Changes between Version 1 and Version 2 of CompSec-QSR-1Q2012


Ignore:
Timestamp:
03/08/12 14:16:08 (8 years ago)
Author:
Adam Slagell
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • CompSec-QSR-1Q2012

    v1 v2  
    3131=== A. Activities and findings ===
    3232
    33 The beginning of this period was spent digesting the comments from the clearinghouse panel and working with Jeff Chase on consensus towards the many concepts presented in it. It took a bit of time for everyone to agree that the concepts in the clearinghouse could be supported by the architecture and proposed ABAC logic. The clearinghouse document underwent one major revision, and two minor ones to reflect the changes in terminology that developed. Version 0.4.2 is the most current. There are still a few loose ends until a few remaining questions are answered related to whether or not there needs to be a global slice tracker at the clearinghouse and what its requirements are.
     33The beginning of this period was spent digesting the comments from the clearinghouse panel and working with Jeff Chase on consensus towards the many concepts presented at the panel. It took a bit of time for everyone to agree that the concepts in the clearinghouse document could be supported by the architecture and proposed ABAC vocabulary. The clearinghouse document underwent one major revision, and two minor ones to reflect the changes in terminology that developed during this time (Version 0.4.2 is the most current). There are still a few loose ends until remaining questions are answered related to whether or not there needs to be a global slice tracker at the clearinghouse and what its requirements are.
    3434
    35 I participated in the reviews of the GENI racks and commented on their design documents. I focused on issues that could affect the ability to adhere to existing agreements and policies as well as provided a high-level sanity check on security design issues. After many back and forth discussions on email and phone calls, I made several recommendations to each team. I don't think either will have problems meeting requirements for attribution or such as stated in existing documents I have written, both draft and approved.
     35I participated in the reviews of the GENI racks and commented on their design documents. I focused on issues that could affect the ability to adhere to existing agreements and policies as well as provided a high-level sanity check on security design issues. After many back and forth discussions on email and phone calls, I made several recommendations to each team. I don't think either team will have problems meeting requirements for attribution or such as stated in existing documents I have written, both draft and approved.
    3636
    37 I reviewed existing documents for changes after altering the clearinghouse document, but I found no changes needed currently. I did identify the need for several new agreements in the near future. Most immediately I think we need a project leader agreement and Acceptable Use Policy for experimenters. I have noted what is needed in these in the existing clearinghouse document. Next, I believe a federation charter is needed for establishing governance, and this is a prerequisite for any changes to the incident response plan. Finally, agreements should be established with identity portals and slice authorities as they have several responsibilities alluded to in the clearinghouse document.
     37I reviewed existing documents for changes after altering the clearinghouse document, but I found no changes needed currently. I did identify the need for several new agreements in the near future. Most immediately I think GENI needs a project leader agreement and an acceptable use policy for experimenters. I have noted what is needed in these in the existing clearinghouse document. Next, I believe a federation charter is needed for establishing governance, and this is a prerequisite for implementation of the incident response plan. Finally, agreements should be established with identity portals and slice authorities as they have several responsibilities alluded to in the clearinghouse document.
    3838
    39 I participated in several discussions with regards to authentication and authorization with the goal of (1) making sure that what is proposed in the clearinghouse document can be realized, and (2) informing myself to make a recommendation regarding adoption of ABAC. Regarding the latter, I found ABAC to be an elegant solution to many of the problems of realizing the clearinghouse policy and other agreements and would recommend its use given two caveats. First, there should be default policies that could be used by most aggregates out of the box. Second, complexity should be abstracted away with good tools. I know that ISI has been working on GUI tools for the aggregate operators, but I have not evaluated these. But at no point should learning RT 2 be a prerequisite for running an experiment or configuring a standard aggregate in my opinion.
     39I participated in several discussions with regards to authentication and authorization with the goal of (1) making sure that what is proposed in the clearinghouse document can be realized, and (2) informing myself to make a recommendation regarding adoption of ABAC. Regarding the latter, I found ABAC to be an elegant solution to many of the problems of realizing the clearinghouse policy and other agreements and would recommend its use given two caveats. First, there should be default policies that could be used by most aggregates out of the box. Second, complexity should be abstracted away with good tools. I know that ISI has been working on GUI tools for the aggregate operators, but I have not evaluated these. At no point should learning RT 2 be a prerequisite for running an experiment or configuring a standard aggregate in my opinion.
    4040
    41 I also spent a bit of time digging into the potential privacy issues related to data collected from aggregates. I think I laid some of the foundation for developing a more formal policy and laid out the issues for the GPO. Of particular concern to me is the privacy of opt-in users, and I recommend that GENI push that responsibility off on to the experimenters. That can be spelled out in a future AUP.
     41I also spent a bit of time digging into the potential privacy issues related to data collected from aggregates. I think I laid some of the foundation for developing a more formal policy and laid out the issues for the GPO. Of particular concern to me is the privacy of opt-in users, and I recommend that GENI push that responsibility off to the experimenters. That can be spelled out in a future AUP.
    4242
    4343Finally, I continued in my role as the GENI LLR representative.
     
    5050
    5151=== D. Outreach activities ===
    52 There have no been substantial out reach activities beyond those already within the GENI community. Intra-GENI communication has been on the ABAC and Dev email lists, the monitoring calls and the exoGENI and instaGENI reviews.
     52There have no been substantial out reach activities beyond those already within the GENI community. Intra-GENI communication has been on the ABAC and Dev email lists, the monitoring calls, and the exoGENI and instaGENI reviews.
    5353
    5454=== E. Collaborations ===