SPG:Drafts:LToS Service Scoped Security Policy:DiscussionInvite

Dear all,

As part of the EGI user engagement process and in preparation for planned 
activities in 2015 and beyond, EGI.eu in collaboration with several 
resource centres, a few NGIs and developers of Science Gateways (portals)
have started a pilot to support the "Long Tail of Science" (LToS). The goal 
of this activity is to evaluate possible technologies to implement a set of 
services to make it easier for the users of the long tail of platform to access 
EGI resources.
Participation in the pilot is voluntary. Participating resource centres
may provide the LToS service on dedicated resources, but also share their
existing service offering with both the well-known 'organised' user 
communities as well as with more ad-hoc LToS resource consumers.

However, the presence of such alternative models within the EGI 
infrastructure changes the effective security risk, not only for those
sites that participate in the LToS Service, but ALSO to all other sites.
To address this potential change in risk, compensatory controls and
mitigating measures should be put in place. For this reason, the LToS
work group invites security policy experts and the SPG to consider such
a policy.

Based on discussions with the LToS WG, we propose to draft a security
policy *specific to the LToS pilot* that aims to ensure that the risk
to any other participant in EGI remains materially unchanged. 

You, the SPG, are the best group of experts we have to discuss the policy, 
and we invite your comments and criticism on the draft 

 EGI Long Tail of Science Service Scoped Security Policy 

The latest draft (v02), background and links to the LToS activity are at:

 https://wiki.egi.eu/wiki/SPG:Drafts:LToS_Service_Scoped_Security_Policy

*Especially if you are not* involved in the LToS pilot, or if you do not
want to be affected by the LToS Service, it is important that you read the
policy and consider whether it addresses your concerns!
Even if you are not involved directly, security risks propagate through
a federated infrastructure like EGI by virtue of all the seamless
interconnect mechanisms we built in to the system. The proposed 
mitigations aim to limit the spread of incidents outside of the LToS
perimeter.

If you are a Resource Centre, Science Gateway operator, or Registrar that
would like to engage with the LToS Service, review whether this policy
is adequately worded so as to serve your intended audience.

The time line for the LToS Service Pilot is short (still in 2014), so
having consensus about a (draft) policy in a timely fashion would be 
appreciated. 

Let there be a fruitful discussion on this list!

Best regards, DavidG.