2010 Fourth International Conference on Network and System Security

Security-oriented Workflows for the Social Sciences
Prof. Richard O. Sinnott,
University of Melbourne, Melbourne, Victoria, 3010, Australia, rsinnott@unimelb.edu.au

Sardar Hussain
National e-Science Centre University of Glasgow, Glasgow G122 8QQ, Scotland s.hussain@nesc.gla.ac.uk

Abstract — The service-oriented computing paradigm and its application to support e-Infrastructures offers, at least in principle, the opportunity to realise platforms for multi- and inter-disciplinary research. Augmenting the service-oriented model for e-Research are mechanisms for services to be coupled and enacted in a coordinated manner through workflow environments. Typically workflows capture a research process that can be shared and repeated by others. However, existing models of workflow definition and enactment assume that services are directly available and can be accessed and invoked by arbitrary users or enactment engines. In more security-oriented domains, such assumptions rarely hold true. Rather, in many domains service providers demand to be autonomous and to define and enforce their own service/resource access control using locally defined policy enforcement points (PEP) and policy decision points (PDP), which allow access to and usage of resources to be strictly monitored and enforced. In this paper, we outline how it is possible to support security-oriented workflow definition and enactment through chaining of PDPs to support “workflow-oriented” access control. To demonstrate this, we focus on a case study taken from the Economic and Social Science Research Council (ESRC) funded Data Management through e-Social Science (DAMES – www.dames.org.uk) project in the area of depression, self-harm and suicide.

978-0-7695-4159-4/10 $26.00 © 2010 IEEE DOI 10.1109/NSS.2010.72

Keywords: Workflows, social sciences, security

I. INTRODUCTION

Distributed computing technologies such as Grids can be used to realise e-Infrastructure which in turn can be used to support collaborative research platforms. These platforms can be used for e-Science and e-Research more generally and support research activities often crossing discipline and organizational boundaries. The service-oriented architecture (SOA) paradigm has gained widespread acceptance as the primary mechanism to deliver such platforms. Web services represent a standard way of seamlessly and transparently accessing and delivering data and computational resources on such platforms, and as such play a key role in bridging the gap and enabling a variety of applications and researchers to work together. Typical manifestations of e-Infrastructures allow different organizations to host their own web services, which collaborators are able to invoke under the terms and conditions of the collaboration – these rules are themselves normally defined in the establishment of the virtual organisation (VO) upon which the collaboration is itself defined and subsequently managed. One common mechanism through which services are coupled (linked) and used is through workflows and workflow environments. Workflows within the business community have been widely adopted as a way to dynamically access data from different providers [1]. Workflows in the e-Science/e-Research domain allow definition of couplings of services that typically represent a scientific or research process more generally. Once defined, these workflow definitions can be shared and used by others to enact the same process. The driving/enactment of such collections of services is usually achieved through an enactment engine.

As a prime example for exploitation of workflows, the social science domain is data rich and has users requiring access to and use of data from multiple distributed and autonomous providers, often from different disciplines. As one example of this, e-Health research into depression, self-harm and suicide can require seamless access to clinical data sets, e.g. hospital visitations, mental health records, and/or death registrations; social science data sets such as the Census or survey micro-data sets; and environmental and geospatial data sets such as proximity to parkland or major traffic routes. From the access to and usage of these data sets, numerous socially motivated questions can be raised which can, for example, have a direct bearing on understanding the mitigating circumstances of why an individual may self-harm or attempt suicide, and thus allow optimised treatment for other similar cases. The coupling of e-Science technologies and workflow solutions has a major potential role to play in this context.
From automating activities such as accessing data, cleaning/filtering data, linking data and capturing metadata from data sets, the same workflow can be used by many researchers both to repeat a scientific process and to validate scientific results. However, many of these data resources have strict security and privacy requirements associated with them. It is also the case that Grid and e-Infrastructure security more generally has been typified by authentication-oriented access control. In this model X.509-based public key infrastructures (PKI) are used to define and enforce access control to resources based on possession of a public/private key pair. This model tackles some of the primary demands of the e-Research community, e.g. support for single sign-on whereby researchers are able to log in once and access multiple remote resources without further re-authentication challenge/response demands; however, this model of security is extremely limited in the level of granularity it offers [2-4]. Instead finer-grained access control is required, where access policies can be defined through specific policy enforcement points (PEP) and enforced by specific policy decision points (PDP) which, when combined, allow decisions on individual-level data access and usage requests to be made according to the terms and conditions of the collaboration. This authorisation-oriented model of access and use of resources can be realised in many different ways, e.g. role based access control (RBAC) [5], identity based access control (IBAC) or attribute based access control (ABAC) [6]. Authorised access to individual services has been successfully demonstrated in numerous domains [7]; however, a challenge remains in defining and enforcing access control when coupling multiple services together in particular workflows. This is the focus of this paper.

In this paper we review the state of the art in workflows and security in section 2. In section 3, we describe how chaining of PDPs allows authorisation decisions from multiple service providers to be combined to decide whether a given workflow can be enacted (or not). In section 4 we provide a case study of the application of chaining of PDPs in the public health research domain to support research into depression, self-harm and suicide. We outline the key data sets and data providers that need to be combined to support such research. Finally in section 5 we draw some conclusions on the work as a whole and outline areas of future research.

II. RELATED WORK

The e-Science and e-Research domains more generally have up to now exploited a number of security technologies to ensure user-oriented authentication and authorization (and in turn support trust and policy management) at an individual resource level or for a group of resources shared by multiple users in a virtual organization (VO). Many of these solutions are based on utilising standard X.509 public key certificate-based PKIs [8] and attribute certificates based upon Privilege Management Infrastructures (PMI) [3]. X.509 public key certificates are used for the authentication of users, i.e. to establish a user's identity, and digitally signed attribute certificates are used for the authorization of users, e.g. to determine the level of access an individual may have to a resource. Authentication is typically augmented with authorisation. That is, authorization ensures that once a user is authenticated, they then have controlled access to resources based on the privileges and access rights assigned to them.

There have been many technologies that have been used to support such authentication and authorisation scenarios: PERMIS [9], VOMS [10], SAML [11], XACML [12], Shibboleth [13], CAS [14], Kerberos [15] and GSI [16] are some examples that have been used to support secure, federated access to a variety of distributed and heterogeneous resources. Most of these technologies work on the assumption that a user having a particular identity or a particular set of attributes (privileges) can access a particular resource. These decisions are typically based on determining the identity of the individual and subsequently ensuring that the privileges that they present (the attribute certificates) are both valid and meet the local policy agreements that are in place. There has been far less agreement and experience in finer-grained security of workflows, however. Some of the more nascent work in this area includes the Proxy Web Service-based approach proposed by Chao et al. in [17], where BPEL4WS was used for orchestrating OGSI-based Grid services. In this approach Grid service invocation is simplified by wrapping Grid service clients as web services called Proxy Web Services, with BPEL4WS subsequently used to compose these Proxy Web Services as a workflow process. The Proxy Web Services are designed such that they can trigger and delegate the operations performed on them to the actual Grid services. A similar approach was proposed in [18] by Pichet and Natawut for the orchestration of Grid services using a proxy service as a communication bridge between BPEL processes and Grid services. In both cases, proxy services can hide the complexity of Grid services and be invoked by the workflow engine instead of the original service. These proxy service approaches support the Globus Security Infrastructure (GSI) security model. As such, the proxy service requires trusted credentials of the target Grid service to be invoked.

The work by Dornemann et al. [19] is particularly focused on BPEL processes: they outline some of the shortcomings of BPEL in invoking Web Service Resource Framework (WSRF)-based services and offer extensions to the BPEL engine to enable it to invoke WSRF-based Grid services. They proposed new activities to create state-aware service resources, to invoke state-aware WSRF services and to destroy the invoked WS-resource as well. In this implementation a secured Grid service and web services can be invoked in a particular workflow based on the use of Grid proxies, themselves based on GSISecureMessage, GSISecureConversation and GSITransport [20].

Web Services-Virtual Laboratory Abstract Machine (WS-VLAM) [21] is a Globus Toolkit version 4 (GT4) based workflow management system that provides a GUI as a client for composing workflows and a RunTime System Manager (RTSM) execution engine running as a Grid service in a GT4 container for orchestrating experiment processes (Grid services). The client GUI obtains service information from a repository service (running in the same container) for workflow composition and interacts with the RTSM by submitting workflows for execution. Before submitting a workflow for execution the workflow client sends its Grid credentials (PKI certificate and key) to the delegation service of the GT4 service container and obtains an endpoint reference (EPR), which is then used when executing the workflow for authentication and authorization of the user. The workflow is sent to the RTSM factory service which creates an RTSM instance to execute the workflow. However, in this model the security approach is based on GSI, where a user is authenticated and authorized to the Grid container, and once the user is authenticated and authorized they can use any resource in this container and potentially any workflow. As such this approach is impractical where the resources are maintained in remote sites, each with their own custom authentication and authorization policies.

Arguably the most widely used workflow system in many e-Research domains is Taverna [22]. The latest release of the Taverna workflow environment can invoke services over Secure Socket Layer (SSL)/Transport Layer Security (TLS) using WS-Security-based username/password for encryption/decryption. The Taverna team and the caGrid project (www.cagrid.org) are collectively working on invoking services using grid proxy certificates. To date they have successfully invoked caGrid-specific Grid services in a workflow using proxy credentials; however, their work is again GSI specific, which in itself does not support the finer-grained access control demanded in security-oriented domains such as e-Health. Work is thus needed to address this open challenge.

III. WORKFLOW AUTHORIZATION THROUGH PDP CHAINING

A workflow can be enacted and executed either through a centralised enactment engine as an orchestration process or through chaining of distributed services (also called choreography). For the purpose of this paper we consider a centralised workflow environment where different (autonomous) services use their own authorization mechanisms when enacted by a centralised workflow engine. The models put forward can be generalised to decentralised workflow enactment environments. The de facto middleware to build Grids has been the Globus Toolkit. The SOA model of Grids has to date been realised through Globus Toolkit version 4 (GT4). GT4 has its own authorization framework [23] which allows finer-grained security for individual services. In our work to date, we have realised an enactment engine as a GT4 service, since our primary goal is to focus on exploring the issues with workflow security, and not to extend a given workflow environment, e.g. Taverna, with finer-grained security models.

In our architecture, to support workflow-oriented security, a workflow is associated with a centralised workflow enactment service which has its own local authorization engine (a Master PDP). In this environment, our goal is to ascertain whether a user is able to enact a given workflow based upon the collective decision of the associated services involved in that workflow. To support this, we require the collection of the authorization decisions of multiple individual services with their own associated PDPs. In the current implementation, the decisions returned by the individual PDPs of services can be OR'd, AND'd and XOR'd depending upon the policy needed at the workflow level, e.g. only enact this workflow if ALL services in the defined workflow agree; only enact this workflow if there is a given path through the workflow (which itself may contain branches) from the root node to a final leaf node. A simplistic model of how such security is supported is shown in Figure 1, where a client wants to execute a workflow comprised of two services.
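The combination step described above, as an added example that is not code from the DAMES project or from the Globus-based enactment engine the paper describes: a master PDP collects the local decision of each service's PDP and applies a workflow-level rule, either AND (all services agree), OR, XOR, or PATH (at least one root-to-leaf path through a branching workflow on which every service allows, the relaxation also discussed at the end of section IV). The DNs, role names, the three-service workflow graph and the dict standing in for the LDAP attribute authority are all constructed sample data.

```python
"""Master PDP combining the decisions of per-service PDPs at workflow level.

Added example, not code from the DAMES project.  A workflow is modelled as a
small directed acyclic graph of services.  Each service has a local PDP that
decides ALLOW or DENY for the calling user's distinguished name (DN) from the
roles held in an attribute authority (a dict standing in for the LDAP server).
The master PDP applies one of four workflow-level rules to the collected
decisions: AND (all services allow), OR (any allows), XOR (exactly one
allows) and PATH (some root-to-leaf path consists only of allowing services).
All DNs, role names and the graph below are constructed sample data.
"""
from typing import Callable, Dict, List, Sequence, Tuple

Decision = str  # "ALLOW" or "DENY"

# Constructed attribute authority: DN -> roles (the paper stores these in LDAP).
ATTRIBUTE_AUTHORITY: Dict[str, set] = {
    "CN=alice,O=DAMES": {"Service1_role", "Service2_role", "Service3_role"},
    "CN=bob,O=DAMES": {"Service1_role", "Service3_role"},
    "CN=carol,O=DAMES": {"Service2_role"},
}


def make_role_pdp(required_role: str) -> Callable[[str], Decision]:
    """Local PDP of one service: allow iff the caller holds the required role."""
    def pdp(user_dn: str) -> Decision:
        held = ATTRIBUTE_AUTHORITY.get(user_dn, set())
        return "ALLOW" if required_role in held else "DENY"
    return pdp


# One PDP per service; each service demands its own role, as in Figure 1.
SERVICE_PDPS: Dict[str, Callable[[str], Decision]] = {
    "Service1": make_role_pdp("Service1_role"),
    "Service2": make_role_pdp("Service2_role"),
    "Service3": make_role_pdp("Service3_role"),
}

# Constructed branching workflow: Service1 is the root node, after which the
# workflow continues to either Service2 or Service3 as a final leaf node.
WORKFLOW_GRAPH: Dict[str, List[str]] = {
    "Service1": ["Service2", "Service3"],
    "Service2": [],
    "Service3": [],
}
WORKFLOW_ROOTS: Sequence[str] = ("Service1",)


def collect_decisions(user_dn: str) -> Dict[str, Decision]:
    """PDP chaining step: ask every service's PDP for its local decision."""
    return {svc: pdp(user_dn) for svc, pdp in SERVICE_PDPS.items()}


def path_allowed(decisions: Dict[str, Decision], graph: Dict[str, List[str]],
                 roots: Sequence[str]) -> bool:
    """True if some root-to-leaf path is made up only of allowing services."""
    def walk(node: str) -> bool:
        if decisions.get(node) != "ALLOW":
            return False
        successors = graph.get(node, [])
        return True if not successors else any(walk(n) for n in successors)
    return any(walk(root) for root in roots)


def master_pdp(policy: str, user_dn: str) -> Tuple[Decision, Dict[str, Decision]]:
    """Workflow-level decision plus the local decisions it was derived from."""
    decisions = collect_decisions(user_dn)
    allows = sum(d == "ALLOW" for d in decisions.values())
    if policy == "AND":
        ok = allows == len(decisions)
    elif policy == "OR":
        ok = allows > 0
    elif policy == "XOR":
        ok = allows == 1
    elif policy == "PATH":
        ok = path_allowed(decisions, WORKFLOW_GRAPH, WORKFLOW_ROOTS)
    else:
        raise ValueError(f"unknown workflow policy: {policy}")
    return ("ALLOW" if ok else "DENY"), decisions


if __name__ == "__main__":
    for dn in ATTRIBUTE_AUTHORITY:
        for policy in ("AND", "OR", "XOR", "PATH"):
            verdict, local = master_pdp(policy, dn)
            print(f"{dn:20} {policy:4} -> {verdict:5} {local}")
```

With these sample roles, bob is refused under AND (he lacks Service2_role) but admitted under PATH because the Service1 to Service3 branch is fully authorised, while carol is refused under PATH even though Service2 allows her, since the root service denies.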

[Figure 1 (diagram): the components shown are a MyProxy service, the Enactment Service with its PEP and Master PDP (MPDP), and Service1 and Service2, each with its own PEP and PDP.]

Figure 1: Workflow Authorization using PDP chaining

In our current implementation we have largely focused on static workflows and statically defined policies, and their enactment. Building upon a common authentication model (depicted here through the use of a MyProxy credential management service), we are able to define and enforce enactment of the workflow comprised of Service1 and Service2 only if the user has sufficient privileges, e.g. they possess the Service1_role and the Service2_role. At present these roles are statically defined and stored in an LDAP server (attribute authority), but more dynamic models of delegation of roles have also been supported in related work (albeit in a non-workflow environment) [31]. These roles may also be pushed from the client to the enactment engine and on to the services themselves, or pulled by the services from trusted attribute repositories as described in [30].

IV. CASE STUDY

To understand how workflow-oriented authorisation security can be applied we consider an on-going area of research in the DAMES project exploring the increasingly common social phenomenon of depression, self-harm and suicide. It is currently the case that depression will affect one in five people in Scotland at some stage in their lives and yet it is treatable in most cases [24]. On average two people die of suicide in Scotland per day, despite the fact that most people contemplating suicide do not wish to die; they simply wish to stop the pain that they are suffering [25]. In 2002 the Scottish Government launched a strategy and associated action plan aimed at preventing suicide in Scotland. Key to the realisation of this plan was to try to understand what predisposes an individual to suffer from depression or indeed causes them to try to take their own lives. To answer such questions, ideally targeted research environments are required providing seamless access to the necessary distributed (and autonomous) data sets associated with individual backgrounds. For example, did the individual seek medical help prior to an episode or before being admitted for self-harming, or indeed prior to taking their life? Was the individual previously in psychiatric care? Has there been any related family history of mental health issues, e.g. parents or siblings who might have been previously admitted for counselling? What was their household composition, e.g. did they live alone; were they married; did they still live with parents? What was their occupation and average household income, and how did this compare to the national average and/or the local average for their immediate region? What was their educational background, e.g. were they educated to university level or were they an early school leaver? Had they any previous ailments, e.g. did they suffer from any form of chronic pain or debilitating disease, or did they have a history of drug use? Other non-obvious information can also be used to identify patterns in depression, self-harm and suicide, e.g. ethnicity and obesity are increasingly seen as important factors in these areas.
All of these and many more factors are potentially significant and may well have a direct impact on depression, self-harm and suicide, which in turn can subsequently be used for identification of risk factors and hence to mitigate against these risks. However, any e-Infrastructure used to answer such questions requires access to a range of distributed resources from heterogeneous data providers. In the DAMES project much work has focused upon three key areas:
- Clinical data from providers such as the National Health Service;
- Social data from providers such as the UK Data Archives (www.ukda.ac.uk) and MIMAS (www.mimas.ac.uk);
- Geospatial data providers such as EDINA (www.edina.ac.uk).
We outline some of these data resources and the information they hold.

A. Clinical Data Sets

Scottish Morbidity Records (SMR) from the NHS Information Services Division [26] represent one of the most comprehensive clinical data resources in the UK. The data sets capture an almost complete medical history of the Scottish population, often going back over 40 years. SMR data sets are maintained and regularly updated from hospitals Scotland-wide with feeds from primary care (GP) sites. The data itself is structured and catalogued in data marts by the Information Services Division of the NHS and stored in secure and centralised data warehouses maintained by the NHS. There are currently over 70 different data marts covering all aspects of the Scottish population's health. Of primary importance to DAMES e-Health research are the hospital admissions data sets (SMR01), mental health related data sets (SMR04) and death related data sets (SMR99). Other data sets are also being factored into the scenarios and research areas, e.g. maternity data sets (SMR02). The SMR data sets contain a wide range of clinical and related information. This includes patient identification and demographic data; episode management data; general clinical data and data on all hospital admissions and registered deaths. The main variables used to ascertain if an individual has suffered from depression, self-harm or indeed committed suicide are the diagnosis on admission and the cause of death. These variables are coded using the World Health Organisation International Classification of Diseases (ICD) code, which provides the international standard diagnostic classification for all general epidemiological and many health management purposes [27]. The list of ICD codes relevant to depression, self-harm and suicide is complex and complicated, since suicide is often not recorded as the cause of death if there is any doubt as to what caused an individual's death. Thus many insurance companies will often not pay out after a suicide. This means that the list of codes required by researchers must include things such as accidental poisoning as well as intentional poisoning.

It is noted that all clinical data resources across Scotland (including SMR) incorporate some form of geospatial information, whether referring to GP practices, hospitals and/or the patients themselves. The geospatial data not only allows local, regional and national level data sets to be understood, but also provides an opportunity to link and display data based on its geospatial aspect. At present the National e-Science Centre at the University of Glasgow has direct access to a dataset containing 3,719,206 SMR01 hospital admissions records, 241,599 SMR04 mental health discharge records, 171,167 SMR06 cancer registration records and 173,616 SMR99 death records. Through the ongoing work of the Wellcome Trust funded SHIP project (www.scot-ship.ac.uk), live access to data maintained by the NHS is currently being pursued. This paper is primarily based upon data sets provided by the NHS ISD to be used for research purposes. Subsets of these key data sets have been made available through security-oriented Grid services on a test-bed at NeSC Glasgow. In particular Grid services have been developed that allow secure access to SMR01, SMR04 and SMR99 data sets.

B. Social Science Data Sets

There is a wealth of social science data sets currently existing in the UK (and internationally) that have a direct bearing on mental health related research. The UK Census dataset, the British Household Panel Survey, the Scottish Health Survey and the Scottish Longitudinal Study are some of the largest and most important social science data resources in the UK. Many of these data sets are provided by government organisations such as the Office of National Statistics (ONS – www.ons.gov.uk) and the UK Data Archives (www.ukda.ac.uk). As an example of these data sets, the BHPS provides an annual survey (also called a wave) of around 10,000 households across England, Scotland and Wales. As a panel survey, the same individuals are surveyed yearly. The core questionnaire covers a broad range of social science and policy interests; of particular interest to mental health research are household composition, education, general health and the usage of health services. The data is itself available from the UK Data Archive to registered users, i.e. those users who have signed up to special conditions on access and usage. Different licenses exist which give access to data sets at different levels of geospatial resolution. The UK Census is a count of all people in the UK and takes place every 10 years, with the next Census scheduled for 2011. The Census provides unique population statistics. Census records for Scotland are available from the General Register Office for Scotland and from MIMAS (www.mimas.ac.uk) via CASWEB. Both the Census and the BHPS include numerous tables and variables of direct relevance to research into depression, self-harm and suicide. These include household composition, e.g. whether a household was made up of pensioners, married couples, married couples with children, co-habiting couples, lone parents or other household composition; general health variables; occupational variables and lifestyle variables. Subsets of the Census and BHPS data sets are made available through security-oriented Grid services on a test-bed at NeSC Glasgow.

C. Geospatial Data Sets

Geospatial information is essential to both understanding and visualising trends in data. Identification of clusters or patterns in data over particular time periods is crucial to mental health related research. EDINA at the University of Edinburgh (www.edina.ac.uk) makes available a wide variety of geospatial data resources and services to researchers. The UKBORDERS resource provides digitised boundary datasets and geographical look-up tables for the UK, offering local authority level data sets and allowing exploration of these boundaries, e.g. how they have changed over time. The data itself has historically been under license from the UK Ordnance Survey (although we note that this has now been relaxed since March 2010 and these resources are now available for wider public use). The data can be visualised and used through a variety of Geographical Information System (GIS) software packages. Of particular importance are geospatial vector data (shapefile) formats. A shapefile refers to a collection of files associated with a main shapefile, representing geometric points, lines and polygons. A shapefile representing UK Census output areas provides geometric information that allows plotting of individual output areas as polygons on a map or image. It is possible to use a shapefile to visualise (overlay) a variety of data on maps. Shapefiles for the UK, Scotland and for the various regions of Scotland have been made available as security-oriented Grid services on a test-bed at NeSC.

D. Security-oriented Workflow Architecture

The overall architecture that has been developed within the DAMES project is presented in Figure 2. At the heart of this work is the establishment of a Virtual Research Environment (VRE) and support for a Secure Data Playground (SDP). The architecture itself builds directly on the results of the SPAM-GP project and the Content Configuration Portlet [32]. In this architecture, targeted clients (portlets PG, PS, PC) allow access to individually secured geospatial, social and clinical services respectively, but essentially for the context of this paper, a portlet client is available (PGSC) that allows access to and invocation of a targeted enactment engine (EEGSC). As described below, this enactment is currently realised by a targeted Globus-based Grid service offering different service enactments based upon individual methods which, when invoked, interact with the remote services in particular scenarios (workflows).

[Figure 2 (diagram): the components shown are the VRE with portlets PGSC, PG, PS and PC; a MyProxy service; the SDP with RGSC, SAT, DRT, the enactment engine EEGSC and DGSC; a Master PDP (MPDP); and the remote services SG (Geospatial Data, EDINA), SS (Social Data, UKDA) and SC (Clinical Data, SMR), each with its own PDP and PEP.]

Figure 2: DAMES Service Architecture

In the ALL scenario, the invocation of this enactment engine demands that all local services (SG, SS, SC) allow the associated Enactment Engine Grid service method invocation to be enacted. To achieve this, a Master PDP (MPDP) is used to obtain local authorisation decisions from the individually protected services, which each have their own PEP/PDP. To support this process, a MyProxy service is available that provides (transparently to the end user of the VRE) X.509 proxy credentials used for identification and ultimately as the basis for authorisation of the individuals in the VRE (this information is provided through the UK Access Management Federation and a targeted Identity Provider). That is, MyProxy credentials are used by the PEP/PDPs to extract the distinguished name (DN) of the users and subsequently as the basis for obtaining the appropriate attribute certificates for those individuals. To support this process, DAMES-specific attribute certificates are issued and associated with attribute authorities (LDAP servers) used by the VRE (services) to make authorisation decisions at the individual service level and, importantly, for the groupings and orderings of the services themselves through targeted workflows. The roles DAMES_Census_role, DAMES_SMR01_role, DAMES_SMR04_role, DAMES_SMR99_role and DAMES_EDINA_role have been defined and are used by the services themselves for this purpose.

A representative scenario in the use of this architecture is to discover the number of individuals who are:
- suicide completers, i.e. they are present in the SMR99 data set, which is itself accessible through a protected SMR99 Grid service to those with the DAMES_SMR99_role;
- who have previously been to hospital for self-harm reasons, i.e. they are present in the SMR01 data set, which is itself accessible through a protected SMR01 Grid service to those with the DAMES_SMR01_role;
- who have undergone psychiatric treatment, i.e. they are present in the SMR04 data set, which is itself accessible through a protected SMR04 Grid service to those with the DAMES_SMR04_role;
- who lived in a socially deprived area, i.e. where the annual salary as described in the Census (and available through a targeted Census Grid service available to those with the DAMES_Census_role) is below the national average and where the average qualifications for those in that area are also below the national average;
- and to display this information comparing suicide completers across Scotland at the regional and national data level (through targeted Grid services offering access to geospatial shapefiles to those with the DAMES_EDINA_role).

In this scenario, the workflow itself is based on invocation of the clinical Grid data services to return the matching data sets from the SMR01, SMR04 and SMR99 Grid services. These data sets themselves can be linked directly through a common index that exists across Scotland – the Community Health Index (CHI) number. Associated with these returned results is geospatial information (postcodes and output areas) that can be used for further linkage with the Census for national and regional deprivation and educational indicators. Finally the returned data sets for those matching individuals and their regional/national comparisons are visualised and overlaid across UK Border data. The final results showing the successful enactment of this workflow, with results from individual services (outer portlets) and their combination (central portlet), are shown in Figure 3 and visualised in Figure 4.
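The per-service checks behind the ALL scenario, as an added example that is not code from the DAMES project: an attribute authority issues signed (holder DN, role) assertions, each service's PEP recovers the caller's DN from a MyProxy-issued proxy credential, its PDP admits the call only when a valid, unexpired assertion for that DN carries the role the service requires, and the MPDP enacts the workflow only if every service allows. Two simplifications are assumptions of this example rather than the paper's mechanism: the assertion signature is an HMAC under a key shared by the authority and the services, standing in for an X.509 attribute certificate signature, and the proxy credential is modelled as its subject DN string with the trailing "/CN=proxy" component that GSI proxies carry. The role names are those listed in the paper; all DNs, keys and timestamps are constructed.

```python
"""Attribute-certificate checks behind the ALL scenario of Section IV.

Added example, not DAMES project code.  A DAMES-style attribute authority
issues signed (holder DN, role) assertions.  Each data service's PEP extracts
the caller's DN from a proxy credential and its PDP allows the call only if a
valid, unexpired assertion for that DN carries the role the service requires.
The master PDP (MPDP) enacts the workflow only if every service allows.
Assumptions: the signature is an HMAC under a key shared by authority and
services (standing in for an X.509 attribute certificate signature), and the
proxy credential is its subject DN string ending in the "/CN=proxy" component
that GSI proxies append.  DNs, keys and times are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

AUTHORITY_KEY = b"constructed-dames-attribute-authority-key"  # assumption
TRUSTED_ISSUER = "/O=DAMES/CN=Attribute Authority"            # constructed

# Role each protected Grid service demands (role names as listed in the paper).
SERVICE_ROLES: Dict[str, str] = {
    "SMR99": "DAMES_SMR99_role",
    "SMR01": "DAMES_SMR01_role",
    "SMR04": "DAMES_SMR04_role",
    "Census": "DAMES_Census_role",
    "EDINA": "DAMES_EDINA_role",
}


def _signed_bytes(ac: dict) -> bytes:
    """Canonical encoding of every field except the signature itself."""
    body = {k: v for k, v in ac.items() if k != "sig"}
    return json.dumps(body, sort_keys=True).encode()


def issue_ac(holder_dn: str, role: str, now: float, ttl_s: int = 3600) -> dict:
    """Attribute authority: bind a role to a holder DN with an expiry and sign it."""
    ac = {"issuer": TRUSTED_ISSUER, "holder": holder_dn, "role": role,
          "not_after": now + ttl_s}
    ac["sig"] = hmac.new(AUTHORITY_KEY, _signed_bytes(ac), hashlib.sha256).hexdigest()
    return ac


def dn_from_proxy(proxy_subject: str) -> str:
    """PEP step: strip the proxy's extra CN component to recover the holder's DN."""
    parts = proxy_subject.split("/")
    last = parts[-1]
    if last == "CN=proxy" or (last.startswith("CN=") and last[3:].isdigit()):
        parts = parts[:-1]
    return "/".join(parts)


def ac_is_valid(ac: dict, holder_dn: str, now: float) -> bool:
    """PDP step: trusted issuer, correct holder, unexpired and untampered."""
    if ac.get("issuer") != TRUSTED_ISSUER or ac.get("holder") != holder_dn:
        return False
    if ac.get("not_after", 0) <= now:
        return False
    expected = hmac.new(AUTHORITY_KEY, _signed_bytes(ac), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(ac.get("sig", "")))


def service_pdp(required_role: str, proxy_subject: str, acs: List[dict], now: float) -> str:
    """Local PDP of one service: ALLOW iff a valid AC for this DN carries the role."""
    holder_dn = dn_from_proxy(proxy_subject)
    for ac in acs:
        if ac_is_valid(ac, holder_dn, now) and ac.get("role") == required_role:
            return "ALLOW"
    return "DENY"


def master_pdp_all(proxy_subject: str, acs: List[dict], now: float) -> Tuple[str, Dict[str, str]]:
    """MPDP for the ALL scenario: enact only if every service's PDP allows."""
    decisions = {svc: service_pdp(role, proxy_subject, acs, now)
                 for svc, role in SERVICE_ROLES.items()}
    verdict = "ALLOW" if all(d == "ALLOW" for d in decisions.values()) else "DENY"
    return verdict, decisions


# Constructed sample principals and a fixed clock.
ALICE_DN = "/C=UK/O=eScience/OU=Glasgow/CN=alice"
ALICE_PROXY = ALICE_DN + "/CN=proxy"
BOB_PROXY = "/C=UK/O=eScience/OU=Glasgow/CN=bob/CN=proxy"
NOW = 1_000_000.0


def alice_full_acs(now: float = NOW) -> List[dict]:
    """Constructed: ACs for all five roles, as a fully entitled researcher would hold."""
    return [issue_ac(ALICE_DN, role, now) for role in SERVICE_ROLES.values()]


if __name__ == "__main__":
    acs = alice_full_acs()
    print(master_pdp_all(ALICE_PROXY, acs, NOW))        # every service allows
    print(master_pdp_all(ALICE_PROXY, acs[:-1], NOW))   # EDINA role missing: DENY
    print(master_pdp_all(BOB_PROXY, acs, NOW))          # ACs bound to another DN: DENY
    forged = dict(acs[0], role="DAMES_EDINA_role")      # role edited after signing
    print(service_pdp("DAMES_EDINA_role", ALICE_PROXY, [forged], NOW))  # DENY
```

Binding each assertion to the holder's DN is what stops a credential holder presenting someone else's roles, and verifying the signature over the canonical body is what makes editing a role after issue useless; both checks sit in the local PDP, so the MPDP never has to trust anything but the five ALLOW/DENY answers.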

Figure 3: Workflow Results

Figure 4: Suicide-related results visualised across Scotland (left) and Greater Glasgow (right)

The above scenario has been successfully demonstrated on a test-bed at the NeSC in Glasgow. Ideally of course the services would be hosted by the data providers themselves, e.g. the UK Data Archives, the NHS and EDINA. The technology transfer and education required to achieve this remains an open challenge which is currently being explored in the SHIP project.


The above scenario is based upon a master PDP associated with an enactment engine (Grid service) using information (local authorization decisions) from multiple individual services. In the current realization, this enactment engine is itself implemented as a Grid service. This service has multiple different methods, each of which represents a way to interact with (enact) the different remote services. This is currently a contrived solution and not one that is in the spirit of workflow environments, where arbitrary workflows can be defined and enforced. Rather, the service methods are coded and protected. The authorization decisions required to invoke the particular methods are also currently based on all associated services invoked through that method agreeing to the invocation, i.e. each of their PDPs returning an ALLOW decision. This is simplistic and more complex scenarios are likely in a real workflow environment. The work currently does not yet attempt to deal with finer-grained workflow logic, e.g. where workflow branches based on values of outputs are defined. Thus it might well be the case that a workflow should only be enacted provided a given number of matching records are returned. This can obviously be coded into the enactment service itself, but a more user-oriented mechanism is clearly needed, especially if workflow sharing is to be supported. The services described and hosted thus far have predominantly been data access services which return data when authorization demands are satisfied. It is equally possible to incorporate computational services into this environment, e.g. data processing and statistical analysis services using software tools such as R, STATA or SPSS to support recoding of variables and statistical disclosure risk assessments. Work is currently on-going to support such scenarios in the next phase of the DAMES project.
One final comment on the status of the work thus far is that the policies defined and enforced at the Grid service enactment level and at the local service level are currently based around the possession of a valid and authentic attribute certificate, e.g. a digitally signed role that the service requires before it will make a local access control decision. At present the enactment engine demands that all services agree to the workflow being enacted before the enactment itself takes place. This is overly restrictive, and it may well be the case that workflows can be enacted provided there exists at least one branch of the workflow that can be enacted, i.e. from the starting service (root) to the final service (leaf node) of the workflow graph. These issues are described in more detail in [28].

V. CONCLUSION

This work has shown that it is indeed quite possible to define and enforce security-oriented workflows, where the security model supports finer grained, authorisation-oriented access control. PDP chaining has direct advantages in this regard for the linkage of multiple PDPs. The next phase of this work is to explore these models in heterogeneous service environments where both pull-oriented and push-oriented authorisation models are required, i.e. where the services are configured to pull attribute certificates from known and trusted attribute authorities. The issues in supporting this are described in [28, 30]. Whilst the security-oriented solutions in this paper are sufficient to explore the issues in defining and enforcing security-oriented workflows, the real world of data providers such as the NHS is much more challenging. Direct access through hospital firewalls, or into clinical systems more generally, is still a fraught process even where targeted PEP/PDPs are supported. To address these kinds of scenarios, solutions such as the VANGUARD model of clinical data access and linkage are being developed [29]. Furthermore it should be emphasised that the DAMES scenarios outlined here are still proof of concept, albeit based on actual data models. At the moment a full ethics application has been submitted to realise these scenarios with real/live clinical data sets.

ACKNOWLEDGMENT

This work is supported by the ESRC DAMES project. We gratefully acknowledge their support.

REFERENCES

[1]. Taylor, I.J., et al., Workflows for e-Science: Scientific Workflows for Grids. 1st ed. 2007: Springer.
[2]. Sinnott, R.O., et al., Experiences of Applying Advanced Grid Authorisation Infrastructures. Lecture Notes in Computer Science, Vol. 3470/2005. 2005: Springer Berlin / Heidelberg. 265-274.
[3]. Watt, J., R.O. Sinnott, and A.J. Stell. Dynamic Privilege Management Infrastructures Utilising Secure Attribute Exchange. in UK e-Science All Hands Meeting. 2005. Nottingham, England: NeSC.
[4]. Sinnott, R.O., et al. Advanced Security for Virtual Organizations: The Pros and Cons of Centralized vs Decentralized Security Models. in 8th IEEE International Symposium on Cluster Computing and the Grid. 2008. Lyon, France: IEEE Computer Society.
[5]. Chadwick, D.W., A. Otenko, and E. Ball. Role-Based Access Control With X.509 Attribute Certificates. in IEEE Internet Computing. April 2003: IEEE.
[6]. Lang, B., et al., Attribute Based Access Control for Grid Computing. 2006.
[7]. Stell, A.J., R.O. Sinnott, and D.J.P. Watt. Comparison of Advanced Authorisation Infrastructures for Grid Computing. in 19th International Symposium on High Performance Computing Systems and Applications. 2005: IEEE Computer Society.
[8]. Housley, R. and T. Polk, Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure. 2001, Wiley Computer Publishing.
[9]. Chadwick, D.W. and O. Otenko. The PERMIS X.509 Role Based Privilege Management Infrastructure. in ACM Symposium on Access Control Models and Technologies (SACMAT '02). 2003: ACM Press.
[10]. Alfieri, R., et al., VOMS, an Authorization System for Virtual Organizations. 2004, Springer Berlin / Heidelberg.
[11]. Anderson, A., SAML 2.0 profile of XACML. 2004, Sun Microsystems.
[12]. Lorch, M., S. Procter, and R. Lepro. First Experiences Using XACML for Access Control in Distributed Systems. in ACM Workshop on XML Security. 2003.
[13]. Internet2. Internet Shibboleth Technology. 2009 [cited 2009]; Available from: http://shibboleth.internet2.edu/.
[14]. Pearlman, L., et al. A Community Authorization Service for Group Collaboration. in Policies for Distributed Systems and Networks, 2002. Proceedings. Third International Workshop. 2002. Monterey, CA, USA: IEEE Computer Society.
[15]. Kerberos: The Network Authentication Protocol. [cited]; Available from: http://web.mit.edu/Kerberos/.
[16]. Globus Grid Security Infrastructure (GSI). [cited]; Available from: http://www-unix.globus.org/toolkit/docs/4.0/security/openssh/.
[17]. Chao, K.-M., et al., Analysis of Grid Service Composition with BPEL4WS, in 18th International Conference on Advanced Information Networking and Applications (AINA 2004). 2004, IEEE. p. 284-289.
[18]. Amnuaykanjanasin, P. and N. Nupairoj. The BPEL Orchestrating Framework for Secured Grid Services. in Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05). 2005: IEEE Computer Society.
[19]. Dörnemann, T., et al. Grid Workflow Modelling Using Grid-Specific BPEL Extensions. in Proceedings of German e-Science Conference 2007.
[20]. The Globus Security Team, Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective. July 29, 2005.
[21]. Wibisono, A., et al., WS-VLAM: A GT4 Based Workflow Management System. Lecture Notes in Computer Science, 2007. 4489/2007: p. 191-198.
[22]. Taverna project website. [cited]; Available from: http://taverna.sourceforge.net/.
[23]. Lang, B., et al., A Multipolicy Authorization Framework for Grid Security. 2006, Argonne National Laboratory.
[24]. Depression Alliance Scotland (DAS). 2009 [cited]; Available from: http://www.dascot.org.
[25]. Choose Life. The national strategy and action plan to prevent suicide in Scotland. 2003 [cited]; Available from: http://www.chooselife.net/Statistics/Overview.asp.
[26]. NHS National Services Scotland. Information Services Division Scotland. 2009 [cited]; Available from: http://www.isdscotland.org.
[27]. World Health Organisation. International Classification of Diseases (ICD). 2003 [cited]; Available from: http://www.who.int/classifications/icd/en/.
[28]. Sinnott, R.O. and S. Hussain. Architectural Design Patterns for Security-oriented Workflows in the Social Science Domain. in Fifth International Conference on e-Social Science. 24-26 June 2009. Cologne, Germany.
[29]. Stell, A., et al., Designing Privacy for Scalable Electronic Healthcare Linkage, in 2009 International Conference on Computational Science and Engineering. 2009.
[30]. Sinnott, R.O., D. Chadwick, T. Doherty, D. Martin, A. Stell, G. Stewart, L. Su, and J. Watt. Advanced Security for Virtual Organizations: Exploring the Pros and Cons of Centralized vs Decentralized Security Models. in 8th IEEE Symposium on Cluster Computing and the Grid (CCGrid 2008). May 2008. Lyon, France.
[31]. Sinnott, R.O., A.J. Stell, and J. Watt. Dynamic Privilege Management Infrastructures Utilising Secure Attribute Exchange. in Proceedings of UK e-Science All Hands Meeting. September 2005. Nottingham, England.
[32]. Watt, J., R.O. Sinnott, J. Jiang, G. Stewart, A. Stell, D. Martin, and T. Doherty. Federated Authentication and Authorisation for e-Science. in Proceedings of APAC 2007 Conference. September 2007. Perth, Australia.
