|
Size: 4612
Comment:
|
Size: 2762
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 2: | Line 2: |
| #language fr | #language en == A final Requirements Document == This page offers a guide to what work ESP-GRID has done on requirements for access control for grids. (-- AlunEdwards [[DateTime(2006-04-11T08:48:11Z)]]) {{{ AE: moved sections 2.5-7 to DefinitionsPage. Added notes about Mullen document to the Bibliography entry. Recommend adding definitive list of documents to this page, to assist with version control etc. (-- AlunEdwards [[DateTime(2006-04-11T08:52:32Z)]]) }}} RequirementsDoc * These are the final requirements for Authentication, Authorisation and Accounting on a generic grid as proposed by the ESP-GRID project. They are based heavily upon [wiki:Self:RequirementsBibliography#MullenGAAAR Shawn Mullen et al's] (2004) document on "Grid Authentication, Authorization and Accounting Requirements". * Other "requirements" documents (including that of Mullen et al.) make an assumption that PKI is being used throughout (client to site/machine, and machine to machine). We wished to take a step back and write down the requirements (for access management and security) without the assumption that 'client to machine' PKI is already employed. For more detail and justifications of changes made to the original [wiki:Self:RequirementsBibliography#MullenGAAAR Mullen et al.] document, please see RequirementsDocFull. This contains many annotations explaining the difference between the documents. |
| Line 4: | Line 19: |
| Currently we are seeking assistance to build a list of use-cases that will lead us towards a set of functional requirements for access management and security for a generic grid. (The 'generic grid' is a production grid, with production applications and a set of users with a wide variety of skills and interests.) We are trying to avoid any limitations with current technologies and to think clearly about requirements before considering technology. This is an early workpackage for the ESP-GRID project. | To inform the above work, the project reviewed publications and other work concerning grid UseCases. The 'generic grid', to which this work alludes, is a production grid, with production applications and a set of users with a wide variety of skills and interests. This work attempts to avoid any limitations with current technologies and to think clearly about requirements before considering technology. |
| Line 6: | Line 21: |
| === Top-level requirements described under: === | === Bibliography === RequirementsBibliography * sources and references to articles and papers used in this Requirements gathering exercise === Focus Group === FocusGroup |
| Line 8: | Line 28: |
| * Grid AAA (A) requirements (authentication authorisation and accounting, and auditing) * Grid protection of data requirements (privacy, confidentiality, integrity, digital rights management) * Grid operational characteristics (trust, performance and scalability, manageability incl. architectural components, interoperability, assurance) * Additional requirements which need a better home (single log-on, policy exchange) |
* Notes and reports from the focus group meeting (as yet unprocessed). This meeting was held at the start of this activity, on xxxx. }}} === Use Cases === UseCases * use cases for a generic grid * this work contains some of the ESP-GRID project output, plus many references to other good work. See also [http://users.ox.ac.uk/~markn/GridUseCases/ Grid Use Cases] for the documents produced for and after the Focus Group Meeting. === Definitions for documents === DefinitionsPage {{{ * Nice definitions of grid, grid computing etc. that others have used. Scope or Include notes for phrases such as AAA etc. It is low on content! |
| Line 13: | Line 43: |
== Grid AAA requirements (authentication authorisation and accounting, and auditing) described under: == === Authentication AuthN === Include Note identity, anonymity, pseudonimity (secure anonymous communication), credential lifespan and renewal (short-term credentials), assurance levels (SEE ALSO Operational Characteristics), revocation, policies, documentation, usability, trust (SEE ALSO Operational Characteristics) and responsibility, secure roaming Insert definition here and requirements follow... === Authorisation AuthZ === Include Note identity, grouping users/roles, authorisation levels, revocation, attributes, policies, 'transparency', privacy, logging, credentials, fault tolerance, delegation, XXXXmore... Insert definition here and requirements follow... === Accounting === Include Note accurate billing and metering, (operational costs, service levels), monitoring or logging, resource and end entity - secure logging, scheduling and resource management. SEE ALSO Grid Auditing Insert definition here and requirements follow... === Auditing === Include Note 'Accounting as a security component', monitoring or secure logging (resource access decisions, policies, policy changes, resource implication of policies), audit logs, intrusion detection, forensics, diagnostics, audit trail (AuthN and AuthZ). SEE ALSO GridAccounting Insert definition here and requirements follow... == Grid protection of data requirements described under: == Include Note . === Privacy === Include Note use of data, (supported by confidentiality mechanisms including AuthZ), significant for health data etc. Definition and requirements follow... === Confidentiality === Include Note supported by access control within systems and encryption between and within systems, signalling policies, supports privacy, protects sensitive data Definition and requirements follow... === Integrity === Include Note provenance (i.e. maintaining integrity of chains/groups of related data), message integrity Definition and requirements follow... === Digital rights management (DRM) === Include Note XXXX Definition and requirements follow... == Grid operational characteristics described under:== Include Note . === Trust === Include Note between collaborative organisations, policy framework, infrastructure Definition and requirements follow... === Performance and scalability === Include Note delegation(policies and trust frameworks, virtual grids) Definition and requirements follow... == Manageability incl. architectural components == Include Note policies, identity management, intrusion detection, anti-virus (i.e. architectural components - others include platform security, system level security design, firewall traversal). Definition and requirements follow... === Interoperability === Include Note between grid environments, policies Definition and requirements follow... === Assurance === Include Note (is this the same as we understand?), security assurance level Definition and requirements follow... described under: == Other Requirements == Additional requirements which need a better home include: . === Single log-on === Include Note delegate an entity's rights subject to policy Defintion and requirements follow... === Policy exchange === Include Note establish a negotiated security context Defintion and requirements follow... |
A final Requirements Document
This page offers a guide to what work ESP-GRID has done on requirements for access control for grids. (-- AlunEdwards DateTime(2006-04-11T08:48:11Z))
AE: moved sections 2.5-7 to DefinitionsPage. Added notes about Mullen document to the Bibliography entry. Recommend adding definitive list of documents to this page, to assist with version control etc. (-- AlunEdwards [[DateTime(2006-04-11T08:52:32Z)]])
These are the final requirements for Authentication, Authorisation and Accounting on a generic grid as proposed by the ESP-GRID project. They are based heavily upon [wiki:RequirementsBibliography Shawn Mullen et al's] (2004) document on "Grid Authentication, Authorization and Accounting Requirements".
- Other "requirements" documents (including that of Mullen et al.) make an assumption that PKI is being used throughout (client to site/machine, and machine to machine). We wished to take a step back and write down the requirements (for access management and security) without the assumption that 'client to machine' PKI is already employed.
For more detail and justifications of changes made to the original [wiki:RequirementsBibliography Mullen et al.] document, please see RequirementsDocFull. This contains many annotations explaining the difference between the documents.
Requirements gathering for secure access and use of a generic grid
To inform the above work, the project reviewed publications and other work concerning grid UseCases. The 'generic grid', to which this work alludes, is a production grid, with production applications and a set of users with a wide variety of skills and interests. This work attempts to avoid any limitations with current technologies and to think clearly about requirements before considering technology.
Bibliography
- sources and references to articles and papers used in this Requirements gathering exercise
Focus Group
* Notes and reports from the focus group meeting (as yet unprocessed). This meeting was held at the start of this activity, on xxxx.
Use Cases
- use cases for a generic grid
- this work contains some of the ESP-GRID project output, plus many references to other good work.
See also [http://users.ox.ac.uk/~markn/GridUseCases/ Grid Use Cases] for the documents produced for and after the Focus Group Meeting.
Definitions for documents
* Nice definitions of grid, grid computing etc. that others have used. Scope or Include notes for phrases such as AAA etc. It is low on content!