How Do You Get Police, Fire, Paramedics and Others to Share Information? Build Trust into the System

Open Identity Summit Enabling Information Sharing Identity in a Multi-Agency First Responder and Emergency Management Environment Darrell O’Donnell, P.Eng. President Continuum Loop Inc.

Upload: forgerock

Post on 10-Jul-2015


DESCRIPTION

Presented by Darrell O'Donnell, P.Eng, President, Continuum Loop Inc. at ForgeRock Open Stack Identity Summit, June 2013

TRANSCRIPT

Page 1: How Do You Get Police, Fire, Paramedics and Others to Share Information? Build Trust into the System

Open Identity Summit

Enabling Information Sharing Identity in a Multi-Agency First Responder and Emergency Management Environment

Darrell O’Donnell, P.Eng. President Continuum Loop Inc.

Page 2

Emergency Information Sharing Challenges

Page 3

How is SA shared?

- USERS:
  - Fire fighters, Police, EMS/Paramedics, Emergency Managers, Public Safety/Homeland Security officers
  - From “boots on the ground” to senior federal leadership.
  - Both “consumers” and “contributors”.
- PROBLEM:
  - Sharing of basic SA information does not happen in a systematic way. Phone calls and emails rule the world of crisis and day-to-day operations.
  - The status of SA information is difficult to determine (e.g., whether current, whether confirmed at source, etc.)

Page 4

What is MASAS?

- Multi-Agency – many agencies and organizations from local all the way up to international.
- Situational Awareness – Sharing information that helps to understand what is happening around us so we can do our job effectively.
- System (of systems) – MASAS is not a tool, it is a way of sharing information amongst a trusted community.

Page 5

Situational awareness is needed every day

...and in many different places

Interdev

Page 6

[Diagram: Information Flow across the Local, Regional (P/T) and Federal levels. Labels: Field, First Responder EOC, EOC 1, EOC 2…n, P/T EMO EOC, Regional Office, OGD Regional Office, Federal Region, ADM-EMC]

Page 7

Road closures, EM weather, check points, command posts, area of operation, evacuation zone, plume cloud, shelter locations, shelter status, staging area, supply depot, live cameras, media events, pictures, sitreps, earthquakes, space weather, ...

Limiting Access

[Diagram: CLASSIFICATION scale. Labels: Completely Unclassified, Designated or Classified, Limited obstacles to success, Major obstacles to success]

Page 8

It can be this simple!

IAM allows users to know that the sender is who they say they are and that they are the authoritative source.

Page 9

Fires and MVA from CAD

Page 10

Hurricane Sandy

Good example of information sharing. Or was it?

Page 11

Common Viewer - OpenLayers

- Little to no training
- Popular browsers
- Source code available

Page 12

ESRI ArcGIS Widget

Page 13

Moving to Common Viewer - ArcGIS

- Plugs into ArcGIS
- User configurable
- Source code available

Page 14

It works locally

It must ...or it won’t work nationally, internationally

Page 15

Local Level

- Tri-services
  - Fire, Police, and Ambulance/Paramedics
- Emergency Managers
- Multiple Jurisdictions
- Muddy
  - Today’s Incident Command Systems tell you who is in charge and who does what? Who has what rights?
  - No systems integration – no way to share data reliably and predictably (i.e., not automated, and supporting policy)

Page 16

International – Canada/US

Page 17

Beyond the Border

Beyond the Border - Action Plan on Perimeter Security... December 2011

Page 25: “The second working group will focus on cross-border interoperability as a means of harmonizing cross-border emergency communications efforts. It will pursue activities that promote the harmonization of the Canadian Multi-Agency Situational Awareness System with the United States Integrated Public Alert and Warning System to enable sharing of alert, warning, and incident information to improve response coordination during binational disasters.”

Page 18

Self Examination …

- Given this Surprise …
- Why is MASAS Succeeding?
  - ~50 Organizations in 2011, 200 in 2012, 450 in 2013 (May)
- It isn’t Technology
  - Information Exchange is somewhat novel – but not magic.
  - Been done before.
- Mimics the real world – enables relationships
- Easy to approach

Page 19

Moving Pieces – lots…

MASAS Controlled

- Server Software
  - Information Exchange
  - Access Control
- Apps
  - OpenLayers/JavaScript
  - ArcGIS Flex
  - Mobile (Android, iOS, BlackBerry)

EXTERNAL SYSTEMS

- Incident management systems (IMS)
- Geographic information systems (GIS)
- Computer aided dispatch systems (CAD)
- Records management systems (RMS)
- Forest fire management systems
- … including external IAM (e.g. Federal AD)

Page 20

Current Access Control

- Django-Based
  - Modified Django user access and identity
- Incredibly onerous to maintain and add capability
- Permissions?
- Granular?
- Roles?
- Groups?
- Scale?

Page 21

VERY Simple Architecture

[Diagram labels: MASAS Basic Toolset, Your Tools, Their Tools, Firewall]

Tools named in the diagram: ESRI, EmerGeo, Interdev, Sentinel, IHS, CriSys, Command View, IDV, MyStateUSA, SharePoint, Hazus, …, basic MASAS tools

Tool types named in the diagram: Incident management, mapping, dispatch, consoles, tablets, smartphones, sensors, digital radio, …

Page 22

Access Control - REST

RESTful Query:

    https://access.masas-sics.ca/api/check_access/?query_secret=XXXXXX&secret=YYYYYY

JSON response:

    {
        "groups": ["https://access.masas-sics.ca/accounts/group/1"],
        "hubs": [
            {"url": "https://sandbox2.masas-sics.ca/hub", "post": "Y"},
            {"url": "https://sandbox1.masas-sics.ca/hub", "post": "Y"}
        ],
        "id": 5,
        "name": "MASAS NIT - Darrell ODonnell",
        "uri": "https://access.masas-sics.ca/accounts/user/######/"
    }

Groups not used yet.
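
Added example, not MASAS code and not from the presentation: one way a client could turn a check_access response like the one above into a fail-closed per-hub decision. The function names, the reading of "post": "Y" as write permission (anything else read-only), read access for any listed hub, and the sample payload are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample modelled on the slide's response; name, id and "N" are made up.
SAMPLE = """{
  "groups": ["https://access.masas-sics.ca/accounts/group/1"],
  "hubs": [
    {"url": "https://sandbox2.masas-sics.ca/hub", "post": "Y"},
    {"url": "https://sandbox1.masas-sics.ca/hub", "post": "N"}
  ],
  "id": 5, "name": "Example User",
  "uri": "https://access.masas-sics.ca/accounts/user/0/"
}"""

def _normalise(url):
    """Reduce a hub URL to (scheme, host, path); unparsable input maps to an empty key."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return ("", "", "")
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.path.rstrip("/"))

def hub_permissions(raw):
    """Return {normalised hub: can_post} from a response body; {} if it is malformed."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    hubs = doc.get("hubs") if isinstance(doc, dict) else None
    if not isinstance(hubs, list):
        return {}
    perms = {}
    for hub in hubs:
        if not isinstance(hub, dict) or not isinstance(hub.get("url"), str):
            continue  # skip entries that cannot be interpreted
        key = _normalise(hub["url"])
        if key[0] != "https" or not key[1]:
            continue  # accept only https hubs that name a host
        # Assumption: exactly "Y" grants write; any other value is read-only.
        perms[key] = hub.get("post") == "Y"
    return perms

def authorise(raw, hub_url, want_post):
    """Fail closed: a malformed response or an unlisted hub denies; a listed hub may read."""
    perms = hub_permissions(raw)
    key = _normalise(hub_url)
    return key in perms and (perms[key] or not want_post)
```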

Page 23

It Starts Simple

- Username and Password access per hub
- Add read-only and read/write access
- 4 hubs operationally (2 for dev)
- Consolidate account into one account
- r/o & r/w per hub
- OAuth 2.0 (app level access?)
- Integrate CMS (Joomla)
- Allow self-admin …
- What are we building???

Page 24

Starting to Sound Familiar

- Roll your own
- Add capabilities as you go
- Total Control
- …
- Until …
- It Controls you – and you have built an Identity & Access Management System – a black hole for development funds

Page 25

Community is About…

- TRUST
  - How do I know you?
  - Have we met?
  - How do I know I can trust you?
  - Who else trusts you? – professional referrals
- How has this translated so far?
  - Simply - but that’s a problem
  - Growing needs for deeper information

Page 26

Future Needs

- Increase Information Exchange Types
  - Hospital Availability, Resource Request, Requests for Information
- Limiting Access to Information
- Deep Identity and Access Management
  - Authentication, Authorization, and Audit (A3)
  - Identity
  - Credentialing, revocation…
  - Multi-Factor Authentication
  - Integration into Directories

Page 27

Lessons Learned to Date

- Limit scope
- Being able to say NO is powerful
- Work on the majority – not the exceptions
- Standards take additional time in the beginning but provide scale.
- Build only what you must – buy, configure, borrow (beg, steal) the rest
- Building for resilience and flexibility is necessary (and hard)

Page 28

Core Market-ecture

Information Exchange Layer

Identity & Access Management Layer

integrated

Page 29

Information Exchange

- BUILD
- Architecture -> Dev -> Support
- Integrate with IAM Layer
  - Protect resources
- Use Standards
- Integrate through Configuration where possible

Page 30

Problems

- Technical jargon tossed around:
  - Credentials
  - Revocation
  - Provisioning
  - Federation
  - Access Control
  - Audience Control
  - OAuth
  - XACML
  - SAML
  - …

Page 31

[Diagram: Information Flow across the Local, Regional (P/T) and Federal levels. Labels: Field, First Responder EOC, EOC 1, EOC 2…n, P/T EMO EOC, Regional Office, OGD Regional Office, Federal Region, ADM-EMC]

Page 32

Identity & Access Management

- Open Source Focus of Team
- OFFSITE
- A3
  - Authentication
  - Authorization – rights, permissions, membership
  - Audit
- Integration – internal & external
- Huge Enterprise Space (Oracle, IBM, MS, etc.)

Page 33

IAM Needs

- Authentication & Authorization
- Provisioning & Management – Users, Organizations, Systems, Devices, etc.
- Integration – Core Tools, Internal Systems, External Systems etc.
- OPPORTUNITY – Identity is an investment of the community
- STICKY and hard to leave

Page 34

Identity Management - Asset

- A MASAS community member invests in MASAS:
  - Fees (nominal)
  - Time
  - Reputation…
- In the social space, this is sticky
  - No common space in Canada right now beyond MASAS
  - No credentialed system beyond organization boundaries
- Identity underpins trust – and it needs enterprise and cloud scale

Page 35

Open Identity Stack

- Open-Source – but commercially supported
- Already C&A capable
- Supports Integration out of box
- Out-of-box for admins
- Still need Community Management

Page 36

MASAS – Growing Community

- Business Problem: Managing thousands of user accounts takes a lot of time – more time than the New Entity can reasonably spend.
- SOLUTION: Offload effort by allowing Organizations to manage their own needs.

Page 37

MASAS – Community Management

- NEED: MASAS will need to track usage (revenue) and manage the overall directory
  - # of Organization Accounts
  - Access Rights for Organization, Organization Hierarchy
  - Policy Enforcement
- MASAS OPS team gets OpenAM … in its RAW form…

Page 38

Organization Management

- Firefighters, Police, EMS/Paramedics
- OpenAM tools for Management?

Page 39

Applicant Processing

- Outside of Open Identity Stack

Page 40

Admin/Clerk View

- Examines Existing, Approved, and Rejected Applications
- Edits if needed – keeps log of Rejections
- Approval Process – OpenIDM REST – create Org and Org Admin’s account.

Page 41

Participant Administrator

- Skin on OpenAM (via REST)
- Custom View for the Organization
  - Focuses on their Organization only
  - Manages permissions for their members
  - Creates/Edits/Deletes Accounts for that Organization

Page 42

Upcoming Decisions

- Granular Permissions/Entitlements
- Groups? XACML? Attributes + Policy…
- OpenIDM vs. OpenAM REST APIs
- Scale
- Issues and Roadblocks
- Federation

Page 43

Thanks

Darrell O’Donnell, P.Eng.

[email protected]

@darrello

Chief Technology Officer, MASAS National Implementation Team (under contract), Centre for Security Science

President, Principal Consultant, Continuum Loop Inc., Ottawa, Ontario, CANADA

Page 44

Q & A

Page 45

Notional Market-ecture