Presentation transcript:

Using PHINMS and Web-Services for Interoperability
The findings and conclusions in this presentation are those of the author and do not necessarily represent the views of the Centers for Disease Control and Prevention/the Agency for Toxic Substances and Disease Registry.
Raja Kailar, Ph.D., CTO, Business Networks International Inc.
Tim Morris – PHINMS Project Sponsor, CDC/NCPHI Director, DISS

Overview
PHINMS Web Services extension phases
Interoperability considerations
– Scalable Messaging Architectures
– Non-PHIN Networks

PHINMS Web-Services Adapter

PHINMS Web-Services Reliable Messaging

Current Message Transport Modes
Route-not-Read
Direct-Send

Maintainability/Scalability: Current Challenges
Route-not-Read has a single point of failure and a performance bottleneck
Direct-Send is difficult to install (firewall, DMZ, etc.)
Lifecycle management of client certificates used for Sender authentication by the Receiver's proxy web-server

Transport – Long Term Goals
Scalability
– Support for thousands of messaging nodes
Maintainability
– Adding new nodes, or renewing certificates at a node, should not require manual updates at all other nodes

Transport Architectures Under Consideration
Option 1:
– Identity provider based centralized/federated authentication
Option 2:
– Regional gateways with routing capability

Option 1: Identity Provider based Centralized/Federated Authentication

What is an Identity Provider?
User identity proofing
– e.g., Is this John Doe living at 123 Main St, TN?
Identity binding to digital credentials
– e.g., John Doe = Certificate with Serial No
Periodic renewal of credentials, re-binding of identities
Online authentication service
– e.g., Client-Certificates, Login and Password
Standards-based authentication and/or authorization (session) tokens
– e.g., SAML assertions

What is SAML?
Security Assertion Markup Language
Open standard for communicating information:
– Authentication
– Authorization
– Attribute
Platform and language independent (XML based)
Can be used to support single sign-on and identity federation

Identity Provider and SAML Based Authentication Approach

Identity Providers – Advantages and Challenges
Advantages
Centralized control over authentication and/or authorization
User identity management burden shifted from services that use identity
Challenges
Establishing trusted identity providers
– More than technology
– Service requestor and responder need to agree on the same authentication/authorization mechanisms
Centralizing trust can create a single point of failure and a target for hack attacks
Standards (e.g., SAML, WSS) are evolving
Where is authorization performed?

Option 2: Regional Gateways with Routing Capability

Regional Gateways
Messaging/routing
– Nodes authenticate to gateway
– Send/Poll model at each regional gateway
– Gateways perform message routing

Regional Gateways – Advantages and Challenges
Advantages
– No single point of failure
– Local control of identities and processes
– De-couples intra-regional interfaces from inter-regional ones
Challenges
– Authentication/authorization not necessarily end-to-end
  Gateways may act as trusted intermediaries (transitive trust)
  Need policies, binding agreements between regional gateways
– End-to-end routing, encryption
– Acknowledgements in multi-hop mode
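An added toy model (not PHINMS code) of the two-hop regional-gateway routing on the slides above: a node authenticates only to its own regional gateway, the destination gateway accepts the message on the strength of its agreement with the peer gateway, and the receiving node never sees the sender's credential. That is the transitive-trust challenge. The model also shows the usual answer to the "end-to-end" challenge: the sender attaches an end-to-end integrity tag (an HMAC here, standing in for the signature or encryption a real deployment would use) that the final receiver checks, so a modification by an intermediary gateway is still detected. All node and gateway names, credentials and keys are constructed for the example.

```python
"""Two-hop regional gateway routing with per-hop authentication and an
end-to-end integrity tag. Added example; every name, credential and key
below is constructed, and HMAC stands in for a real signature scheme."""
import hashlib
import hmac
import json

# Constructed directory: the regional gateway each node belongs to, and the
# credential each node presents to its *own* gateway (hop-by-hop auth only).
NODE_REGION = {"lab-A1": "gw-A", "lab-A2": "gw-A", "health-dept-B1": "gw-B"}
NODE_CREDENTIALS = {"lab-A1": "cred-a1", "lab-A2": "cred-a2", "health-dept-B1": "cred-b1"}
# Constructed end-to-end keys shared by sender and final receiver only;
# gateways never hold these, so they can route but not forge the tag.
E2E_KEYS = {("lab-A1", "health-dept-B1"): b"constructed-e2e-key-a1-b1"}
# Gateway-level binding agreements: which peer gateways each one accepts from.
GATEWAY_PEERS = {"gw-A": {"gw-B"}, "gw-B": {"gw-A"}}


def e2e_tag(key, sender, receiver, payload):
    """Integrity tag over (sender, receiver, payload), computed by the sender."""
    msg = json.dumps({"from": sender, "to": receiver, "payload": payload}, sort_keys=True)
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def send(sender, credential, receiver, payload, tamper_at=None):
    """Route sender -> home gateway -> destination gateway -> receiver.

    Returns (delivered, hop_log, e2e_ok). `tamper_at` names a gateway that
    alters the payload in transit, to show what the end-to-end tag catches.
    """
    hop_log = []
    home = NODE_REGION[sender]
    # Hop 1: the node authenticates to its regional gateway.
    if NODE_CREDENTIALS.get(sender) != credential:
        hop_log.append((home, "rejected: node authentication failed"))
        return False, hop_log, False
    hop_log.append((home, "node authenticated"))
    key = E2E_KEYS.get((sender, receiver))
    if key is None:
        hop_log.append((home, "rejected: no end-to-end key for this pair"))
        return False, hop_log, False
    envelope = {"from": sender, "to": receiver, "payload": payload,
                "tag": e2e_tag(key, sender, receiver, payload)}
    # Hop 2: inter-gateway routing. The destination gateway sees only the
    # peer gateway's identity; it takes the sender's identity on trust.
    dest_gw = NODE_REGION[receiver]
    if dest_gw != home:
        if dest_gw not in GATEWAY_PEERS[home]:
            hop_log.append((home, "rejected: no agreement with " + dest_gw))
            return False, hop_log, False
        if tamper_at == dest_gw:
            envelope["payload"] = envelope["payload"] + " [altered in transit]"
        hop_log.append((dest_gw, "accepted from peer gateway " + home))
    # Final hop: the receiver checks the tag itself instead of relying on
    # the gateways' word, restoring an end-to-end integrity property.
    expected = e2e_tag(key, sender, receiver, envelope["payload"])
    e2e_ok = hmac.compare_digest(expected, envelope["tag"])
    hop_log.append((receiver, "end-to-end tag " + ("ok" if e2e_ok else "FAILED")))
    return True, hop_log, e2e_ok


if __name__ == "__main__":
    for entry in send("lab-A1", "cred-a1", "health-dept-B1", "ELR batch 1")[1]:
        print(entry)
```

The acknowledgement problem from the same slide is visible in the hop log: an ack has to travel back through the same two gateways, and the sender can only tell "delivered to the destination gateway" from "accepted by the receiver" if the receiver's ack is itself protected end-to-end in the same way.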

Interoperation with Non-PHIN Networks

Approach 1: Multiple Protocol Support

Multiple Protocol Support: Challenges
Addition of each new protocol requires an upgrade of messaging node software
Complexity of messaging nodes goes up (multiple security credentials, protocols, etc.)

Approach 2: Inter-Network Gateways

Example – Non-PHIN to PHIN Message Flow

Inter-Network Gateway Architecture

Inter-Network Gateways – Advantages and Challenges
Advantages
– Facilitates re-use of existing messaging systems to support new data routes and business use cases
Challenges
– Agreements (policy, business, service-level) between different networks on gateway protocols, routing, security
– Trust on gateways
– End-to-end messaging security properties
  – Authentication
  – Confidentiality

Summary
Current models are secure but may not scale to a large number of nodes
New models are scalable/maintainable, but there are security challenges:
– Centralizing authentication/authorization
– Regional gateways (transitive trust)
Security – Technology is a small part of the problem. Bigger challenges are:
– Establishing trust in identity proofing, authentication and authorization
– Policy, Governance, Agreements on inter-organizational or inter-regional entities