Presented by Darrell O'Donnell, P.Eng, President, Continuum Loop Inc. at ForgeRock Open Stack Identity Summit, June 2013
Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/
Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/
How Do Get Police, Fire, Paramedics and Others to Share Information? Built Trust into the System...
1. Open Identity Summit
Enabling Information Sharing
Identity in a Multi-Agency First Responder and Emergency
Management Environment
Darrell O’Donnell, P.Eng.
President
Continuum Loop Inc.
3. Open Identity Summit
How is SA shared?
! USERS:
! Fire fighters, Police, EMS/Paramedics, Emergency Managers,
Public Safety/Homeland Security officers
! From “boots on the ground” to senior federal leadership.
! Both “consumers” and “contributors”.
! PROBLEM:
! Sharing of basic SA information does not happen in a systematic
way. Phone calls and emails rule the world of crisis and day-to-day
operations.
! The status of SA information is difficult to determine (e.g., whether
current, whether confirmed at source, etc.)
4. What is MASAS?
! Multi-Agency – many agencies and organizations from local all
the way up to international.
! Situational Awareness – Sharing information that helps to
understand what is happening around us so we can do our job
effectively.
! System (of systems) – MASAS is not a tool, it is a way of
sharing information amongst a trusted community.
7. Open Identity Summit
Road closures, EM weather, check
points, command posts, area of
operation, evacuation zone, plume
cloud, shelter locations, shelter
status, staging area, supply depot,
live cameras, media events,
pictures, sitreps, earthquakes,
space weather, ...
Limiting Access
C
L
A
S
S
I
F
I
C
A
T
I
O
N
Completely
Unclassified
7
Limited(obstacles(
to(success(
Major(obstacles(
to(success(
Designated
or Classified
8. Open Identity Summit
It can be this simple!
8
IAM allows users to
know that the sender
is who they say they
and that they are the
authoritative source.
13. Open Identity Summit
Moving to
Common Viewer - ArcGIS
! Plugs into ArcGIS
! User configurable
! Source code available
13
14. Open Identity Summit
It works locally
It must ...or it won’t work nationally, internationally
14
15. Open Identity Summit
Local Level
! Tri-services
! Fire, Police, and Ambulance/Paramedics
! Emergency Managers
! Multiple Jurisdictions
! Muddy
! Today’s Incident Command Systems tells you who is in charge and
who does what? Who has what rights?
! No systems integration – no way to share data reliably and
predictably (i.e., not automated, and supporting policy)
17. Open Identity Summit
Beyond the Border
Beyond the Border -
Action Plan on
Perimeter Security...
December 2011
Page 25: “The second working group will focus on cross-border interoperability as a means of
harmonizing cross-border emergency communications efforts. It will pursue activities that
promote the harmonization of the Canadian Multi-Agency Situational Awareness
System with the United States Integrated Public Alert and Warning System to
enable sharing of alert, warning, and incident information to improve response
coordination during binational disasters.”
17
18. Open Identity Summit
Self Examination …
! Given this Surprise …
! Why is MASAS Succeeding?
! ~50 Organizations in 2011, 200 in 2012, 450 in 2013 (May)
! It isn’t Technology
! Information Exchange is somewhat novel – but not magic.
! Been done before.
! Mimics the real world – enables relationships
! Easy to approach
19. Open Identity Summit
Moving Pieces – lots…
MASAS Controlled
! Server Software
! Information Exchange
! Access Control
! Apps
! OpenLayers/JavaScript
! ArcGIS Flex
! Mobile (Android, iOS,
BlackBerry)
EXTERNAL SYSTEMS
! Incident management systems
(IMS)
! Geographic information systems
(GIS)
! Computer aided dispatch systems
(CAD)
! Records management systems
(RMS)
! Forest fire management systems
! … including external IAM (e.g.
Federal AD)
20. Open Identity Summit
Current Access Control
! Django-Based
! Modified Django user access and identity
! Incredibly onerous to maintain and add capability
! Permissions?
! Granular?
! Roles?
! Groups?
! Scale?
21. Open Identity Summit
MASAS
Basic
Toolset
MASAS
Basic
Toolset
VERY Simple
Architecture
Your
Tools
Their
Tools
Firewall Firewall
ESRI, EmerGeo,
Interdev, Sentinel, IHS,
CriSys, Command View,
IDV, MyStateUSA,
SharePoint, Hazus, …,
basic MASAS tools
Your
Tools
Your
Tools
Their
Tools
Their
Tools
Incident management,
mapping, dispatch,
consoles, tablets,
smartphones, sensors,
digital radio, …
21
22. Open Identity Summit
Access Control - REST
RESTful Query:
https://access.masas-sics.ca/api/check_access/?query_secret=XXXXXX&secret=YYYYYY
JSON response:
{
"groups": [ "https://access.masas-sics.ca/accounts/group/1” ],
"hubs": [
{ "url": https://sandbox2.masas-sics.ca/hub, "post": "Y” },
{ "url": https://sandbox1.masas-sics.ca/hub, "post": "Y” }
],
"id": 5, "name": "MASAS NIT - Darrell ODonnell”, "uri": "https://access.masas-sics.ca/accounts/
user/######/"
}
Groups not used
yet.
23. Open Identity Summit
It Starts Simple
! Username and Password access per hub
! Add read-only and read/write access
! 4 hubs operationally (2 for dev)
! Consolidate account into one account
! r/o & r/w per hub
! OAuth 2.0 (app level access?)
! Integrate CMS (Joomla)
! Allow self-admin …
! What are we building???
24. Open Identity Summit
Starting to Sound Familiar
! Roll your own
! Add capabilities as you go
! Total Control
! …
! Until …
! It Controls you – and you have
build an Identity & Access
Management System – a black
hole for development funds
25. Open Identity Summit
Community is About…
! TRUST
! How do I know you?
! Have we met?
! How do I know I can trust you?
! Who else trusts you? – professional referrals
! How has this translated so far?
! Simply - but that’s a problem
! Growing needs for deeper information
26. Open Identity Summit
Future Needs
! Increase Information Exchange Types
! Hospital Availability, Resource Request, Requests for Information
! Limiting Access to Information
! Deep Identity and Access Management
! Authentication, Authorization, and Audit (A3)
! Identity
! Credentialing, revocation…
! Multi-Factor Authentication
! Integration into Directories
27. Open Identity Summit
Lessons Learned to Date
! Limit scope
! Being able to say NO is powerful
! Work on the majority – not the exceptions
! Standards take additional time in the beginning but provide
scale.
! Build only what you must – buy, configure, borrow (beg,
steal) the rest
! Building for resilience and flexibility is necessary (and hard)
28. Open Identity Summit
Core Market-ecture
Information Exchange Layer
Identity & Access Management Layer
integrated
29. Open Identity Summit
Information Exchange
! BUILD
! Architecture -> Dev -> Support
! Integrate with IAM Layer
! Protect resources
! Use Standards
! Integrate through Configuration where possible
32. Open Identity Summit
Identity & Access Management
! Open Source Focus of Team
! OFFSITE
! A3
– Authentication
– Authorization – rights, permissions, membership
– Audit
! Integration – internal & external
! Huge Enterprise Space (Oracle, IBM, MS, etc.)
33. Open Identity Summit
IAM Needs
! Authentication & Authorization
! Provisioning & Management – Users, Organizations,
Systems, Devices, etc.
! Integration – Core Tools, Internal Systems, External
Systems etc.
! OPPORTUNITY – Identity is an investment of the
community
! STICKY and hard to leave
34. Open Identity Summit
Identity Management - Asset
! A MASAS community member invests in MASAS:
! Fees (nominal)
! Time
! Reputation…
! In the social space, this is sticky
! No common space in Canada right now beyond MASAS
! No credentialed system beyond organization boundaries
! Identity underpins trust – and it needs enterprise and cloud scale
35. Open Identity Summit
Open Identity Stack
! Open-Source – but
commercially supported
! Already C&A capable
! Supports Integration out of
box
! Out-of-box for admins
! Still need Community
Management
36. Open Identity Summit
MASAS – Growing Community
! Business Problem: Managing thousands of user
accounts takes a lot of time – more time than the New
Entity can reasonably spend.
! SOLUTION: Offload effort by allowing Organizations to
manage their own needs.
37. Open Identity Summit
MASAS – Community
Management
! NEED: MASAS will need to track usage (revenue) and
manage the overall directory
! # of Organization Accounts
! Access Rights for Organization, Organization Hierarchy
! Policy Enforcement
! MASAS OPS team gets OpenAM … in its RAW form…
40. Open Identity Summit
Admin/Clerk View
! Examines Existing, Approved, and Rejected Applications
! Edits if needed – keeps log of Rejections
! Approval Process – OpenIDM REST – create Org and Org Admin’s
account.
41. Open Identity Summit
Participant Administrator
! Skin on OpenAM (via REST)
! Custom View for the Organization
! Focuses on their Organization only
! Manages permissions for their members
! Creates/Edits/Deletes Accounts for that Organization
42. Open Identity Summit
Upcoming Decisions
! Granular Permissions/Entitlements
! Groups? XACML? Attributes + Policy…
! OpenIDM vs. OpenAM REST APIs
! Scale
! Issues and Roadblocks
! Federation
43. Open Identity Summit
Thanks
Darrell O’Donnell, P.Eng.
darrell.odonnell@continuumloop.com
@darrello
Chief Technology Officer
MASAS National Implementation Team
(under contract) Centre for Security
Science
President, Principal Consultant
Continuum Loop Inc.
Ottawa, Ontario, CANADA