Presentation is loading. Please wait.

Presentation is loading. Please wait.

NIH eReceipts and Amazon.com

Published byColleen Mosley Modified over 6 years ago

Similar presentations

Presentation on theme: "NIH eReceipts and Amazon.com"— Presentation transcript:

1 NIH eReceipts and Amazon.com
SOA Technology Briefing MITRE, McLean, VA October 2006 Comparing USPS PostalOne, NIH eReceipts and Amazon.com for eGov and SOA David RR Webber Dr. Alan Harbitter

2 Overview Nortel Government Solutions (NGS) staff has implemented two widely differing solutions for high visibility e-Government systems.  How do these two approaches compare and contrast and what are the lessons learned compared to a commercial approach such as Amazon.com? Special Focus - eGovernment Security aspects Q&A

3 Notion of using Internet to securely exchange business information
Quick History Notion of using Internet to securely exchange business information XML started in 1997 B2B work on XML/edi and ebXML ebXML specification – May 11th, 2001 Web services – started 2000 as ‘quick fix’ WSDL and XSD developed by W3C Web services used by Amazon and eBay Marketing of SOA emerges

4 SOA still very much dependent on the focus of the advocate
What exactly is SOA? SOA still very much dependent on the focus of the advocate Some commonly accepted wisdoms Using internet TCP/IP based exchanges Both “real time” and “batch” services Need registry to manage content / services Robust Security and Authentication Partner profiles - MoU, roles, context Rule based business information handling Business process formalization

5 CIO’s perception of SOA Today
Independent of underlying technology A general model for offering computing and information services in large, loosely coupled, highly distributed environment. The standardized and probably most widely associated implementation technology is web services But many look to implement SOA with specific vendor legacy technologies e.g. IBM MQ series, BEA, Oracle, SAP, etc

6 Many camps of vendor driven interests
Where is SOA Today? Many camps of vendor driven interests WS/I ,W3C, OMG, OASIS, more Many components as open specifications Marketplace still sorting out winners and losers of key components security, registry, messaging, transactions, business process Loose coupling – concept but not reality Poor understanding of applicability of B2B batch delivery – push / pull / staged

7 Quick look - what exactly is SOA?
Using Amazon web services Contrast and compare simple web service model to SOA requirements Web Services – Amazon AWS AWS 1 2 3 (TALKING POINTS) Rapid deployment Simplicity of Content Transient value-less content Security / Role / Access? Legal position Degrading content at peak times Agility / loose coupling

8 NIH eRECEIPTS & USPS POSTALONE

9 Receives 70,000+ research and training grant applications
NIH Grants Management NIH issues billions of dollars in grant awards to investigators worldwide annually Receives 70,000+ research and training grant applications Handling 20,000,000+ pages of paper To electronically receive, verify and accept ALL Research/Research related Grant Applications Securely manage each step of the process 9

10 Grant Applications Process and EERP
Posting Submission Evaluation Award Tracking Outcomes KM / Research Budget KM End-to-End Resource Planning Agency Peer review, Evaluation Templates + XML NIH Grantor Org Delivery Agency Submissions Grantee Review & Sign-off Award Management Grant Opportunities ($4B+ annually) Verification, Validation Notification Security: Role, Policy, Access

11 NIH Exchange - Design Goals
Automated registration of participants Ability to self-certify exchange transactions Version control and ability to approve partners Centralized registry for participant management Alignment of policy and security Declared and shared business rule scripting Integration through messaging services Backend application integration services Uses open public specifications and open source 11

12 NIH Partner Services Architecture Vision

13 NIH Layered Deployment Model

14 PostalOne!® – Web-Based Enterprise Application
To electronically verify and accept ALL Business Mailings nationwide 30,000+ users $32 Billion in annual revenue collection for USPS 100,000+ transactions per day Mission Critical application for USPS

15 PostalOne!® – Current Web Services Implementation
USPS Appointment Scheduling Business process IBM WebSphere MQ Appointment Scheduling Request/Response via Web Services USPS Appointment Scheduling Application (FAST) Business Mailers PostalOne! (Scheduling Gateway) User Authentication & Authorization USPS Electronic Postage Statement Submission Business process Electronic Documentation & Payment via Web Services Business Mailers PostalOne! (Postage Wizard Web Service)

16 PostalOne!® – A Service Oriented Architecture Approach

17 Security Considerations for Real World SOA Systems
Dr. Alan Harbitter CTO, Nortel Government Solutions

18 High-level Thoughts on Security and SOA
Probably the number one paranoia in SOA pilot-to-production transition is security—and rightly so. SOA (web services), is generally thought of as service producer-to-consumer, not system-to-user. But security has to be user-focused. The mechanisms suggested by many of the standards assume in place security infrastructure beyond the “as-is.” The ROI for SOA is based on applications, so that’s how an organization is likely to start But security should be institutionalized—beyond single applications.

19 Security Services Requirements
Confidentiality Services and information provided are not accessible to unauthorized parties Traffic patterns do not provide a “covert channel” Integrity Service and information provided is not inappropriately modified Availability Service is reliably provided at advertised hours Authentication Server, Service, User Non-repudiation Parties exchanging information can be positively identified and can not deny providing or receiving services

20 SOA Transport Protocols
Very Basic Security Registry of Services --- Registry of Services --- Internet or Intranet SSL I have info you might be interested in! So do I! SOA Transport Protocols Publishing Protocols SSL Publishing Protocols Government data repository Stakeholder data repository Authentication at user level is typically handled by the application SSL covers confidentiality and service authentication

21 How well does SSL support requirements?
Confidentiality Secret key and symmetric algorithm are negotiated for the session Integrity MAC can be negotiated into the session Availability Not specifically addressed, requires at least normal DDoS precautions and an application-aware firewall IA&A (Identification, Authentication, Authorization) Typically, SSL handles the server/service level (application handles the user level) Non-repudiation Inherent in the session, but can not be shown later Attack resilience What ever is in place for enterprise websites

22 Functionally, what’s missing?
Fine grained confidentiality Under SSL, the entire session is encrypted In wide scale information sharing applications, subset of provided information may have unique security characteristics (e.g., HIPAA data) Institutional representation of the user Doesn’t provide IA&A beyond the first application

23 What else is missing? Non-repudiation is limited to the duration of the session (or application based) Limited persistent security associations There is no enterprise-wide statement and enforcement of policy Security is dependent upon the organizational dynamic between application developers and infrastructure managers Protection mechanisms befitting a mission critical application

24 A Universe of Standards
SOAP Foundation WS-Security WS-Policy WS-Trust WS-Privacy WS-Secure Conversation WS-Federation WS-Authorization WS Security Specifications WS-Security: Framework for building security protocols WS-Policy: Policy assertions WS-Trust: Defines how to broker trust relationships WS-Privacy: a model for how a privacy language may be embedded into WS-Policy descriptions and how WS-Security may be used to associate privacy claims with a message WS-SecureConversation: Allows participants to establish a shared context WS-Federation: Single sign on and attribute service WS-Authorization: will describe how to manage authorization data and authorization policies.

25 The SOA-enabled Security Infrastructure
In the context of SOA-based secure information sharing in the public sector justice community Nationwide Sensitive But Unclassified (SBU) Backbone Application-aware Firewalls Service Provider State, Local & Regional Networks Federal Networks Certificate Authority Certificate Authority Local Authentication & Auditing Identity Server Identity Server Service Provider Service Consumers

26 Work for Government Implementers
For service owners, focus on application-specific details (where the devil is) XML-based expression of identity, attributes, and privileges Subject matter specific privacy tags For infrastructure owners, focus on building the SOA-enabled infrastructure

27 SUMMARY

28 Lessons Learned Providing self-service facilities is key to rapid adoption Infrastructure exists today off-the-shelf to create pre-built templates for industry domains Using open specifications allows integration into wide range of environments Open source solutions allows partners to readily obtain technology Use of partner id concept to manage partners and versioning interchanges 28

29 Challenges / Opportunities Today
Exposing synchronous and asynchronous interfacing to control content access Open source solution components to allow unrestricted integration by partners Leveraging loose coupling of web services Combining best-of-breed solution with both ebXML and Web services working together as formal model (e.g. Oracle SOA 10g v3 upgrade) Industry best-practices and lessons learned (who has solved similar needs?) 29

30 SOA – Future Challenges
As marketplace matures customers will demand core enabling components and features Trend continuing toward services as solution not software (that’s good for services providers like us!) Supporting complex infrastructure demands – such as ERP and BAM – will need robust rule-based solutions and tools Integration with cool new desktop tools and services (Microsoft & Nortel)

31 Nortel Government Solutions
Q & A Discussion Nortel Government Solutions For more information Visit our Website:

32 Acronym Soup WSDL – web service description language
SOAP – simple object access protocol ebXML – e-Business XML REST – Representational State Transfer – http-based exchanges XSD – XML Schema (structure / layout) Definition XML – eXtensible Markup Language W3C – World Wide Web consortium B2B – business to business MoU – Memorandum of Understanding TCP/IP – internet communications syntax 32

33 Project and Technology Resources
NIH eRA Project site – NIH S2S Resources site - Commons online site – Grants.gov online site – 33

34 Technology Resources www.oasis-open.org www.ebxml.org

Download ppt "NIH eReceipts and Amazon.com"

Similar presentations

GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.

Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.
Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -

Tuesday, June 10, 2003 Web Services Brief Overview & Security Assertion Coordinator Pattern by Mohammad Abushadi & Riaz Ahmed for Security Group CSE -
CS651/551 Federated Trust Systems Alfred C. Weaver

CS651/551 Federated Trust Systems Alfred C. Weaver
Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group

Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 

Chapters 14 & 15 Internet Databases. E-Commerce  Bringing new products, services, or ideas to market, supporting and enhancing business operations 
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.

6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.
B2B e-commerce standards for document exchange In350: week 13: Nov. 19,2001 Judith A. Molka-Danielsen.

B2B e-commerce standards for document exchange In350: week 13: Nov. 19,2001 Judith A. Molka-Danielsen.
Web services security I

Web services security I
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Introduction to UDDI From: OASIS, Introduction to UDDI: Important Features and Functional Concepts.

Introduction to UDDI From: OASIS, Introduction to UDDI: Important Features and Functional Concepts.
Using OASIS standards for SOA development for eGovernment applications SOA CoP Technology Briefing MITRE, McLean, VA May 2006 David RR Webber

Using OASIS standards for SOA development for eGovernment applications SOA CoP Technology Briefing MITRE, McLean, VA May 2006 David RR Webber
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
EbXML Overview Dick Raman CEO - TIE Holding NV Chairman CEN/ISSS eBES Vice Chair EEMA and HoD in UN/CEFACT Former ebXML Steering Group.

EbXML Overview Dick Raman CEO - TIE Holding NV Chairman CEN/ISSS eBES Vice Chair EEMA and HoD in UN/CEFACT Former ebXML Steering Group.
James Cabral, David Webber, Farrukh Najmi, July 2012.

James Cabral, David Webber, Farrukh Najmi, July 2012.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
What is Service Oriented Architecture ? CS409 Application Services Even Semester 2007.

What is Service Oriented Architecture ? CS409 Application Services Even Semester 2007.
International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,

International Telecommunication Union Geneva, 9(pm)-10 February 2009 ITU-T Security Standardization on Mobile Web Services Lee, Jae Seung Special Fellow,

Similar presentations

Ads by Google