Web Services Security SensorWeb Requirements Pat Cappelaere NASA EO-1 Team

Restful Security Requirements


Security Requirements for RESTful Web Services


Page 1: Restful Security Requirements

Web Services Security

SensorWeb Requirements

Pat Cappelaere

NASA EO-1 Team


Page 2: Restful Security Requirements

Definitions

Web Service:

From Wikipedia, the free encyclopedia

It is defined by the W3C as "a software system designed to support interoperable machine-to-machine interaction over a network."

It communicates over the HTTP protocol used on the Web. Such services tend to fall into one of two camps: SOAP/WSDL and RESTful Web Services.

Both need to be supported [but our preference is for RESTful Web Services, to reduce the cost of implementation/operations]


Page 3: Restful Security Requirements

Major Requirement

The RESTful Way (安らぎの道, "the path of tranquility")


Page 4: Restful Security Requirements

Scope

Web Services Need To Be Accessible From An Open Network BUT Are Not (necessarily) On The NASA Network

They Are Used To Access Data And/or Assets In A Bi-directional Manner

They May Need To Communicate With Many Communities On A Permanent Or Temporary Basis (Disaster Management)

Some Data To Be Exchanged May Be:

Mostly Public

Some Data May Be For Restricted Dissemination For Some Time Period (60 days)

TBD License Agreements


Page 5: Restful Security Requirements

Outside Of Scope

Direct Access To NASA Satellite Assets Or Sensitive Data

Page 6: Restful Security Requirements

User Scope: Web 2.0

Web Security Protocol Needs To Be Easy To Implement (Many Users Will Have Low-IT Capabilities)

Target: Web 2.0 Mass Market Accessible

Implementable in Less Than Half a Day By Neo-Geographer

Leverage Existing Web 2.0 Standards As Possible To Lower Cost And Speed Up Acceptance


Page 7: Restful Security Requirements

SensorWeb Collaboration Challenge

[Diagram of Users, Services, Sensors and Hubs. Labels: NASA, DOD, Red Cross, SERVIR/CATHALAC, IKHANA, CA Firefighters, SPOT, RCMRD, AFRICOM, NGIT, GMU, JPL, GEOSS, NOAA, USGS, MODIS]

Page 8: Restful Security Requirements

Federated Approach

Trust Relationships Between Communities Can Be

Permanent

Temporary (Under Admin Control)

[Permission Policies May Need To Be Exchanged Across Domains]

Local Trust Relationship Must Be Easily Discoverable By Local Service Providers

Page 9: Restful Security Requirements

Federated Management

Each Community Needs to Manage its Users and Services In a Satisfactory Manner (But Not Necessarily Identical)

Provide a Recognizable Handle for a User or a Service (passport-like, OpenID...)

Provide An Accessible Profile for User/Service Attributes

Some attributes may be read-write

User Privacy Issue? User Consent May Be Required To Release Info


Page 10: Restful Security Requirements

User Profile

Standard Organizational Profile

Example: http://www.axschema.org/types/

Plus:

One or More Notification URI (SMS, XMPP...)

Roles/Permissions Granted By Organization

Some User Profile Attributes May Need To Be Writeable By Outside Services

DRM/License Agreements...


Page 11: Restful Security Requirements

Service Profile

Name / Description...

Main URL Web Page End Point

RSA Public Key


Page 12: Restful Security Requirements

Secure Transactions

Data Providers Need To Make Sure That:

Message Transaction Has Not Been Tampered With

Message Has Not Been Played Back

Message Is In The Clear

Message Comes From Valid Service Consumer

Message Comes From Valid User

User Has Proper Permission To Access Specified Security Realm

User Has Delegated Authority To Consumer (Confirmation May be Necessary)

User Has Agreed To Access/License Agreement
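
A provider-side check for the first items on this slide (tampering, playback, valid service consumer), added here as an example and not taken from the original slides. It assumes each request is signed with the RSA key whose public half is published in the consumer's Service Profile; the field names, base-string layout, five-minute window and `consumer.example` handle are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed consumer key pair; the public half stands in for the
// "RSA Public Key" field of the consumer's Service Profile.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical registry: consumer handle -> public key from its profile.
const serviceProfiles = new Map([['https://consumer.example/', publicKey]]);

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window
const seenNonces = new Set();      // in-memory; a deployment needs shared, expiring storage

// String covered by the signature (assumed layout, body is a string): any
// change to method, URL, consumer, timestamp, nonce or body changes it.
function baseString(req) {
  const bodyHash = nodeCrypto.createHash('sha256').update(req.body).digest('hex');
  return JSON.stringify(
    [req.method, req.url, req.consumer, req.timestamp, req.nonce, bodyHash]);
}

// Consumer side: attach an RSA/SHA-256 signature over the base string.
function signRequest(req, key) {
  const sig = nodeCrypto.sign('sha256', Buffer.from(baseString(req)), key);
  return { ...req, signature: sig.toString('base64') };
}

// Provider side: returns 'ok' or the reason the request is rejected.
function verifyRequest(req, now = Date.now()) {
  const key = serviceProfiles.get(req.consumer);
  if (!key) return 'unknown consumer';
  if (typeof req.signature !== 'string') return 'bad signature';
  const sig = Buffer.from(req.signature, 'base64');
  if (!nodeCrypto.verify('sha256', Buffer.from(baseString(req)), key, sig)) {
    return 'bad signature';
  }
  if (Math.abs(now - req.timestamp) > MAX_SKEW_MS) return 'stale timestamp';
  // Record the nonce only after the signature verifies, so unsigned
  // traffic cannot fill the store.
  const nonceKey = `${req.consumer}|${req.nonce}`;
  if (seenNonces.has(nonceKey)) return 'replayed';
  seenNonces.add(nonceKey);
  return 'ok';
}
```

The remaining items on the slide (valid user, permissions, delegation, license agreement) are authorization decisions that would run after this check succeeds.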


Page 13: Restful Security Requirements

Problems

[Diagram labels: NASA, SPS, SOS, WPS, First Responder Dispatch Office (FRDO), First Responder: Andy, Consumer, NOAA, GFS Model Weather, NGIT, WPS (Plume), Firewall, Orchestrating Workflow]

1: User SSO

2: Secure Transactions

3: Delegation

Page 14: Restful Security Requirements

User Security Management

User Needs To Have One Place To Go To:

Manage Authorized Sites

Manage Grants

Access/Manage Profile Access (Some of the Attributes Only)

Access/Manage Services


Page 15: Restful Security Requirements

Max Degree Of Separation

[Diagram labels: 2, 1, 2]

Two Degrees


Page 16: Restful Security Requirements

THANK YOU

Pat G. Cappelaere

Contact Information:

=cappelaere

http://blog.geobliki.com

Cell:[email protected]
