Role-based Access Control Framework for Geospatial Cloud Services NSDI Cooperative Agreements Program (CAP) 2008 Best Practices in Geospatial Service Oriented Architecture (SOA) Project Contacts: Joel Schlagel, US Army Corps of Engineers, [email_address] Jeff Harrison, CubeWerx USA, [email_address] This work is 3.0

Topics Why Role-based Access Control? Project Overview General Scenarios (Disaster & SSO) Regulatory Demos (w/John, Paul & George) Best Practices Questions?

Why Role-based Access Control?

Project Overview

General Scenarios (Disaster & SSO)

Regulatory Demos (w/John, Paul & George)

Best Practices

Questions?

Introduction Geospatial SOA based on OGC®/ISO influencing Federal Enterprise Architecture (FEA) Geospatial Profile. Efforts have matured to point where broad acceptance is dependent on capacity to secure data resources. Organizations like USACE participating in NSDI must also consider how to establish distributed security frameworks for role-based access control to SOA resources.

Geospatial SOA based on OGC®/ISO influencing Federal Enterprise Architecture (FEA) Geospatial Profile. Efforts have matured to point where broad acceptance is dependent on capacity to secure data resources. Organizations like USACE participating in NSDI must also consider how to establish distributed security frameworks for role-based access control to SOA resources.

Why Role-based Access Control? Geospatial SOA supporting NSDI, Enterprise GIS, … Moving from on-premise computing to access, discovery, processing & collaboration services on Internet cloud Transforming into agile frameworks driven by collaborative partnerships

Geospatial SOA supporting NSDI, Enterprise GIS, …

Moving from on-premise computing to access, discovery, processing & collaboration services on Internet cloud

Transforming into agile frameworks driven by collaborative partnerships

Service Providers Service Consumers Geospatial SOA … Regulatory … Infrastructure … other needs Access Processing Discovery Collaboration Security

Project Participants US Army Corps of Engineers, Water Resources Institute CubeWerx USA The Carbon Project Collaboration with EPA, Image Matters, Montana Dept of IT, USGS Framework Data Services

US Army Corps of Engineers, Water Resources Institute

CubeWerx USA

The Carbon Project

Collaboration with EPA, Image Matters, Montana Dept of IT, USGS Framework Data Services

Project Scope Design, deploy and document reusable services and applications for one of the most important (but least understood) areas of Geospatial SOA – Role-based Access Control. Satisfy multi-agency requirements through modeling business processes and related service components. Advance technology for regulatory data interoperability between organizations like USACE and EPA.

Design, deploy and document reusable services and applications for one of the most important (but least understood) areas of Geospatial SOA – Role-based Access Control.

Satisfy multi-agency requirements through modeling business processes and related service components.

Advance technology for regulatory data interoperability between organizations like USACE and EPA.

Project Objectives Define Best Practices in Geospatial SOA for Role-based Access Control as a key component of USACE and NSDI Business Process requirements. Leverage CubeWerx’s investment in developing solutions to solve this important security challenge. Demonstrate capabilities that have value across all application and spatial data stewardship domains, including development of Access Control Rules. Collaboratively document Best Practices .

Define Best Practices in Geospatial SOA for Role-based Access Control as a key component of USACE and NSDI Business Process requirements.

Leverage CubeWerx’s investment in developing solutions to solve this important security challenge.

Demonstrate capabilities that have value across all application and spatial data stewardship domains, including development of Access Control Rules.

Collaboratively document Best Practices .

Geospatial SOA Access Security Project Design Outreach & Collaboration Scenarios & Business Processes Develop DT&E Lab Document Best Practices Services DT&E Lab

SDI Access Control Service NSDI Data Access Service and SDI Access Control Service WFS WMS SACS Role-based Access Control DT&E Lab WFS Request & Response Client Authentication Login Cookie WFS Response Access Control WFS Request

Virtual SACS Other Client SDI Access Control Service NSDI Data Access Service and SDI Access Control Service Other NSDI Service with Virtual SACS WFS WMS SAC WFS WMS SAC Role-based Access Control DT&E Lab WFS Request & Response Client Authentication Login Cookie WFS Response WFS Request & Response WFS Request Access Control Federation Fine-grained A ccess C ontr ol Rules : SDI Client : Feature Constraints Geographic Constraints Role-based Contstraints Operations Constaints Access Control

So what does that mean?

Disaster Scenario Texas Coast Hurricane Roles Public User – ‘Jeff’ EOC User – ‘Keith’ NSDI Service Provider – ‘Edric’ Access Control by Geography Role Feature Service Operation Island of Galveston Jeff Edric Keith

Texas Coast Hurricane

Roles

Public User – ‘Jeff’

EOC User – ‘Keith’

NSDI Service Provider – ‘Edric’

Access Control by

Geography

Role

Feature

Service Operation

Geographic Access Control

Geographic Access Control

Geographic Access Control Jeff

Geographic Access Control Jeff

Geographic Access Control Jeff

Geographic Access Control Jeff

Geographic Access Control Jeff

Geographic Access Control

Geographic Access Control

Geographic Access Control

EOC Users – Access by Role, Geography, Feature, Operations Public Users – May be limited by Role, Geography, Feature, Operations

Access Control Rules for Cloud-based Services Established by Service Providers

Free Secure SDI client available at www.thecarbonportal.net Feature Level Security Jeff

Feature Level Security Jeff

Feature Level Security Keith

Feature Level Security Keith

By OGC Operation

By OGC Operation

By OGC Operation

By OGC Operation

Free Secure SDI client available at www.thecarbonportal.net By OGC Operation

Established by Service Providers Access Control Rules for Cloud-based Services

NSDI WFS in DT&E Lab

International Planning Commission reviewing plans for new oil pipeline. Carry crude oil from western Canada provinces to refineries in US. Planning Corridor crosses Montana/Saskatchewan border. Review infrastructure in Planning Corridor & rapidly develop a report. Single Sign-On Scenario

International Planning Commission reviewing plans for new oil pipeline.

Carry crude oil from western Canada provinces to refineries in US.

Planning Corridor crosses Montana/Saskatchewan border.

Review infrastructure in Planning Corridor & rapidly develop a report.

The following takes place between 10 AM and 10:15 AM… … events happen in real time. Canada US

Keith and Brenda are on the staff of the Commission Keith Brenda Roles

The commission just sent us a package by email Keith Brenda 10:00 AM

OK, let me zoom & connect to the Cross-Border SDI Network 10:00 AM

Got it, lets connect to the Cross-Border SDI Network 10:01 AM

Oops, forget to log-in… 10:01 AM

No problem, I got it, logging in now… Me too, with my account… 10:02 AM

OK, let me zoom & connect to the Cross-Border SDI 10:03 AM

Got it, Montana done… Just got a note, they want gas storage, comm towers in report 10:04 AM

Accessing NRCAN WFS with the single-sign on 10:04 AM

Canada done 10:04 AM

Got it, accessed Montana and NRCAN WFS, done They say add schools to report 10:05 AM

Done… 10:09 AM

NRCan Service* Montana Service* NSDI Data Services CGDI Services SACS with Single Sign-On* Geospatial SOA

Public – demonstrates unprotected access to a subset of data elements on issued permits to all EPA Region II - demonstrates providing jurisdictional information on Pending Actions to EPA Region II State of California - demonstrates authenticated access to consistent view of USACE data in State of California, across 3 USACE districts USFWS Region IV - demonstrates providing permanent wetland impact data to USFWS Region IV USACE Regulatory Scenarios

Public – demonstrates unprotected access to a subset of data elements on issued permits to all

EPA Region II - demonstrates providing jurisdictional information on Pending Actions to EPA Region II

State of California - demonstrates authenticated access to consistent view of USACE data in State of California, across 3 USACE districts

USFWS Region IV - demonstrates providing permanent wetland impact data to USFWS Region IV

Demos illustrate role-based access to USACE regulatory data, using four different scenarios, four roles and four demo users – one Cloud-based Service. Each user belongs to one role – Public : ‘Public’ California : ‘Paul’ EPA Region II : ‘John’ USFWS Region IV : ‘George’ (the password for each user is the same as the username) Each role's access rules demonstrates a different spatial & non-spatial filter (details for each scenario appear in the bottom panel). USACE Regulatory Demos

USACE Public Scenario

USACE - California Scenario

USACE-EPA Region II Scenario

USFWS Region IV Scenario

USACE - California Rules

USACE - California Rules

USACE - California Rules

Questions on Demos?

Before – Many Roles, Many Services Datastore HTTPS Username/PW WFS WMS Datastore HTTPS Username/PW WFS WMS Datastore HTTPS Username/PW WFS WMS

Datastore HTTPS SACS WFS WMS SDI Access Control Rules After – Many Roles, One Service

USACE Data Provider Portal Provider Security Manager NSDI Data Provider USACE End User NSDI End User (Public) Manage Users Manage Roles Manage Credentials Manage Groups Manage SDI Access Control Rules Authorize Users Access by Feature Access by Role Deploy Data Access by Geography Update by Feature Update by Role Update by Operation Type Access by Operation Type Use Cases… NSDI End User (Govt)

SDI Access Control Rules SACR - an XML file that defines SDI Access Control Rules. SDI Access Control Service applies these rules when someone tries to access data or services under its control. XACML/geoXACML is a standard for expressing access control rules in XML. SACR is a simple, functional subset of XACML/geoXACML - specifically focused on the requirements of OGC SDI (WMS, WFS, WCS, GSS, CS-W, etc.). May be beneficial for this type of simple Access Control Rules encodings to advance for NSDI.

SACR - an XML file that defines SDI Access Control Rules.

SDI Access Control Service applies these rules when someone tries to access data or services under its control.

XACML/geoXACML is a standard for expressing access control rules in XML.

SACR is a simple, functional subset of XACML/geoXACML - specifically focused on the requirements of OGC SDI (WMS, WFS, WCS, GSS, CS-W, etc.).

May be beneficial for this type of simple Access Control Rules encodings to advance for NSDI.

User Relying Party Identity Provider Relying Party Identity Provider Security Token Service WS-SecurityPolicy Security Token Service WS-SecurityPolicy Identity Selector SDI Access Control Rules (SACR) Framework… WS-Trust, WS-MetadataExchange Kerberos SAML SACS X.509

Level of Maturity and Implementation The referenced SOA/Cloud solutions are mature and viable, suitable for deployment in a governmental computing environment – either internally or via Cloud. Services, Web-based and Desktop Clients have been deployed in multiple operational settings – and are effective for Role-based Access Control. Greatest challenge may not be the technical solution – May be identifying specific Access Control Rules in coordination with multiple stakeholders – this challenge can be overcome, it is only a matter of working collaboratively to define them. In addition, importing and adapting Roles from existing databases takes Enterprise commitment Education to help stakeholders realize it is not “all or nothing”

The referenced SOA/Cloud solutions are mature and viable, suitable for deployment in a governmental computing environment – either internally or via Cloud.

Services, Web-based and Desktop Clients have been deployed in multiple operational settings – and are effective for Role-based Access Control.

Greatest challenge may not be the technical solution –

May be identifying specific Access Control Rules in coordination with multiple stakeholders – this challenge can be overcome, it is only a matter of working collaboratively to define them.

In addition, importing and adapting Roles from existing databases takes Enterprise commitment

Education to help stakeholders realize it is not “all or nothing”

Project Deliverables Distributed DT&E Lab Working Services, candidate Schemas Web-based and Desktop Clients Processes and Use Cases Best Practices Web-based Demos for NSDI Community

Distributed DT&E Lab

Working Services, candidate Schemas

Web-based and Desktop Clients

Processes and Use Cases

Best Practices

Web-based Demos for NSDI Community

Questions?

Role-based Access Control Framework for Geospatial Cloud Services NSDI Cooperative Agreements Program (CAP) 2008 Best Practices in Geospatial Service Oriented Architecture (SOA) Project Contacts: Joel Schlagel, US Army Corps of Engineers, [email_address] Jeff Harrison, CubeWerx USA, [email_address] This work is 3.0