Providing Security in e-Infrastructure to Meet the Needs of e-Research

Ally Hume, Tobias Schiebeck, Mike Jackson, Steve Wilson, Phil Kershaw, Weijian Fang, Louise Price, Matthew Habgood, Steve Crouch

Web: www.omii.ac.uk Email: info@omii.ac.uk

Aims
• How the OMII-UK security document should evolve – feedback?
• The security challenges facing e-Research
• Specific requirements for security within various domains
• Others?

OMII-UK Security Document
• What's missing:
  o Security logging/audit trails
  o Trust should be included at a high level
  o A more layman's approach to structuring
• AuthN – who is accessing a resource?
  o Include more advanced security concepts as they become included, but do not include an in-depth overview of everything, e.g. single sign-on, VOMS, etc.
• Approach:
  o Each piece of software – case studies
  o Document split for project managers/PIs and technical developers:
    • Into overview + technical
    • n+1 docs (one per software package + 1 overview)
  o Software referenced more specifically in terms of security, perhaps not so much general info
• How should it be advertised?
  o Include in FAQ, mailing lists

Challenges
• Security challenges facing e-Research
  o Difficult to set up and configure, too many options; when it goes wrong it is hard to troubleshoot. Divides into two:
    • getting things working
    • understanding
  o Certificates expiring – problem raised at the NGS Innovation Forum
    • Abused – passing on security certificates
  o Project-based certificates: PAG requires things to be signed – which certificate do you use?
    • Self-signed?
    • The e-Science CA won't issue a certificate to sign code – apply for a service certificate instead – compromise: include the name of the individual
    • Do it outside of e-Science

Challenges
  o Problem of crossing domains
    • Organisational hurdles
    • Technical differences in architectures
    • Too many different solutions: Shibboleth, Athens, EduRoam
    • Technology should be user driven rather than driven centrally – central direction tries to prevent fragmentation of solutions but ends up pleasing no-one
  o Workflows – security is a major barrier
    • Multiple domains and technologies
  o Toolkits assume their own narrow solution – a barrier to interoperating
  o Problems of access with ports
  o Securely exchanging certificates
    • Want to create a venue on a new venue server
    • 2 PAG clients – one creates a new venue at a venue server and needs to exchange a certificate – use an SSL connection to exchange?

Actions
• New draft of document (Steve C, …)
• Circulate for wider review
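Two of the challenges above, certificates expiring unnoticed and "which certificate do you use to sign – self-signed?", in working form. This is an added example, not part of the original notes and not OMII-UK or PAG code; it uses only the openssl command-line tool, and the file names, the subject CN and the 30-day warning window are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the OMII-UK notes): use the openssl CLI to
# (1) catch certificate expiry before it breaks a service or a signed
#     workflow, and
# (2) sign an artefact with a self-signed certificate and verify it.
# File names, the CN and the 30-day threshold are illustrative assumptions.

# make_selfsigned_cert OUT.pem DAYS
# Creates a throwaway RSA key (OUT.key) and a self-signed cert valid DAYS days.
make_selfsigned_cert() {
    cert="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "${cert%.pem}.key" -out "$cert" -days "$days" \
        -subj "/CN=example-signer" >/dev/null 2>&1
}

# cert_enddate CERT.pem
# Prints the notAfter timestamp, e.g. "Jan  1 00:00:00 2030 GMT".
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_valid_for_days CERT.pem N
# Exit 0 if the cert is still valid N days from now, 1 if it expires sooner.
# openssl's -checkend takes seconds and returns non-zero when the
# certificate will have expired by then, which is what a cron job wants.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# sign_file KEY.pem FILE SIG
# Detached SHA-256/RSA signature over FILE using the private key.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_file CERT.pem FILE SIG
# Extracts the public key from the certificate and checks the signature.
# With a self-signed cert there is no chain to walk: the verifier must
# already hold and trust this exact certificate (pin it), otherwise
# anyone can mint a "signer" cert of their own.
verify_file() {
    pub=$(mktemp)
    openssl x509 -in "$1" -noout -pubkey > "$pub"
    openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
    rc=$?
    rm -f "$pub"
    return $rc
}

# Usage when run directly:
#   make_selfsigned_cert signer.pem 365
#   cert_valid_for_days signer.pem 30 || echo "renew signer.pem soon"
#   sign_file signer.key workflow.xml workflow.sig
#   verify_file signer.pem workflow.xml workflow.sig && echo "signature OK"
```

The expiry check is the piece to put in a cron job or a monitoring probe on every host that holds a host, service or user certificate. The signing half shows why the self-signed option is only a partial answer: verification works, but only for a verifier that already holds that exact certificate, which is the trust question the CA-issued service certificate was meant to settle.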