All Rights Reserved: JusticeExperts.com

Post on 23-Jan-2016


Page 1: All Rights Reserved: JusticeExperts.com
Data (What) | Function (How) | Network (Where) | People (Who) | Time (When) | Motivation (Why)
Objectives/Scope: List of things important

Page 2: Architecture framework grid
(Rows are views of the enterprise; columns are Data (What), Function (How), Network (Where), People (Who), Time (When), Motivation (Why). The label TECHNOLOGY runs vertically down the side of the grid.)

Objectives/Scope:
  Data: List of things important to the enterprise
  Function: List of processes the enterprise performs
  Network: List of locations where the enterprise operates
  People: List of organizational units
  Time: List of business events/cycles
  Motivation: List of business goals/strategies

Conceptual (Owners' View):
  Data: Entity relationship diagram
  Function: Business process model
  Network: Logistics network
  People: Organization chart with roles, skill sets, security issues
  Time: Business master schedule
  Motivation: Business rules

Logical (Architect's View):
  Data: Data model
  Function: Essential data flow diagram; application architecture
  Network: Distributed system architecture
  People: Human interaction architecture (roles, data, access), security requirements
  Time: Dependency diagram, entity life history (process structure)
  Motivation: Business rule model

Physical (Designer's View):
  Data: Data architecture (tables and columns); map to legacy data
  Function: System design
  Network: System architecture (hardware, software types)
  People: User interface (how the system will behave), security design
  Time: "Control flow" diagram
  Motivation: Business rule design

Build & Implement (Programmer's View):
  Data: Data design, physical storage design
  Function: Detailed program design
  Network: Network architecture
  People: Screens, security architecture (who can see what?)
  Time: Timing definitions
  Motivation: Rule specification in program logic

Functioning System:
  Data: Converted data
  Function: Executable programs
  Network: Communications facilities
  People: Trained people, using the system
  Time: Business events
  Motivation: Enforced rules

Page 3: Architecture layers (diagram)
Technology Architecture
Application Architecture
Data & Information Architecture
Business Architecture

Page 4: Ad Hoc/EDI
• Immediate Solution
• Simple Point to Point
• No Enterprise Strategy
• No Common Metadata
• No Common Schema
• No Re-Use

Page 5: Consolidated System (diagram)
Probation, State's Attorney, Courts, Clerk, Public Defender and Jail/Sheriff, all attached to a Central Database (shared)

Page 6: Hub & Spoke
• Technology Solution
• Virtual Point to Point
• Centralized Data/Metadata
• Centralized Services
• Brokered Metadata
(Diagram elements: Broker, Data)

Page 7: Virtual System - Colorado Integrated Criminal Justice Information System (diagram)
Adult Corrections (DCIS), Juvenile Corrections (CDS/Trails), Prosecution (Blackstone), District and County Courts (ICON), Law Enforcement (CCIC), CICJIS (Central Index); links labelled Transfers and Queries

Page 8: Hybrid System (County Level) (diagram)
State's Attorney, Probation, Courts, Clerk, Public Defender and Jail/Sheriff, connected through a Middleware Server to a Data Warehouse

Page 9: State-level systems (diagram)
Department of Corrections, Department of Motor Vehicles, Supreme and Appellate Courts, Criminal History Repository, State Police; links labelled Translation and Push/Pull

Page 10: SOA
• Business Solution
• Common Point to Point
• Enterprise Metadata Registry
• Centralized Registry
• Distributed/Re-Usable Services
(Diagram elements: Broker, Data, Registry, Metadata)

Page 11: Service-oriented architecture roles (diagram)
Service Provider publishes a Service Description to the Discovery Agents; the Service Requestor finds it there and binds to the Service Provider; the Service Client uses the Service Description

Page 12: Web Services (section title)

Page 13: What is a Web Service?
Many definitions
A standard way of requesting a computer system to perform some action on your behalf, and for the requested computer to return a response.
"www for applications"
At a minimum, however, a web service is a piece of self-contained software that works over the Internet and uses a standardized XML-based messaging system

Page 14: An Example of What They Are Doing Today (diagram)
Diagram elements: "??? John Doe", King County SO, Bellevue PD, Tukwila PD, UDDI

Page 15: Two Aspects to Web Services
Use web services that others have created (consumption)
Create your own web services for others to use (publishing)

Page 16: How Does It Work?
(Diagram elements: Client Application, Internet, Application Server, Web Service)
A request is sent to a computer system to perform some action on your behalf, and for the requested computer to return a response.
XML is used to encode all communications
XML can be based on standards such as GJXDM

Page 17: Web Services Interaction (diagram)
Client Application -> Application Server: GetTemperature( "92010" ) / GetTemperature( "90210" )
Application Server -> Client Application: Return( "65" )
Client Application: Process returned value
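The GetTemperature exchange on this slide, carried through as an added example that is not part of the original deck: the client encodes the call as a SOAP 1.1 envelope, the application server parses and validates it and answers with either a Return value or a SOAP Fault, and the client processes what comes back. The service namespace urn:example:weather, the temperature table and the five-digit ZIP check are constructed assumptions; only the SOAP envelope namespace is the real one.

```python
import re
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace (real). The service namespace, the data table and
# the ZIP rule below are constructed for this example, not taken from the deck.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:weather"
TEMPERATURES = {"90210": "65", "92010": "65"}   # constructed lookup table
ZIP_RE = re.compile(r"^\d{5}$")                 # server-side input validation

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("w", APP_NS)


def _envelope():
    """Return (Envelope, Body) elements for a new SOAP message."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    return env, body


def build_request(zip_code: str) -> bytes:
    """Client side: encode GetTemperature(zip) as XML (the arrow to the server)."""
    env, body = _envelope()
    op = ET.SubElement(body, f"{{{APP_NS}}}GetTemperature")
    ET.SubElement(op, f"{{{APP_NS}}}zip").text = zip_code
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def _fault(code: str, reason: str) -> bytes:
    """SOAP 1.1 Fault: faultcode and faultstring are unqualified child elements."""
    env, body = _envelope()
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = f"soap:{code}"
    ET.SubElement(fault, "faultstring").text = reason
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def handle_request(raw: bytes) -> bytes:
    """Application server side: parse, validate, look up, answer (Return("65")).

    xml.etree does not fetch external entities, but for messages arriving from
    untrusted peers a hardened parser such as defusedxml is the safer choice.
    """
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return _fault("Client", f"malformed XML: {exc}")
    op = root.find(f"{{{SOAP_NS}}}Body/{{{APP_NS}}}GetTemperature")
    if op is None:
        return _fault("Client", "unknown operation")
    zip_code = (op.findtext(f"{{{APP_NS}}}zip") or "").strip()
    if not ZIP_RE.match(zip_code):          # reject anything but five digits before lookup
        return _fault("Client", "zip must be five digits")
    temp = TEMPERATURES.get(zip_code)
    if temp is None:
        return _fault("Server", "no data for that zip")
    env, body = _envelope()
    resp = ET.SubElement(body, f"{{{APP_NS}}}GetTemperatureResponse")
    ET.SubElement(resp, f"{{{APP_NS}}}Return").text = temp
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_response(raw: bytes) -> int:
    """Client side: 'process returned value'; a Fault becomes an exception, not a number."""
    root = ET.fromstring(raw)
    fault = root.find(f"{{{SOAP_NS}}}Body/{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError(f"{fault.findtext('faultcode')}: {fault.findtext('faultstring')}")
    value = root.findtext(
        f"{{{SOAP_NS}}}Body/{{{APP_NS}}}GetTemperatureResponse/{{{APP_NS}}}Return")
    return int(value)


def get_temperature(zip_code: str) -> int:
    """Full round trip, with the Internet hop of the diagram replaced by a direct call."""
    return parse_response(handle_request(build_request(zip_code)))


if __name__ == "__main__":
    print(build_request("90210").decode())
    print(get_temperature("90210"))
```

The server validates the ZIP before touching its data source and answers bad input with a Fault rather than a stack trace, so a malformed or unexpected request leaks nothing about the back end; the client treats a Fault as an error path instead of trying to turn it into a temperature.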

Page 18: How Do They Help Me?
Provide access to a wider range of information and services than a web site.
No need to copy data locally as it is always available across the Internet.
Software systems can reap the same benefits as web client users.
Facilitates electronic collaboration between (disparate) systems.

Page 19: How Does This Help Justice?
Existing agencies already form the hubs for justice related information.
Large amounts of useful information already exist, but in disparate systems.

Page 20: Where Can an Officer Look for Information?
Existing systems provide access to information stored locally within an agency.

Page 21
Some agencies offer information services via a web portal of some kind.

Page 22
Web services can help create a new "face" for an agency

Page 23: Web Services Components (section title)

Page 24: What is UDDI?
Web Service Registry
Stores which web services are being provided by a given Provider
Stores a list of web service standards (T-Models), and which web services implement each standard.
UDDI Model (diagram elements): Standard Web Service A, Standard Web Service B, Standard Web Service C; Provider A with Web Service A, Web Service B, Web Service C; Provider B and Provider C with Web Service A and Web Service C

Page 25: What is SOAP?
A lightweight, XML-based protocol for exchanging information in a decentralized, distributed environment.
SOAP allows objects (or code) of any kind -- on any platform, in any language -- to cross-communicate.

Page 26: What is WSDL?
An XML format for describing network services as a set of endpoints operating on messages containing either document-oriented or procedure-oriented information.
It can describe information such as the access point (i.e., URL), protocol (SOAP, HTTP, or MIME) and message format (such as XML Schema) of the Web service.

Page 27: Web Service Security
Web services can use the same security technologies as the www.
Identity theft still remains the biggest security hole.
Use Defense In Depth

Page 28: Web Service Enhancements
1.0 provides support for security features such as digital signature and encryption, message routing capabilities, and the ability to include message attachments that are not serialized into XML.
2.0 provides policy, security, messaging, and more

Page 29: Consuming Web Services
Universal Description, Discovery and Integration (UDDI) registries can be used to catalogue available Web Services
Use an XML-RPC or SOAP toolkit for your platform and your preferred programming language
Build your application logic around data retrieved from many different organizations through their published Web Services

Page 30: Publishing Web Services
Create your Web Service using your preferred programming language and either the XML-RPC or SOAP toolkit for your platform
Use the Web Service Description Language (WSDL) to describe your Web Service to other software systems
Allow others to discover your Web Service by publishing to a UDDI server

Page 31: Web Services in Justice
An ideal platform for data sharing without the need to gather data in one place
Present information obtained from multiple agencies in a unified view
Can be real time
Available 24 hours a day

Page 32: What's Good About WS?
Shares many similarities with existing web based interaction (http/s, firewalls, etc)
Clients and servers can be created using unrelated technologies
Supports all web site security models (http/s, certificates, LDAP etc.)
Offers additional security features beyond that of web sites (WS Security).

Page 33: Pitfalls
Massively distributed, therefore no standards for error management
Far greater need for security
Response time cannot be guaranteed if using the standard Internet as the transport mechanism

Page 34: Service-Oriented Architecture (section title)

Page 35: What is SOA?
SOA - (Service Oriented Architecture)
A system for linking resources on demand, where resources are made available to other participants in the network as independent services that are accessed in a standardized way. This provides for more flexible loose coupling of resources than in traditional systems architectures

Page 36: What is SOA?
At its simplest, SOA is just designing your architecture to best work in a Web service environment, based on the consumer-provider model.

Page 37: Service-oriented architecture roles (diagram, repeated from Page 11)
Service Provider publishes a Service Description to the Discovery Agents; the Service Requestor finds it there and binds to the Service Provider; the Service Client uses the Service Description

Page 38: (no text)

Page 39: Architecture layers (diagram, repeated from Page 3)
Technology Architecture
Application Architecture
Data & Information Architecture
Business Architecture

Page 40: Enterprise Information Services Layer (diagram)
Back End: CC/DOC, Court CMS, LE CAD, LE RMS
Common Communications: HTTP - SOAP - XML
Common Services: Access, Collaboration, Assurance, Gateway, Exchange, Workflow; WSDL - Web Services
Registries: UDDI Metadata
Justice Applications & Functions
Front End: User Interface - Presentation; Wireless, Telecom, Email Client, APPS, Web Browser

Page 41: Why is SOA Important?
The nature of e-business is changing
Agencies are experiencing an explosion of interactions both internally and externally
Need for dynamic A2A relationships that drive agencies to employ reusable, flexible, adaptive software services for the creation of their CJIS solutions.

Page 42: What Benefits Does SOA Offer Business Functions?
Concentrate development efforts on building services that drive effectiveness
Evolve business models and relationships
Reduce costs of internal integration
Establish interactions with CJ community more efficiently
Deliver business functions to a broader set of users
Outsource IT skills that provide no business value-add

Page 43: What Benefits Does SOA Offer IT Staff?
Easier development, service, and upgrade of solutions
Reuse of existing, proven assets
Reduced dependence on implementation specifics

Page 44: SOA Summary
Decouple applications and infrastructure
Allows agencies to quickly build and deploy solutions based on reusable components (internal or external)
Change the target/nature of interactions based on changing business conditions
Leverage flexible business models
Maximize reach to users & partners
Minimize costs and development time

Page 45: Security (section title)

Page 46: Security Issues in Service Oriented Architecture (diagram)
Internal Network containing the Sheriff's database and the Court database
Speech bubbles: "Hey, what do you know about this guy who was arrested?" / "Hey, what do you know about this guy who was tried?"

Page 47: Security Issues in Service Oriented Architecture (diagram)
Internet or Intranet; SOAP/XML over HTTP
Sheriff's database and Court database, each with UDDI and WSDL entries in a Registry of Services (1. ---, 2. ---)
Speech bubbles: "I have info you might be interested in!" / "So do I!"

Page 48: The Need
(Table: Integrated Justice Application | Security Challenges | Technology to the Rescue)

Securely exchange information between disparate organizations | Positively identify both parties; Secure information in transit; Proper handling at destination | VPNs; I&A
Post information to the public over the Internet | Protect the privacy of exchanges with the public; Ensure the integrity of court-provided information | Digital Signature; PKI; SSL
Electronic case filing & reduced paper processes | Provide the integrity of an official record in electronic formats | Digital Signature; PKI
Privacy | Provide access on a right-to-know basis | Encryption; I&A
Support an increasingly mobile workforce | Protect electronic information beyond the walls of the courthouse | VPNs; I&A; Encryption

In integrated justice applications, the security problems often surface as a byproduct of implementation

Page 49: An Ontology of Security Services
Prevention: Protected communications; Authentication; Authorization; Access control enforcement; Non-repudiation; Transaction privacy
Detection and Recovery: Audit; Intrusion detection and containment; Proof of Wholeness; Restore 'secure' state
Supporting Services: Identification (& naming); Cryptographic key management; Security administration; System protections

Page 50: Secure Information Sharing: 3 Basic Properties
Confidentiality
Integrity
Availability
(Diagram elements: SSL, Digital Signature, VPN)

Page 51: Identification & Authentication
Identification factors
  Something you know (password or PIN)
  Something you have (token/smart card)
  Something about you (biometric)
Increasingly secure authentication includes multiple factors
Password protection is still the most prevalent
Biometrics are receiving substantial interest

Page 52: I&A—Common (Best?) Practices
(Listed in order of increasing complexity)
Strong password system with auditing
Hardware token with a one-time password
PKI-based with password to unlock secret key
HW token containing cert & secret key with PIN to unlock
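The first two practices above, combined into one check, as an added example that is not part of the original deck: a salted, iterated password hash with audit entries ("something you know") verified together with a hardware-token one-time password ("something you have"). The token algorithm is assumed to be HOTP (RFC 4226), the password hash PBKDF2-SHA256, and the iteration count, look-ahead window and account record layout are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed parameters for this example (not from the original deck).
PBKDF2_ITERATIONS = 200_000   # password-hash work factor; tune to your hardware
LOOK_AHEAD = 3                # how far the server searches past its stored HOTP counter


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a hardware token displays for a given counter value."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(password: str, token_secret: Optional[bytes] = None) -> dict:
    """Create the server-side record: salted password hash plus the token's shared secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS),
        "token_secret": token_secret or secrets.token_bytes(20),
        "counter": 0,   # next HOTP counter the server will accept
        "audit": [],    # (outcome, password_ok, token_ok) per attempt; no secrets are logged
    }


def authenticate(account: dict, password: str, otp: str) -> bool:
    """Two-factor check: something you know (password) and something you have (token)."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), account["salt"], PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(candidate, account["pw_hash"])

    # The token factor is evaluated even after a password failure, so the caller
    # cannot tell from the result which factor failed; the audit log keeps that
    # detail for the operator.
    token_ok, next_counter = False, account["counter"]
    for c in range(account["counter"], account["counter"] + LOOK_AHEAD):
        if hmac.compare_digest(hotp(account["token_secret"], c), otp):
            token_ok, next_counter = True, c + 1
            break

    ok = password_ok and token_ok
    account["audit"].append(("success" if ok else "failure", password_ok, token_ok))
    if ok:
        account["counter"] = next_counter   # consumed codes cannot be replayed
    return ok


if __name__ == "__main__":
    # RFC 4226 test-vector secret, so the expected codes are known: 755224, 287082, ...
    acct = enroll("correct horse battery", b"12345678901234567890")
    print(authenticate(acct, "correct horse battery", hotp(acct["token_secret"], 0)))
    print(acct["audit"])
```

The counter only advances on a fully successful attempt, so a captured one-time code is useless once used, and a correct token paired with a wrong password does not burn the token's counter either.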

Page 53

A Typical VPN Application

[Diagram: Agency Alice database (private side) <-> FIREWALL <-> Internet, encrypted “tunnel” (public side) <-> FIREWALL <-> Agency Bob database (private side)]

• Depending upon the level of trust, the databases may be replicated

• Alice has query-only capability to Bob’s database (and vice versa)

• Access might be user-to-database or computer-to-database

C&I

Page 54

What Do VPNs Buy You?

Confidentiality and integrity AT THE NETWORK LEVEL

Exploit public networks for reasons of cost effectiveness and location flexibility

Establishment of “communities of interest” within private networks

Does not buy you… I&A (although many products include that); Individual security (e.g., secure email); Protection from other network operators’ bad practices

C&I

Page 55

SSL Can Provide Confidentiality

[Diagram: exchange between the e-shopper’s browser (client) and the e-merchant’s web server (host)]

Client Hello Message: starts the session

Server Hello Message: send certificate containing server’s public key

Client Key Exchange Message: send session key encrypted with server’s public key

Finished: exchange information encrypted with the session key

C

Page 56

What Does SSL Buy You?

Secure (i.e., encrypted) communications between two parties who previously don’t know each other (digitally, that is)

Broad standardization; easy user participation

Confidentiality at the SESSION LEVEL

Option for two way authentication

C

Page 57

Secret vs. Public Key Encryption

[Diagram: Attorney Alice and Judge Bob, with a Certificate Authority as the trusted holder of public keys]

Secret key: E_SECRET KEY(m) on one side, D_SECRET KEY(m) on the other (encrypted message)

Public key, confidentiality: Alice computes E_Bob-public(m); Bob computes D_Bob-private(m) (encrypted message)

• Alice encrypts her message with Bob’s public key: confidentiality

Public key, integrity: Bob computes E_Bob-private(m); Alice computes D_Bob-public(m) (digital signature)

• Bob encrypts his message with his private key: integrity (digital signature)

C&I
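The SSL key-exchange slide (client sends a session key under the server's public key, then data flows under the session key) and the secret-vs-public-key slide above (E_Bob-public for confidentiality, E_Bob-private for a signature), worked as one added example; this is not the deck's code. It is textbook RSA with the constructed toy primes 61 and 53 and a hash-based toy stream cipher standing in for the SSL record cipher: it shows which key goes in which direction, nothing about real-world strength.

```python
"""Textbook RSA walk-through of the SSL key-exchange and secret-vs-public-key
slides. Added example, not the deck's code. Primes 61 and 53 are constructed
toy values: real systems use 2048-bit keys with OAEP/PSS padding; the point
here is the direction in which each key is applied."""
import hashlib
from math import gcd


def rsa_keygen(p=61, q=53, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)        # (public key, private key)


def apply_key(key, m):
    """E_key(m) and D_key(m) on the slide are the same operation: m^k mod n."""
    k, n = key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, k, n)


def encrypt_for_bob(bob_pub, m):            # Alice -> Bob: E_Bob-public(m), confidentiality
    return apply_key(bob_pub, m)


def bob_decrypt(bob_priv, c):               # Bob: D_Bob-private(c)
    return apply_key(bob_priv, c)


def digest(message, n):                     # hash reduced into the message space
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(bob_priv, message):                # Bob: E_Bob-private(hash), the digital signature
    return apply_key(bob_priv, digest(message, bob_priv[1]))


def verify(bob_pub, message, sig):          # anyone: D_Bob-public(sig) == hash? integrity
    return apply_key(bob_pub, sig) == digest(message, bob_pub[1])


def keystream(session_key, length):
    """Toy stream cipher keyed by the session key, standing in for SSL's record cipher."""
    blocks = (hashlib.sha256(session_key.to_bytes(4, "big") + bytes([i])).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def ssl_style_exchange(server_pub, server_priv, session_key, data):
    """Client Key Exchange: the session key travels under the server's public key; then
    application data flows under the session key. Returns what the server reads."""
    wrapped = apply_key(server_pub, session_key)            # client -> server
    recovered = apply_key(server_priv, wrapped)             # server unwraps it
    record = bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))
    return bytes(a ^ b for a, b in zip(record, keystream(recovered, len(record))))
```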

Page 58

Electronic vs. Digital Signature

Electronic

Does not guarantee the integrity of the document

Can be loosely biometric

Transactional

Eliminates enrollment

Digital

Implies the use of PKI

Ensures document integrity

Author cannot deny involvement (non-repudiation)

Requires user to “enroll” with Registration Authority

I

Page 59

Digital Certificates Bind a Person to a Public Key

Version (of X.509)

Serial Number (of certificate)

Signature Algorithm (e.g., RSA + more details like key length)

Issuer (in that weird X.500 notation)

Validity date range

Subject (more weird X.500 notation)

Public key (finally)

Digital signature (of issuer)

It’s a computer file

It’s a digital credential

Think of it like a bank signature card

SI

Page 60

Security Demands for the SOA

Confidentiality: Protect specific fields and documents in XML

Integrity: Information is valid and undisturbed

Availability: Critical services remain up and running

Authentication: Know who you’re talking to on an enterprise-wide basis

Page 61

What’s Available and Why It’s Lacking

SSL: Indiscriminately covers an entire session, and on a user-to-server basis

Digital Signature: Good, but relies on interoperable PKIs

Dumb Firewalls: Only look at the network level and miss the threat

UserID/Password: Still the most common way to get access; No enterprise-wide standardization; No accommodation for role-based access control; Lightweight security

Page 62

What We Need

Fine grained encryption in web services

Enterprise standards for digital credentials—a law enforcement standard for digital credentials

“Application aware” firewalls

Cooperation among PKI owner-operators

Mature standards and tools for developers

Peace on Earth

Page 63

Standards-Based Approaches: SAML

OASIS standard based on XML

Includes assertions for Authentication (e.g., I authenticated thru RISS or ARJIS, …), Attributes (e.g., I’m a member of ATIX), and Authorization

Extensible

Incorporates XML digital signature standards

Version 2.0 now available

Source: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML), OASIS Standard, 5 November 2002

Page 64

WS Interoperability Stack

[Diagram: layered stack, listed here from the bottom layer up]

Transport: HTTP, BEEP, IIOP, JMS, SMTP

Messaging: XML, Encoding, SOAP

Description: WSDL

Discovery: UDDI

Quality of Service: Reliable Messaging, Security, Transactions, Coordination, Context

Integration: Business Process Languages (BPEL, XPDL, BPML); Business Collaboration Language (Choreography Description Language)