Difference between revisions of "Security Needs for Cross-Organizational Services"
From Earth Science Information Partners (ESIP)
(New page: Many projects are making use of Web Services to access, or provide access to, critical data. To date, most of us seem to have relied on 'security through obscurity' to protect our systems ...) |
|||
| (6 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | Many projects are making use of Web Services to access, or provide access to, critical data. To date, most of us seem to have relied on 'security through obscurity' to protect our systems from unauthorized access and | + | Many projects are making use of Web Services to access, or provide access to, critical data. To date, most of us seem to have relied on 'security through obscurity' to protect our systems from unauthorized access and ab |
| + | use. As service-based approaches become increasingly prevalent, we need to think more carefully about how we are going to manage some of the common security challenges, such as authentication and authorization, particularly where those services are being made available across organizational boundaries. This session will be an open discussion to explore some of the challenges, needs, and possible solutions. | ||
Some suggested ideas that we may want to explore include: (feel free to add or amend) | Some suggested ideas that we may want to explore include: (feel free to add or amend) | ||
| Line 7: | Line 8: | ||
* What are some typical use cases? | * What are some typical use cases? | ||
* What security approaches have people tried so far? And how well did they work? | * What security approaches have people tried so far? And how well did they work? | ||
| − | + | * What about RESTful services? | |
| − | |||
| − | |||
Steve Olding | Steve Olding | ||
GSFC, Technology Infusion Working Group | GSFC, Technology Infusion Working Group | ||
| + | |||
| + | Some useful links: | ||
| + | * OMB - [http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf OMB M-04-04 E-Authentication Guidance for Federal Agencies] (pdf) | ||
| + | * NIST - [http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf SP 800-63 Electronic Authentication Guideline] (pdf) | ||
| + | * GSA - [http://cio.gov/eauthentication/TechSuite.htm The E-Authentication Technical Architecture] - links to various relevant documents | ||
| + | * [http://www.cio.gov/eauthentication/ E-Authentication] | ||
| + | * [http://www.idmanagement.gov/ IDManagement.gov] | ||
| + | * [http://shibboleth.internet2.edu/about.html Shibboleth] | ||
| + | * [http://www.incommonfederation.org/ InCommon] | ||
| + | * [http://www.incommonfederation.org/participants/ Current InCommon Participants] | ||
| + | * JISC - [http://www.jisc.ac.uk/whatwedo/programmes/einfrastructure/reviewofopenid.aspx Review of OpenID] | ||
| + | * JISC - [http://www.jisc.ac.uk/media/documents/programmes/einfrastructure/openid-finalreport-v1.0.pdf OpenID Final Report] (pdf) | ||
Latest revision as of 16:08, July 13, 2009
Many projects are making use of Web Services to access, or provide access to, critical data. To date, most of us seem to have relied on 'security through obscurity' to protect our systems from unauthorized access and ab use. As service-based approaches become increasingly prevalent, we need to think more carefully about how we are going to manage some of the common security challenges, such as authentication and authorization, particularly where those services are being made available across organizational boundaries. This session will be an open discussion to explore some of the challenges, needs, and possible solutions.
Some suggested ideas that we may want to explore include: (feel free to add or amend)
- What are the security requirements when accessing services across organizational boundaries?
- How do we coordinate the security policy across different organizations?
- Are there any service security challenges that are specific to the Earth science community?
- What are some typical use cases?
- What security approaches have people tried so far? And how well did they work?
- What about RESTful services?
Steve Olding
GSFC, Technology Infusion Working Group
Some useful links:
- OMB - OMB M-04-04 E-Authentication Guidance for Federal Agencies (pdf)
- NIST - SP 800-63 Electronic Authentication Guideline (pdf)
- GSA - The E-Authentication Technical Architecture - links to various relevant documents
- E-Authentication
- IDManagement.gov
- Shibboleth
- InCommon
- Current InCommon Participants
- JISC - Review of OpenID
- JISC - OpenID Final Report (pdf)
