Project notes about Security Research Challenges for e-Science Document published by the UK e-Science Security Task Force (2005)
- The Security Research Challenges for e-Science document (2005) has lots of implied requirements (general expectations). (This document has [End July 05] been published on the NeSC web site).
General Note: Doc. talks about AAA= Authentication, Authorisation and Accounting, but when it gets down to detail, the final A becomes “Auditing”. This is probably deliberate, but could do with highlighting and explaining.
General Note: Doc. is about priority needs for further work, but this implies requirements.
General Note/Requirement: [p3] “Authentication is the establishment and propagation of a user's identity in the system”. This is presented as a definition!
Implied Requirement: Need to support different levels of “trust and responsibility” (and assurance levels).
Implied Requirement: Easy credential management by users (i.e./e.g. transporting their authentication credentials between applications and end-systems).
Implied Requirement: Support for Secure Roaming [overlaps with the above, really].
Implied Requirement: Management of authorisation policies and their distribution
Implied Requirement: Authorisation policies must allow for dynamic or short-term groups of users.
Implied Requirement: Need flexible dynamic delegation policies.
General Note/Requirement: [p4] “Many e-Science and e-Health applications require fine grained access controls, perhaps administered through a number of different policy authorities and distributed decision points.
Implied Requirement: Privacy requirement for some applications during the authorisation process.
Implied Requirement: Auditing: need to be able to generate complete diagnostic trails.
Implied Requirement: Re. above – need to “allow some types of record (e.g. user accountability information) to be obtained securely from other parts of the system and interpreted in a common framework.
Implied Requirement: (Some applications) – Privacy of the data subject.
Implied Requirement: (Some applications) Confidentiality of data (i.e. who can access data at all).
Implied Requirement: Signalling of need for (a) privacy and (b) confidentiality when data are passed between systems.
Implied Requirement: Provenance of data (“maintaining the integrity of chains or groups of related data”) whilst in transit and in storage.
General Note: Trust relationships between organisations are needed for: standards for identifying and managing users, agreements about payments or other boundary settlements, limitations of use etc.
Implied Requirement: Policies and parameters that control security (both inside and outside the system) must be able to be changed flexibly and easily.
Implied Requirement: Mechanisms are required for the agreement and setting of assurance levels for a particular security policy or function. These are needed in both directions (i.e. user to SP and SP to user).