SOA Technology Briefing
MITRE, McLean, VA October 2006
Comparing USPS PostalOne, NIH eReceipts and Amazon.com for eGov and SOA
Dr. Alan Harbitter
David RR Webber
2
Overview
Nortel Government Solutions (NGS) staff has implemented two widely differing solutions for high visibility e-Government systems.
How do these two approaches compare and contrast and what are the lessons learned compared to a commercial approach such as Amazon.com?
Special Focus - eGovernment Security aspects
Q&A
3
Quick History
Notion of using Internet to securely exchange business information
XML started in 1997
B2B work on XML/edi and ebXML
ebXML specification – May 11th, 2001
Web services – started 2000 as ‘quick fix’
WSDL and XSD developed by W3C
Web services used by Amazon and eBay
Marketing of SOA emerges
4
What exactly is SOA?
SOA still very much dependent on the focus of the advocate
Some commonly accepted wisdoms
Using internet TCP/IP based exchanges
Both “real time” and “batch” services
Need registry to manage content / services
Robust Security and Authentication
Partner profiles - MoU, roles, context
Rule based business information handling
Business process formalization
5
CIO’s perception of SOA Today
Independent of underlying technology
A general model for offering computing and information services in large, loosely coupled, highly distributed environment.
The standardized and probably most widely associated implementation technology is web services
But many look to implement SOA with specific vendor legacy technologies e.g. IBM MQ series, BEA, Oracle, SAP, etc
6
Where is SOA Today?
Many camps of vendor driven interests
WS-I, W3C, OMG, OASIS, more
Many components as open specifications
Marketplace still sorting out winners and losers of key components
security, registry, messaging, transactions, business process
Loose coupling – concept but not reality
Poor understanding of applicability of B2B batch delivery – push / pull / staged
7
Quick look - what exactly is SOA?
Using Amazon web services
Contrast and compare simple web service model to SOA requirements
Web Services – Amazon AWS
(TALKING POINTS)
Rapid deployment
Simplicity of Content
Transient value-less content
Security / Role / Access?
Legal position
Degrading content at peak times
Agility / loose coupling
8
NIH eRECEIPTS & USPS POSTALONE
9
NIH Grants Management
NIH issues billions of dollars in grant awards to investigators worldwide annually
Receives 70,000+ research and training grant applications
Handling 20,000,000+ pages of paper
To electronically receive, verify and accept ALL Research/Research related Grant Applications
Securely manage each step of the process
10
Grant Applications Process and EERP
End-to-End Resource Planning
[Figure: process stages Posting, Submission, Evaluation, Award, Tracking, Outcomes, KM / Research, Budget]
[Figure labels: Grant Opportunities ($4B+ annually); Submissions (Templates + XML); Grantor Org; Delivery; NIH; Agency; Verification, Validation, Notification; Grantee Review & Sign-off; Peer review, Evaluation; KM; Award Management; Security: Role, Policy, Access]
11
NIH Exchange - Design Goals
Automated registration of participants
Ability to self-certify exchange transactions
Version control and ability to approve partners
Centralized registry for participant management
Alignment of policy and security
Declared and shared business rule scripting
Integration through messaging services
Backend application integration services
Uses open public specifications and open source
12
NIH Partner Services Architecture Vision
13
NIH Layered Deployment Model
14
PostalOne!® – Web-Based Enterprise Application
To electronically verify and accept ALL Business Mailings nationwide
30,000+ users
$32 Billion in annual revenue collection for USPS
100,000+ transactions per day
Mission Critical application for USPS
15
PostalOne!® – Current Web Services Implementation
USPS Appointment Scheduling Application (FAST)
PostalOne! (Scheduling Gateway)
User Authentication & Authorization
IBM WebSphere MQ
Business Mailers
Appointment Scheduling Request/Response via Web Services
USPS Appointment Scheduling Business process
PostalOne! (Postage Wizard Web Service)
Business Mailers
Electronic Documentation & Payment via Web Services
USPS Electronic Postage Statement Submission Business process
16
PostalOne!® – A Service Oriented Architecture Approach
17
Security Considerations for Real World SOA Systems
Dr. Alan Harbitter, CTO, Nortel Government Solutions
18
High-level Thoughts on Security and SOA
Probably the number one paranoia in SOA pilot-to-production transition is security—and rightly so.
SOA (web services), is generally thought of as service producer-to-consumer, not system-to-user. But security has to be user-focused.
The mechanisms suggested by many of the standards assume a security infrastructure is already in place beyond the “as-is.”
The ROI for SOA is based on applications, so that’s how an organization is likely to start
But security should be institutionalized—beyond single applications.
19
Security Services Requirements
Confidentiality: Services and information provided are not accessible to unauthorized parties; traffic patterns do not provide a “covert channel”
Integrity: Service and information provided is not inappropriately modified
Availability: Service is reliably provided at advertised hours
Authentication: Server, Service, User
Non-repudiation: Parties exchanging information can be positively identified and can not deny providing or receiving services
20
Very Basic Security
[Figure: a Government data repository and a Stakeholder data repository, each with a Registry of Services, exchanging over Internet or Intranet SOA Transport Protocols with SSL at each end. Callouts: “I have info you might be interested in!” and “So do I!”]
Authentication at user level is typically handled by the application
SSL covers confidentiality and service authentication
21
How well does SSL support requirements?
Confidentiality: Secret key and symmetric algorithm are negotiated for the session
Integrity: MAC can be negotiated into the session
Availability: Not specifically addressed, requires at least normal DDoS precautions and an application-aware firewall
IA&A (Identification, Authentication, Authorization): Typically, SSL handles the server/service level (application handles the user level)
Non-repudiation: Inherent in the session, but can not be shown later
Attack resilience: Whatever is in place for enterprise websites
22
Functionally, what’s missing?
Fine grained confidentiality
Under SSL, the entire session is encrypted
In wide scale information sharing applications, subset of provided information may have unique security characteristics (e.g., HIPAA data)
Institutional representation of the user
Doesn’t provide IA&A beyond the first application
23
What else is missing?
Non-repudiation is limited to the duration of the session (or application based)
Limited persistent security associations
There is no enterprise-wide statement and enforcement of policy
Security is dependent upon the organizational dynamic between application developers and infrastructure managers
Protection mechanisms befitting a mission critical application
24
A Universe of Standards
WS-Security: Framework for building security protocols
WS-Policy: Policy assertions
WS-Trust: Defines how to broker trust relationships
WS-Privacy: a model for how a privacy language may be embedded into WS-Policy descriptions and how WS-Security may be used to associate privacy claims with a message
WS-SecureConversation: Allows participants to establish a shared context
WS-Federation: Single sign on and attribute service
WS-Authorization: will describe how to manage authorization data and authorization policies.
[Figure: WS-Security Specifications layered on a SOAP Foundation: WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Federation, WS-Authorization]
25
The SOA-enabled Security Infrastructure
In the context of SOA-based secure information sharing in the public sector justice community
[Figure labels: Nationwide Sensitive But Unclassified (SBU) Backbone; Federal Networks; State, Local & Regional Networks; Identity Server; Certificate Authority; Local Authentication & Auditing; Service Consumers; Service Provider; Application-aware Firewalls]
26
Work for Government Implementers
For service owners, focus on application-specific details (where the devil is)
XML-based expression of identity, attributes, and privileges
Subject matter specific privacy tags
For infrastructure owners, focus on building the SOA-enabled infrastructure
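An added example, not from the original slides: the “fine grained confidentiality” gap and the “subject matter specific privacy tags” item, implemented as element-level release filtering at the service, on top of whatever SSL already does for the whole session. The element names, the `privacy` attribute and the consumer profiles are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element names and the "privacy" attribute are
# assumptions for illustration, not a format defined in the slides.
SAMPLE = """<grantApplication id="constructed-001">
  <title>Constructed study title</title>
  <investigator privacy="PII">
    <name>Jane Example</name>
    <ssn privacy="PII-SENSITIVE">000-00-0000</ssn>
  </investigator>
  <subjectData privacy="HIPAA"><diagnosis>constructed</diagnosis></subjectData>
  <budget>100000</budget>
</grantApplication>"""

# Hypothetical consumer profiles: the privacy tags each identity may read.
CONSUMERS = {
    "peer-reviewer": {"PII"},
    "privacy-officer": {"PII", "PII-SENSITIVE", "HIPAA"},
    "public-portal": set(),
}

def redact(xml_text, cleared):
    """Return (filtered_xml, withheld) for a set of cleared privacy tags.

    Untagged elements are released. A tagged element is withheld with its
    whole subtree unless its tag is cleared, so a sensitive child can never
    be released through a parent the consumer may not see.
    """
    # For untrusted input, parse with a hardened XML parser instead.
    root = ET.fromstring(xml_text)
    withheld = []  # (path, tag) pairs, suitable for an audit log

    def walk(parent, path):
        for child in list(parent):  # copy: we remove while iterating
            child_path = f"{path}/{child.tag}"
            tag = child.get("privacy")
            if tag is not None and tag not in cleared:
                parent.remove(child)
                withheld.append((child_path, tag))
            else:
                walk(child, child_path)

    walk(root, root.tag)
    return ET.tostring(root, encoding="unicode"), withheld

def view_for(consumer_id, xml_text=SAMPLE):
    # Unknown identities get no clearances (deny by default).
    return redact(xml_text, CONSUMERS.get(consumer_id, set()))
```

The `withheld` list records what was held back from each consumer, which gives the service owner a per-message record that outlives the transport session.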
27
SUMMARY
28
Lessons Learned
Providing self-service facilities is key to rapid adoption
Infrastructure exists today off-the-shelf to create pre-built templates for industry domains
Using open specifications allows integration into a wide range of environments
Open source solutions allow partners to readily obtain technology
Use of partner id concept to manage partners and versioning interchanges
29
Challenges / Opportunities Today
Exposing synchronous and asynchronous interfacing to control content access
Open source solution components to allow unrestricted integration by partners
Leveraging loose coupling of web services
Combining best-of-breed solution with both ebXML and Web services working together as formal model (e.g. Oracle SOA 10g v3 upgrade)
Industry best-practices and lessons learned (who has solved similar needs?)
30
SOA – Future Challenges
As the marketplace matures, customers will demand core enabling components and features
Trend continuing toward services as solution not software (that’s good for services providers like us!)
Supporting complex infrastructure demands – such as ERP and BAM – will need robust rule-based solutions and tools
Integration with cool new desktop tools and services (Microsoft & Nortel)
Q & A
Discussion
Nortel Government Solutions
For more information
Visit our Website:
http://www.nortelgov.com
32
Acronym Soup
WSDL – web service description language
SOAP – simple object access protocol
ebXML – e-Business XML
REST – Representational State Transfer – http-based exchanges
XSD – XML Schema (structure / layout) Definition
XML – eXtensible Markup Language
W3C – World Wide Web consortium
B2B – business to business
MoU – Memorandum of Understanding
TCP/IP – internet communications syntax
33
Project and Technology Resources
NIH eRA Project site – http://era.nih.gov
NIH S2S Resources site - http://era.nih.gov/ElectronicReceipt/
Commons online site – https://commons.era.nih.gov/commons/
Grants.gov online site – http://www.grants.gov/
34
Technology Resources
www.oasis-open.org
www.ebxml.org
www.freebXML.org
www.ebxmlforum.org
www.apache.org