Infrastructure-originating service operations security policies target a collection of coordinated services that aim for a common, coherent service level by aligning policies and practices. Whilst this ensures a predictable response by all service providers contributing to an infrastructure, the model is less suited to a loosely coupled 'ecosystem' of providers that do not necessarily share a common audience - and thus where expectations differ between providers of services (and even between providers of similar services).

The 'baseline model' for service operational security explicitly addresses the diversity of ecosystems by following a risk-based approach and the Hippocratic principle of 'do no harm'.

Initiated by the EOSC Future project, and leveraging the 'infrastructure'-oriented service operations security policy from the AARC PDK and the UK-IRIS improvements thereof, the AARC Policy community is developing an operational security baseline that will, for example, be incorporated into the requirements to connect to the EOSC Core AAI Proxy and to participate in the EOSC AAI Federation:

"This Security Baseline supports these goals by defining minimum expectations and requirements of the behaviour of those offering services to users and communities connected to the EOSC, of those providing access to and composing services through the EOSC. It thereby applies to all participants in the EOSC authentication and authorization infrastructure (EOSC AAI). It aims to establish a sufficient level of trust between all Participants in the Infrastructure to enable reliable and secure Infrastructure operation."

Timeline

  • June-July 2021: initial adaptation from the AARC PDK and UK-IRIS Service Operations Policy
  • August 2021: consultation round with EOSC AAI TF members, EOSCF WP7 task leads, and AARC Policy Area
  • September 7th: consolidation of initial feedback (PDF)
  • September 7th: created the FAQ skeleton page for the Annotated Baseline

Documents