1. DECIDE DECIDE ( Diagnostic Enhancement of Confidence by an International Distributed Environment ) Valeria Ardizzone Consorzio COMETA (DECIDE Technical Coordinator) IWSG-Life2011, London, 09.06.2011 From neurological research to clinical praxis: a European e-Service to support the early diagnosis of neurodegeneration

2. 2 Outline Project overview Project goals Project e-Infrastructure Science Gateway services deployed Authentication and Authorization (SAML, SSO, IDEM Federation) Robot Certificate Applications and Grid services interfaces within Liferay portlet (JSAGA, REST) Data management service( gLibrary, Secure Storage System) Summary and Conclusion

3. 3 DECIDE at a glance ➡ Submitted to EC Call: FP7-INFRASTRUCTURES-2010-2 – Virtual Research Communities ➡ Started on the 1 st September 2010 ➡ Duration: 24 Months ➡ Requested EC contribution: ~2.4 M€ ➡ GARR provides overall coordination ➡ COMETA does the technical coordination ➡ The DECIDE Scientific Coordinator is the neuGRID Principal Investigator ➡ Involves 13 European Partners + a European network of major reference centers in Neurology, and patient advocate societies all across Europe ➡ All stakeholders involved, from the network layer to end-users

4. 4 DECIDE Partners 1 CONSORTIUM GARR Italy 3 CONSORZIO COMETA Italy Network and GRID Infrastructure Partners 2 CNR 6 UNIVERSITY OF GENOA - UNIGE Italy 7 UNIVERSITY OF FOGGIA - UNIFG Italy 9 MAAT FRANCE - maat G France 10 IMPERIAL COLLEGE– United Kingdom 11 UNIWERSYTET WARSZAWSKI - Poland Application Layer Partners 4 FATEBENEFRATELLI - Italy 5 UNIVERSITY SAN RAFFAELE - Italy 8 FONDAZIONE SDN - Italy 12 CENTRE HOSPITALIER UNIVERSITAIRE DE TOULOUSE - France 13 ALZHEIMER EUROPE - Luxembourg Clinical and Patient Layer Partners A vertical approach to e-Health, targeting the needs of neuroscientists community through the provisioning of an e-Infrastructure aimed at supporting them in the daily execution of the diagnosis.

5. 5 The DECIDE project goals ➡ To provide the Neuroscientific and Medical community with a dedicated e- A Infrastructure ➡ relying on GEANT, EGI and NeuGrid ➡ To deploy a secure and user-friendly service for the early diagnosis and research on dementia and other brain diseases ➡ linking large distributed DBs of multi-modal neuro-images ➡ To validate the e-Infrastructure and the services ➡ with real patients in day-by-day clinical practice ➡ To propose a long-term vision for the sustainability of the infrastructure of the project ➡ and its extension to new communities and pathologies ➡ To disseminate the results and provide training programmes ➡ promoting the adoption of the DECIDE infrastructure and services.

6. 6 DECIDE service architecture

7. Memorandum of Understanding (MoU) A

8. 8 DECIDE Science Gateway Liferay is currently the most used framework to build Science Gateway in the “Grid world” It is fully compliant with the JSR 268 (portlet 2.0) It can be easily combined to build complex and appealing e- collaboration environments. It will allow clinicians to change how they work and grow scientists research activity. http://applications.eu-decide.euhttp://applications.eu-decide.eu/ Requirement : “To ease the access to the distributed computing and storage resources by the largest possible community of (Grid non-expert) clinicians through a set of well defined and domain specific applications.”

9. 9 User Registration Request (http://applications.eu-decide.eu/register)http://applications.eu-decide.eu/register ➡ GrIDP is a catch-all identity federation for Grid users

10. 10 Authentication mechanism

11. 11 The GARR-IDEM Identity Federation (www.idem.garr.it)www.idem.garr.it IDEM figures: 45 IDPs (not only in Italy): 31 in production; 14 in tests; >2,700,000 end users (as of October 2010) ; ~50% of the Italian higher education & research community

12. Authorization and Roles The Scientific Board of DECIDE has decided that a board of people designed grants authorisations. A centralised LDAP server provides the authorisations by associating users with roles so a user can perform on the Science Gateway all the activities designed for the roles he/she is associated with. Different Roles : Users with no expertise: Generic Users, Trainees; Users with expertise: Neurologists, Physicians, Scientists; Others: Data Managers, Trainers Manager; The educational and training programmes of DECIDE will be required as pre- requisite for the authorization to the e-services usage.

13. 13 Applications’ GUI

14. 14 ROBOT certificate The core of the new library is represented by the eTokenServer Java class, a multithreaded server which accepts all the requests coming from a list of authorized clients and manages a list of robot certificates kept in the USB token. SSL protocol is used between Client/Server token

15. 15 Physician workflow Physician Is able to run the analysist. Once the execution will be completed a report is sent by the Grid to the DECIDE service. SE 3 4 1 2 Parameters (Gender, age, etc.) 5 Parameters (Gender, age, etc.) 6 7 + 8 9

16. 16 Data and Metadata Management services 5 The project will design and implement a multimodal imaging repository, to include MRI, PET and EEG datasets and made them available for exploitation to the data analysis software at the basis of the diagnostic/prognostic service. Secure Storage System: a service to manage confidential data. It is the unique system providing these features and compliant with the gLite middleware. gLibrary: gLibrary is one of the first robust solutions and easy-to-use system available to provide access to digital repositories on grid infrastructures.

17. 17 Normals Database Upload workflow Server with Robot SE 1 2 3 5 Secure Storage Keystore 4 6 + Images Metadata

18. 18 Data management: Secure Storage System It provides users with suitable and simple tools to save confidential data in storage elements; It provides encryption/decryption functions and other utility functions; The keystore is a new grid element used to store and retrieve the users’ keys in a secure way; The keystore is installed inside the data owner’s trusted environment; The keystore is not accessible from the external world to guarantee a good security level.

19. 19 Data management: gLibrary Flexibility and exstensibility offered for many cataloguing purposes; Input files can be read from local disks, network shared folders, HTTP/FTP servers, etc. and replicated to one or more SE; Can be manage assets already present on Grid resources, through direct accesso to FC; Fine-grained authorization mechanism is used to set permission: each assets, type and category has a set of ACLS that restricts its usage. Even if at the moment gLibrary is very gLite centric, it can be easily integrated with other storage technologies such or cloud platforms, as far they provides some kind of URL for referring to files and supports common transfer protocols such as HTTP/HTTPS, FTP, GSIFTP and so on.

20. 20 Summary & Conclusion The main difference of the DECIDE Science Gateway with current Grid portal available in other projects is the use of two different security systems linked together by the portal, providing users an easy access to resources without their own certificates. Since users cannot access without Shibboleth and the available services do not provide direct access to resources it is almost impossible for the users perform malicious operation through the portal. Middleware interfaces are exposed to end users through standard portlets embedded in the Liferay container. Grid transactions are secured by proxy certificates created by the robot server. Data management services are used through the Representational State Transfer (REST) functions of the gLibrary and together with the encryption/decryption Secure Storage functionalities: the data confidentiality is guaranteed.

21. 21 Thank you for your kind attention! For further information please contact Laura Leone (laura.leone@garr.it)laura.leone@garr.it (DECIDE project coordinator) and/or visit www.eu-decide.eu