OII Seminar "User Experiences with Security in e-Science Grids: Lessons and Opportunities"

M. Angela Sasse and Brock Craft (UCL)

Alun and Mark attended (these are Mark's notes).

Overview of existing security issues in e-Science

Some security factors highly germane to e-Science:

Previous work

Ivan Flechais PhD

Many stakeholders

Pressure to deliver functionality -> lack of motivation to consider security

Lack of communication between stakeholders

"High level of complexity and low level of knowledge leads to avoidance of issue".

Angela gave examples of where people may be sharing across VOs (even across continents) until the local computing service heard what they were doing and pointed out that they were breaking the conditions of use. Some projects then set up their computing resources outside the university to get around this.

People use security terms in a 'name dropping' kind of way to hide behind the technology. It has been found that the people who use the terms 'Firewall', 'Globus', 'X.509 Certificate' etc. didn't really understand the technology (another way of avoiding the issue).

"Security as a non-functional requirement"!!

Value-based design

Description of the e-Science survey

Brock Craft

Data collection

Personal interviews

Focus groups

Observation of e-Science project planning meetings

50 candidates, 34 interviewees.

Many hours of transcript - analysed using Grounded Theory

Results

Groups all had different (overlapping) areas of need, as follows...

The seminar ended with quite a few questions, some centred on PKI and the way that the CA/RA structures work in the UK.

Bill Dutton questioned whether it would ever be possible to build security in from the start of a development project, something which I too struggle with.

Brock and Angela said that, at least, new projects were encouraged to have security work packages outlined in them (which were expected to be delivered upon). And there was more pressure to try to find developers with security knowledge to associate with each project.

Angela and Brock didn't get much chance (due to time) to say much about recommendations and work for the future.


There were references to Angela's and Brock's presentation appearing on a handy web site somewhere, but I'm unable to find it as yet. (-- MarkNorman 2006-05-17 14:15:32)

ESPGRIDwiki: SecurityExperienceMay06 (last edited 2013-05-17 16:26:46 by localhost)