Web Services and SOA for Secure Information Infrastructure - PowerPoint PPT Presentation

1
Web Services and SOA for Secure Information
Infrastructure
  • 2005 Secure E-Business CxO Security Summit
  • Roadmaps for Secure Information Sharing and
    Critical Information Infrastructure
  • Solutions Roadmap Track, June 30th, 10:30-11:30
    a.m.
  • Panelist: Brand Niemann, Chair, Semantic
    Interoperability Community of Practice (SICoP)
  • Best Practices Committee (BPC), CIO Council, and
  • Enterprise Architecture Team, Office of
    Environmental Information
  • U.S. Environmental Protection Agency

2
My Context
  • Web Services
  • XML for the data and for the messages.
  • SOA
  • The IBM model for Web Services interactions
    simply summarized as publish, find, and bind.
  • Secure Information Sharing
  • The Federal Enterprise Architecture's Data
    Reference Model.
  • Critical Information Infrastructure
  • The Federal Enterprise Architecture's Security
    and Privacy Profile and the new IT Security Line
    of Business.
  • Best Practices and Lessons Learned
  • What I do in my SICoP Leadership and EPA
    Enterprise Architecture Team roles.

3
Questions
  • 1. Why is SOA superior?
  • Uses open standards for services, not objects, on
    the Internet. See next slide.
  • 2. Early Successes?
  • Led CIO Council award-winning VoiceXML Web
    Service for EPA Emergency Response pilot that has
    subsequently been commercialized and implemented
    as Infrastructure.
  • 3. Data Governance?
  • Using the ontology paradigm for collaboration and
    commitments.
  • 4. Involve Vendor Community?
  • Fostering open collaboration with open
    standards in pilots for the Federal CIO Council,
    the Federal Enterprise Architecture, and Agencies
    (U.S. EPA).
  • 5. Vendor Opportunities?
  • Delivering citizen-centric services with
    ontology-based interoperability using
    public-private partnerships.

4
SOA in a Nutshell
  • Think services, not objects.
  • The services are defined in XML, unlike objects,
    which are defined by classes.
  • Creating a pure SOA environment will take a long
    time; it may never happen.
  • The initial task is to create service-oriented
    applications; SOA grows out of this!
  • A service and its client may not belong to the
    same security domain.
  • An object and its client typically do.
  • Manage Expectations.
  • Reuse, security, and organizational issues are
    hard
  • Work Toward Business Process Management (BPM) and
    Aggregating Services.
  • SOA is a means to these ends.

5
SOA in a Nutshell
  • The "Big Bet"
  • Has anyone ever tried to create a complete,
    multi-vendor security framework before? Will this
    work? Keep an eye on the progress of WS-Security
    implementations - The success of SOA may depend
    on this technology.
  • Source: David Chappell, Federal Architect
    Council, April 8, 2004, and May 11, 2005.
  • Panel Preparation Discussions
  • Greg Lomow (Bearing Point) is working on a
    multi-vendor security SOA framework for DHS. That
    is the only one I know of this magnitude. Note:
    Greg Lomow is co-author with Eric Newcomer of the
    book Understanding SOA with Web Services,
    Addison-Wesley, 2005.
  • Source: J.P. Morgenthal, Managing Director,
    Ethink Systems, Inc.

6
Some Conference Highlights
  • ESRI ArcGIS Enterprise Security White Paper
  • E.g. STRIDE (p. 4), Web Services Architecture (p.
    29), WS-Security (p. 34), WS-Enhancements (p.
    35), and Trust (p. 43).
  • Praise for NIST Staff and Documents (Several).
  • Test Software Components for Security, Develop
    Secure Operating Systems, and Work with Vendors
    to Build in Security.
  • Need Ontologies (John Weiler).
  • Need Knowledge Management: A Practical Solution
    for Emerging Global Security Requirements (Dr.
    Charlie Bixler).
  • How to Share and Exchange Secure Information When
    You Can't Afford to Own the Infrastructure?
    (General Meyerrose)

7
Integration Versus Interoperability
  • Integration
  • Participant systems are assimilated into a larger
    whole
  • Systems must conform to a specific way of doing
    things
  • Connections (physical and logical) are brittle
  • Rules are programmed in custom code, functions,
    or scripts
  • Standard data vocabularies are encouraged
  • Interoperability
  • Participant systems remain autonomous and
    independent
  • Systems may share information without strict
    standards conformance
  • Connections (physical and logical) are loosely
    coupled
  • Rules are modeled in schemas, domain models, and
    mappings
  • Local data vocabularies are encouraged

Source: Semantic Information Interoperability in
Adaptive Information, by Jeffrey Pollock and
Ralph Hodgson, Wiley Inter-Science, 2004, page 38.

8
Suggested Roadmap
  • Dimensions of Interoperability
  • Organizational Interoperability is about
    streamlining administrative processes and
    information architecture to the institutional
    goals we want to achieve and to facilitate the
    interplay of technical and organizational
    concerns. It requires the identification of
    business interfaces, and coordination
    throughout Member States and the European Union.
  • Technical Interoperability is about knitting
    together IT-systems and software, defining and
    using open interfaces, standards, and protocols.
    It relies on cooperation as well as on technical
    infrastructures.
  • Semantic Interoperability is about ensuring that
    the meaning of the information we exchange is
    contained and understood by the involved people,
    applications, and institutions. It needs the
    know-how of sector institutions and publication
    of specifications.

Source: Barbara Held, The European
Interoperability Framework for pan-European
eGovernment Services, IDABC, Enterprise and
Industry Directorate-General, European
Commission, February 17-18, 2005

9
Suggested Roadmap
  • Evolution of the SOA Platform
  • Simple Web Services: exposing data and actions
  • Composite Applications: business processes
    consumed by portals
  • Service Infrastructure

Sources: (1) David Chappell, Business Process
Management in a Service-Oriented World, Federal
Architect Forum, May 11, 2005, (2) Bruce Graham,
Taking SOA from Pilot to Production with Service
Infrastructure, May 12, 2005, and (3) David
Martin, Semantic Web Services: Promise, Progress,
and Challenges, SWANS Conference Tutorial, April
8, 2005.

10
Suggested Roadmap
[Figure: "Line of Sight" chart. One axis, Dimensions of Interoperability: 1 Organizational, 2 Technical, 3 Semantic. Other axis, Evolution of the SOA Platform: Simple, Composite, Infrastructure.]

11
Suggested Roadmap
  • Example 1 - Web Services for E-Government
  • 1. Organizational-Simple
  • Led CIO Council award-winning VoiceXML Web
    Service for EPA Emergency Response pilot that has
    subsequently been commercialized and implemented
    as Infrastructure (see below).
  • 2. Technical-Composite
  • Led the CIO Council's E-Forms for E-Gov Pilot
    that saw 13 E-forms vendors each build an XML Web
    Service using a common XML Schema for E-Grants to
    increase their collective technical
    interoperability with one another.
  • 3. Semantic-Infrastructure
  • Our recent Semantic Web for Military Applications
    Conference featured 40 vendors implementing
    RDF/OWL, including the "Putting Context to Work:
    Semantic Keys to Improve Rapid First Response"
    that used an event ontology to achieve semantic
    interoperability across five vendors.

12
Suggested Roadmap
  • Caution: Be Prepared to Slow Down, Road Work
    Ahead
  • David Martin, SRI International, April 8, 2005:
    Sociological (crossing the chasm): getting to
    where the payoff exceeds the overhead (for
    significant numbers).
  • Rob Vietmeyer, DISA Net-Centric Enterprise
    Services, April 18, 2005: We are two years into
    SOA efforts with only some small pilot tests
    being conducted so far, Federal Computer Week
    story.
  • Russ Reopell, MITRE, Intelligence Community
    Metadata Working Group Meeting, May 4-5, 2005:
    The SOA Threat.
  • SOA Leaders, Building the Business Case for SOA,
    June 9, 2005. (New consortium of XML Web Services
    hardware and software vendors.)

13
Suggested Roadmap
  • Bottom Line
  • 1. Use the Federal Enterprise Architecture
  • Data Reference Model, Security and Privacy
    Profile, and the new IT Security Line of Business.
  • 2. Separate hype from reality
  • Build the business case focusing on business
    process management and aggregating services.
  • 3. Follow a line of sight
  • Semantic Interoperability Architecture (SIA) and
    Infrastructure.
  • Suggested Reading
  • Web Services Platform Architecture, Sanjiva
    Weerawarana, et al, 2005, Prentice Hall.

14
Contact Information
  • Email
  • niemann.brand_at_epa.gov
  • Web Sites
  • http://web-services.gov
  • http://colab.cim3.net/cgi-bin/wiki.pl?SICoP
  • Voice Mail
  • 202-564-9491
  • Location
  • EPA East Building, 1301 Constitution Avenue, NW,
    Washington, DC 20460