as computational grids or data grids.
Worst case scenarios (in no particular order) include:
- Failure to engage target user communities with grid environments, RealityGrid's deliverables (including its middleware), etc.;
- Compromise of data integrity;
- Compromise of application integrity for computational steering and remote/collaborative visualisation applications;
- Exposure of patented (or otherwise confidential) algorithms and techniques used by processes running in the grid environment; and
- Exposure of medical (or related) data.
Changes to approach felt to be prevented by "security considerations" (in no particular order) include:
- Widening access to the methodologies and techniques developed by RealityGrid (and associated projects) to embrace "ordinary" (i.e. non-grid-aware) scientists;
- Collaborative working, particularly with researchers not currently using the grid, using computational steering and remote/collaborative visualisation applications;
- Casual use of grid environments by researchers; and
- Use of grid environments for processing medical (or other sensitive) data.