
Security in Virtual Organizations

Security in Virtual Organizations. Facilitators: Jim Basney, Senior Research Scientist, NCSA, University of Illinois at Urbana-Champaign; Margaret Murray, Net/Sec Research Associate, TACC, University of Texas at Austin.





Presentation Transcript


  1. Security in Virtual Organizations. Facilitators: Jim Basney, Senior Research Scientist, NCSA, University of Illinois at Urbana-Champaign; Margaret Murray, Net/Sec Research Associate, TACC, University of Texas at Austin

  2. Session Overview
     • The session had 21 attendees representing TeraGrid, Open Science Grid, Ocean Observatory Initiative, TIGRE (TX), SURAGrid, LIGO, Virtual Astronomical Observatory, Earth Science Researchers (CO, WY), NEES, Savannah River Basin Project, National Parks Grid, IRNC Pacific Wave, OGF, Unidata, DOE Earth Systems Grid, CAMERA, LSST, Ice Cube, and EVO.

  3. Observations
     • NSF's Virtual Organizations as Sociotechnical Systems (VOSS) program (http://www.nsf.gov/pubs/2008/nsf08550/nsf08550.htm) addresses an important need and includes a useful working definition of Virtual Organizations:
     • A virtual organization is a group of individuals whose members and resources may be dispersed geographically, but who function as a coherent unit through the use of cyberinfrastructure.
     • From this definition follows one of the challenges of VOs: crossing existing organizational boundaries.

  4. Observations
     • The Jan 08 Building Effective Virtual Organization (BEVO) workshop (http://www.ci.uchicago.edu/events/VirtOrg2008/), hosted by NSF OCI, included productive discussions about the social aspects of managing VO projects, but appears to have gotten side-tracked by comparisons of specific collaboration technologies.
     • We discussed differences in attitudes about security practices among different generations. Younger VO participants seem more willing to share information and accept new security mechanisms than more senior participants.

  5. Observations
     • We often hear questions like, "Why is it easier to get access to my mortgage online than it is to access VO services?" This is an ongoing challenge for VOs. VO users sometimes feel the level of security is not appropriate, and we need to address this either by education and persuasion or by changes to our security mechanisms as needed.
     • If everyone in the VO agrees on the level of tolerance for risk, it is easier to accept security controls. Try to gain consensus on what the consequences would be in case of a problem. If data or an account is compromised, what is the fall-out?

  6. Observations
     • The distributed nature of a VO means that there is a natural separation of authentication and authorization. AuthN is naturally rooted in a face-to-face interaction with a person. AuthZ is naturally rooted in the management of a resource, so it must be taken care of by the managers of a resource.
     • We observe a shift in focus from securing computer systems to securing data. In many cases, data are the more valuable resources. Educating VO members about the consequences of data compromise can motivate interest in security mechanisms.
     • Virtual Organizations may overlap, and this creates challenges for security policy. Often the system administrator has no control over a particular user or site, and must 'refer' to the organization that does have control.

  7. Recommendations for VOs
     • Steve Bellovin's "newspeak" paradigm, which he presented Wednesday morning, is a good model to follow in the design of VO systems. Use clearly defined interfaces between applications and services. Foster good and limit bad security practices and outcomes.
     • Conduct regular meetings of VO participants for socialization and trust building, from weekly meetings among small groups to annual "all hands" meetings for large groups. These meetings are good opportunities to reevaluate policies and technology choices.

  8. Recommendations for VOs
     • Choose appropriate levels of assurance (LOA) based on risk assessment. Match controls to identified risks.
     • Leverage existing trust networks and hierarchies for identity and membership vetting (for certificate issuance and management of VO membership).
     • Face-to-face identity proofing can occur by leveraging a distributed network of trusted "registration authorities" (RAs). Delegate responsibilities to PIs for managing research group members. Look for natural consequences. The closer the consequence is to the user, the more likely that security mechanism is to be successful.

  9. Recommendations for VOs
     • We recommend that VOs use applicable regulatory and standards documents. Use standard techniques/technologies. Don't reinvent the wheel. See http://www.educause.edu/security.
     • Make security mechanisms "as simple as possible, but no simpler." Make security mechanisms as flexible as possible so administrators can choose appropriate mechanisms.
     • Don't "over-secure" the VO -- it will drive away the users or cause them to circumvent the security mechanisms.
