Secure Grid Services for Cooperative Work in Medicine and Life Science Anette Weisbecker, Fraunhofer IAO, Stuttgart International Symposium on Grid Computing – Taipei, 11 th April 2008
Overview � MediGRID Application Classes and Applications � Security in MediGRID � Services@MediGRID � Service Engineering � Role and Business Models
Reasons for Grids in Life Sciences – Increasing Data: � Genomic diagnostics � Dynamic biosignal recording � High-quality diagnostic imaging � Clinical documentation � Life Course Data; 10-20 PByte / Year / University Hospital � high performance research methods are necessary – Service oriented Approaches: � Change from closed systems to services � Medical research and health care based on the same data sources � Traditional Compute Center Structures will change : � Purchase of services for medical research and health care � Cooperative research based on collaboration platforms � Grid and SOA has came together � Reseacher are customers of service providers � Quality of Services and billing are essential
MediGRID Application Classes with their Applications Bioinformatics – Genome Sequence Analysis (Augustus/Agrippa) – Single nucleotide polymorphisms selection (SNPSelection) – Ribonucleic acid interference screening (RNAi) – Sequence correlation (SequCorr) Medical Image Processing – 3D Prostate Biopsy (USI) – Statistical Analysis of Functional Brain Images (fMRI) – Virtual Vascular Surgery (VirtSurgery) Clinical Research – QRS analyses of sleep electrocardiograms (ECGs) (CR-QRS) Ontologies – Biomedical ontologies – Integration of different ontologies with heterogeneous formats – D-Grid ontology
MediGRID and its Applications Bioinformatics Augustus Agrippa SequCorr SNPselect Berlin MediGRID core site being part of D-Grid Medical Image Processing Göttingen USI Leipzig Dresden Portal fMRI VirtSurgery D-Grid core site Clinical Research Karlsruhe CR-QRS
Specific Requirements in MediGRID – Highest requirements on data protection and privacy (patient data, data from biosamples, genome data) – The data basis is relatively inhomogenious as the standardization of data formats (e.g. in medical imaging or clinical studies) is so far not very advanced. Lack of semantic interoperability. – Virtualisation for grid resources – Heterogenouse User Community which needs user friendly interfaces for the usage of grid services MediGRID users and their main tasks: � Doctor (looking for data, providing data, processing data) � Assistant Medical Technician (providing data) � Researcher doing bioinformatics (processing data) � Researcher doing clinical studies (processing data) � Radiologist (providing and processing data – e.g. mammograms -> medical image processing) � etc.
MediGRID User MediGRID Developer MediGRID Admin Grid Certificate Medical Image Bioinformatics MediGRID Portal Processing Credential Management Clinical Research Ontology Application Portlets File Browser StandardGrid Portlets Resource Monitoring Workflow D-GRDL Metadata D-GRDL Metadata Resource Management Creation Management Management MediGRID-specific Services Administration Services Grid Grid Certificate MediGRID User Certificate MediGRID CLI CLI MediGRID Developer Admin Applications
Secure Access to MediGRID identify against MediGRID Registration User Authority request account MediGRID Guest mail registration link sign request request certificate Certification issue certificate login Authority User Certificate MediGRID Portal request VO Membership VO Manager limited guest grant VO Membership in VOMRS grid use add user to whitelist MediGRID Service Application User Certificate Services, Whitelist Resources, etc. <DN> <role> <DN> <role> Upload Proxy … (Validation: 7 days) MyProxy Server login (Proxy Certificate Guest-User Registration Database) create account authorization MediGRID Portal Standard-User Registration retrieve Credential MediGRID grid use Application User according to Services, Credential granted role Resources, etc. Validation: 2h
Credential Upload to the Grid Grid Gri MediGRID Applicat Application ion User er PC PC 4. Portal Portal Portlets Portlets 1. Grid Proxy id Proxy Upload Upload Tool Tool Gr Grid id Portal rtal certificat certif cate Cred eden entials 2. Lifet Lifetime me: 2 2 years years Lifeti Li time : 2 : 2 hours rs 3. Pro Proxy y Lifetime : 7 Lifetime : 7 days ys MyProxy Server MyProx y Server Grid Resources and Applications id Resources and Applications Advantage: Grid users do not 1. Portal authentication and download of proxy upload tool via Java Webstart need direct access to a Grid node / 2. Creation of certificate proxy and upload to the MyProxy Server no middleware 3. Creation of credentials via Credential Management Portlet installation required 4. Usage of portal applications that require credential-based authorization
Credential Upload to the Grid
Certificate based portal login Situation so far: – Gridsphere login with username/password � users need to keep passwords in mind � only medium security as passwords can be spied, guessed or cracked Fraunhofer IAO solution: – Certificate based login with browser certificate � User needs to keep Portal detects I D certificate anyway from certificate DN for Grid A&A � cannot forget password � higher security level as it is much more difficult to steal the private key � DN-based self-registration One Click login at portal is possible
Automatic VO-based Portal User Management Situation so far: – Users register at Virtual Organisation (VO) – Resource Providers can automatically create accounts and user mappings using the Grid Resource Registration Service (in D-Grid) – Portal accounts need to be created separately (by hand) Fraunhofer IAO solution: – similar to resource account management – portal retrieves VOMRS data for VO � user DN / VO membership / group membership – portal accounts created automatically – advantage: user management in only one place (i.e. VOMRS) -> grid-wide consistency
Service Certificates – Certificates are necessary for job submission to distributed resource and execution. – Guest user don‘t have certificates. – The E-Mail adress of the guest user is known and verified. Thus each user has a unique ID which is attached as job parameter. – Application services act on behalf of the users. – Solution: services certificates
Data Protection and Data Security Data Protection Issues within in MediGRID: – Multi-Level Pseudonymization – Strict separation between IDAT (identification data) and MDAT (medical data) by means of – Central Pseudonymization Service separate databases – Re-Allocation only possible for clinical sites providing data for analysis Recoding Sites of polysomnographic data in the sleep disorders centre Network-Switch Central (De-) Pseudonymization Service NO DIRECT CONNECTION!!! PatID PSN Firewall Grid-enabled Research PSN PatID Database Database for Hospital Information PSN = Identifier polysomnographic System (KIS) storing recordings (INTRANET) PatID + IDAT PatID = Identifier Concept from: Reng CM, Debold P, Specker Ch, Pommerening K. Generische Lösungen zum Datenschutz für die Forschungsnetze in der WAN-Connection Medizin. Medizinisch Wissenschaftliche Verlagsgesellschaft, 2006. Source: Drepper J, Semler SC, Mohammed Y, Sax U. Aktuelle Themen des Datenschutzes und der Datensicherheit in der biomedizinischen Forschung. In: Sax U, Mohammed Y, Viezens F, Rienhoff O, editors. Grid-Computing in der biomedizinischen Forschung - Datenschutz und Datensicherheit. München: Urban&Vogel, 2006: 25-36.
Services@MediGRID: verticale service grid for biomedical research Service Service Customer Customer Partners and Applications provider provider MediGRID Vertical Services MediGRID Vertical Services Genom- Genom- BTS EVOTEC BTS EVOTEC BTS BTS – SFB 680 (University of Cologne): Browser Browser c.a.r.u.s c.a.r.u.s HCS HCS Moleculare Basis of Evolutionary Innovations MoBi MoBi Mikro- Mikro- InVitro- InVitro- SFB SFB gen gen 680 680 Tec Tec skopie skopie – University of Heidelberg (KIP), MoBiTec, Invitrogen: Molecular and cell biology – University of Heidelberg / Rotterdam: Services (WSRF) Services (WSRF) Genome Browser Portal (GridSphere) Portal (GridSphere) Middleware and Resource fusion Middleware and Resource fusion – Bayer Technology Services: in MediGRID in MediGRID Identification of dynamic models of biological systems D-Grid D-Grid – University of Kiel / c.a.r.u.s / European Services@MediGRID MediGRID Screening Port: volume oriented billing of genetic and high- Haplotype: genetic constitution of a throughput screening analysis chromosome Phenotype: any observed quality of an organism
Recommend
More recommend
