24 September 2015- BREAKOUT 5 - 13:30
RDA Security and Trust BoF - Proposal
Stefan Pröll, Rudolf Mayer, Peter Kieseberg, Andreas Rauber, Vasily Bunakov, Mike Priddy, Jens Jensen
Draft from 16th September 2015
The RDA aims to promote and facilitate global data sharing across international, institutional and technological boundaries. The exchange of information is based on a very fundamental concept: mutual trust.
Trust is difficult to establish and easy to lose. In order to be able to trust each other, research facilities, companies and institutions need to agree on and ensure minimum data protection standards. This requires a verifiable layer of trustworthiness, which goes beyond paying lip service. Only if the partners can agree on data authenticity and integrity standards, only if they can show that the privacy of sensitive data meets the policy needs of the data owners and if access can be granted and revoked based on valid criteria, trustworthy data exchange is possible.
So far the topics of data security and trust are dealt with in isolation in the existing RDA working groups, with some essential aspects potentially not covered. What we want is a common arena for understanding and harmonizing various notions of data security and trust across research domains, which should facilitate common agreements on standards, best practices and policies. This, in turn, should allow access to, and/or exchange, of sensitive data without disclosure to unauthorised parties and according to clearly defined and verifiable protocols.
We expect that various stakeholders will benefit from the proposed working group. From data reuse perspective, the group is going to cover the initial phases of data involvement in research: before you get, aggregate, analyze or otherwise handle data, you have to access it first, and ensure that it is trustworthy. For data owners and publishers, the group will develop a body of knowledge about data security and establishing and maintaining trust in data exchange. For regulators and research funding agencies, the security audit recommendations should be a valuable output of the group activities.
It is clear that the RDA Working Group for Data Security and Trust (WGDST) cannot address all relevant questions from the very start. Our aim is to focus on a few practical topics which immediately allow to improve security and identify opportunities for the controlled sharing of sensitive research data. These topics initially include:
* Policies on data access and data release for research data that is deemed sensitive because of privacy or commercial considerations, or other concerns
* Authentication and authorisation protocols for data access
* Protocols for data integrity and authenticity
Further topics are the long term view of encryption standards, security audit of data repositories and collaboration in research environments that involve sensitive data. A challenging yet promising topic to explore can be the definition, the application and the verification of machine-executable policies on data access and data release.
Our aim with this proposal of a BoF for Data Security and Trust is to gather the different aspects of research data security and trust, then distil the common questions and issues that are related to the protection and verification of data and the information it represents. We want to learn what works for most of the participants and where they see deficits for the security of their data or opportunities for the controlled sharing of sensitive data. We want to identify the current best practices and find commonalities which may then lead to an agreement about minimum standards. As an output we want to come up with a set of guidelines on how institutions define security requirements and how they can exchange their data in a secure way. Already existing best practices should be made more visible by providing user stories that highlight the benefits and pitfalls of secure data exchange. Expertise from existing RDA groups will provide further inputs.
We will present these ideas and goals during the P6 in Paris, where we have registered for a BoF group. The aim is to create a caste statement and establish a Working Group for Data Security and Trust under the umbrella of RDA.
Goals for this BoF Session
The aim of this BoF session is to define our scope and drafting a case statement, which is needed for establishing a working group on data security and trust. A Case Statement describes:
- What is the research case (will the WG produce something useful)?
- What is the business case (will people use it)?
- Is there capacity (are the right people involved to adopt and implement).
Therefore we need to agree on what we focus on within our WG and discuss what we want to achieve as a result. The RDA offers a limited timeframe of 18 months for WG to demonstrate our results. Thus we are encouraged to focus on tangible outcomes and practical solutions. We must not reinvent the wheel, therefore we will build on top of existing solutions and best practices. Thus we need to collect use cases and user stories, which then will serve as the basis for our guidelines. A template for collecting use cases is attached as a file below.
13:30 - Welcome and introduction of the WGDST
13:40 - Round of introductions (participants)
13:50 - Example use cases
14:00 - User stories and use cases from participants (brief)
14:30 - Discussion of aims, scope and results
14:50 - Wrap up and definition of next steps
15:00 - Closing of BoF