Enterprise Infrastructure Reference Implementation

Presentation transcript:

Enterprise Infrastructure Reference Implementation (EIRI). Defense Information Systems Agency, A Combat Support Agency. DISA CTO.

The Situation and a Better Solution. Today’s Pt-to-Pt Quagmire (Interfaces) vs. A Net-Centric Enterprise (Services). On the left you can see how we do it today: based on socialization (call a buddy and subscribe to an RSS feed). You have to subscribe to an RSS feed for every system where you want to consume data. Based on technology, you can dynamically discover new sources of data and services leveraging enterprise services specifications and standards.

Industry Example

DoD Example

From Systems to Services, From Programs to Capabilities.
Objectives: Rapid Development of Enterprise Mission Services. EIRI is a leading-edge effort intended to develop the processes and procedures to rapidly and cost-effectively deliver information sharing capabilities to the Department. EIRI will leverage Net-Centric Enterprise Services (NCES) standards and capabilities in exposing data net-centrically. EIRI will provide shoulder-to-shoulder assistance to help organizations implement those processes and procedures.
Exposed to the Enterprise: Discoverable. Leverages NCES Machine to Machine (M2M) or NCES compliant Web Service. Authorized (Attribute Based Access Control (ABAC)). Available (Instrumented with NCES compliant EnSM).

Rules for Enterprise Services in C2 JCTDs. Diagram labels: Attribute WS-Service, Attribute Store, Enterprise Level, Policy WS-Service, Policy Store, Local Level, Policy Decision Point (Permit, Deny, Unk, N/A), User Request, PEP, Authorization, JUM, Message Broker, Message Topic, Publishers, Subscribers, Message Bus, Mediation Service, Data Repository. Data Repository: Stores information in a centralized repository. Uses XQuery for access, manipulation and retrieval operations. Searches and locates information with pinpoint accuracy. Extensive full-text, structured, geospatial, and real-time search features. Analyzes to understand and exploit what you have. Built-in indexes to speed analysis of data. Delivers content to users in multiple contexts. Sends content to multiple devices and users.

Data Exchange Design Approaches.
Web Service (Request/Response): use when data needed by the consumer is specific and bound by indicated parameters.
JUM Interface (Publish/Subscribe), Joint User Messaging (JUM): use when data is frequently updated, relatively small, and relevant to a large number of users.
SharePoint Reference Implementation: package add-on which allows for communication with JUM; use if you already have SharePoint and now wish to share data.
Hybrid: some combination of these design approaches.
A Web Service (Request/Response) is the appropriate model when the data needed by the consumer is specific and bounded by indicated parameters, and/or when it otherwise makes sense for the consumer to initiate the request on a one-time or periodic basis. Request/Response is more appropriate when the datasets being shared are potentially large. JUM (Publish/Subscribe) is the appropriate model when the data is frequently updated, individual updates are relatively small, and subsets of the data are relevant to large numbers of consumers. JUM also makes sense when updates or notifications need to be pushed rapidly to consumers rather than waiting for them to request updates. While Publish/Subscribe is ideal for high-frequency, event-driven data updates, it should not be used for database replication. Microsoft SharePoint Reference Implementation is appropriate when the data is manually entered and the users already utilize SharePoint, but wish to share data to a broader audience through JUM.

Web Service (Request/Response). One of the most basic use cases is one in which a web service is stood up to expose a database or other information source to the Enterprise on a query-like basis. Consumers of the information make requests to the web service, specifying the parameters of the data they require. The web service validates the requestors’ identity, and calls out to validate the requestors’ authorization making use of an externalized security architecture. The web service then structures the request in a way that can be understood by the source (e.g., a database call, file access or an application API call). Upon retrieving the data from the source, the web service structures the data into an XML document according to the interface definition for the web service (i.e., the XML schema) and returns it to the consumer.
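The request/response flow described above, as an added example that is not part of the original presentation: a web service acting as policy enforcement point asks an externalized decision point, refuses anything other than an explicit Permit (including the Unk and N/A outcomes), and only then queries the source and returns XML. The store contents, subject names, the `shipments` resource and all function names are hypothetical, and the caller is assumed to be authenticated already.

```python
import xml.etree.ElementTree as ET
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    UNKNOWN = "Unk"
    NOT_APPLICABLE = "N/A"


# Constructed sample data standing in for the attribute store, policy store
# and information source; none of it comes from a real system.
ATTRIBUTE_STORE = {
    "cn=analyst1": {"clearance": "secret", "org": "TRANSCOM"},
    "cn=contractor7": {"clearance": "none", "org": "VENDOR"},
}
POLICY_STORE = [{"resource": "shipments", "require": {"clearance": "secret"}}]
SOURCE_ROWS = [
    {"id": "S-001", "port": "Norfolk", "status": "loaded"},
    {"id": "S-002", "port": "Rota", "status": "in-transit"},
]


def policy_decision_point(subject, resource):
    """Externalized decision: look up attributes and policy, return a Decision."""
    attrs = ATTRIBUTE_STORE.get(subject)
    if attrs is None:
        return Decision.UNKNOWN          # no attributes for this identity
    policies = [p for p in POLICY_STORE if p["resource"] == resource]
    if not policies:
        return Decision.NOT_APPLICABLE   # no policy covers the resource
    for policy in policies:
        if all(attrs.get(k) == v for k, v in policy["require"].items()):
            return Decision.PERMIT
    return Decision.DENY


def handle_request(subject, resource, port):
    """Policy enforcement point inside the web service.

    `subject` is assumed to be already authenticated by the transport.
    Anything other than an explicit Permit is refused (fail closed).
    """
    decision = policy_decision_point(subject, resource)
    if decision is not Decision.PERMIT:
        raise PermissionError(f"{subject} on {resource}: {decision.value}")
    # Translate the request parameters into a query against the source.
    rows = [r for r in SOURCE_ROWS if r["port"] == port]
    # Structure the result as XML; ElementTree escapes attribute values.
    root = ET.Element("shipments")
    for row in rows:
        ET.SubElement(root, "shipment", id=row["id"], status=row["status"])
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(handle_request("cn=analyst1", "shipments", "Rota"))
    for who, what in [("cn=contractor7", "shipments"), ("cn=ghost", "shipments"),
                      ("cn=analyst1", "manifests")]:
        print(who, what, policy_decision_point(who, what).value)
```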

Joint User Messaging (JUM) (Publish/Subscribe): Event Driven Information Publication. A very common use case is the event-driven publication of data; this is a very simple and effective mechanism for sharing relatively small, frequently updated information with a potentially large audience of consumers. In this case, the web service publishes data via Joint User Messaging (JUM) to one or more topics. All messages published are received by the applications and users subscribed to those topics. JUM handles authentication and authorization of publishers and subscribers as well as the reliable delivery of the messages. Data from the information source is published by the web service to the appropriate JUM topics using the defined message formats. This form of interaction is typically a machine-to-machine exchange of information.

SharePoint Reference Implementation. In some cases, information may be published directly by users for consumption by other users and/or by systems. The SharePoint Connector to JUM provides a means by which SharePoint Lists and Workflows can be used to publish information to JUM.

Hybrid Design. In some cases, information updates may be too large for publication to JUM, or each consumer might desire a different subset of the update available. In this case, the web service publishes only a notification via JUM to communicate to consumers that new information is available. The web service then exposes a web service that consumers call to request the specific data updates they require.
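A sketch of the hybrid design described above, added here as an example and not taken from the presentation or from JUM itself: small updates are published inline on a topic, while large ones are replaced by a notification that carries only an identifier, and each consumer then requests the subset it wants. The in-memory broker, the 256-byte limit, the class names and the sample records are all assumptions.

```python
import json
import uuid

MAX_INLINE_BYTES = 256  # assumed size limit for a message on a topic


def select(records, filters):
    """Return the records whose fields match every filter parameter."""
    return [r for r in records if all(r.get(k) == v for k, v in filters.items())]


class TopicBroker:
    """In-memory stand-in for the publish/subscribe service."""
    def __init__(self):
        self._subscribers = {}

    def subscribe(self, topic, callback):
        self._subscribers.setdefault(topic, []).append(callback)

    def publish(self, topic, message):
        for callback in self._subscribers.get(topic, []):
            callback(message)


class UpdateService:
    """Publishes small updates inline and large ones as a notification."""
    def __init__(self, broker, topic):
        self.broker, self.topic, self._updates = broker, topic, {}

    def publish_update(self, records):
        if len(json.dumps(records).encode()) <= MAX_INLINE_BYTES:
            self.broker.publish(self.topic, {"kind": "data", "records": records})
            return "data"
        update_id = str(uuid.uuid4())
        self._updates[update_id] = records
        self.broker.publish(self.topic, {"kind": "notification", "update_id": update_id})
        return "notification"

    def get_update(self, update_id, **filters):
        # Request/response side; the caller's authorization check is assumed
        # to have happened before this point.
        if update_id not in self._updates:
            raise KeyError(f"unknown update {update_id}")
        return select(self._updates[update_id], filters)


class Consumer:
    def __init__(self, service, **filters):
        self.service, self.filters, self.received = service, filters, []

    def on_message(self, message):
        if message["kind"] == "data":
            self.received += select(message["records"], self.filters)
        else:  # notification only: pull just the subset this consumer wants
            self.received += self.service.get_update(message["update_id"], **self.filters)


def demo():
    broker = TopicBroker()
    service = UpdateService(broker, "shipments")
    rota, norfolk = Consumer(service, port="Rota"), Consumer(service, port="Norfolk")
    for consumer in (rota, norfolk):
        broker.subscribe("shipments", consumer.on_message)
    small = [{"id": 100, "port": "Rota"}]  # constructed sample records
    large = [{"id": i, "port": "Rota" if i % 2 else "Norfolk"} for i in range(20)]
    kinds = [service.publish_update(small), service.publish_update(large)]
    return kinds, [r["id"] for r in rota.received], [r["id"] for r in norfolk.received]
```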

Use Case. Diagram labels: Web Service, XML Repository, TRANSCOM, IGC, JOPES, CDMS, ABAC.
1. Point to Point data exchange from TRANSCOM/IGC to JOPES
2. Enterprise data exchange / Joint User Messaging (JUM) and ABAC
3. TRANSCOM to Machine data exchange via JUM pub/sub
4. TRANSCOM to User data exchange using CDMS (translation) via JUM
5. TRANSCOM to XML (store for later use)
6. XML (data repository) to User (forward)
7. User to ABAC enabled Web Service with a Question (Request)
8. Web Service back to User (Response)
9. Dissolve Pt-to-Pt Connection between TRANSCOM/IGC and JOPES

Publish in 45 days - now that’s rapid! EIRI Process Preparation Complete Initial Survey EIRI 101 Telecon EIRI 101 ABAC 101 JUM 101 Discuss Design Options Approvals Finalize requirements Finalize design approach Obtain approval Determine ABAC Policy Obtain Port Exceptions Production Operationalize Coordination Weekly Update Mtgs Finalize Schema Develop Interface(s) Implement NCES tools Test S2S Site Visit JUM and/or Web Svc ABAC CDMS, XML, ESM Milestones/Deliverables Register Service Day 45 Day 0

COCOM and Partner Participation JFCOM NORTHCOM SOUTHCOM SOCOM TRANSCOM Army NAVY NII Data Pilots Joint Staff EUCOM AFRICOM HHS

Response from Our Partners.
“The knowledge brought to the table and speed of implementation proved invaluable to the Pilot.” -- Josh Taylor, C2 Data Pilot Phase IVB Project Lead
“Puts us on the pub/sub ground floor and this is very exciting” -- Brig. Gen. Robert Yates, JFCOM
“It isn’t that hard” -- Don Runnels, Asynchrony Solutions, supporting TRANSCOM J6

In Summary. EIRI provides shoulder-to-shoulder engineering and a “how to” process to support the rapid exposure of NCES-compliant mission services to the Enterprise. NCES compliance, enterprise attributes, and ABAC security provide assurance that information exposed to the Enterprise is visible, interoperable, secure, and accessible by all authorized users. Our data can be our competitive advantage against tomorrow’s threats.
"... [The] next great opportunity for us is universal situational awareness. Anything that disrupts the envelope -- we see it and we can act on it, whether it's in the air, on land, or underwater. Our biggest competitive advantage can be our knowledge.” - ADMIRAL MICHAEL MULLEN, CHAIRMAN OF THE JOINT CHIEFS OF STAFF, 2010

EIRI Support Contacts Carlos Vera, EIRI Technical Lead, 703-882-0425, Carlos.Vera@disa.mil Cheryl Porter Brown, 858-220-9225, cheryl@porter-brown.net Wendy Crowell, 816-668-4643 wcrowell@stassociates.com Blaine Newlon, 703-882-1326, blaine.newlon.ctr@disa.mil

Rules for Enterprise Services in C2 JCTDs.
Purpose: To comply with DoD Policy and Guidance for the net-centric enterprise.
Policy: All Joint Concept Technology Demonstrations (JCTD) within the Command and Control (C2) portfolio will use the following Enterprise services:
Attribute Based Access Control (ABAC) - Access control method that uses identity attributes about Users (Humans and Machines) to make security access decisions to data.
Joint User Messaging (JUM) - DISA enterprise messaging service.
Common Data Mediation Service (CDMS) - Inbound data can be mediated into a canonical model, allowing data consumers to deal with consistently formatted data regardless of origination. Outbound data can be mediated into alternative formats as needed, providing interoperability with alternative data formats without having to couple a system to any one format.
XML Data Repository (Mark Logic) - Enterprise XML repository. Single copy-of-record content storage, on top of which new information products can be created that slice, dice and re-purpose content in new ways so content is easily accessed. (Enterprise License)
Intent to use these four services must be documented in the Implementation Directive of new JCTDs starting in FY11 and complied with by pre-FY11 JCTDs. ABAC, CDMS, and JUM Enterprise services are available for download at Forge.mil (www.Forge.mil). The DOD Information Enterprise Architecture provides additional guidance on transformation to net-centric operations at http://cio-nii.defense.gov/sites/diea/

Attribute Based Access Control (ABAC) Services. Attribute Service: exposes individual’s attributes by using a Web Service. Policy Service: exposes policy statements as a Web Service. Diagram labels: Attribute WS-Service, Attribute Store, Policy WS-Service, Policy Store, Enterprise Level, Local Level, Policy Decision Point, Yes or No, User Request, If needed.

Joint User Messaging (JUM). Joint User Messaging (JUM) is an enterprise service to enable user-to-user, user-to-machine, and machine-to-machine messaging across the joint enterprise. Information Distribution Suite (IDS) provides the technology platform for JUM, supplying a WS-Notification message broker, messaging bus, and web portal for user interfacing components. Publish/Subscribe/Alert instead of Point-to-Point.

Enterprise Infrastructure Reference Implementations. [Diagram; labels include SMADS, SkiWeb, NGA Maps, DISA GISMC, NSLDSS Visualization (Strategic Watch), NSLDSS TOI Tracker, XML Data Repository*, Strategic Watch Server, Attribute Based Access, AEISS (JUON), LAS, Policy Store, CPDP, CDMS, PEP, M/IDS, ERSA, Joint User Messaging (JUM), NCES to JUM Bridge, Lincoln Labs to DECC, Collaboration, Content Discovery, DISA DECC Columbus, SIPRNet, TMSE (GCCS-J), DISA DECC San Antonio.] * Currently XML Data Repository Not Located in the DECC

Common Data Mediation Service (CDMS)

XML Data Repository. Commercial Based Product that: Stores information in a centralized repository. Uses XQuery for access, manipulation and retrieval operations. Searches and locates information with pinpoint accuracy. Extensive full-text, structured, geospatial, and real-time search features. Analyzes to understand and exploit what you have. Built-in indexes to speed analysis of data. Delivers content to users in multiple contexts. Sends content to multiple devices and users.

JUM - SOCOM SharePoint Integration (4/20/2017). SOCOM SharePoint Connector: Reduce the Code by using SharePoint Workflow. Reduce the Time by not having to implement and get new code approved, and utilize your current SharePoint users to generate the workflow. Reduce the Cost by utilizing current resources. Joint Staff SharePoint Connector.

Net-Centric Guidance. Timeline (2002, 2004, 2006, 2008, 2010): DoD CIO 3-in-1 memo, ICD 501, DoD Net-Centric Services Strategy, DoD IEA, Net-Centric Data Strategy, JROCM 010-08, 8320.02-M, XML Registration Memo, DoD 8320.02G, DoD Dir 8320.02, CJCSI 6212.01E, CJCSI 6212 Wiki. 8320: “It is DoD policy that: 4.1. Data is an essential enabler of network-centric warfare (NCW) and shall be made visible, accessible, and understandable to any potential user in the Department of Defense as early as possible in the life cycle to support mission objectives.”