Title: Web Services and SOA for Secure Information Infrastructure
1. Web Services and SOA for Secure Information Infrastructure
- 2005 Secure E-Business CxO Security Summit
- Roadmaps for Secure Information Sharing and Critical Information Infrastructure - Solutions Roadmap Track, June 30th, 10:30-11:30 a.m.
- Panelist: Brand Niemann, Chair, Semantic Interoperability Community of Practice (SICoP) - Best Practices Committee (BPC), CIO Council, and Enterprise Architecture Team, Office of Environmental Information - U.S. Environmental Protection Agency
2. My Context
- Web Services
  - XML for the data and for the messages.
- SOA
  - The IBM model for Web Services interactions, simply summarized as publish, find, and bind.
- Secure Information Sharing
  - The Federal Enterprise Architecture's Data Reference Model.
- Critical Information Infrastructure
  - The Federal Enterprise Architecture's Security and Privacy Profile and the new IT Security Line of Business.
- Best Practices and Lessons Learned
  - What I do in my SICoP leadership and EPA Enterprise Architecture Team roles.
3. Questions
- 1. Why is SOA superior?
  - Uses open standards for services, not objects, on the Internet. See next slide.
- 2. Early successes?
  - Led the CIO Council award-winning VoiceXML Web Service for EPA Emergency Response pilot, which has subsequently been commercialized and implemented as infrastructure.
- 3. Data governance?
  - Using the ontology paradigm for collaboration and commitments.
- 4. Involve the vendor community?
  - Fostering open collaboration with open standards in pilots for the Federal CIO Council, the Federal Enterprise Architecture, and Agencies (U.S. EPA).
- 5. Vendor opportunities?
  - Delivering citizen-centric services with ontology-based interoperability using public-private partnerships.
4. SOA in a Nutshell
- Think services, not objects.
  - The services are defined in XML, unlike objects, which are defined by classes.
- Creating a pure SOA environment will take a long time; it may never happen.
  - The initial task is to create service-oriented applications; SOA grows out of this!
- A service and its client may not belong to the same security domain, so identity, integrity, and confidentiality have to be carried in the message itself rather than assumed from a shared runtime.
  - An object and its client typically do belong to the same security domain.
- Manage expectations.
  - Reuse, security, and organizational issues are hard.
- Work toward Business Process Management (BPM) and aggregating services.
  - SOA is a means to these ends.
5. SOA in a Nutshell
- The "Big Bet"
  - Has anyone ever tried to create a complete, multi-vendor security framework before? Will this work? Keep an eye on the progress of WS-Security implementations; the success of SOA may depend on this technology.
  - Source: David Chappell, Federal Architect Council, April 8, 2004, and May 11, 2005.
- Panel Preparation Discussions
  - Greg Lomow (BearingPoint) is working on a multi-vendor security SOA framework for DHS. That is the only one I know of this magnitude. Note: Greg Lomow is co-author with Eric Newcomer of the book Understanding SOA with Web Services, Addison-Wesley, 2005.
  - Source: J.P. Morgenthal, Managing Director, Ethink Systems, Inc.
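What the cross-domain point on slide 4 and the WS-Security "big bet" above look like on the wire, as an added example that is not from the deck, from EPA, or from any vendor named here: a client in one security domain builds a SOAP request carrying a WS-Security UsernameToken with a PasswordDigest (Base64(SHA-1(nonce + created + password)), per the OASIS WSS UsernameToken Profile 1.0), and a service in another domain verifies it against its own user store, so the password itself never crosses the boundary. The user store, the credentials, the fixed nonce and the 2005 timestamps in `demo()` are constructed for the run; the five-minute freshness window and the nonce cache are the replay defences the profile leaves to the implementer, chosen here as assumptions.

```python
"""WS-Security UsernameToken with PasswordDigest: client build, service verify.

Added example (not the deck's or any vendor's code). Everything in demo() is
constructed: the {username: password} store stands in for the service's directory.
Digest per OASIS WSS UsernameToken Profile 1.0:
    Password_Digest = Base64(SHA-1(nonce + created + password))
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


class VerifyError(Exception):
    """Raised by the service when a UsernameToken must be rejected."""


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)); nonce is the raw (decoded) bytes."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_request(username, password, body_xml, nonce=None, created=None):
    """Client side: a SOAP envelope whose header carries a digest, never the password."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    digest = password_digest(nonce, created, password)
    return (
        f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64_TYPE}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>"
    )


def verify_request(envelope_xml, credentials, seen_nonces, now=None, max_skew=timedelta(minutes=5)):
    """Service side: return the authenticated username or raise VerifyError.

    credentials: the service's own {username: password} store (assumed).
    seen_nonces: nonces accepted inside the freshness window; evict older ones.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(envelope_xml)
    tok = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        raise VerifyError("no UsernameToken")
    username = tok.findtext("wsse:Username", namespaces=NS)
    pw = tok.find("wsse:Password", NS)
    nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
    created = tok.findtext("wsu:Created", namespaces=NS)
    if not (username and pw is not None and pw.text and nonce_b64 and created):
        raise VerifyError("incomplete token")
    if pw.get("Type") != DIGEST_TYPE:  # refuse PasswordText: cleartext across domains
        raise VerifyError("only PasswordDigest accepted")
    try:
        created_dt = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError as exc:
        raise VerifyError("malformed token") from exc
    if abs(now - created_dt) > max_skew:
        raise VerifyError("Created outside freshness window")
    if nonce in seen_nonces:
        raise VerifyError("replayed nonce")
    # Unknown users still get a digest computed so both failure paths cost the same.
    known = username in credentials
    expected = password_digest(nonce, created, credentials.get(username, ""))
    if not (hmac.compare_digest(expected, pw.text) and known):
        raise VerifyError("bad digest")
    seen_nonces.add(nonce)
    return username


def demo():
    """Constructed scenario: a valid request, then a replay, a wrong password, a stale Created."""
    credentials = {"alice": "correct horse battery staple"}
    seen = set()
    nonce = bytes(range(16))  # fixed so the run is reproducible; use os.urandom in practice
    created = "2005-06-30T14:30:00Z"
    now = datetime(2005, 6, 30, 14, 31, tzinfo=timezone.utc)
    req = build_request("alice", credentials["alice"], "<ping/>", nonce=nonce, created=created)
    results = {"valid": verify_request(req, credentials, seen, now=now)}
    attempts = {
        "replay": (req, now),
        "wrong_password": (build_request("alice", "guess", "<ping/>", created=created), now),
        "stale": (build_request("alice", credentials["alice"], "<ping/>", created=created),
                  now + timedelta(hours=1)),
    }
    for name, (envelope, at) in attempts.items():
        try:
            verify_request(envelope, credentials, seen, now=at)
            results[name] = "accepted"
        except VerifyError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} {outcome}")
```

The digest only proves possession of the shared secret; it does not protect the Body, so in a real deployment the token rides inside a TLS channel or alongside an XML Signature over the Body. The nonce set must be bounded to the freshness window or it grows without limit.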
6. Some Conference Highlights
- ESRI ArcGIS Enterprise Security White Paper
  - E.g., STRIDE (p. 4), Web Services Architecture (p. 29), WS-Security (p. 34), WS-Enhancements (p. 35), and Trust (p. 43).
- Praise for NIST staff and documents (several).
  - Test software components for security, develop secure operating systems, and work with vendors to build in security.
- Need ontologies (John Weiler).
- Need Knowledge Management: A Practical Solution for Emerging Global Security Requirements (Dr. Charlie Bixler).
- How to share and exchange secure information when you can't afford to own the infrastructure? (General Meyerrose)
7. Integration Versus Interoperability
- Integration
  - Participant systems are assimilated into a larger whole.
  - Systems must conform to a specific way of doing things.
  - Connections (physical and logical) are brittle.
  - Rules are programmed in custom code, functions, or scripts.
  - Standard data vocabularies are encouraged.
- Interoperability
  - Participant systems remain autonomous and independent.
  - Systems may share information without strict standards conformance.
  - Connections (physical and logical) are loosely coupled.
  - Rules are modeled in schemas, domain models, and mappings.
  - Local data vocabularies are encouraged.
Source: Semantic Information Interoperability, in Adaptive Information, by Jeffrey Pollock and Ralph Hodgson, Wiley-Interscience, 2004, page 38.
8. Suggested Roadmap
- Dimensions of Interoperability
  - Organizational Interoperability is about streamlining administrative processes and information architecture to the institutional goals we want to achieve and to facilitate the interplay of technical and organizational concerns. It requires the identification of business interfaces, and coordination throughout Member States and the European Union.
  - Technical Interoperability is about knitting together IT systems and software, defining and using open interfaces, standards, and protocols. It relies on cooperation as well as on technical infrastructures.
  - Semantic Interoperability is about ensuring that the meaning of the information we exchange is contained and understood by the involved people, applications, and institutions. It needs the know-how of sector institutions and publication of specifications.
Source: Barbara Held, The European Interoperability Framework for pan-European eGovernment Services, IDABC, Enterprise and Industry Directorate-General, European Commission, February 17-18, 2005.
9. Suggested Roadmap
- Evolution of the SOA Platform
  - Simple: Web Services exposing data and actions.
  - Composite: applications and business processes consumed by portals.
  - Service Infrastructure.
Sources: (1) David Chappell, Business Process Management in a Service-Oriented World, Federal Architect Forum, May 11, 2005; (2) Bruce Graham, Taking SOA from Pilot to Production with Service Infrastructure, May 12, 2005; and (3) David Martin, Semantic Web Services: Promise, Progress, and Challenges, SWANS Conference Tutorial, April 8, 2005.
10. Suggested Roadmap
[Figure: a 3x3 grid. Rows are the Dimensions of Interoperability (1 Organizational, 2 Technical, 3 Semantic); columns are the Evolution of the SOA Platform (Simple, Composite, Infrastructure). A "Line of Sight" runs along the diagonal from Organizational-Simple through Technical-Composite to Semantic-Infrastructure.]
11. Suggested Roadmap
- Example 1 - Web Services for E-Government
  - 1. Organizational-Simple
    - Led the CIO Council award-winning VoiceXML Web Service for EPA Emergency Response pilot, which has subsequently been commercialized and implemented as infrastructure (see below).
  - 2. Technical-Composite
    - Led the CIO Council's E-Forms for E-Gov Pilot, in which 13 e-forms vendors each built an XML Web Service using a common XML Schema for E-Grants to increase their collective technical interoperability with one another.
  - 3. Semantic-Infrastructure
    - Our recent Semantic Web for Military Applications Conference featured 40 vendors implementing RDF/OWL, including Putting Context to Work: Semantic Keys to Improve Rapid First Response, which used an event ontology to achieve semantic interoperability across five vendors.
12. Suggested Roadmap
- Caution: Be Prepared to Slow Down, Road Work Ahead
  - David Martin, SRI International, April 8, 2005: "Sociological (crossing the chasm): getting to where the payoff exceeds the overhead (for significant numbers)."
  - Rob Vietmeyer, DISA Net-Centric Enterprise Services, April 18, 2005: "We are two years into SOA efforts with only some small pilot tests being conducted so far." (Federal Computer Week story.)
  - Russ Reopell, MITRE, Intelligence Community Metadata Working Group Meeting, May 4-5, 2005: "The SOA Threat."
  - SOA Leaders, Building the Business Case for SOA, June 9, 2005. (New consortium of XML Web Services hardware and software vendors.)
13. Suggested Roadmap
- Bottom Line
  - 1. Use the Federal Enterprise Architecture
    - Data Reference Model, Security and Privacy Profile, and the new IT Security Line of Business.
  - 2. Separate hype from reality
    - Build the business case focusing on business process management and aggregating services.
  - 3. Follow a line of sight
    - Semantic Interoperability Architecture (SIA) and Infrastructure.
- Suggested Reading
  - Web Services Platform Architecture, Sanjiva Weerawarana et al., Prentice Hall, 2005.
14. Contact Information
- Email
  - niemann.brand_at_epa.gov
- Web Sites
  - http://web-services.gov
  - http://colab.cim3.net/cgi-bin/wiki.pl?SICoP
- Voice Mail
  - 202-564-9491
- Location
  - EPA East Building, 1301 Constitution Avenue, NW, Washington, DC 20460