
Agenda - 18 February 04

• Welcome
• Round Table - Who? Where? What?
• Introduction to FAME
• Fame Generic Framework
  – Overview
  – Technical components
• Round table discussion
• Next actions

FAME Generic Framework

Objectives

• To explore and understand the work of FAME pilot streams.

• To synthesise views of a deliverable overall generic framework with appropriate (vendor neutral) technical and social/organisational elements.

• It is NOT about individual stream level service or software design.

Objectives

• The generic framework will be the accumulation of ideas and experience from the individual streams together with relevant research input.

• It will act as a guide to other LAs in their sourcing and implementation of systems and service development.

Headings

• High level scoping statement
• Legal powers and responsibilities
• Governance
• Information sharing
• Identity management
• Infrastructure
• Messaging, events and transactions
• Sustainability
• Federation

High level scoping statement

• What services are we exploring?
• What are the aspirations for outcomes?
• How will these outcomes be evaluated?
• Takes account of the different requirements of the contexts of:
  – citizens/communities,
  – service providers,
  – service commissioning and
  – national governance.
• Defines the ‘business case’.

Legal powers and responsibilities

• Defines the multi agency services to be provided (e.g. practice, assessment, care planning and delivery).

• Identifies the legislative/guidance framework covering these services.

• Identifies the legal powers, statutory duties and responsibilities of the agencies and organisations providing the service.

Governance

• The organisation of multi agency services and practice.
• Information sharing.
• The infrastructure: relationships, hard and soft assets.
• Procurement and ownership.
• Participation of stakeholders in the evaluation of outcomes.
• The links to the duties and legal powers available are clearly identified.

Information sharing

• A multi agency hub facilitates a variety of information sharing modes.

• Information sharing may apply in all contexts- amongst citizens, services, commissioning and policy making.

• The information sharing protocol will explicitly define the limits information sharing enabled.

Identity Management

• Identity is more than a personal dataset.
• Identity is context dependent and must be defined in terms of relationships.
• Statements about identity have a provenance associated with the trustworthiness of their sources.
• Extends ideas of identity and consent.

Infrastructure

• Communication within a multi agency community requires shared resources and capabilities.

• The infrastructure must respect appropriate diversity and autonomy as well as commonality and uniformity.

• Its use is defined by the user community.

Messaging, events, transactions

• Process maps, workflows and catalogues may be shared.

• The infrastructure will support broadcast and narrowcast publication and may automatically generate:
  – Notifications
  – Updates of shared data items, documents and content.

Sustainability

• A capability for continuous adaptation.
• Identifies the scale, scope and context of change.
• Links systems and organisational change processes.
• Sustains on-going processes for training, review and further development.
• Recognises the required skill-sets, project resources, cultural sensitivity and people.

Federation

• Co-operative working evolves between multi agency communities of service.

• Local shared infrastructures can inter-work with other local and national infrastructures.

• These processes are facilitated by Internet technologies e.g. portals and hubs/spokes.

Headings

• High level scoping statement
• Legal powers and responsibilities
• Governance
• Information sharing
• Identity management
• Infrastructure
• Messaging, events and transactions
• Sustainability
• Federation

Figure: possible paths through the framework. Three roles, Project Sponsor, Practitioner and IT Manager, each start from the high level scoping statement and follow a different route through Legal Powers, Governance, Information sharing, Identity, Events, Messages & Transactions, Infrastructure, Sustainability and Federation.

Figure: the areas with a strong technical component. Labels surviving from the figure: Information sharing, Identity, Legal Powers, Events, Messages & Transactions, Sustainability, Federation.

Systems and infrastructure

An historical perspective

Figure: the layered stack.
– Hardware and Operating System Layer.
– Middleware: integrates platforms within an enterprise; our computers and networks become a unified resource.
– Persistent data layer: preserves and manages data over space and time.
– Application layer, with local event handling and workflow; Transaction Management; Local interaction.
– Channels: modes and means of access.

Applications are WEB enabled: CRM, Shared Workflow, Knowledge Portals, eCommunity.

Each of these “integration products” has its own origins in concepts of resource management or process management.

Figure: Domain of Integration. An Integration layer is added above the Application layer of the stack:
– Resource Integration (identifiers and identities): Master Index.
– Process Integration: Shared Workflow and Message Hub.
– Portal.
– Application Adapters.
– Channels: modes and means of access.

Figure: Domain of Integration, structure and infrastructure. The lower layers (Hardware and Operating System Layer, Middleware, Persistent data layer) are labelled “the information systems and communications utility: commodity products and services”. The Application layer and the Integration layer (Master Index, Shared Workflow and Message Hub, Portal), with Channels and Local interaction, are labelled “support for users to shape and govern their information environment”.

Provision value chains

Figure: the value chains drawn alongside the layered stack.
• Box shifting
• Software technology licensing
• Software development and support
• Integration Engines: CRM, BPR, media/content, Knowledge/document Management
• Commodity devices and services
• Systems integration and change management
• Applications service provision / In-house

The same figure is repeated for four sourcing scenarios:
• Outsource: we do it all for you…
• “Best of breed”: The IT department in control
• Government Gateway: Fit a DIS Box and London will do the rest
• Strategic integration

We are not alone: There are other domains around us.

Figure: the domain of integration exposes its Portal, Index and Hub; other domains interact with it through hub to hub interactions.

Universal point of Access

• Is offer X in your catalogue the same as offer Y in mine?
• How do we support and nurture brokers and intermediaries?
• Sometimes we need to be able to “google” the whole federation…
• This universal service enables signaling for an information economy.
  – Financial cost and value
  – Social value
  – Political value

Universal point of Publication and Recourse

• The audit trail may lead to a boundary: where do you go then?
• Escalation has to stop somewhere.
• Can you deliver my scripts and can I deliver yours?
• How do I tell the people who need to know?
  – Individually addressed messages,
  – Role and workflow based structured messages,
  – Narrow-cast,
  – Universal broadcast,
  – Publication.

Identity Management

Figure: two domains of integration, X and Y. Domain X holds domain identifiers XA, XB, XC, XD, applications xa, xb, xc, xd and Master Index X; domain Y holds domain identifiers YA, YB, YC, YD, applications yj, yk, yl, ym and Master Index Y.

I have identifier B in domain X and identifier C in domain Y.

If application xb needs to talk to application ym about me, then it must do so via a hub to hub message.

This requires that the identity management service, at the federation level, must confirm that XB ≡ YC ≡ “Me”.

Who gives the identity management service the right to do this and how?

Figure: federation services around the domain of integration. The domain exposes its Portal, Index and Hub to other domains through hub to hub interactions; the Federation Services provide federal points of access (the catalogue of catalogues), Federated Identity Management Services, and a universal point of publication, recourse and resolution.

We are not alone: there are other domains around us.

Smart Cards: Integrating the integration technologies

• Accepting networks
• Identity tokens and keys
• Brand Apps
• Pocketable data


Trust models

• Hierarchical model: trust anchors must link root and end entities; certification authorities in a hierarchy, with a business anchor linking end entities.
• Distributed model: trust anchors must be local.
• Bridge model: a CA acting as facilitator between CA domains.

www.projectliberty.org
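The three topologies above reduced to certificate edges, as an added example that is not FAME or Liberty Alliance code. A certificate is modelled only as an (issuer, subject) edge, with no signatures, expiry or revocation; the CA names (Root, CA-A, Bridge) and end entities are constructed for the illustration, and build_path is this example's own path-discovery routine.

```python
"""Hierarchical, distributed and bridge CA topologies as (issuer, subject)
edges. Added illustration; names and data are constructed."""
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Cert = Tuple[str, str]  # (issuer, subject): a certificate `issuer` issued to `subject`


def build_path(certs: Set[Cert], local_anchors: Set[str], end_entity: str,
               max_len: int = 5) -> Optional[List[str]]:
    """Path discovery: breadth-first search from the relying party's own trust
    anchors along issuer->subject edges. A chain that does not start at one of
    those anchors is never considered, however well-formed its certificates."""
    issued: Dict[str, Set[str]] = {}
    for issuer, subject in certs:
        issued.setdefault(issuer, set()).add(subject)
    queue = deque([anchor] for anchor in sorted(local_anchors))
    seen = set(local_anchors)
    while queue:
        path = queue.popleft()
        if path[-1] == end_entity:
            return path
        if len(path) >= max_len:  # stands in for a path-length constraint
            continue
        for subject in sorted(issued.get(path[-1], ())):
            if subject not in seen:
                seen.add(subject)
                queue.append(path + [subject])
    return None


def hierarchical_model() -> Set[Cert]:
    """One root certifies every domain CA; the root is the single trust anchor."""
    return {("Root", "CA-A"), ("Root", "CA-B"), ("CA-A", "alice@A"), ("CA-B", "bob@B")}


def distributed_model(cross_certified: bool) -> Set[Cert]:
    """Each domain CA is its own local anchor; two domains interwork only
    after they exchange cross-certificates pairwise."""
    certs = {("CA-A", "alice@A"), ("CA-B", "bob@B")}
    if cross_certified:
        certs |= {("CA-A", "CA-B"), ("CA-B", "CA-A")}
    return certs


def bridge_model(domains: List[str]) -> Set[Cert]:
    """A bridge CA cross-certifies with every domain CA in both directions:
    2n cross-certificates instead of the n(n-1) a full pairwise mesh needs."""
    certs: Set[Cert] = set()
    for d in domains:
        certs |= {(f"CA-{d}", f"user@{d}"), (f"CA-{d}", "Bridge"), ("Bridge", f"CA-{d}")}
    return certs
```

Path discovery starts only from the relying party's own anchors, which is what "trust anchors must be local" costs in practice: in the distributed model a foreign end entity is unreachable until the two CAs cross-certify, and the bridge reaches every domain through one facilitator CA. A relying party that holds several anchors at once is the "federal, mixed model CA network" of the later slide.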

Figure: views of federation. The domain of integration (Portal, Index and Hub over the layered stack) and the Federation Services: federal points of access, Federated Identity Services, a universal point of publication, and other domains.

Safe & secure public service infrastructure:

• What does Liberty Alliance do?
  – Best practice PKI to protect the channels and the messages.
  – Authentication enrolment mechanisms.
  – A set of mutual and community based trust creation and implementation mechanisms.
  – Open, progressive and federable approach.

But multi-agency public service delivery, particularly the caring services, presents more demanding requirements than does commerce.

The requirements:
• Governance.
  – who participates in defining the rules and processes?
  – how is their engagement informed and made effective?
• Flexibility.
  – The process to be supported is the one that reengineers processes and creates new structures.
• Trust.
  – New demarcations between structure and infrastructure.

Ideas of identity and of relationship seem to be very significant in addressing these requirements.

Some definitions…

….but not just a glossary.

We need to be clear about the terms and concepts we use.

Events, Messages and Transactions.

Events→Individuals→Transactions

• An event: an occasion when information is generated.
• Unique birth and death events delimit the existence of an individual (also known as a principal or a party).
• An event becomes a transaction when:
  – It involves 2 or more individuals and…
  – Produces intended changes in the distribution of resources and responsibilities among them.

Information

• News of a contingency that has significance.
  – A state of affairs that could be one way or another.
  – It causes something and so makes a difference.
  – It is communicated, moving in space and/or time.

Transactions→Relationships→Identities

• If information from a previous transaction is used, by the same parties, in subsequent ones then this is a relationship.
  – Multiple encounters
  – Recognition
  – Persistence
  – More and different transactions.
• An identity is the information used by parties to recognise each other.
• An identifier links an identity to a history.
• These definitions lead to two implementation concepts:
  – A register
  – An index.

Figure: Register 1. An individual has an identity made up of a local identifier, identity attributes, and a profile and history. The register holds sets of records of the same individual with different relationships (Relationship Ra, Relationship Rc).

Figure: Domain of Integration with associated identifiers. Register 1 holds records of the same individual under Relationship Ra and Relationship Rc. An index correlating identifiers holds, for that individual, one entry per relationship type plus provider identity (Ra, Pb; Rb, Pb; Rc, Pb; Rd, Pb; Re, Pb; Rf, Pb; Rg, Pb).

Sets of records of the same individual with different relationships.

Index based, narrowcast publications:

• I, <Na>, having relationship w with individual I know as <Nb>, am willing to enter transactions q, r or s with anyone who has relationships x, y or z with this individual.
• With whom can I engage in transaction u, regarding the individual I know as <Nb>?
• These may be subject initiated, permissioned, joint or independent of the subject.
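The register and index of the definitions slide, the federation-level confirmation that XB ≡ YC ≡ “Me” from the Identity Management slide, and the narrowcast publication above, put together as one added example. This is not FAME project code: the names Register, DomainIndex, FederationService, Offer, hub_to_hub and who_can_transact are this example's own, and the identifiers, relationships and offers in build_demo are constructed sample data.

```python
"""Register, index and federation-level identity service as sketched on the
slides. Added illustration, not FAME project code: the names are this
example's own and the sample data is constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

DomainId = Tuple[str, str]  # (domain, identifier within it), e.g. ("X", "XB")

@dataclass(frozen=True)
class Row:
    """Index entry: relationship type + provider identity (the "Ra, Pb" pairs) + that provider's local id."""
    relationship: str
    provider: str
    local_id: str

class Register:
    """A register: identity attributes and a history keyed by a local identifier."""
    def __init__(self, name: str) -> None:
        self.name, self.records = name, {}
    def enrol(self, local_id: str, attributes: dict) -> None:
        self.records[local_id] = {"attributes": dict(attributes), "history": []}
    def record_event(self, local_id: str, event: str) -> None:
        self.records[local_id]["history"].append(event)  # an identifier links an identity to a history

class DomainIndex:
    """Master index of one domain: correlates the local identifiers that
    different registers and applications use for the same individual."""
    def __init__(self, domain: str) -> None:
        self.domain, self.rows = domain, {}
    def correlate(self, domain_id: str, row: Row) -> None:
        self.rows.setdefault(domain_id, set()).add(row)
    def relationships_of(self, domain_id: str) -> Set[Tuple[str, str]]:
        """(relationship, provider) pairs the index holds for this individual."""
        return {(r.relationship, r.provider) for r in self.rows.get(domain_id, ())}

class FederationService:
    """Federation-level identity management: confirms that identifiers in
    different domains denote the same principal (XB == YC == "Me")."""
    def __init__(self) -> None:
        self._principal: Dict[DomainId, str] = {}
    def link(self, principal: str, *domain_ids: DomainId) -> None:
        for did in domain_ids:
            self._principal[did] = principal
    def same_principal(self, a: DomainId, b: DomainId) -> bool:
        pa, pb = self._principal.get(a), self._principal.get(b)
        return pa is not None and pa == pb
    def resolve(self, source: DomainId, target_domain: str) -> Optional[str]:
        """Identifier in target_domain denoting the same principal as source, if confirmed."""
        principal = self._principal.get(source)
        for (domain, local_id), who in self._principal.items():
            if principal is not None and domain == target_domain and who == principal:
                return local_id
        return None

def hub_to_hub(fed: FederationService, about: DomainId, dst_domain: str,
               dst_app: str, payload: dict) -> dict:
    """Hub-to-hub message about an individual: the sending hub never guesses a
    foreign identifier; it uses the federation's confirmed mapping or refuses."""
    dst_id = fed.resolve(about, dst_domain)
    if dst_id is None:
        raise LookupError(f"federation cannot map {about} into domain {dst_domain}")
    return {"about": about, "to": (dst_domain, dst_id), "app": dst_app, "payload": payload}

@dataclass(frozen=True)
class Offer:
    """Narrowcast publication: `publisher`, holding relationship `via` with the
    individual, offers `transactions` to anyone holding a relationship in `accepts`."""
    publisher: str
    via: str
    transactions: FrozenSet[str]
    accepts: FrozenSet[str]

def who_can_transact(index: DomainIndex, domain_id: str, asker: str,
                     asker_relationship: str, transaction: str,
                     offers: List[Offer]) -> Set[str]:
    """'With whom can I engage in transaction u regarding <Nb>?' The index, not
    the parties' own claims, decides who holds which relationship."""
    held = index.relationships_of(domain_id)
    if (asker_relationship, asker) not in held:
        return set()
    return {o.publisher for o in offers
            if (o.via, o.publisher) in held
            and transaction in o.transactions
            and asker_relationship in o.accepts}

def build_demo() -> Tuple[Register, DomainIndex, FederationService, List[Offer]]:
    """Constructed sample: one individual known as XB in domain X and YC in Y."""
    reg = Register("Register 1")
    reg.enrol("xb-1042", {"name": "A. N. Other"})
    reg.record_event("xb-1042", "assessment opened")
    index_x = DomainIndex("X")
    index_x.correlate("XB", Row("Ra", "Pb", "xb-1042"))
    index_x.correlate("XB", Row("Rc", "Pd", "xd-77"))
    fed = FederationService()
    fed.link("Me", ("X", "XB"), ("Y", "YC"))
    offers = [Offer("Pb", "Ra", frozenset({"q", "r", "s"}), frozenset({"Rc", "Rx"})),
              Offer("Pz", "Rz", frozenset({"q"}), frozenset({"Rc"}))]  # Pz is not in the index
    return reg, index_x, fed, offers
```

Two points the slides make are enforced rather than assumed here: a hub-to-hub message is only addressable when the federation service has confirmed the identifier mapping, and a narrowcast query is answered from the index row, so a publisher or asker who merely claims a relationship with the individual, but whom no register has correlated, is not matched.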

Figure: registers which use different attribute sets to indicate identities. Register 1 holds an individual and an identity under Relationship Ra and Relationship Rc; an index correlating identifiers holds one entry per relationship type plus provider identity (Ra, Pb through Rg, Pb).

A domain of integration… but where is federation?

Figure: two identity management providers, IMPa (Identity Management Provider A) and IMPb (Identity Management Provider B), each with its own index. Register 1, Register 2 and Register 3 use different attribute sets to indicate identities. The figure shows sets of records of the same individual with different relationships in two different domains: index entries Ra, Pb through Rg, Pb under IMPb, and Rk, Pb; Rl, Pb; Rm, Pb together with Ra, Pb through Rd, Pb under IMPa.

Centralisation policies:

• One register
• An index of registers and a register of registrars?
• One index distributed over the federation.
• A universal identity management service.
• Multiple registers, indexes and identity management services.

A range of trust models:

Figure: small diagrams of trust between parties A and B, and among A, B and C, drawn over the two identity management providers (IMPa, IMPb) and their registers from the previous figure.

Mapping to Liberty Alliance concepts and terms:

• An index row represents the business anchor list for relationship suppliers who have direct trust respecting a common client.
• Identity managers support brokered trust (both direct and indirect) respecting an individual client.
• Registrars deliver Authentication Enrolment Agreements to Certification Authorities (CAs).
• The trusted core services support a federal, mixed model CA network in which relationship providers (and clients) are authenticatable end entities.


Issues

• How does all this feel to you?
• How much of this is available now?
• What can I buy today?
• Do our IT departments have the skills and know-how to deliver this vision?
• Some of this has to be bought and deployed collectively – Who? How?