Semantic security: specification and enforcement of semantic policies for security-driven collaborations

Collaborative research can often have demands on finer-grained security that go beyond the authentication-only paradigm as typified by many e-Infrastructure/Grid based solutions. Supporting finer-grained access control is often essential for domains where the specification and subsequent enforcement of authorization policies is needed. The clinical domain is one area in particular where this is so. However it is the case that existing security authorization solutions are fragile, inflexible and difficult to establish and maintain. As a result they often do not meet the needs of real world collaborations where robustness and flexibility of policy specification and enforcement, and ease of maintenance are essential. In this paper we present results of the JISC funded Advanced Grid Authorisation through Semantic Technologies (AGAST) project (www.nesc.ac.uk/hub/projects/agast) and show how semantic-based approaches to security policy specification and enforcement can address many of the limitations with existing security solutions. These are demonstrated into the clinical trials domain through the MRC funded Virtual Organisations for Trials and Epidemiological Studies (VOTES) project (www.nesc.ac.uk/hub/projects/votes) and the epidemiological domain through the JISC funded SeeGEO project (www.nesc.ac.uk/hub/projects/seegeo)

Security oriented e-infrastructures supporting neurological research and clinical trials

The neurological and wider clinical domains stand to gain greatly from the vision of the grid in providing seamless yet secure access to distributed, heterogeneous computational resources and data sets. Whilst a wealth of clinical data exists within local, regional and national healthcare boundaries, access to and usage of these data sets demands that fine grained security is supported and subsequently enforced. This paper explores the security challenges of the e-health domain, focusing in particular on authorization. The context of these explorations is the MRC funded VOTES (Virtual Organisations for Trials and Epidemiological Studies) and the JISC funded GLASS (Glasgow early adoption of Shibboleth project) which are developing Grid infrastructures for clinical trials with case studies in the brain trauma domain

Shibboleth-based access to and usage of grid resources

Security underpins grids and e-research. Without a robust, reliable and simple grid security infrastructure combined with commonly accepted security practices, large portions of the research community and wider industry will not engage. The predominant way in which security is currently addressed in the grid community is through public key infrastructures (PKI) based upon X.509 certificates to support authentication. Whilst PKIs address user identity issues, authentication does not provide fine grained control over what users are allowed to do on remote resources (authorization). In this paper we outline how we have successfully combined Shibboleth and advanced authorization technologies to provide simplified (from the user perspective) but fine grained security for access to and usage of grid resources. We demonstrate this approach through different security focused e-science projects being conducted at the National e-Science Centre (NeSC) at the University of Glasgow. We believe that this model is widely applicable and encourage the further uptake of e-science by non-IT specialists in the research communitie

Electronic Employment Eligibility Verification

[Excerpt] Unauthorized immigration and unauthorized employment continue to be key issues in the ongoing debate over immigration policy. Today’s discussions about these issues build on the work of prior Congresses. In 1986, following many years of debate about unauthorized immigration to the United States, Congress passed the Immigration Reform and Control Act (IRCA). This law sought to address unauthorized immigration, in part, by requiring all employers to examine documents presented by new hires to verify identity and work authorization and to complete and retain employment eligibility verification (I 9) forms. Ten years later, in the face of a growing unauthorized population, Congress attempted to strengthen the employment verification process by establishing pilot programs for electronic verification, as part of the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (IIRIRA). The Basic Pilot program (known today as E Verify), the first of the three IIRIRA employment verification pilots to be implemented and the only one still in operation, began in November 1997. Originally scheduled to terminate in November 2001, it has been extended several times. It is currently authorized until September 30, 2018, in accordance with the Consolidated Appropriations Act, 2018 (P.L. 115 141). E Verify is administered by the Department of Homeland Security’s (DHS’s) U.S. Citizenship and Immigration Services (USCIS). As of April 2, 2018, there were 779,722 employers enrolled in E Verify, representing more than 2.5 million hiring sites. E Verify is a largely voluntary program, but there are some mandatory participation requirements. Among them is a rule, which became effective in 2009, requiring certain federal contracts to contain a new clause committing contractors to use E Verify. Under E Verify, participating employers enter information about their new hires (name, date of birth, Social Security number, immigration/citizenship status, and alien number, if applicable) into an online system. This information is automatically compared with information in Social Security Administration and, if necessary, DHS databases to verify identity and employment eligibility. Legislation on electronic employment eligibility verification has been considered in recent Congresses. In weighing proposals on electronic employment verification, Congress may find it useful to evaluate them in terms of their potential impact on a set of related issues: unauthorized employment; verification system accuracy, efficiency, and capacity; discrimination; employer compliance; privacy; and verification system usability and employer burden

Electronic Employment Eligibility Verification

[Excerpt] The policy issues discussed here may be especially important to consider in the context of proposals to require most or all employers to participate in E-Verify or another electronic employment eligibility verification system. A mandatory system could arguably make it possible to identify many more unauthorized workers. At the same time, under such a system, any inaccuracies, inefficiencies, or privacy breaches that occurred could affect much larger numbers of employees and employers. Employer compliance under a mandatory system would seem to be a salient issue, especially since it has direct implications for other issues, notably discrimination. Employer burden may be another important consideration. It may be that a mandatory system would require new strategies to address these issues

Towards a virtual research environment for paediatric endocrinology across Europe

Paediatric endocrinology is a medical specialty dealing with variations of physical growth and sexual development in childhood. Genetic anomalies that can cause disorders of sexual development in children are rare. Given this, sharing and collaboration on the small number of cases that occur is needed by clinical experts in the field. The EU-funded EuroDSD project (www.eurodsd.eu) is one such collaboration involving clinical centres and clinical and genetic experts across Europe. Through the establishment of a virtual research environment (VRE) supporting sharing of data and a variety of clinical and bioinformatics analysis tools, EuroDSD aims to provide a research infrastructure for research into disorders of sex development. Security, ethics and information governance are at the heart of this infrastructure. This paper describes the infrastructure that is being built and the inherent challenges in security, availability and dependability that must be overcome for the enterprise to succeed

Supporting security-oriented, collaborative nanoCMOS electronics research

Grid technologies support collaborative e-Research typified by multiple institutions and resources seamlessly shared to tackle common research problems. The rules for collaboration and resource sharing are commonly achieved through establishment and management of virtual organizations (VOs) where policies on access and usage of resources by collaborators are defined and enforced by sites involved in the collaboration. The expression and enforcement of these rules is made through access control systems where roles/privileges are defined and associated with individuals as digitally signed attribute certificates which collaborating sites then use to authorize access to resources. Key to this approach is that the roles are assigned to the right individuals in the VO; the attribute certificates are only presented to the appropriate resources in the VO; it is transparent to the end user researchers, and finally that it is manageable for resource providers and administrators in the collaboration. In this paper, we present a security model and implementation improving the overall usability and security of resources used in Grid-based e-Research collaborations through exploitation of the Internet2 Shibboleth technology. This is explored in the context of a major new security focused project at the National e-Science Centre (NeSC) at the University of Glasgow in the nanoCMOS electronics domain

Broadening the Scope of Security Usability from the Individual to the Organizational : Participation and Interaction for Effective, Efficient, and Agile Authorization

Restrictions and permissions in information systems -- Authorization -- can cause problems for those interacting with the systems. Often, the problems materialize as an interference with the primary tasks, for example, when restrictions prevent the efficient completing of work and cause frustration. Conversely, the effectiveness can also be impacted when staff is forced to circumvent the measure to complete work -- typically sharing passwords among each other. This is the perspective of functional staff and the organization. There are further perspectives involved in the administration and development of the authorization measure. For instance, functional staff need to interact with policy makers who decide on the granting of additional permissions, and policy makers, in turn, interact with policy authors who actually implement changes. This thesis analyzes the diverse contexts in which authorization occurs, and systematically examines the problems that surround the different perspectives on authorization in organizational settings. Based on prior research and original research in secure agile development, eight principles to address the authorization problems are identified and explored through practical artifacts

A Careful Design for a Tool to Detect Child Pornography in P2P Networks

This paper addresses the social problem of child pornography on peer-to-peer (P2P) networks on the Internet and presents an automated system with effective computer and telematic tools for seeking out and identifying data exchanges with pedophilic content on the Internet. The paper analyzes the social and legal context in which the system must operate and describes the processes by which the system respects the rights of the persons investigated and prevents these tools from being used to establish processes of surveillance and attacks on the privacy of Internet users