SPG:Drafts:LToS Service Scoped Security Policy
Scope
The EGI Long-Tail-of-Science (LToS) Scoped Service Security Policy is applicable to all Participants involved in the EGI LToS Service.
Vocabulary
This Policy and the associated Implementation Guidelines use the controlled vocabulary of the EGI Glossary[1], the Security Policy Glossary of Terms[2], and Glossary of the Security for Collaborating Infrastructures (SCI) document[3]. The following terms are specific to this Policy and implementation guidelines:
Application |
The information provided by an Applicant and recorded by a Registry that describes the personal information, contact details, and research use case, and on which basis a resource allocation is made |
Applicant |
A human individual that seeks to gain access to the Service by providing information to the Registry |
width="177" valign="top" style="width:106.35pt;border:solid windowtext 1.0pt;
border-top:none;mso-border-top-alt:solid windowtext .5pt;mso-border-alt:solid windowtext .5pt; padding:0cm 5.4pt 0cm 5.4pt" | Registry |
width="567" valign="top" style="width:12.0cm;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt; mso-border-top-alt:solid windowtext .5pt;mso-border-left-alt:solid windowtext .5pt; mso-border-alt:solid windowtext .5pt;padding:0cm 5.4pt 0cm 5.4pt" | The Service that hold information about the Users and/or Applicants (also known as the User Management Portal UMP and any supporting systems that hold data about Users or Applicants) |
width="177" valign="top" style="width:106.35pt;border:solid windowtext 1.0pt;
border-top:none;mso-border-top-alt:solid windowtext .5pt;mso-border-alt:solid windowtext .5pt; padding:0cm 5.4pt 0cm 5.4pt" | Management |
width="567" valign="top" style="width:12.0cm;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt; mso-border-top-alt:solid windowtext .5pt;mso-border-left-alt:solid windowtext .5pt; mso-border-alt:solid windowtext .5pt;padding:0cm 5.4pt 0cm 5.4pt" | Those individuals or organisational bodies that have control over Resource Centres, Resource Infrastructures, and any associated personnel, and who are capable and authorized to assume risks. |
width="177" valign="top" style="width:106.35pt;border:solid windowtext 1.0pt;
border-top:none;mso-border-top-alt:solid windowtext .5pt;mso-border-alt:solid windowtext .5pt; padding:0cm 5.4pt 0cm 5.4pt" | eduGAIN |
width="567" valign="top" style="width:12.0cm;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt; mso-border-top-alt:solid windowtext .5pt;mso-border-left-alt:solid windowtext .5pt; mso-border-alt:solid windowtext .5pt;padding:0cm 5.4pt 0cm 5.4pt" | The service interconnecting Research and/or Education identity federations around the world[4] |
width="177" valign="top" style="width:106.35pt;border:solid windowtext 1.0pt;
border-top:none;mso-border-top-alt:solid windowtext .5pt;mso-border-alt:solid windowtext .5pt; padding:0cm 5.4pt 0cm 5.4pt" | LToS |
width="567" valign="top" style="width:12.0cm;border-top:none;border-left:
none;border-bottom:solid windowtext 1.0pt;border-right:solid windowtext 1.0pt; mso-border-top-alt:solid windowtext .5pt;mso-border-left-alt:solid windowtext .5pt; mso-border-alt:solid windowtext .5pt;padding:0cm 5.4pt 0cm 5.4pt" | Long Tail of Science as meant in the context of the EGI Long Tail of Science Service[5] |
The key words "must", "must not", "required", "shall",
"shall not", "should", "should not", "recommended", "may", and "optional" in this document are to be interpreted as described in RFC 2119.Aims of the Policy
This Policy and the Implementation Guidelines aim to enable a low-barrier Service to be offered to a wide range of research users in Europe and their collaborators world-wide, by any Resource Centre organisation that elects to do so. In offering such LToS Services, the Resource Centre shall not negatively affect any other Resource Centre or any other part of the e-Infrastructure. In particular, security incidents originating in the LToS Service should not impact the IT Infrastructure in ways that are incompatible with the operational model of other, more tightly controlled, parts of the infrastructure. This document also provides guidelines on the implementation of security procedures and controls to facilitate offering of the Service by Resource Centres and Science Gateways.
LToS Service Security Policy
- Any Participant, including the Registry, shall be subject to the Grid Security Policy and any subordinate Policies, insofar as they are not superseded explicitly by this specific Policy.
- Access granted to Users under this policy shall be limited in time and shall be subject to a reviewed resource allocation that is not yet exhausted.
All access shall be exclusively through Science Gateways based on User information contained In the Registry. The Registry and Science Gateways should implement the material implications of the EGI CSIRT Central Emergency Suspension mechanism - The Registry shall determine the origin of all Applicants and Users in a way sufficient to identify their organisational affiliation, and shall record at least one communication method. That contact information shall include an electronic mail address identifiably linked by name to the organisational affiliation. The contact information for Users shall be verified at least every 13 months.
- Information about Users shall be kept in the Registry for at least 13 months and no more than 18 months after terminating access to the LToS Service for the User.
- The Registry shall have a Data Protected and Privacy Policy and practice statement, and must implement appropriate technical and organisational measures to protect the data contained in the Registry. In addition to information sharing permitted by the Security Policy, information in the Registry may also be shared with any Resource Centre and Science Gateway participating in the LToS Service.
- The Resource Provider shall configure the Services such that capabilities are limited to only those necessary to execute permitted Workflows.
- The Resource Provider shall apply any controls necessary to ensure that the risk posed to other Resource Providers and to the e-Infrastructure Participants does not change in a significant way as a result of its participation in the LToS Service.
- The Management of the Resource Centre and of the Resource Infrastructure Provider shall accept the risk involved with participation in the LToS Service, and shall have the capability to absorb the consequences of any residual risk with respect to the other Participants.
- Users shall comply with the Acceptable Use Policy, and shall respect any further restrictions placed on permissible use by Resource Centres and Science Gateways.
By adopting this policy, the LToS Service shall qualify as having security controls sufficient for the operation of Job Management Portals as meant in the VO Portal Policy[6] for qualified LToS Users, when used within the ensemble of Service Providers participating in the LToS Service.
Implementation Guidelines