The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

SPG:Drafts:LToS Service Scoped Security Policy

From EGIWiki
Revision as of 15:13, 6 November 2014 by Davidg

Scope

The EGI Long-Tail-of-Science (LToS) Scoped Service Security Policy is applicable to all Participants involved in the EGI LToS Service.


Vocabulary

This Policy and the associated Implementation Guidelines use the controlled vocabulary of the EGI Glossary[1], the Security Policy Glossary of Terms[2], and the Glossary of the Security for Collaborating Infrastructures (SCI) document[3]. The following terms are specific to this Policy and its Implementation Guidelines:


Application

The information provided by an Applicant and recorded by a Registry that describes the personal information, contact details, and research use case, and on which basis a resource allocation is made

Applicant

A human individual that seeks to gain access to the Service by providing information to the Registry

Registry

The Service that holds information about the Users and/or Applicants (also known as the User Management Portal (UMP), together with any supporting systems that hold data about Users or Applicants)

Management

Those individuals or organisational bodies that have control over Resource Centres, Resource Infrastructures, and any associated personnel, and who are capable and authorized to assume risks.

eduGAIN

The service interconnecting Research and/or Education identity federations around the world[4]

LToS

Long Tail of Science, as meant in the context of the EGI Long Tail of Science Service[5]

The key words "must", "must not", "required", "shall", "shall not", "should", "should not", "recommended", "may", and "optional" in this document are to be interpreted as described in RFC 2119.

Aims of the Policy

This Policy and the Implementation Guidelines aim to enable a low-barrier Service to be offered to a wide range of research users in Europe and their collaborators world-wide, by any Resource Centre organisation that elects to do so. In offering such LToS Services, the Resource Centre shall not negatively affect any other Resource Centre or any other part of the e-Infrastructure. In particular, security incidents originating in the LToS Service should not impact the IT Infrastructure in ways that are incompatible with the operational model of other, more tightly controlled, parts of the infrastructure. This document also provides guidelines on the implementation of security procedures and controls to facilitate the offering of the Service by Resource Centres and Science Gateways.



LToS Service Security Policy


  1. Any Participant, including the Registry, shall be subject to the Grid Security Policy and any subordinate Policies, insofar as they are not superseded explicitly by this specific Policy.
  2. Access granted to Users under this policy shall be limited in time and shall be subject to a reviewed resource allocation that is not yet exhausted. All access shall be exclusively through Science Gateways, based on User information contained in the Registry. The Registry and Science Gateways should implement the material implications of the EGI CSIRT Central Emergency Suspension mechanism.
  3. The Registry shall determine the origin of all Applicants and Users in a way sufficient to identify their organisational affiliation, and shall record at least one communication method. That contact information shall include an electronic mail address identifiably linked by name to the organisational affiliation. The contact information for Users shall be verified at least every 13 months.
  4. Information about Users shall be kept in the Registry for at least 13 months and no more than 18 months after terminating access to the LToS Service for the User.
  5. The Registry shall have a Data Protection and Privacy Policy and practice statement, and must implement appropriate technical and organisational measures to protect the data contained in the Registry. In addition to information sharing permitted by the Security Policy, information in the Registry may also be shared with any Resource Centre and Science Gateway participating in the LToS Service.
  6. The Resource Provider shall configure the Services such that capabilities are limited to only those necessary to execute permitted Workflows.
  7. The Resource Provider shall apply any controls necessary to ensure that the risk posed to other Resource Providers and to the e-Infrastructure Participants does not change in a significant way as a result of its participation in the LToS Service.
  8. The Management of the Resource Centre and of the Resource Infrastructure Provider shall accept the risk involved with participation in the LToS Service, and shall have the capability to absorb the consequences of any residual risk with respect to the other Participants.
  9. Users shall comply with the Acceptable Use Policy, and shall respect any further restrictions placed on permissible use by Resource Centres and Science Gateways.

By adopting this policy, the LToS Service shall qualify as having security controls sufficient for the operation of Job Management Portals as meant in the VO Portal Policy[6] for qualified LToS Users, when used within the ensemble of Service Providers participating in the LToS Service.

Implementation Guidelines




[6] https://documents.egi.eu/document/80