ICAT Developer Workshop : Consequence
Shirley Crompton, ESC, STFC Daresbury Laboratory
www.consequence-project.eu ICAT Developer Workshop 26 August 2009
Overview
• Consequence Project
– What, who, objectives
• Sensitive Scientific Data Test Bed
– Test Bed Scenario
– Problem Definitions
• Consequence
– General Architecture
– DSA Components
– Test Bed Components
Consequence – the Project
Data-centric Information Protection
• FP7 ICT Programme
– Call 1 project : secure, dependable and trusted infrastructures
• Start: 1 Jan 2008
• Duration: 36 months
Consequence – the Consortium
• High Demand Test beds
• Industrial Innovators
• Researchers
Consequence – Main Objectives
• Define an architecture within a framework
– to enable dynamic management policies
– based on data sharing agreements that
– ensure end-to-end secure protection
– of data-centric information.
• Implement the architecture in software.
• Evaluate the technical and business benefits of the implementation and framework via two test beds:
– Sensitive scientific data (STFC)
– Crisis management data (BAE)
Data Sharing Agreement Lifecycle
Main Scenario (STFC Test Bed)
[Diagram] Actors: Researcher, Research Manager, Funding Agency, Admin, STFC Experimental Facility
Phases: Agreement Specification, Analysis and Mapping Phase; Enforcement Phase
Steps (arrow labels on the diagram):
1. Discusses grant proposal with
2a. Negotiates between
2b. Consults with
3. Submits grant with signed agreement to
4. Awards grant to
5. Triggers system config by
6. Experiments in
7. Serves data to
8. Exchanges data with
ICAT Authorisation Model (RBAC Implemented in Oracle DB)
Smallest document is a single data file
Key DS Policies in Research Domain
1. Context condition : ‘… 3-year embargo on experimental data generated at the facility by publicly-funded project …’
2. Data Integrity + attribute-based desc : ‘ … cannot modify experimental data generated at the facility ...’
3. Consent : ‘ …refined data is limited at all time to users authorised by the data owner/admin’
4. Derived data – ‘… foreground IP derived from the use of its proprietary data must not be disseminated without its official consent…’
5. Usage Control – ‘… work using proprietary data must be carried out within the laboratory located in …during office hours’
6. History + obligation – ‘… permits read access three times for a maximum period of 7 days, after which the doc will be deleted…’
7. Purpose-awareness – ‘… proprietary data can only be used for the purpose of carrying out the project ..’
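Added example (not from the slides or the Consequence code base): a minimal policy decision function showing how policies 1, 2, 5 and 6 above could be evaluated against request context and usage history, returning a decision plus obligations for the enforcement point. The attribute names, the 09:00 to 17:00 office hours, and the reading of policy 6 as "three reads within 7 days of the first read" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from typing import Optional

EMBARGO = timedelta(days=3 * 365)              # policy 1: 3-year embargo
MAX_READS, READ_WINDOW = 3, timedelta(days=7)  # policy 6: history limits
OFFICE = (time(9, 0), time(17, 0))             # policy 5: assumed office hours

@dataclass
class Doc:                      # constructed attributes, not the ICAT schema
    generated: datetime         # when the experimental data was produced
    publicly_funded: bool = False
    proprietary: bool = False
    first_read: Optional[datetime] = None  # usage history for this consumer
    reads: int = 0

@dataclass
class Request:
    action: str                 # "read" or "modify"
    project_member: bool        # subject attribute (assumed)
    in_lab: bool                # context attribute (assumed)
    now: datetime

def decide(doc: Doc, req: Request):
    """Return (decision, obligations); records usage history on a permitted read."""
    if req.action == "modify":                            # policy 2: integrity
        return "deny", []
    embargoed = doc.publicly_funded and req.now < doc.generated + EMBARGO
    if embargoed and not req.project_member:              # policy 1: context condition
        return "deny", []
    if doc.proprietary:                                   # policy 5: usage control
        in_hours = OFFICE[0] <= req.now.time() < OFFICE[1]
        if not (req.in_lab and in_hours):
            return "deny", []
    if doc.first_read is not None:                        # policy 6: history
        expired = req.now - doc.first_read > READ_WINDOW
        if expired or doc.reads >= MAX_READS:
            return "deny", ["delete_document"]            # obligation for the PEP
    doc.first_read = doc.first_read or req.now
    doc.reads += 1
    return "permit", []

if __name__ == "__main__":
    t0 = datetime(2009, 8, 26, 10, 0)                     # constructed sample request time
    doc = Doc(generated=t0 - timedelta(days=30), proprietary=True)
    for _ in range(4):                                    # fourth read exceeds the limit
        print(decide(doc, Request("read", True, True, t0)))
```

The denial that carries `delete_document` is the case that separates usage control from plain access control: the decision depends on accumulated history, and the enforcement point has work to do even after refusing the request.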
Policy-based Access/Usage Control
[Diagram labels] Data Sharing Agreement/s; Protected Document; Data Host; Data Consumer; Consequence-Aware App; Policy Evaluator; Is access allowed?
Usage Policy: Allow access only while user is in office.
Consequence – General Architecture Overview
[Diagram] Organization A: Policy, DSA, Enforcement, Application
Organization B: Policy, DSA, Enforcement, Application
Identity/Context provider
DSA Components (*DSA Policy Mapper)
[Diagram] Components: Authoring, Analysis, DSA to Policy mapping, Lifecycle manager, Trust management
DSA to Policy Mapper
DSA; DSA Policy $P_{DSA}$
The Projection Phase: $P_{DSA}$ is equivalent to $P^{1}_{DSA} \circ \dots \circ P^{n}_{DSA}$
$P^{1}_{DSA}$, $P^{2}_{DSA}$, $P^{3}_{DSA}$, …, $P^{n}_{DSA}$
The Refinement Phase through a refinement function $r$
$r(P^{1}_{DSA})$, $r(P^{4}_{DSA})$, $r(P^{3}_{DSA})$, $r(P^{n}_{DSA})$
Enforceable Policies
ICAT Server-side Components (Publishing)
*not all ICAT components/interactions shown
[Diagram labels] ICAT; CSDM; PEP; PDP; PIP; MD Manager Service; Context Delegate; IRM Server; AuthN; DSA Service; DataStore; Pub Licence; Data File/s; Session; DPO WS api
PEP Creates protected doc
Legend: Consequence; Existing; New
Client-side Components (Consuming)
[Diagram labels] iCON; PEP; PDP; PIP; Pub Licence; Data File/s; Context Provider Delegate; Light Weight Licensor; IRM Server; Local Env Provider; Subj/Attr Provider; MD Manager Service; DPO api; Event Delegate; Event Processor
read/upd protected doc via PEP
If IRM Server is unreachable
Legend: Consequence; Existing; New
Consequence Vision
Managers draft and sign data-sharing agreements
that contain policies
which must be enforced
when data is accessed and used
Questions?