Versions Compared

Old Version 125

changes.mady.by.user David Groep

Saved on

compared with

New Version 126

changes.mady.by.user David Groep

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The AARC Research Collaboration model is both the set of technical guidelines and interfaces in the AARC Blueprint Architecture (BPA) as well as the trust framework that helps research collaboration bridge across domains, sectors, and borders: the guidelines for end-to-end trust across the components for collaboration management, user privacy, identity assurance, and operational security. This Policy Development Kit (PDK) helps new and existing collaborations to build those trust relationships into their AAI and benefit from the combined experience of the infrastructures, collaborations, researchers and research managers, and trust and security engineers to quickly build that trust in our AARC connected world.

Practical steps to getting started with Policies for a Research Collaboration

Policy may appear a daunting or overly complex task if you start on your research collaboration journey, but with eight simple steps you can quickly navigate the policy space and avoid the most common pitfalls. Expand each step to learn the why and how of starting with your trusted collaboration quickly and smoothly:

...

Expand
titlePublish your documents and responsible parties at a suitable location

Why? Presenting policies and practices is one thing, but the AARC Blueprint Architecture also introduced a (chain of) AAI platforms or 'proxies' that augment, translate, or otherwise munge information about users and 'sources of authority'. Both for authentication sources and for service providers, it places intermediates in the chain of trust, and the longer the chain is, the more this trust will be diluted. Transparency through documentation can help retain that trust. And at the same time make it easier for the collaboration to engage with the users regarding the AAI. If identity is not bound to the user but to the user's home organisation (employer, university), the home organisation may be reluctant to make any claims for the authentication, even for trivial ones like name and email address (the 'personalised access' attributes that are foundational for research and scholarship). Or refuse to partake in authentication at all.

Recommendation: publish your policies, but especially your contact information, in a place where users, relying parties, and home organisations can find it. If you chose a DNS-based community name, and you can resolve the domain name to point to a web site, that is a good place to present this information. And if confidentiality is needed, you may have your own AAI to help you! 

Applicable guidance: AARC-G071 (AAOPS)AARC-G083 on notice management, REFEDS Research and Scholarship, REFEDS Personalised Access

Maturing your trusted collaboration policy and good practice

The following diagram summarises the full ecosystem of policies relevant for a research infrastructure. It is intended to be used in two scenarios: 

...

Scroll ImageMap
viewSize800.0
makeResponsivetrue
imgWidth1410.0
imgFilenameP3DK-arrowed-authNSources.drawio.png
areasData{"areas":[{"shapeType":"rect","coords":"713,198,130,60","title":"WISE Baseline AUP guidance","pageRefIndex":0,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1075,200,132,62","title":"WISE Baseline AUP guidance","pageRefIndex":0,"linkTarget":"_blank"},{"shapeType":"rect","coords":"711,285,133,66","title":"Attribute authorities and membership services guidance","pageRefIndex":1,"linkTarget":"_blank"},{"shapeType":"rect","coords":"711,119,130,66","title":"Manage your community members","pageRefIndex":2,"linkTarget":"_blank"},{"shapeType":"rect","coords":"711,370,135,66","title":"Operational Security for your services","pageRefIndex":3,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1072,368,130,71","title":"Security for your services","pageRefIndex":3,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1253,370,130,60","title":"Incident Response collaboration","pageRefIndex":4,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1238,117,133,67","title":"Service Levels and data classification","pageRefIndex":5,"linkTarget":"_blank"},{"shapeType":"rect","coords":"874,287,132,60","title":"Incident response procedure","pageRefIndex":6,"linkTarget":"_blank"},{"shapeType":"rect","coords":"872,375,132,55","title":"Sirtfi trust framework","pageRefIndex":4,"linkTarget":"_blank"},{"shapeType":"rect","coords":"711,451,132,66","title":"Privacy (for collaborations)","pageRefIndex":7,"linkTarget":"_blank"},{"shapeType":"rect","coords":"870,447,135,71","title":"Notice Management presentation (for collaborations)","pageRefIndex":8,"linkTarget":"_blank"},{"shapeType":"rect","coords":"874,532,128,54","title":"Privacy notice templates","linkTarget":"_blank","externalLink":"/spaces/AARC/pages/1214906505/The+REFEDS+Data+Protection+Code+of+Conduct#TheREFEDSDataProtectionCodeofConduct-Templatesofprivacynotices"},{"shapeType":"rect","coords":"283,198,124,60","title":"WISE AUP Purpose of Collaboration","pageRefIndex":0,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1245,532,133,58","title":"Privacy notice templates","linkTarget":"_blank","externalLink":"/spaces/AARC/pages/1214906505/The+REFEDS+Data+Protection+Code+of+Conduct#TheREFEDSDataProtectionCodeofConduct-Templatesofprivacynotices"},{"shapeType":"rect","coords":"1064,453,139,60","title":"Data Protection code of conduct","pageRefIndex":7,"linkTarget":"_blank"},{"shapeType":"rect","coords":"716,611,132,64","title":"Requirements on Acceptable Assurance","pageRefIndex":9,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1076,610,132,63","title":"Assurance requirements and risk appetite","pageRefIndex":9,"linkTarget":"_blank"},{"shapeType":"rect","coords":"59,111,128,60","title":"Rules of Participation","pageRefIndex":10,"linkTarget":"_blank"},{"shapeType":"rect","coords":"57,203,130,52","title":"Identification of primary assets","pageRefIndex":11,"linkTarget":"_blank"},{"shapeType":"rect","coords":"61,286,128,64","title":"Research Risk Assessment","pageRefIndex":12,"linkTarget":"_blank"},{"shapeType":"rect","coords":"55,368,137,64","title":"Escalation procedure","pageRefIndex":13,"linkTarget":"_blank"},{"shapeType":"rect","coords":"59,451,135,58","title":"Legal and Regulatory Compliance","pageRefIndex":14,"linkTarget":"_blank"},{"shapeType":"rect","coords":"283,454,137,60","title":"Privacy Notice","pageRefIndex":15,"linkTarget":"_blank"},{"shapeType":"rect","coords":"480,451,137,64","title":"REFEDS Data Protection Code of Conduct","pageRefIndex":7,"linkTarget":"_blank"},{"shapeType":"rect","coords":"483,366,137,73","title":"Sirtfi","pageRefIndex":4,"linkTarget":"_blank"},{"shapeType":"rect","coords":"485,285,133,64","title":"Attribute Authority Operational Security","pageRefIndex":1,"linkTarget":"_blank"},{"shapeType":"rect","coords":"485,530,135,64","title":"Institutional AUP and Privacy Notice","pageRefIndex":16,"linkTarget":"_blank"},{"shapeType":"rect","coords":"483,609,133,60","title":"REFEDS Assurance Framework","pageRefIndex":17,"linkTarget":"_blank"},{"shapeType":"rect","coords":"714,526,128,66","title":"Sensitive Data Access policies","pageRefIndex":18,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1068,528,139,60","title":"Data Access Policy Enforcement","pageRefIndex":18,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1246,452,134,62","title":"Notice Management provision","pageRefIndex":19,"linkTarget":"_blank"},{"shapeType":"rect","coords":"1251,283,128,62","title":"Incident Response Procedure","pageRefIndex":6,"linkTarget":"_blank"}]}
pageReferencesWISE AUP-!!!!!-Attribute Authority Operational Security-!!!!!-Membership Management-!!!!!-Security Operational Baseline-!!!!!-SIRTFI-!!!!!-Service Levels and Data Classification (the "IAC" or "CIA" triad)-!!!!!-Incident Response Procedure-!!!!!-The REFEDS Data Protection Code of Conduct-!!!!!-Notice Management (presentation)-!!!!!-Assurance Requirements-!!!!!-Rules of Participation-!!!!!-Identification of Primary Assets-!!!!!-Research Risk Assessment-!!!!!-Escalation Procedure-!!!!!-Legal and Regulatory Compliance-!!!!!-(EEA) Privacy Notice-!!!!!-AUP and Privacy Notices for Authentication Sources-!!!!!-REFEDS Assurance Framework-!!!!!-Sensitive Data Access Policies-!!!!!-Notice Management (Provision)
imgHeight750.0
imgContainerPagePolicy Development Kit version 2
alwaysHighlightfalse
dataModelVersion3

Snctfi, operational policies, and AAI service providers

Smaller and mid-sized communities may opt to offload some of the more complex aspects of authentication and authorisation to dedicated AAI service providers. And if you operate your own AAI core components, both your users and resource providers may want to have some assurance about the trust and security posture of your AAI platform. The Snctfi suite is the set of assessable and verifiable policies and procedures in the PDK that AAI platform providers can use to make the trustworthiness of their systems transparent to users and relying parties alike.

...

  • Learn more about Snctfi in AARC-I082 "Trust framework for proxies and Snctfi research services"

Background to the Policy Development Kit

The first AARC Policy Development Kit, released in 2017, comprised a set of nine reference documents (mostly templates) addressing the construction and operation of community AAIs in the original AARC "2019" Blueprint Architecture, based on the Community First Approach. A mix of policies and procedures, its primary audience was primarily larger-scale research collaborations, expected to review, augment, and specialise the templates for their own use. With the policy development kit being created prior to or in parallel to other work in the community at large, it duplicated some aspects (privacy in REFEDS DPCoCo, or incident response work parallel to the eduGAIN Security Handbook), while being overly complex for smaller collaborations. Work by the Australian Access Federation, the AARC Community, and in REFEDS, WISE, IGTF, and the e-Infrastructures helped restructure the PDK into the v2 model presented above. 

...