European Life Sciences Infrastructure for Biological Information ELIXIR and Identity Management 2 nd Workshop on Federated Identity Systems for Scientific Collaboration STFC Rutherford Appleton Laboratory, Harwell Wednesday 2 November, 2011 Andrew Lyall, PhD

ELIXIR : Europe’s emerging infrastructure for biological information AIM – To build a sustainable European infrastructure for biological information, supporting life science research and its translation to medicine, the environment, the bio- industries and society. Services: Management of Europe’s growing volume and variety of biological data which are heterogeneous, complex and heavily linked Interaction with and support for data in other ESFRI projects in medicine, agriculture and environment. Biological domain expertise Computer Tools Infrastructure Computational infrastructure Training centres for users of ELIXIR. Industry translational services 3 million users growing to 10 million in 2020 Petabytes now growing to exabytes in 2020

Life sciences Medicine Agriculture Pharmaceuticals Biotechnology Environment Bio-fuels Cosmaceuticals Neutraceuticals Consumer products Personal genomes Etc… Comprehensive, universal, integrated…

ELIXIR: Requirements for access control The Human Genome belongs to the Human Race and must be freely available to everyone without any authentication Access to personally identifiable data is a political and societal problem and will require special measures, including authorisation, certification and authentication

European Genome-Phenome Archive (EGA) Stores data collected for investigations involving variants of genes that may be of clinical significance including information about participants who are potentially identifiable Primary archive for research data that is not for public distribution – all data must be de-identified and must be handled and utilized in accordance with the specific informed consent associated with them Controlled access to the data – distributed access policy – access granted by a Data Access Committee (DAC): currently 20+ – data release policy: data access application and data access agreement – any attempt to re-identify is specifically prohibited EGA supports only data access decisions that are based on original consent – authorized users have personal accounts in our system – access to the data requires account password – data decryption requires a separate key that must be requested and is sent off line

Data Access Committees grant access to EGA

EGA Security Infrastructure Schematic 7 Authentication of FTP clients is inherently insecure; we may have to require FTPS compliant clients (RFC 4217)RFC 4217 Secure Server EGA provides archival encryption key and file path in the archive. This requires a secure API to facilitate access into the EGA master database EGA secure layer (3) EGA secure layer FTP Client Request for whole file for download (with username/ password) (1) EGA verifies user and provides list of authorized list of files. (2) (4) Requested BAM data decrypted, and re-encrypted using client key (5) Secure Server responds to FTP requests directly; FTP client downloads the custom-encrypted file EGA Security Infrastructure Schematic

Thank you for your attention... Next: Steps towards IDF – bio-SP pilot Tommi Nyrönen CSC (NCP for ELIXIR Finland)

Recommendations from IRISC 2011 Helsinki IDFs should pay attention to outreach activities among the biological service providers and infrastructures – Raising overall awareness of technical and non-technical issues – Increase coordination in – largely unconnected – community Attribute release to bio SP’s should be easy, and SP’s should not need to contact individual IdP’s to get attributes Encourage federations to adopt a “zero-cost” funding model for academic service providers Pilot use case on federated access management could be established with biomedical data provider together with EGA, eduGAIN and relevant IDFs and e-Infrastructures

Data produced from national biobank collections (BBMRI) will require restricted secure access management Integration of this data with fully open access (ELIXIR) reference data is needed – data processing and interpretation e.g. cancer diagnostics Federated identity management e-Infrastructure can support biomedical data services achieve this – National identity federations and eduGAIN service for correctly identifying academic data access applicants – Common ways for management of authenticated users' entitlements to data and IT resource access – Automating a process for granting access to biomedical data sets with data owners like ethical committees – Pilot preparations are ongoing Steps towards IDF use case

Everything should interoperate without forgetting …