Security Needs for Cross-Organizational Services
Many projects are making use of Web Services to access, or provide access to, critical data. To date, most of us seem to have relied on 'security through obscurity' to protect our systems from unauthorized access and abuse, which offers no real protection once a service endpoint is discovered. As service-based approaches become increasingly prevalent, we need to think more carefully about how we are going to manage some of the common security challenges, such as authentication (establishing who is calling) and authorization (deciding what they may do), particularly where those services are being made available across organizational boundaries, where no single identity store or policy authority exists. This session will be an open discussion to explore some of the challenges, needs, and possible solutions.
Some suggested ideas that we may want to explore include: (feel free to add or amend)
- What are the security requirements when accessing services across organizational boundaries?
- How do we coordinate the security policy across different organizations?
- Are there any service security challenges that are specific to the Earth science community?
- What are some typical use cases?
- What security approaches have people tried so far? And how well did they work?
- What about RESTful services?
Steve Olding GSFC, Technology Infusion Working Group
Some useful links:
- OMB - OMB M-04-04 E-Authentication Guidance for Federal Agencies (pdf)
- NIST - SP 800-63 Electronic Authentication Guideline (pdf)
- GSA - The E-Authentication Technical Architecture - links to various relevant documents
- Current InCommon Participants
- JISC - Review of OpenID
- JISC - OpenID Final Report (pdf)