Web Services and SOA for Secure Information Infrastructure
2005 Secure E-Business CxO Security Summit: “Roadmaps for Secure Information Sharing and Critical Information Infrastructure”
Solutions Roadmap Track, June 30th, 10:30-11:30 a.m.
Panelist: Brand Niemann, Chair, Semantic Interoperability Community of Practice (SICoP) Best Practices Committee (BPC), CIO Council, and Enterprise Architecture Team, Office of Environmental Information, U.S. Environmental Protection Agency
XML for the data and for the messages.
The IBM model for Web Services interactions simply summarized as “publish, find, and bind.”
Secure Information Sharing:
The Federal Enterprise Architecture’s Data Reference Model.
Critical Information Infrastructure:
The Federal Enterprise Architecture’s Security & Privacy Profile and the new IT Security Line of Business.
Best Practices and Lessons Learned:
What I do in my SICoP Leadership and EPA Enterprise Architecture Team roles.
1. Why is SOA superior?
Uses open standards for services, not objects, on the Internet. See next slide.
2. Early Successes?
Led the CIO Council award-winning VoiceXML Web Service for EPA Emergency Response pilot that has subsequently been commercialized and implemented as Infrastructure.
3. Data Governance?
Using the ontology paradigm for collaboration and commitments.
4. Involve Vendor Community?
Fostering “open collaboration with open standards” in pilots for the Federal CIO Council, the Federal Enterprise Architecture, and Agencies (U.S. EPA).
5. Vendor Opportunities?
Delivering citizen-centric services with ontology-based interoperability using public-private partnerships.
SOA in a Nutshell
Think services, not objects.
The services are defined in XML, unlike objects, which are defined by classes.
Creating a pure SOA environment will take a long time – it may never happen.
The initial task is to create service-oriented applications – SOA grows out of this!
A service and its client may not belong to the same security domain.
An object and its client typically do.
Reuse, security, and organizational issues are hard.
Work Toward Business Process Management (BPM) and Aggregating Services.
SOA is a means to these ends.
SOA in a Nutshell
The “Big Bet”:
Has anyone ever tried to create a complete, multi-vendor security framework before? Will this work? Keep an eye on the progress of WS-Security implementations; the success of SOA may depend on this technology.
Source: David Chappell, Federal Architect Council, April 8, 2004, and May 11, 2005.
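The cross-domain point above (a service and its client may not share a security domain) is what WS-Security's message-level tokens address. As an added example, not taken from the slides or from any vendor framework they mention, here is a small service-side check of a WS-Security UsernameToken in the PasswordDigest form defined by the OASIS UsernameToken Profile 1.0, with freshness and nonce-replay checks; the credential store, the five-minute skew window and the GetIncident body are constructed assumptions.

```python
import base64, hashlib, secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
FMT = "%Y-%m-%dT%H:%M:%SZ"
PASSWORDS = {"alice": "s3cret-shared-across-domains"}  # constructed credential store
SEEN_NONCES = set()  # replay cache; a real service bounds it by the Created window

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)); SHA-1 is what the profile fixes."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_envelope(user, password, created=None):
    """Client side (constructed): SOAP request carrying a digest UsernameToken."""
    created = created or datetime.now(timezone.utc).strftime(FMT)
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            '</wsse:UsernameToken></wsse:Security></soap:Header>'
            '<soap:Body><GetIncident/></soap:Body></soap:Envelope>')

def verify_envelope(xml_text, now=None, max_skew=timedelta(minutes=5)):
    """Service side: accept only a fresh, unreplayed token whose digest matches the stored secret."""
    now = now or datetime.now(timezone.utc)
    tok = ET.fromstring(xml_text).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        return False, "no UsernameToken"
    user, pwd = tok.findtext("wsse:Username", namespaces=NS), tok.find("wsse:Password", NS)
    nonce, created = (tok.findtext(p, namespaces=NS) for p in ("wsse:Nonce", "wsu:Created"))
    if pwd is None or pwd.get("Type") != DIGEST or not (nonce and created):
        return False, "plaintext or incomplete token"  # never fall back to PasswordText
    ts = datetime.strptime(created, FMT).replace(tzinfo=timezone.utc)
    if abs(now - ts) > max_skew:
        return False, "stale Created"  # bounds how long a captured token can be replayed
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    expected = password_digest(nonce, created, PASSWORDS.get(user, ""))
    if user not in PASSWORDS or not secrets.compare_digest(expected, pwd.text or ""):
        return False, "bad digest"
    SEEN_NONCES.add(nonce)
    return True, user
```

Note that the digest only authenticates the token, not the SOAP body; integrity of the message itself needs the WS-Security XML Signature mechanisms the slide is betting on.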
Panel Preparation Discussions:
Greg Lomow (Bearing Point) is working on a multi-vendor security SOA framework for DHS. That is the only one I know of this magnitude. Note: Greg Lomow is co-author with Eric Newcomer of the book “Understanding SOA with Web Services,” Addison-Wesley, 2005.
Source: J.P. Morgenthal, Managing Director, Ethink Systems, Inc.
Some Conference Highlights
ESRI ArcGIS Enterprise Security White Paper:
E.g. STRIDE (p. 4), Web Services Architecture (p. 29), WS-Security (p. 34), WS-Enhancements (p. 35), and Trust (p. 43).
Praise for NIST Staff and Documents (Several).
Test Software Components for Security, Develop Secure Operating Systems, and Work with Vendors to Build in Security.
Need Ontologies (John Weiler).
Need “Knowledge Management: A Practical Solution for Emerging Global Security Requirements” (Dr. Charlie Bixler).
How to Share and Exchange Secure Information When You Can’t Afford to Own the Infrastructure? (General Meyerrose)
Integration Versus Interoperability
Integration:
Participant systems are assimilated into a larger whole
Systems must conform to a specific way of doing things
Connections (physical and logical) are brittle
Rules are programmed in custom code, functions, or scripts
Standard data vocabularies are encouraged
Interoperability:
Participant systems remain autonomous and independent
Systems may share information without strict standards conformance
Connections (physical and logical) are loosely coupled
Rules are modeled in schemas, domain models, and mappings
Local data vocabularies are encouraged
Source: Semantic Information Interoperability in Adaptive Information, by Jeffrey Pollock and Ralph Hodgson, Wiley-Interscience, 2004, page 38.
Dimensions of Interoperability:
Organizational Interoperability is about streamlining administrative processes and information architecture to the institutional goals we want to achieve – and to facilitate the interplay of technical and organizational concerns. It requires the identification of “business interfaces”, and coordination throughout Member States and the European Union.
Technical Interoperability is about knitting together IT-systems and software, defining and using open interfaces, standards, and protocols. It relies on cooperation as well as on technical infrastructures.
Semantic Interoperability is about ensuring that the meaning of the information we exchange is contained and understood by the involved people, applications, and institutions. It needs the know-how of sector institutions and publication of specifications.
Source: Barbara Held, The European Interoperability Framework for pan-European eGovernment Services, IDABC, Enterprise & Industry Directorate-General, European Commission, February 17-18, 2005.
Evolution of the SOA Platform:
Simple Web Services – exposing data and actions
Composite Applications – business processes consumed by portals
Sources: (1) David Chappell, Business Process Management in a Service-Oriented World, Federal Architect Forum, May 11, 2005; (2) Bruce Graham, Taking SOA from Pilot to Production with Service Infrastructure, May 12, 2005; and (3) David Martin, Semantic Web Services: Promise, Progress, and Challenges, SWANS Conference Tutorial, April 8, 2005.
Suggested Roadmap (figure): the Evolution of the SOA Platform (Simple, Composite, Infrastructure) plotted against the Dimensions of Interoperability (Organizational, Technical, Semantic), with a Line of Sight running through stages 1, 2, and 3.
Example 1 - Web Services for E-Government:
Led the CIO Council award-winning VoiceXML Web Service for EPA Emergency Response pilot that has subsequently been commercialized and implemented as Infrastructure (see below).
Led the CIO Council’s E-Forms for E-Gov Pilot, in which 13 E-forms vendors each built an XML Web Service using a common XML Schema for E-Grants to increase their collective technical interoperability with one another.
Our recent Semantic Web for Military Applications Conference featured 40 vendors implementing RDF/OWL including the “Putting Context to Work: Semantic Keys to Improve Rapid First Response” that used an event ontology to achieve semantic interoperability across five vendors.
Caution: Be Prepared to Slow Down – Road Work Ahead:
David Martin, SRI International, April 8, 2005: Sociological (crossing the chasm) – getting to where the payoff exceeds the overhead (for significant numbers).
Rob Vietmeyer, DISA Net-Centric Enterprise Services, April 18, 2005 (Federal Computer Week story): “We are two years into SOA efforts with only some small pilot tests being conducted so far.”
Russ Reopell, MITRE, Intelligence Community Metadata Working Group Meeting, May 4-5, 2005: The SOA Threat.
SOA Leaders, Building the Business Case for SOA, June 9, 2005. (New consortium of XML Web Services hardware and software vendors.)
1. Use the Federal Enterprise Architecture:
Data Reference Model, Security & Privacy Profile, and the new IT Security Line of Business.
2. Separate hype from reality:
Build the business case focusing on business process management and aggregating services.
3. Follow a “line of sight”:
Semantic Interoperability Architecture (SIA) and Infrastructure.
Web Services Platform Architecture, Sanjiva Weerawarana et al., Prentice Hall, 2005.
EPA East Building, 1301 Constitution Avenue, NW, Washington, DC 20460