Many of your questions will not be solved by defining your technical stack - arguably some of the most difficult issues relate to policy. Regardless of what software you choose, those responsible for your research community will need to be able to show that the following considerations, among others, have been addressed:

• How are members identified, verified and removed from the collaboration? 
• Are all services within the AAI implementing security patches? 
• What will happen when there is a security incident?
• Who has access to user data?

AARC’s Policy guidelines are a compilation of best practices and recommendations that help research and e-Infrastructures to implement scalable and cost-effective policy and operational frameworks for their AARC BPA compliant AAIs. These documents aim to ensure three core capabilities for Research Infrastructures: Operational Security, Trustworthy Membership Management and Data Protection. 

The set of necessary policies has been reviewed in AARC-I082 following several years of experience of running the AARC BPA in practice. This document addresses trust across the entire chain of AAI components and aims to remove difficulties in tracing back any information to its original source. Establishing trust becomes more challenging when it is not possible to see which link in the ‘chain’ asserts which information and how trustworthy that link is.

Practical steps for adopting AARC’s policy recommendations

Please visit the Policy Development Kit.