T. Doherty

Advanced Security for Virtual Organizations: The Pros and Cons of Centralized vs Decentralized Security Models

Grids allow for collaborative e-Research to be undertaken, often across institutional and national boundaries. Typically this is through the establishment of virtual organizations (VOs) where policies on access and usage of resources across partner sites are defined and subsequently enforced. For many VOs, these agreements have been lightweight and erred on the side of flexibility with minimal constraints on the kinds of jobs a user is allowed to run or the amount of resources that can be consumed. For many new domains such as e-Health, such flexibility is simply not tenable. Instead, precise definitions of what jobs can be run, and what data can be accessed by who need to be defined and enforced by sites. The role based access control model (KBAC) provides a well researched paradigm for controlling access to large scale dynamic VOs. However, the standard RBAC model assumes a single domain with centralised role management. When RBAC is applied to VOs, it does not specify how or where roles should be defined or made known to the distributed resource sites (who are always deemed to be autonomous to make access control decisions). Two main possibilities exist based on either a centralized or decentralized approach to VO role management. We present the advantages and disadvantages of the centralized and decentralized role models and describe how we have implemented them in a range of security focused e-Research domains at the National e-Science Centre (NeSC) at the University of Glasgow.

The ATLAS metadata interface

AMI was chosen as the ATLAS dataset selection interface in July 2006. It is the main interface for searching for ATLAS data using physics metadata criteria. AMI has been implemented as a generic database management framework which allows parallel searching over many catalogues, which may have differing schema. The main features of the web interface will be described; in particular the powerful graphic query builder. The use of XML/XLST technology ensures that all commands can be used either on the web or from a command line interface via a web service. We also describe the overall architecture of ATLAS metadata and the different actors and granularity involved, and the place of AMI within this architecture. We discuss the problems involved in the correlation of metadata of differing granularity, and propose a solution for information mediation.

Towards a Virtual Research Environment for Language and Literature Researchers

Language and literature researchers use variety of data resources in order to conduct their day-to-day research. Such resources include dictionaries, thesauri, corpora, images, audio and video collections. These resources are typically distributed, and comprise non-interoperable repositories of data that are often license protected. In this context, researchers conduct their research through direct access to individual resources. This form of research is non-scalable, time consuming and often frustrating to the researchers. The JISC funded project Enhancing Repositories for Language and Literature Researchers (ENROLLER, http://www.gla.ac.uk/enroller/) aims to address by provision of an interactive, research infrastructure providing seamless access to major language and literature repositories. This paper describes this infrastructure and the services that have been developed to overcome the issues in access and use of digital resources in humanities. In particular, we describe how high performance computing facilities including the UK e-Science National Grid Service (NGS, http://www.ngs.ac.uk) have been exploited to support advanced, bulk search capabilities, implemented using Google’s MapReduce algorithm. We also describe our experiences in the use of the resource brokering Workload Management System (WMS) and the Virtual Organization Membership Service (VOMS) solutions in this space. Finally we outline the experiences from the arts and humanities community on the usage of this infrastructure.

Tool Support for Security-Oriented Virtual Research Collaborations

Collaboration is at the heart of e-Science and e-Research more generally. Successful collaborations must address both the needs of the end user researchers and the providers that make resources available. Usability and security are two fundamental requirements that are demanded by many collaborations and both concerns must be considered from both the researcher and resource provider perspective. In this paper we outline tools and methods developed at the National e-Science Centre (NeSC) that provide users with seamless, secure access to distributed resources through security-oriented research environments, whilst also allowing resource providers to define and enforce their own local access and usage policies through intuitive user interfaces. We describe these tools and illustrate their application in the ESRC-funded Data Management through e-Social Science (DAMES) and the JISC-funded SeeGEO projects

e-Infrastructures supporting research into depression, self-harm and suicide.

The Economic and Social Research Council (ESRC)-funded Data Management through e-Social Sciences (DAMES) project is investigating, as one of its four research themes, how research into depression, self-harm and suicide may be enhanced through the adoption of e-Science infrastructures and techniques. In this paper, we explore the challenges in supporting such research infrastructures and describe the distributed and heterogeneous datasets that need to be provisioned to support such research. We describe and demonstrate the application of an advanced user and security-driven infrastructure that has been developed specifically to meet these challenges in an on-going study into depression, self-harm and suicide.

Broadwick: a framework for computational epidemiology

BackgroundModelling disease outbreaks often involves integrating the wealth of data that are gathered during modern outbreaks into complex mathematical or computational models of transmission. Incorporating these data into simple compartmental epidemiological models is often challenging, requiring the use of more complex but also more efficient computational models. In this paper we introduce a new framework that allows for a more systematic and user-friendly way of building and running epidemiological models that efficiently handles disease data and reduces much of the boilerplate code that usually associated to these models. We introduce the framework by developing an SIR model on a simple network as an example.ResultsWe develop Broadwick, a modular, object-oriented epidemiological framework that efficiently handles large epidemiological datasets and provides packages for stochastic simulations, parameter inference using Approximate Bayesian Computation (ABC) and Markov Chain Monte Carlo (MCMC) methods. Each algorithm used is fully customisable with sensible defaults that are easily overridden by custom algorithms as required.ConclusionBroadwick is an epidemiological modelling framework developed to increase the productivity of researchers by providing a common framework with which to develop and share complex models. It will appeal to research team leaders as it allows for models to be created prior to a disease outbreak and has the ability to handle large datasets commonly found in epidemiological modelling.

Integrating Security Solutions to Support nanoCMOS Electronics Research

The UK Engineering and Physical Sciences Research Council (EPSRC) funded project ¿Meeting the Design Challenges of nanoCMOS Electronics¿ (nanoCMOS) is developing a research infrastructure for collaborative electronics research across multiple institutions in the UK with especially strong industrial and commercial involvement. Unlike other domains, the electronics industry is driven by the necessity of protecting the intellectual property of the data, designs and software associated with next generation electronics devices and therefore requires fine-grained security. Similarly, the project also demands seamless access to large scale high performance compute resources for atomic scale device simulations and the capability to manage the hundreds of thousands of files and the metadata associated with these simulations. Within this context, the project has explored a wide range of authentication and authorization infrastructures facilitating compute resource access and providing fine-grained security over numerous distributed file stores and files. We conclude that no single security solution meets the needs of the project. This paper describes the experiences of applying X.509-based certificates and public key infrastructures, VOMS, PERMIS, Kerberos and the Internet2 Shibboleth technologies for nanoCMOS security. We outline how we are integrating these solutions to provide a complete end-to-end security framework meeting the demands of the nanoCMOS electronics domain.

Supporting Security-Oriented, Collaborative nanoCMOS Electronics Research

Grid technologies support collaborative e-Research typified by multiple institutions and resources seamlessly shared to tackle common research problems. The rules for collaboration and resource sharing are commonly achieved through establishment and management of virtual organizations (VOs) where policies on access and usage of resources by collaborators are defined and enforced by sites involved in the collaboration. The expression and enforcement of these rules is made through access control systems where roles/privileges are defined and associated with individuals as digitally signed attribute certificates which collaborating sites then use to authorizeaccess to resources. Key to this approach is that the roles are assigned to the right individuals in the VO; the attribute certificates are only presented to the appropriate resources in the VO; it is transparent to the end user researchers, and finally that it is manageable for resource providers and administrators in the collaboration. In this paper, we present a security model and implementation improving the overall usability and security of resources used in Grid-based e-Research collaborations through exploitation of the Internet2 Shibboleth technology. This is explored in the context of a major new security focused project at the National e-Science Centre (NeSC) at the University of Glasgow in the nanoCMOS electronics domain.

Manipulation of contact network structure and the impact on foot-and-mouth disease transmission

The movements of livestock between premises and markets can be characterised as a dynamic network where the structure of the network itself can critically impact the transmission dynamics of many infectious diseases. As evidenced by the 2001 foot-and-mouth disease (FMD) epidemic in the UK, this can involve transmission over large geographical distances and can result in major economic loss. One consequence of the FMD epidemic was the introduction of mandatory livestock movement restrictions: a 13-day standstill in Scotland for cattle and sheep after moving livestock onto a farm (allowing many exemptions) and a 6-day standstill for cattle and sheep in England and Wales (with minor exemptions, e.g. direct movements to slaughter). Such standstills are known to be effective but commercial considerations result in pressures to relax them. When contemplating legislative changes such as a change in length of movement restrictions we need to consider the consequent effect these could have on the emergent properties of the system, i.e. the network structure itself. In this study, we investigate how disease dynamics change when the local contact structure of the recorded livestock movement network in Scotland is altered through rewiring movements between premises. The network rewiring used here changes the structure of the recorded trade network through a combination of altered movement restrictions and redirection of movements between holdings and markets to avoid nonsensical activity (e.g. movements to markets on days when they are inactive) while conserving other characteristics (e.g. movement date as closely as possible and market sales of the correct animal production type). Rewiring results in networks with higher clustering coefficients and lower network density. The impact of rewiring on a hypothetical foot-and-mouth disease outbreak in Scotland was assessed by stochastic simulation, considering scenarios with and without exemptions to the standstill rules. As expected, rewiring leads to a decrease in outbreak size and - if standstill exemptions are prohibited - higher probability of smaller outbreaks. Without exemptions, a shorter movement standstill is almost as effective as a longer standstill period, indicating that a simpler biosecurity system would offer minimal additional risk for FMD. These results suggest that explicitly manipulating the contact network structure in a sensible way has the potential to significantly impact disease control.

Taking the C out of CVMFS

The Cern Virtual Machine File System is most well known as a distribution mechanism for the WLCG VOs@@ experiment software; as a result, almost all the existing expertise is in installing clients mount the central Cern repositories. We report the results of an initial experiment in using the cvmfs server packages to provide Glasgow-based repository aimed at software provisioning for small UK-local VOs. In general, although the documentation is sparse, server configuration is reasonably easy, with some experimentation. We discuss the advantages of local CVMFS repositories for sites, with some examples from our test VOs, vo.optics.ac.uk and neiss.org.uk.