COmanage Developers List

["Christopher J. Hubing" <>]

On Mon, 28 Apr 2008, Scotty Logan wrote:

> On Apr 28, 2008, at 3:43 PM, Heather Flanagan wrote:
> > As we're moving forward with comanage, a few nifty questions have come up 
> > both in specific for one of our use-cases (OOI) and in general for 
> > comanage.
> >
> > 1 - Does OOI want to run comanage internally, or do they want to be able to 
> > go somewhere for this?
> > ** I suggest that any VO that wants to use comanage should have at least 
> > one of their institutions hosting the service.  I think there would be 
> > issues in terms of branding of the service and resources being used at an 
> > institution not part of the VO that makes the hosting model less than 
> > ideal.  Other thoughts?
>
> Serendipitously, OOI wants to run CoManage as a virtual machine on their own 
> servers.
>
> Since we didn't get funding to run a service center, and since I2 probably 
> doesn't have the resources to run one, I think it's up to VOs to find a place 
> to run their CoManage instance(s) - either at a participating institution, on 
> the VOs own servers, or at some other provider (who's up for priming Amazon 
> EC2 with a CoManage image when it's ready?)

We're game for the EC2 experiment.... we should receive our account info 
soon and I thought this would be a great application for it. We can pop 
it into Incommon fed. I'll send a note out when this comes to fruition.


> > 2 - Given the interest in Confluence as one of the possible wikis, what do 
> > we need from Altassian to roll Confluence in to the appliance that is 
> > comanage?
> > ** My biggest worry here is what kind of blessings would we need to roll 
> > Confluence in to a virtual appliance?  How would the licensing work?
>
> It looks like you can strip the license from Confluence, so the question is 
> really about (re)distribution rights.  Ken is going to check with Steven 
> Carmody, since Steven is already working with Atlassian on general 
> Shibbification.
>
> There might be a fairly straightforward way around the distribution 
> issue: we just make CoManage download a specific EAR/WAR tarball from 
> Atlassian, then munge its configuration as needed.
>
> > 3 - Given that comanage is targeting researchers, how do we need to handle 
> > the security issues for the data?  (See FISMA)
> > ** One take on this is that the hosting institution needs to handle 
> > security, but we may be ready/willing/able to do more in this area.  It's 
> > certainly something to talk about!  What do you all think?
>
>
> IANAL, but it's not clear that researchers will need to be "FISMA compliant". 
> From http://www.sunysb.edu/research/resnew/resnew080212.html:
> > Given the nature of the relationship between the NIH and its grantees 
> > (which differs from a contractual relationship), the question arose as to 
> > whether data collected in the course of NIH-funded research through grants 
> > and cooperative agreements fall under the FISMA regulations.  The 
> > applicability of FISMA to grantees funded by the Department of Health and 
> > Human Services (including the NIH) has been addressed by the HHS Chief 
> > Information Security Officer in an October 29 memo clarifying federal 
> > regulations governing the management and protection of the data the federal 
> > government collects for grants.
> >
> > The memo states that:
> >
> > > FISMA (Federal Information Security Management Act) applies to grantees 
> > > only when they collect, store, process, transmit or use information on 
> > > behalf of HHS or any of its component organizations.
> > >
> > > In all other cases, FISMA is not applicable to recipients of grants, 
> > > including cooperative agreements with grantees. The grantee retains the 
> > > original data and intellectual property, and is responsible for the 
> > > security of this data, subject to all applicable laws protecting security, 
> > > privacy and research. If and when information collected by a grantee is 
> > > provided to HHS, responsibility for the protection of the HHS copy of the 
> > > information is transferred to HHS and it becomes the agency’s 
> > > responsibility to protect that information and any derivative copies as 
> > > required by FISMA.
> Another take is that researchers don't keep that information "inside" 
> CoManage.  They can keep that data, and the apps that they use to access the 
> data, on a separate server running a Shibboleth SP in a bilateral
> configuration with their CoManage IdP.
>
> Either way, we still need to provide some security documentation with / for 
> CoManage.
>
> Scotty
>
> --
> Scotty Logan

______________________________________________________________________
Christopher J. Hubing                Information Technology Services

                          Emerging Technologies
+1 814 865 8772                      Pennsylvania State University
http://www.personal.psu.edu/cjh