SOA Technology Briefing MITRE, McLean, VA October 2006 Comparing USPS PostalOne, NIH eReceipts and Amazon.com for eGov and SOA Dr. Alan Harbitter [email protected] David RR Webber [email protected]


SOA Technology Briefing

MITRE, McLean, VA October 2006

Comparing USPS PostalOne, NIH eReceipts and Amazon.com for eGov and SOA

Dr. Alan Harbitter

[email protected]

David RR Webber

[email protected]


Overview

Nortel Government Solutions (NGS) staff has implemented two widely differing solutions for high visibility e-Government systems. 

How do these two approaches compare and contrast and what are the lessons learned compared to a commercial approach such as Amazon.com?

Special Focus - eGovernment Security aspects

Q&A


Quick History

Notion of using Internet to securely exchange business information

XML started in 1997

B2B work on XML/edi and ebXML

ebXML specification – May 11th, 2001

Web services – started 2000 as ‘quick fix’

WSDL and XSD developed by W3C

Web services used by Amazon and eBay

Marketing of SOA emerges


What exactly is SOA?

SOA still very much dependent on the focus of the advocate

Some commonly accepted wisdoms

Using internet TCP/IP based exchanges

Both “real time” and “batch” services

Need registry to manage content / services

Robust Security and Authentication

Partner profiles - MoU, roles, context

Rule based business information handling

Business process formalization


CIO’s perception of SOA Today

Independent of underlying technology

A general model for offering computing and information services in large, loosely coupled, highly distributed environment.

The standardized and probably most widely associated implementation technology is web services

But many look to implement SOA with specific vendor legacy technologies e.g. IBM MQ series, BEA, Oracle, SAP, etc


Where is SOA Today?

Many camps of vendor driven interests

WS/I, W3C, OMG, OASIS, more

Many components as open specifications

Marketplace still sorting out winners and losers of key components

security, registry, messaging, transactions, business process

Loose coupling – concept but not reality

Poor understanding of applicability of B2B batch delivery – push / pull / staged


Quick look - what exactly is SOA?

Using Amazon web services

Contrast and compare simple web service model to SOA requirements

Web Services – Amazon AWS

(TALKING POINTS)

Rapid deployment

Simplicity of Content

Transient value-less content

Security / Role / Access?

Legal position

Degrading content at peak times

Agility / loose coupling



NIH eRECEIPTS & USPS POSTALONE


NIH Grants Management

NIH issues billions of dollars in grant awards to investigators worldwide annually

Receives 70,000+ research and training grant applications

Handling 20,000,000+ pages of paper

To electronically receive, verify and accept ALL Research/Research related Grant Applications

Securely manage each step of the process


Grant Applications Process and EERP

End-to-End Resource Planning

[Diagram. Process stages: Posting, Submission, Evaluation, Award, Tracking, Outcomes, KM / Research. Other labels: Budget; Grant Opportunities ($4B+ annually); Submissions; Templates + XML; Grantor Org; Delivery; NIH; Agency; Verification, Validation; Notification; Grantee; Review & Sign-off; Peer review, Evaluation; KM; Award Management; Security: Role, Policy, Access]


NIH Exchange - Design Goals

Automated registration of participants

Ability to self-certify exchange transactions

Version control and ability to approve partners

Centralized registry for participant management

Alignment of policy and security

Declared and shared business rule scripting

Integration through messaging services

Backend application integration services

Uses open public specifications and open source


NIH Partner Services Architecture Vision


NIH Layered Deployment Model


PostalOne!® – Web-Based Enterprise Application

To electronically verify and accept ALL Business Mailings nationwide

30,000+ users

$32 Billion in annual revenue collection for USPS

100,000+ transactions per day

Mission Critical application for USPS


PostalOne!® – Current Web Services Implementation

[Diagram: USPS Appointment Scheduling Business process. Labels: Business Mailers; Appointment Scheduling Request/Response via Web Services; PostalOne! (Scheduling Gateway); User Authentication & Authorization; IBM WebSphere MQ; USPS Appointment Scheduling Application (FAST)]

[Diagram: USPS Electronic Postage Statement Submission Business process. Labels: Business Mailers; Electronic Documentation & Payment via Web Services; PostalOne! (Postage Wizard Web Service)]


PostalOne!® – A Service Oriented Architecture Approach


Security Considerations for Real World SOA Systems

Dr. Alan Harbitter, CTO, Nortel Government Solutions ([email protected])


High-level Thoughts on Security and SOA

Probably the number one paranoia in SOA pilot-to-production transition is security—and rightly so.

SOA (web services) is generally thought of as service producer-to-consumer, not system-to-user. But security has to be user-focused.

The mechanisms suggested by many of the standards assume an in-place security infrastructure beyond the “as-is.”

The ROI for SOA is based on applications, so that’s how an organization is likely to start

But security should be institutionalized—beyond single applications.


Security Services Requirements

Confidentiality: Services and information provided are not accessible to unauthorized parties; traffic patterns do not provide a “covert channel”

Integrity: Service and information provided is not inappropriately modified

Availability: Service is reliably provided at advertised hours

Authentication: Server, Service, User

Non-repudiation: Parties exchanging information can be positively identified and can not deny providing or receiving services


Very Basic Security

[Diagram: a Government data repository (“I have info you might be interested in!”) and a Stakeholder data repository (“So do I!”), each with a Registry of Services, connected over the Internet or Intranet using SOA Transport Protocols, with SSL at each end]

SSL covers confidentiality and service authentication

Authentication at user level is typically handled by the application


How well does SSL support requirements?

Confidentiality: Secret key and symmetric algorithm are negotiated for the session

Integrity: MAC can be negotiated into the session

Availability: Not specifically addressed, requires at least normal DDoS precautions and an application-aware firewall

IA&A (Identification, Authentication, Authorization): Typically, SSL handles the server/service level (application handles the user level)

Non-repudiation: Inherent in the session, but can not be shown later

Attack resilience: What ever is in place for enterprise websites


Functionally, what’s missing?

Fine grained confidentiality

Under SSL, the entire session is encrypted

In wide-scale information sharing applications, a subset of the provided information may have unique security characteristics (e.g., HIPAA data)

Institutional representation of the user

Doesn’t provide IA&A beyond the first application


What else is missing?

Non-repudiation is limited to the duration of the session (or application based)

Limited persistent security associations

There is no enterprise-wide statement and enforcement of policy

Security is dependent upon the organizational dynamic between application developers and infrastructure managers

Protection mechanisms befitting a mission critical application


A Universe of Standards

WS-Security: Framework for building security protocols

WS-Policy: Policy assertions

WS-Trust: Defines how to broker trust relationships

WS-Privacy: a model for how a privacy language may be embedded into WS-Policy descriptions and how WS-Security may be used to associate privacy claims with a message

WS-SecureConversation: Allows participants to establish a shared context

WS-Federation: Single sign on and attribute service

WS-Authorization: will describe how to manage authorization data and authorization policies.

[Diagram: WS Security Specifications. Layers: SOAP Foundation; WS-Security; WS-Policy, WS-Trust, WS-Privacy; WS-SecureConversation, WS-Federation, WS-Authorization]


The SOA-enabled Security Infrastructure

[Diagram. Labels: Nationwide Sensitive But Unclassified (SBU) Backbone; Federal Networks; State, Local & Regional Networks; Identity Server (two); Certificate Authority (two); Local Authentication & Auditing; Service Consumers; Service Provider (two); Application-aware Firewalls]

In the context of SOA-based secure information sharing in the public sector justice community


Work for Government Implementers

For service owners, focus on application-specific details (where the devil is)

XML-based expression of identity, attributes, and privileges

Subject matter specific privacy tags

For infrastructure owners, focus on building the SOA-enabled infrastructure
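
The fine-grained confidentiality gap listed under "Functionally, what's missing?" and the privacy tags named above can be illustrated with an added example (not code from the briefing or from the NIH or USPS systems): a provider filters a record element by element against the privileges a consumer asserts. The `privacy` attribute, the assertion format and all sample data are assumptions constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample record: each element carries a hypothetical `privacy`
# attribute; untagged elements inherit the tag of their parent.
RECORD = """\
<grantApplication privacy="public">
  <title>Cardiac outcomes study</title>
  <investigator privacy="pii">
    <name>J. Doe</name>
    <ssn privacy="pii-restricted">000-00-0000</ssn>
  </investigator>
  <cohort privacy="hipaa"><diagnosis>I50.9</diagnosis></cohort>
  <budget privacy="financial">250000</budget>
</grantApplication>
"""

# Constructed assertion of identity, attributes and privileges. In a real
# deployment it would arrive signed by the identity server and be verified
# before use; parse untrusted XML with a hardened parser.
ASSERTION = """\
<assertion>
  <subject>reviewer-17</subject>
  <attribute name="role">peer-reviewer</attribute>
  <privilege>public</privilege>
  <privilege>pii</privilege>
</assertion>
"""

def privileges(assertion_xml):
    """Return the set of privacy tags the asserted subject may read."""
    root = ET.fromstring(assertion_xml)
    return {p.text.strip() for p in root.iter("privilege") if p.text}

def _prune(elem, inherited, allowed):
    """Drop every child whose effective privacy tag is not in `allowed`."""
    for child in list(elem):
        tag = child.get("privacy", inherited)
        if tag not in allowed:          # fail closed: unknown tags are withheld
            elem.remove(child)
        else:
            _prune(child, tag, allowed)

def release(record_xml, assertion_xml):
    """Return the view of the record this consumer may see, or None."""
    allowed = privileges(assertion_xml)
    root = ET.fromstring(record_xml)
    top = root.get("privacy")
    if top not in allowed:              # untagged or unauthorised root
        return None
    _prune(root, top, allowed)
    return ET.tostring(root, encoding="unicode")
```

SSL would still encrypt whichever view is released as a whole; the per-element decision has to be made at the message layer before the data reaches the transport.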


SUMMARY


Lessons Learned

Providing self-service facilities is key to rapid adoption

Infrastructure exists today off-the-shelf to create pre-built templates for industry domains

Using open specifications allows integration into a wide range of environments

Open source solutions allow partners to readily obtain technology

Use of partner id concept to manage partners and versioning interchanges


Challenges / Opportunities Today

Exposing synchronous and asynchronous interfacing to control content access

Open source solution components to allow unrestricted integration by partners

Leveraging loose coupling of web services

Combining best-of-breed solution with both ebXML and Web services working together as formal model (e.g. Oracle SOA 10g v3 upgrade)

Industry best-practices and lessons learned (who has solved similar needs?)


SOA – Future Challenges

As marketplace matures customers will demand core enabling components and features

Trend continuing toward services as solution not software (that’s good for services providers like us!)

Supporting complex infrastructure demands – such as ERP and BAM – will need robust rule-based solutions and tools

Integration with cool new desktop tools and services (Microsoft & Nortel)


Q & A

Discussion

Nortel Government Solutions

For more information

Visit our Website:

http://www.nortelgov.com


Acronym Soup

WSDL – web service description language

SOAP – simple object access protocol

ebXML – e-Business XML

REST – Representational State Transfer – http-based exchanges

XSD – XML Schema (structure / layout) Definition

XML – eXtensible Markup Language

W3C – World Wide Web consortium

B2B – business to business

MoU – Memorandum of Understanding

TCP/IP – internet communications syntax


Project and Technology Resources

NIH eRA Project site – http://era.nih.gov

NIH S2S Resources site - http://era.nih.gov/ElectronicReceipt/

Commons online site – https://commons.era.nih.gov/commons/

Grants.gov online site – http://www.grants.gov/


Technology Resources

www.oasis-open.org

www.ebxml.org

www.freebXML.org

www.ebxmlforum.org

www.apache.org