...

Authorization models might include something like VOMS or a central database to manage allocations and a corresponding process to decide which projects or communities get allocations. Another important process is how PIs authorize who can be on their projects.

Access control example, Dave?

DaveK - from minutes of the 1st June 2016 meeting - "Access control" for files relates to role-based authZ to read/write/delete/control files. For XSEDE, Adam comments that their most important example of central access control is for accounting.

Confidentiality example, Dave?

DaveK - No access unless authorised. Hide the existence of jobs and their details.

Integrity example, Dave?

Access control models may be as simple as default file permissions for protecting user home directories and shared project spaces on filesystems.

Confidentiality models might describe how job and user details are hidden from the public or other users.

Integrity models may be as simple as providing tools for integrity at rest or in transit (e.g., encrypted GridFTP) that users can use to ensure data integrity. It does not require controls to be mandatory.

DaveK - Researchers like to be sure that their data has not been tampered with. It is interesting to know what has been done to ensure integrity during data transfer and then also during storage.
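Added example, not part of the SCI text or DaveK's comment: one concrete form of the optional integrity-at-rest tooling mentioned above, a SHA-256 manifest written when a dataset lands on storage and checked again before the data is used. The data files and their contents are constructed in a scratch directory; it assumes GNU coreutils `sha256sum` (including `--check`). Because the manifest is kept outside the data directory, a change to the stored data cannot quietly update its own checksum.

```shell
#!/bin/sh
# Added example (not from the original page). A checksum manifest that lets
# a researcher confirm stored data is unchanged since it was written.
# Assumes GNU coreutils sha256sum. All sample files are constructed.
set -eu

# Record a SHA-256 line for every regular file under data_dir into
# manifest (a path outside data_dir). Absolute paths are stored, so the
# manifest is bound to this storage location.
write_manifest() {
    data_dir="$1"; manifest="$2"
    find "$data_dir" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$manifest"
}

# Re-hash everything listed in the manifest. sha256sum --check prints only
# mismatches or unreadable files with --quiet and returns non-zero on any
# failure, so the caller can branch on the exit status.
verify_manifest() {
    manifest="$1"
    sha256sum --check --quiet "$manifest"
}

# Number of files covered by a manifest.
manifest_entries() {
    wc -l < "$1" | tr -d ' '
}

# Stand-alone demonstration: write data, seal it, verify, tamper, verify.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/data"
    printf 'run 1 results\n' > "$scratch/data/results.csv"     # constructed
    printf 'seed=42\n' > "$scratch/data/params.txt"             # constructed
    write_manifest "$scratch/data" "$scratch/manifest.sha256"
    verify_manifest "$scratch/manifest.sha256" && echo "stored data matches manifest"
    printf 'run 1 results (altered)\n' > "$scratch/data/results.csv"
    verify_manifest "$scratch/manifest.sha256" || echo "tampering detected"
    rm -rf "$scratch"
}

demo
```

Two limits are worth knowing when offering this as a user tool: files added after the manifest was written are not noticed (only listed files are checked), and the manifest is only as trustworthy as wherever it is stored, so sites that want stronger guarantees keep it on separate, write-once or signed storage.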

Examples of compliance mechanisms are top-level security policies, resource provider agreements, and terms of service that allow the organization to enforce its policies against entities that bypass the model. For example, a resource provider that sets up a gateway which bypasses authentication and authorization by sharing an account might be cut off from resources for breaking the model.

Dave, does this just duplicate OS7?

DaveK - I guess it could do, but I think the idea was that OS1 talks more about the management commitment to ensure compliance and the policies requiring this, whereas OS7 is more about the escalation and enforcement procedures. The words don't make this clear, so we need to modify.

These are the foundational organization commitments to compliance, not the technical mechanisms of enforcement itself.

[OS2]

A process that ensures that security patches in operating system and application software are applied in a timely manner, and that patch application is recorded and communicated to the appropriate contacts.

...