E-Science Projects and Security
M. Angela Sasse & Mike Surridge
Who are we?
• M. Angela Sasse, Department of Computer Science, University College London (UCL)
– a.sasse@cs.ucl.ac.uk
• Mike Surridge, IT Innovation, University of Southampton
– ms@it-innovation.soton.ac.uk
• Members of the Security Task Force
Practical Security Workshop Nov. 2003
Why are we here?
• Previous STF work with projects unveiled raft of issues
– Awareness of security issues
– Perception
– Management
– Implementation
Security not high on agenda
‘Still early stages … going from requirements to design’
‘Get it to work first, then we’ll worry about security.’
– ‘There are no security issues: all our data are public.’
– ‘This is just a proof of concept – no commercial implications.’
Perceptions & Attitudes
• Not interested in security
– No security knowledge and skills: “what threat? Doesn’t X do that?”
– Some security knowledge and skills, but …: “not my job/not worth it”
• Interested in security, but …
– No security knowledge and skills: “don’t know where to start”
– Some security knowledge and skills, but …: “impossible to get it right anyway”
Management issues
• Nobody in charge of security
– Virtual organisations: no clear lines of communication or responsibility
– Ad-hoc decision-making
– Urban legends
• Implicit assumptions: security is taken care of by others
– people (sysadmin, other developers, networking, computer centre, …)
– technologies (Globus, firewalls, certificates, …)
Difficulties implementing security
• Knowledge lacking or inaccurate
– Threats
– Countermeasures
– Best practice
• Developers and administrators feel overloaded
• Conflicts with institutional regulations and mechanisms
Image problem
• Projects vs. security
– “security is used to prevent change”
– bureaucrats, detached, “preach”, not helpful
– projects have many questions, but don’t pursue them in a coherent manner or involve security experts
• Security vs. projects
– “users don’t care”
– something that must be controlled
Policy Purpose
• To promote best practice in security
– in UK e-Science projects
– in the UK e-Science Programme
• To recognise and manage security risks from
– distributed networked (grid) information systems
– distributed, collaborative project management
– newly discovered security problems in new grid or e-Science technology
• The policy is part of the Programme’s overall security approach
Stipulations
• Projects must adopt secure practices
– commensurate with the risks they face
• Projects must
– document their security policy and practices
– undertake a detailed threat and risk analysis
– ensure adequate resources to address threats
– provide staff training where appropriate
– keep up to date with security developments
• Projects may be subject to audit
– against their own security policy…
Project Security Policies
• Must be commensurate with risks faced
– driven by a project threat and risk analysis
– not based on any “pre-ordained” security level
• May need to address
– policy and guidance from the Programme
– legal obligations: health and safety, personal data protection
– ethical frameworks: oversight committees, etc
– specific security threats
– actions to be taken if security is breached
– community best-practice
Responsibility
• Responsibility for the programme policy
– UK e-Science Core Programme Directorate
– advised by STF and TAG
• Responsibility for project security
– project Principal Investigator
– aided by their project management team
• Principal Investigator must
– identify and address security roles
– establish operational security contact points
– ensure project security policy is maintained
Security Risk Management
• Should drive project security policy
• Requires identification of threats and risks
– to project staff and associated personnel
– to computer systems
– to information
– to relationships
– to reputation
– to the UK Programme
– etc
• Project security policy must address threats
Practical Security Workshop
• Support for project PIs and their teams
– practical risk identification and management
– practical advice on specific policy issues
– disseminating best practice
• Support for the UK Programme through STF
– identifying security risks to the overall programme
– identifying security risk management methods
– identifying gaps in technology, processes and skills
– disseminating best practice
• The Programme must observe its policy too!
Purpose of Workshop
• Help security projects to define their security needs
• Share experiences, learn from each other
• Introduce methods and tools (risk analysis and management)
• First steps towards developing good practice
• Identify training and support needs
Workshop Approach
• Presentations
– on risk identification and management
– on project experiences
• Breakout sessions
– to identify project security risks
– to identify appropriate security mechanisms
• Results
– greater awareness of types of risks and defences
– understanding of best practice for projects
– gaps and needs of the Programme
Overview Day 1 - morning
10.00 Registration and coffee
10.30 Welcome
(Alan Robiette, Chair, Security Task Force for the e-Science Programme)
10.45 Workshop Introduction: e-Science projects and security
(Mike Surridge, IT Innovation & Angela Sasse, UCL)
11.15 Understanding and managing risks
(Jonathan Moffett, York University)
12.15 Lunch
Overview Day 1 - afternoon
13.30 myGrid security issues
(Luc Moreau, Southampton University)
14.30 Breakout sessions: Identifying risks in your projects
(including tea at 15.30)
16.30 Reports from workshop groups
17.15 Security lessons from the EGSO Project
(Clare Gryce, UCL)
18.00 Close
19.30 Dinner
Overview Day 2
09.00 Coffee
09.15 Managing security in the DAME Project
(Howard Chivers, York University)
10.00 Breakout sessions: Managing risks in your projects
(including coffee at 11.00)
12.30 Lunch
13.45 Reports from workshop groups
14.15 Establishing secure practices
(Peter Ryan, Newcastle University)
15.00 Closing remarks: Security in e-Science projects – First steps in the right direction
(Mike Surridge, IT Innovation & Angela Sasse, UCL)