1 / 18

A Federation of Web Services

A Federation of Web Services. For Danish Health Care IDTrust 2008. Kåre Kjelstrøm, kkj silverbullet.dk. @. The Danish Health Sector . Hospital Doctor. Many systems Many computers Doctors Nurses. Exchange Information. Caregiver. Few systems PDA access. Web access to own data.

vida
Download Presentation

A Federation of Web Services

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Federation of Web Services For Danish Health Care IDTrust 2008 Kåre Kjelstrøm, kkj silverbullet.dk @

  2. The Danish Health Sector Hospital Doctor Many systems Many computers Doctors Nurses Exchange Information Caregiver Few systems PDA access Web access to own data Single system Doctor Secretary General Practitioner Patient

  3. Requirements:Privacy vs. Safety Health Confidentiality Authentication & Authorization Records Emergency Access Record Activity

  4. Requirements:Availability New work routines based on IT Redundancy Of systems Redundancy of lines Only loose dependency!

  5. Requirements:Single-Signon Often multiple logins to multiple systems multiple times a day Login Login SSO Login Reduce number of logins to external systems!

  6. Requirements: Preconditions National PKI infrastructure with SSN lookup Health care network (VPN) Existing specifications and profiles Rich non-browser clients

  7. High Level Proposal: SOSIService-Oriented System Integration GP Hospital Security Token Service (STS) Nursing Home Central National Services Message integrity thru PKI Signatures on SAML tokens and body data SOAP Web Services Confidentiality & Integrity protected VPN Network SAML 2.0 assertions as security tokens Federation of Trust Existing Infrastructure Client initiated SSO

  8. ID card: SAML Security Token Embedded into every SOAP message header SOSI IDCard Version: 1.0 ID: QYZ1234 Valid: 10/25-2008 - 10/26/2008 Issuer: EPJQ 3.0 Type: User Offline verifiable credentials (signature) System: EPJQ 3.0 Organization: Region X Organization ID: 1234 Identifies person or system Owner: S.Miley AuthorizationCode: 5678 Role: Surgeon SSN: 0101121234 Email: s.miley@abc.dkOccupation: Doctor Contains “core” attributes

  9. Service Interaction

  10. Timeout Maximum ID card lifetime: 24 hours Authorization by service provider Service provider decides timeout level Based on risk analysis SOSI ID-Kort Version: 1.0 ID: QYZ1234 Gyldig: 25/10-2006 - 26/10/2006 Udsteder: EPJQ 3.0 Type: User System: EPJQ 3.0 Organisation: Region X Organisation ID: 1234 Indehaver: S.Miley Autorisationsnr: 5678 Rolle: Kirurg CPR: 0101121234 Email: s.miley@abc.dkStilling: Læge • IDCard Valid? • IDCard ”fresh” enough? • Person authorized?

  11. Trail Blazer: Medicines Information GP Hospital Receive patient: Fetch data Receive patient: Fetch data Discharge patient: Upload data Issue Receipt: Upload data Web Services at the Danish Medicines Agency

  12. Participating Systems

  13. STS Performance Verification and signing of 12.000 ID cards in 24 hours A maximum continuous throughput (MCT) of 1500 ID cards / hour, with a peak of 10 simultaneous ID card requests. Mean response times < 2 seconds at MCT 95% response times < 5 seconds at MCT 99% response times < 10 seconds at MCT

  14. Implementing SOSI? SAML? COTS? SOAP? XML Signature? Cost? STS & WS-Trust? Integrate with legacy system? IDCards? Revocation Lists PKI?

  15. Lowering the Threshold Code Libraries Support Organizations .NET library Java library Technical Support Center Toolkits Contract First WSDL Engineer .NET code gen MedCom Web Service Test Center Security Gateway

  16. Looking Forward Partially verified IDCards? Biometrics, RFID, Near Field Identification? ”Break the glass” solution: Heightened control Alternatives from National IT- and Telecom Agency? Liberty ID-WSF 2.0 a replacement? Service governance

  17. Summary Federation of health care systems using SOAP web services, SAML and WS-Trust Single-Sign-On to Web Services within the national federation / trust domain. Reduction of impact of unavailability of services. Reduction of the effort that WSCs and WSPs must put into implementing web services. High performance architecture where the number of requests/messages is minimized. Transparency and flexibility through the use of Open Source licensed tools and products. Reuse of existing infrastructure. The design reuses existing infrastructure for establishing secure channels that takes care of confidentiality and stream integrity and prevents known cryptographic attacks

  18. ? Questions

More Related