170 likes | 322 Views
ICAT Developer Workshop : Consequence. Shirley Crompton, ESC, STFC Daresbury Laboratory. Overview. Consequence Project What, who, objectives Sensitive Scientific Data Test Bed Test Bed Scenario Problem Definitions Consequence General Architecture DSA Components Test Bed Components.
E N D
ICAT Developer Workshop : Consequence Shirley Crompton, ESC, STFC Daresbury Laboratory
Overview • Consequence Project • What, who, objectives • Sensitive Scientific Data Test Bed • Test Bed Scenario • Problem Definitions • Consequence • General Architecture • DSA Components • Test Bed Components ICAT Developer Workshop 26 August 2009
Consequence – the ProjectData-centric Information Protection • FP7 ICT Programme • Call 1 project : secure, dependable and trusted infrastructures • Start: 1 Jan 2008 • Duration: 36 months ICAT Developer Workshop 26 August 2009
Consequence – the Consortium Researchers Industrial Innovators High Demand Test beds ICAT Developer Workshop 26 August 2009
Consequence – Main Objectives • Define an architecture within aframework • to enable dynamic management policies • based on data sharing agreements that • ensure end-to-end secure protection • of data-centric information. • Implementthe architecture in software. • Evaluate the technicaland business benefits of the implementation and framework via two test beds: • Sensitive scientific data (STFC) • Crisis management data (BAE) ICAT Developer Workshop 26 August 2009
Data Sharing Agreement Lifecycle ICAT Developer Workshop 26 August 2009
Funding Agency Research Manager Admin Researcher STFC Experi- mental Facility Main Scenario (STFC Test Bed) 2a. Negotiates between Agreement Specification, Analysis And Mapping Phase 3. Submits grant with signed agreement to Enforcement Phase 1. Discusses grant proposal with 2b. Consults with 4. Awards grant to 6. Experiments in 5. Triggers system config by 7. Serves data to 8. Exchanges data with
ICAT Authorisation Model (RBAC Implemented in Oracle DB) Smallest document is a single data file ICAT Developer Workshop 26 August 2009
Key DS Policies in Research Domain • Context condition: ‘… 3-year embargo on experimental data generated at the facility by publicly-funded project …’ • Data Integrity + attribute-based desc : ‘ … cannot modify experimental data generated at the facility ...’ • Consent : ‘ …refined data is limited at all time to users authorised by the data owner/admin’ • Derived data – ‘… foreground IP derived from the use of its proprietary data must not be disseminated without its official consent…’ • Usage Control – ‘… work using proprietary data must be carried out within the laboratory located in …during office hours’ • History + obligation – ‘… permits read access three time for a maximum period of 7 days, after which the doc will be deleted…’ • Purpose-awareness – ‘… proprietary data can only be used for thepurposeof carrying out the project ..’ 8 ICAT Developer Workshop 26 August 2009
Policy-based Access/Usage Control Data Sharing Agreement/s Data Consumer Data Host Protected Document Consequence- Aware App Is access allowed? Allow access only while user is in office. Usage Policy Policy Evaluator ICAT Developer Workshop 26 August 2009
Consequence – General Architecture Overview Organization A Organization B DSA DSA Enforcement Policy Policy Enforcement Application Application Identity/ Context provider ICAT Developer Workshop
DSA Components(*DSA Policy Mapper) DSA Policy PDSA Authoring DSA Trust management Analysis Lifecycle manager DSA to Policy mapping DSA to Policy Mapper The Projection Phase PDSAis equivalent to P1DSA º …º PnDSA P2DSA P3DSA PnDSA P1DSA …………….. The Refinement Phase through a refinement function r Enforceable Policies r(P1DSA) r(P4DSA) r(P3DSA) r(PnDSA) ICAT Developer Workshop 26 August 2009
Pub Licence Data File/s Consequence Existing New ICAT Server-side Components (Publishing)*not all ICAT components/interactions shown Session CSDM Data Store DSA Service DPO WS api ICAT IRM Server PEP PDP PEP Creates protected doc MD Manager Service PIP Context Delegate AuthN ICAT Developer Workshop 26 August 2009
Client-side Components (Consuming) Pub Licence Data File/s Consequence Existing New If IRM Server is unreachable Light Weight Licensor DPO api iCON IRM Server PEP read/upd protected doc via PEP PDP MD Manager Service Context Provider Delegate PIP Local Env Provider Event Delegate Subj/Attr Provider Event Processor 13 ICAT Developer Workshop 26 August 2009
Consequence Vision Managers draft and sign data-sharing agreements that contain policies which must be enforced when data is accessed and used ICAT Developer Workshop 26 August 2009
Questions? 15 ICAT Developer Workshop 26 August 2009
ICAT Developer Workshop : Consequence Shirley Crompton, ESC, STFC Daresbury Laboratory