SPG:Drafts:LToS Service Scoped Security Policy:DiscussionInvite
Dear all,

As part of the EGI user engagement process and in preparation for planned activities in 2015 and beyond, EGI.eu in collaboration with several resource centres, a few NGIs and developers of Science Gateways (portals) has started a pilot to support the "Long Tail of Science" (LToS). The goal of this activity is to evaluate possible technologies to implement a set of services to make it easier for the users of the long tail of platform to access EGI resources.

Participation in the pilot is voluntary. Participating resource centres may provide the LToS service on dedicated resources, but also share their existing service offering with both the well-known 'organised' user communities as well as with more ad-hoc LToS resource consumers. However, the presence of such alternative models within the EGI infrastructure changes the effective security risk, not only for those sites that participate in the LToS Service, but ALSO for all other sites. To address this potential change in risk, compensatory controls and mitigating measures should be put in place.

For this reason, the LToS work group invites security policy experts and the SPG to consider such a policy. Based on discussions with the LToS WG, we propose to draft a security policy *specific to the LToS pilot* that aims to ensure that the risk to any other participant in EGI remains materially unchanged.

You, the SPG, are the best group of experts we have to discuss the policy, and we invite your comments and criticism on the draft EGI Long Tail of Science Service Scoped Security Policy. The latest draft (v02), background and links to the LToS activity are at:

https://wiki.egi.eu/wiki/SPG:Drafts:LToS_Service_Scoped_Security_Policy

*Especially if you are not* involved in the LToS pilot, or if you do not want to be affected by the LToS Service, it is important that you read the policy and consider whether it addresses your concerns! Even if you are not involved directly, security risks propagate through a federated infrastructure like EGI by virtue of all the seamless interconnect mechanisms we built in to the system. The proposed mitigations aim to limit the spread of incidents outside of the LToS perimeter.

If you are a Resource Centre, Science Gateway operator, or Registrar that would like to engage with the LToS Service, review whether this policy is adequately worded so as to serve your intended audience.

The time line for the LToS Service Pilot is short (still in 2014), so having consensus about a (draft) policy in a timely fashion would be appreciated. Let there be a fruitful discussion on this list!

Best regards,
DavidG.