Federated SOA Security

Example from the Dutch Healthcare Exchange Program
1. The business rationale


People can receive care during their whole life
Care is often provided by multiple care institutions
Care institutions are in charge of their own registrations
+
Information about one patient is distributed over many information systems over many care institutions

•  There is no complete and accurate “patient record”




    Federated SOA Security                                                  © CSC 2010
For example: “the total hip”


•  A 67-year-old woman suffers from heavy pain when she walks, cycles or dances
•  She visits her family doctor and he prescribes a painkiller
•  She takes the painkiller for some time, at first with good results, but after a while she needs more and more. Her doctor sends her to a physiotherapist
•  The physiotherapist sends her to a hospital for an X-ray
•  The X-ray shows a worn hip. She is placed on the hospital's waiting list for a hip replacement
•  During the intake for the operation the woman remembers that in her youth she had allergic reactions to penicillin
•  She is operated on and afterwards receives therapy from another physiotherapist

[Figure: the care providers involved: family doctor, pharmacist, physiotherapist, hospital]
2. Business Constraints


•  Security is key. The patient can grant or deny access to his information and may forbid the exchange of his patient data
•  Healthcare institutions have their own responsibilities. The way information is registered and stored is part of their responsibility for the quality of care provision. So we can’t “replace” their applications with prescribed information systems
•  The solution should support small care providers (like family doctors with one PC) as well as the very big ones (like university hospitals with their own dual data center)
•  Authorization should be fine-grained. The information available to a healthcare provider should depend on his role and the care institution he’s working for




3. Some more detail




The Netherlands (“Holland”)



       •  23rd most densely populated country in the world
         –  almost 1500 people per square mile
       •  High life expectancy
         –  82 years for newborn girls, 77 years for boys
       •  16th largest economy in the world
       •  Aging population
         –  More and longer demand for (health-)care
         –  Working population decreases
       •  Challenges for healthcare
         –  Doing more with less
         –  Growing demand for extramural care




The National Switchboard for healthcare




Smartcard for care providers




4. Architectural starting points - 1


•  Patients’ information stays at the source
•  The Dutch National Switchpoint is a pointer index
•  The Switch Point also retrieves the information from local healthcare
   information systems and transfers the information to requesting
   healthcare information systems
•  Importance of authentication and authorization
 – privacy aspects
 – reliability of information (responsibility)
 – Citizen Service Number for patient identification
 – UZI pass for the identification, role and working relationship of doctors etc.
•  Importance of logging
•  The patient in the driving seat
 – final authorization of healthcare professionals by the patient
 – right to see logged information by law

Architectural starting points - 2


•  HL7v3 is the protocol to be used for the exchange of information with the
   National Switchpoint
 – HL7 is one of the leading standardization organizations within international
   healthcare
 – HL7v3 offers semantic interoperability
 – HL7v3 supports web services / Service Oriented Architecture
•  The Switchpoint acts as a “broker” for the underlying healthcare
   information systems
 – Requesting systems don’t have knowledge about addresses etc.; this is all
   handled by the Switchpoint
•  The network connections are encrypted using SSL
 – Authentication on the network layer (SSL) is done with the organization’s “service
   certificate”
 – Authentication for the message (token) is done with the healthcare provider’s
   personal “UZI pass”

Result: The ‘virtual patient record’




[Figure: the virtual patient record shows information from Healthcare System A, information from Healthcare System B and information from Healthcare System C]
5. Basic Security architecture

•  Perimeter 1: use of private networks
•  Perimeter 2: SSL based on server certificates
•  End-to-end: token based authentication on message level

[Figure: healthcare organization, National Switchpoint, healthcare organization; Perimeter 2 (SSL based on server certificates) sits on each side of the National Switchpoint]
Implementation challenges


•  Large number of SSL connections to take care of
    •  2000 concurrent connections growing towards 10.000 connections
•  Security token to be checked in every message
    •  2000 messages/minute growing towards 40.000 messages/minute
•  Multiple changes expected in authentication
    •  SHA-2 for better security
    •  Support needed for other means of authentication than the UZI-pass
          •  Other smart cards for public officers
          •  Delegated authentication for patients portal




Solutions  architectural principles


•  “Offload” core system
 – Move simple tasks, not requiring business logic, to the “outside” of the
   switchpoint
 – Use dedicated (hardware) components when appropriate
   •  SSL offloaders
   •  XML security gateways [Layer7]
•  Keep communication layers separated
•  Define and design “generic authentication and authorization”
 – Independent from specific implementations of means of authentication
 – Creating flexibility for changes in the future




Offload Core System
[Figure: Outside world → SSL handling → XML validation & token handling → Authorization & consent → Core business logic, all within the Switchpoint. Label beneath the stages: Generic authentication and authorization]
Keep communication layers separated


[Figure: OSI model (Application, Presentation Layer, Session Layer, Transport Layer (TCP), Network Layer (IP), Data Layer, Physical Layer) with SOAP/XML and HL7v3 shown at the application level and SSL shown at the transport level]
Keep communication layers separated




[Figure: the Switchpoint stages (SSL handling; XML validation & token handling; authorization & consent; core business logic) with the message layers shown beneath them: SSL, XML validation, HL7 wrappers, HL7 content]
Generic authentication & authorization


[Figure: SSL handling; XML validation & token handling; authorization & consent; core business logic]
7. Experiences and lessons learned



1.  Develop “generic components” for authentication and
    authorization. This results in flexibility and better maintainability
2.  “Offload” specific tasks, like handling SSL connections, verifying
    XML structures and handling tokens to dedicated components.
    This results in scalability
3.  Use “Commercial Off The Shelf” products for specific tasks. Invest
    in getting to know and appreciate these components: they are
    part of your system
4.  It is good practice to put “security” on every layer in your system.
    However, also put “security” on the relationship between those
    layers.
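
One way to realise “generic authentication and authorization” together with lesson 4 (security on the relationship between layers), as an added example that is not from the original slides or the Switchpoint's own code. Every means of authentication yields the same normalized identity, which is then tied to the organization seen on the SSL layer and checked against role and patient consent; the HMAC tokens, keys, roles, organizations and policy tables are constructed stand-ins for real smartcard signatures and registers.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Normalized result of authentication, whatever means produced it."""
    subject: str        # care provider identifier
    role: str           # e.g. family-doctor, physiotherapist
    organization: str   # care institution the provider works for
    means: str          # which means of authentication vouched for this


def _mac(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def mac_authenticator(means: str, key: bytes):
    """Build a verifier for one means. HMAC stands in for a card signature."""
    def verify(token: dict):
        payload = str(token.get("payload", ""))
        sig = str(token.get("sig", ""))
        if not hmac.compare_digest(_mac(key, payload).encode(), sig.encode()):
            return None
        parts = payload.split("|")
        if len(parts) != 3:
            return None
        return Identity(*parts, means=means)
    return verify


# Registry of means of authentication: supporting a new one is one entry here,
# nothing downstream changes. Keys are constructed demo values.
KEYS = {"uzi-pass": b"demo-key-uzi", "officer-card": b"demo-key-officer"}
AUTHENTICATORS = {m: mac_authenticator(m, k) for m, k in KEYS.items()}

# Constructed policy: which information categories each role may request.
ROLE_POLICY = {
    "family-doctor": {"medication", "allergies", "radiology"},
    "physiotherapist": {"radiology"},
    "pharmacist": {"medication", "allergies"},
}
# Constructed consent register: patient -> organizations the patient blocked.
CONSENT_BLOCKED = {"patient-001": {"org-pharmacy-9"}}


def make_token(means, subject, role, organization):
    """Issue a demo token (what the card and its issuer would do)."""
    payload = "|".join([subject, role, organization])
    return {"means": means, "payload": payload,
            "sig": _mac(KEYS[means], payload)}


def handle(tls_peer_org, token, patient, category, audit):
    """Decide one request. tls_peer_org comes from the SSL layer
    (the organization's service certificate), token from the message."""
    verifier = AUTHENTICATORS.get(token.get("means"))
    ident = verifier(token) if verifier else None
    if ident is None:
        decision = "deny:authentication"
    elif ident.organization != tls_peer_org:
        # Valid token, but sent over another organization's connection.
        decision = "deny:layer-mismatch"
    elif category not in ROLE_POLICY.get(ident.role, set()):
        decision = "deny:role"
    elif ident.organization in CONSENT_BLOCKED.get(patient, set()):
        decision = "deny:consent"
    else:
        decision = "permit"
    # Every decision is logged, including denials.
    audit.append((patient, ident.subject if ident else None, category, decision))
    return decision


def demo():
    audit = []
    gp = make_token("uzi-pass", "dr-jansen", "family-doctor", "org-gp-1")
    physio = make_token("uzi-pass", "pt-devries", "physiotherapist", "org-physio-3")
    pharm = make_token("officer-card", "ph-bakker", "pharmacist", "org-pharmacy-9")
    forged = dict(gp, payload="dr-jansen|family-doctor|org-hospital-2")
    results = [
        handle("org-gp-1", gp, "patient-001", "allergies", audit),
        handle("org-hospital-2", gp, "patient-001", "allergies", audit),
        handle("org-hospital-2", forged, "patient-001", "allergies", audit),
        handle("org-physio-3", physio, "patient-001", "medication", audit),
        handle("org-pharmacy-9", pharm, "patient-001", "medication", audit),
        handle("org-pharmacy-9", pharm, "patient-002", "medication", audit),
    ]
    return results, audit


if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```
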





DMCC Future of Trade Web3 - Special Edition
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Federated SOA Security Example From the Dutch National Healthcare Exchange

  • 1. Federated SOA Security: Example from the Dutch Healthcare Exchange Program
  • 2. 1. The business rationale
      • People can receive care during their whole life
      • Care is often provided by multiple care institutions
      • Care institutions are in charge of their own registrations
      + Information about one patient is distributed over many information systems over many care institutions
      • There is no complete and accurate “patient record”
      Federated SOA Security © CSC 2010
  • 3. For example: “the total hip”
      • A 67-year-old woman suffers from heavy pain when she walks, cycles or dances
      • She visits her family doctor and he prescribes a painkiller
      • She takes the painkiller for some time, at first with good results, but after a while she needs more and more. Her doctor sends her to a physiotherapist
      • The physiotherapist sends her to a hospital for an X-ray
      • The X-ray shows a worn hip. She’s placed on the hospital’s waiting list for hip replacement
      • During the intake for the operation the woman remembers that in her youth she had allergic reactions to penicillin
      • She is operated on and after that receives therapy from another physiotherapist
      Diagram labels: Family doctor, Pharmacist, Physiotherapist, Hospital
  • 4. 2. Business Constraints
      • Security is key. The patient can grant or deny access to his information and may forbid the exchange of his patient data
      • Healthcare institutions have their own responsibilities. The way information is registered and stored is part of their responsibility for the quality of care provision. So we can’t “replace” their applications with prescribed information systems
      • The solution should support small care providers (like family doctors with one PC) as well as the very big ones (like university hospitals with their own dual data center)
      • Authorization should be fine-grained. The information available to a healthcare provider should depend on his role and the care institution he’s working for
  • 5. 3. Some more detail: The Netherlands
  • 6. The Netherlands (“Holland”)
      • 23rd most densely populated country in the world
          – almost 1500 people per square mile
      • High life expectancy
          – 82 years for newborn girls, 77 years for boys
      • 16th largest economy in the world
      • Aging population
          – More and longer demand for (health-)care
          – Working population decreases
      • Challenges for healthcare
          – Doing more with less
          – Growing demand for extramural care
  • 7. The National Switchboard for healthcare
  • 8. Smartcard for care providers
  • 9. 4. Architectural starting points - 1
      • Patients’ information stays at the source
      • The Dutch National Switchpoint is a pointer index
      • The Switchpoint also retrieves the information from local healthcare information systems and transfers the information to requesting healthcare information systems
      • Importance of authentication and authorization
          – privacy aspects
          – reliability of information (responsibility)
          – Citizen Service Number for patient identification
          – UZI pass for the identification, role and working relationship of doctors etc.
      • Importance of logging
      • The patient in the driving seat
          – final authorization of healthcare professionals by the patient
          – right to see logged information by law
  • 10. Architectural starting points - 2
      • HL7v3 is the protocol to be used for the exchange of information with the National Switchpoint
          – HL7 is one of the leading standardization organizations within international healthcare
          – HL7v3 offers semantic interoperability
          – HL7v3 supports web services / Service Oriented Architecture
      • The Switchpoint acts as a “broker” for the underlying healthcare information systems
          – Requesting systems don’t have knowledge about addresses etc.; this is all handled by the Switchpoint
      • The network connections are encrypted using SSL
          – Authentication on the network layer (SSL) is done with the organization’s “service certificate”
          – Authentication for the message (token) is done with the healthcare provider’s personal “UZI pass”
  • 11. Result: The ‘virtual patient record’
      • Information from Healthcare System A
      • Information from Healthcare System B
      • Information from Healthcare System C
  • 12. 5. Basic Security architecture
      • Perimeter 1: Use of private networks
      • Perimeter 2: SSL based on server certificates (shown twice in the diagram, once for each healthcare organization)
      • End-to-end: Token based authentication on message level
      Diagram labels: Healthcare organization, National Switchpoint, Healthcare organization
  • 13. Implementation challenges
      • Large number of SSL connections to take care of
          – 2000 concurrent connections growing towards 10.000 connections
      • Security token to be checked in every message
          – 2000 messages/minute growing towards 40.000 messages/minute
      • Multiple changes expected in authentication
          – SHA-2 for better security
          – Support needed for other means of authentication than the UZI-pass
              · Other smart cards for public officers
              · Delegated authentication for patients portal
  • 14. Solutions: architectural principles
      • “Offload” core system
          – Move simple tasks, not requiring business logic, to the “outside” of the switchpoint
          – Use dedicated (hardware) components when appropriate
              · SSL offloaders
              · XML security gateways [Layer7]
      • Keep communication layers separated
      • Define and design “generic authentication and authorization”
          – Independent from specific implementations of means of authentication
          – Creating flexibility for changes in the future
  • 15. Offload Core System
      Diagram labels: Outside world; Switchpoint, containing SSL handling, XML validation & Token handling, Authorization & Consent, Core Business Logic; Generic authentication and authorization
  • 16. Keep communication layers separated
      OSI model layers as listed on the slide: Application, Presentation Layer, Session Layer, Transport Layer (TCP), Network Layer (IP), Data Layer, Physical Layer
      Protocols marked beside the stack: SOAP/XML, HL7v3, SSL
  • 17. Keep communication layers separated
      Diagram labels: SSL handling, XML validation & Token handling, Authorization & Consent, Core Business Logic; below them: SSL, XML validation, HL7 wrappers, HL7 content
  • 18. Generic authentication & authorization
      Diagram labels: Generic authentication & authorization, spanning SSL handling, XML validation & Token handling, Authorization & Consent, Core Business Logic
  • 19. 7. Experiences and lessons learned
      1. Develop “generic components” for authentication and authorization. This results in flexibility and better maintainability
      2. “Offload” specific tasks, like handling SSL connections, verifying XML structures and handling tokens, to dedicated components. This results in scalability
      3. Use “Commercial Off The Shelf” products for specific tasks. Invest in getting to know and appreciate these components: they are part of your system
      4. It is good practice to put “security” on every layer in your system. However, also put “security” on the relationship between those layers.
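
An added example, not part of the original slides: one way to sketch the “generic authentication and authorization” principle (slides 14 and 18) together with lesson 4's check on the relationship between layers. The token fields, role policy, consent model and the HMAC that stands in for the smartcard signature are all assumptions made for illustration.

```python
import hashlib, hmac, json
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    """Normalized authentication result, independent of the means used."""
    subject: str
    role: str
    organization: str
    means: str

# Constructed demo keys, one per means of authentication. HMAC is a stand-in
# for the smartcard's signature (assumption, not the UZI pass token format).
KEYS = {"uzi": b"demo-uzi-key", "officer-card": b"demo-officer-key"}

def sign(means, subject, role, org):
    msg = json.dumps([means, subject, role, org]).encode()
    return hmac.new(KEYS[means], msg, hashlib.sha256).hexdigest()

def authenticate(token):
    """Token handling: verify the message-level token, return an Identity."""
    means = token.get("means")
    if means not in KEYS:
        raise PermissionError("unsupported means of authentication")
    expected = sign(means, token["subject"], token["role"], token["org"])
    if not hmac.compare_digest(expected, str(token.get("sig", ""))):
        raise PermissionError("invalid token signature")
    return Identity(token["subject"], token["role"], token["org"], means)

# Hypothetical fine-grained policy: information types each role may read.
ROLE_POLICY = {"physician": {"medication", "allergy"},
               "pharmacist": {"medication"}}

def authorize(identity, tls_org, denied_by_patient, info_type):
    """Authorization & consent: sees only the Identity, never the raw token."""
    # Relationship between layers: the organization named in the message token
    # must be the one whose service certificate authenticated the SSL session.
    if identity.organization != tls_org:
        return False, "token organization differs from service certificate"
    if info_type not in ROLE_POLICY.get(identity.role, set()):
        return False, "role not permitted for this information"
    if identity.organization in denied_by_patient:
        return False, "patient denied access"
    return True, "ok"
```

Supporting another means of authentication means registering one more verifier key; `authorize` does not change, which is the flexibility the slides ask for.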