2010 EA Conf_RA Track Presentation_20100506

7/28/2019 2010 EA Conf_RA Track Presentation_20100506

1/47

2010 EA Conference

Reference Architecture Track

Terry Hagle, Office of DoD CIO/AS&I703-607-0235

. .


2/47

enda Enterprise Reference Architecture Cell (ERAC) Overview

erry ag e

Reference Architecture (RA) Steve Ring

Principles

Technical Positions

Patterns

Enterprise-wide Access to Network and Collaboration

Services (EANCS) RA Norm Minekime

DoD Information Enterprise Architecture (IEA) Al Mazyck

Pur ose/Back round

Content

Application of the DoD IEA

Exam le EANCS RA

Compliance with the DoD IEA

Example EANCS RA 2


3/47

3


4/47

Enterprise Reference Architecture

e

Components have expressed the need for more detailed guidance

nterprse patterns an processes

Army CIO/G-6 Comment on DoD IEA v1.1: establish a separate DoD IEAReference Architecture with sufficient granularity to enable interoperabilityacross the DOD IE/GIG. To foster such interoperability, these referencearc ec ures wou nee o nc u e processes, process pa erns an servcepatterns, as well as service interfaces and metrics.

Purpose:

Develop the reference architecture (artifacts)

Assist IT Decision Makers/Components/Programs/Solution Architects asdirected

Work as an advisor to the functional architect

Assist in the proper application of the DoD IEA, DoDAF and DARS

Conduct architecture assessments as directed Assess architecture compliance w/DoD IEA

Event Driven - Net Centric Reviews (ED-NCR)

Management:

ERAC funded by and resources managed by EA&S Taskings and guidance from the EGB/ASRG

4


5/47

Enterprise Reference Architecture

Mission Statement

e n en o e erence rc ec ure s o:

Normalize the institutional understanding of capabilities at

the enterprise level and provide a common set of

principles, patterns, and technical positions for use within

the DoD to guide development of Enterprise, Segment, oro u on arc ec ures.

Development of a Reference Architecture is a

process that results in the required content

5


6/47

Reference Architecture

escr p on

Five components of a Reference Architecture:

Strategic Purpose Describes the context, scope, goals, purpose, and intendeduse of the RA

High-level statements about the IT environment that tie backto business goals

Incorporate values, organizational culture, and business goals Drive Technical Positions (and Patterns) Technical Positions

Statements that provide technical guidance (standards,technologies, etc) for use with each major architecturalcomponent or service

a erns emp a es Diagrams that address the distribution of systems functionsand how they relate topologically

Models that show relationships between components specified

Vocabulary

Reference Architecture Description6


7/47

ERAC Process for Developing RA

e everages e s x s ep arc ec ure

development process of the DoDAF

The process steps are:

Clarify Purpose (Architects & Architecture Owner)

Identify key questions (Architects & Architecture Owner)

Determine required data/information (architects)

o ec an rganze a a n orma on arc ec s co ec& organize, SMEs provide)

Analyze architecture data/information (architects)

Document the results (architects)

Use or apply results (Architecture Owner) 7


8/47

DoDAF Models to Be Developed: AV-1, AV-2, OV-1, OV-a, - a c, an -

Overview and Summary Information (AV-1) Contract between Architecture Owner and Architect Guides develo ment of the RA Executive level presentation of RA DM2: Vocabulary and Semantics

Reference Architecture Document Introduction Content from AV-1

Context and Relationships (Resulting Principles) Term Definitions Architectural Patterns Generic Standards and rofiles olic

Use Case/Use Case Analysiso Implementation Specificso Specific Technical Standards and Profileso De lo ment and Performance Considerations

8


9/47

DoD IEA Website

htt ://cio-nii.defense. ov/sites/diea/

9


10/47

ARCHITECTURE

10


11/47

DoD CIO intends to use Reference Architecture as a means to provide

epar men -w e u ance or arc ec ures an so u ons

Reference Architecture, as currently used within DoD

generalized) with

: Has lit tle agreement and much confusion

: Has mult iple meanings relative to the context of the environment

To support the DoD CIO intent, a common definition of Reference Architecture

is needed that

, ,

agencies) that guides and constrains architectures and solutions

; Can be equally applied across the wide spectrum of DoD environments

IT/ Business and Service (SOA) domains

Warfighter domains

11


12/47

Objectives of a Reference

rc ec ure

To direct, guide and constrainarchitectures and solutions within a

Reference ArchitectureReference Architecture

To serve as a reference foundation of

Guidesandconstrainsthe

developmentof

,

relationshipsStakeholder

Requirements

ArchitecturesArchitectures

andand

SolutionsSolutions

alignment purposes

Diagram derived from: TheImportanceofReferenceArchitecture,ArchitectureandChange(A&C),2007,http://www.architectureandchange.com/2007/12/29/the-importance-of-reference-architecture 12


13/47


s

anau or a vesourceo unam guousarchitectureinformationwithinadomain

thatguides andconstrains multiplearchitecturesandsolutionsbyprovidingpatterns ofabstract

architecturalelements,basedonastrategic, , ,

withacommonvocabulary. 13


14/47

Building a Reference Architecture

e ve omponen s

DomainDomainReference Architecture Components

PrinciplesPrinciples TechnicalTechnical

PositionsPositions

Patterns Vocabulary

ra eg cPurpose

Guides ConstrainsAuthoritative

Source

Architecture/Architecture/

SolutionSolutionArchitecture/Architecture/

SolutionSolution

14


15/47

DoDAFModelsAV-1 Overview & Summary Information

CV-1: Vision overall strategic concept and high level scopeOV-1 High Level Operational Concept Graphic what solution architectures are intendedto do and how they are supposed to do it

OV-6a Operational Rules ModelSvcV-10a Services Rules Model

SV-10a Systems Rules ModelOV-4 Organizational Relationships Chart architecturalstakeholders

Strategic Purpose

PrinciplesPrinciples

StdV-1 Standards ProfileTechnicalPositions

OV-2 Operational Resource FlowsOV-5 {a,b} Activity diagrams

Service Patterns

SV-1 System InterfacesSV-2 System Resource FlowsSV-4 System FunctionalitySV-10b System State Transitions

vc -ervce n er acesSvcV-2 Service Resource Flows

SvcV-4 Service FunctionalitySvcV-10b Service State Transitions

ven - ase cenar o a erns o ynam c

Behavior

OV-6c Event-Trace DescriptionSvcV-10c Services Event-Trace DescriptionSV-10c S stems Event-Trace Descri tion

AV-2 Integrated Dictionary- definitions of terms used throughout solution architectures

15


16/47

Authoritative source of architecture information within aproblem space that guides and constrains architectures and

solutions

Simplif ies and standardizes solutions for complex problems by

providing common repeatable patterns

Provides early, focused guidance at a sufficient level of

abstraction and detail before concrete implementation

decisions are known

A tool to ensure interoperable architectures and solutions

based on common uidance

16


17/47

FirstUsage:EANCSReferenceArchitecture

EANCS implementationguidance and solution

Department of Defense

Enterprise-wide Access to Network and

Collaboration Services (EANCS)

architectures focuses on that portion of the

characteristic dealing with global


authentication, authorization and

access control to globally

accessible resources. It is intended

to uide the develo ment of

solution architectures and supportthe development of specif ic

implementation guidance for

ac ev ng s capa y..

December 2009

Prepared by the Office of the DoD CIO 17


18/47

Enterprise-wide Access toNetworks and Collaboration

Architecture (RA)

18


19/47

EANCS RA

Operational Requirements

.

Global Authentication, Access Control, and Directory Services Vice Chairman J oint Chiefs of Staff (VCJ CS) directed ability to go anywhere [in

DoD lo in and be roductive

EANCS RA to address these requirements by:

Providing basis for implementation guidance/roadmap for Enterprise Services

Describing Authentication and Authorization and Access Control to networks

(NIPRNet and SIPRNet) and designated Enterprise Services (e.g., Enterprise

Director Service, Enter rise e-mail, DCO, Intelink)

Supporting implementation of an initial authentication and access control

capability in 6 to 9 months for Enterprise User Initiative

Levera in :

Common credentials for authentication (PKI/CAC for NIPR, PKI/hard-token for SIPR)

Authoritative identity attributes for authorization and access control (Attribute-BasedAccess Control)

19


20/47

EANCS RA

Pur ose

Gain Department-wide consensus on requirements for authenticating users andauthorizing user access to DoD Information Enterprise (IE) and, more

specifically, to representative collaborative services, to include portals and

enterprise e-mail

Describe architectural patterns to guide, standardize, and enable the most rapid

and cost-effective implementations of an authentication and authorizationcapability in support of secure information sharing across DoD

Scope

To Be Architectural Description

Document requirements, activities, and information for authentication andauthorization and access control

Document standard/common authentication and authorization and access

control processes

20


21/47

EANCS RA

Architecture Owner organized Working Group (WG)

, , ,

Defense Manpower Data Center (DMDC), Defense Information Systems Agency(DISA), and National Security Agency (NSA)

Teammembers re resented their stakeholder or anizations

Architecture Owner worked with ERAC to establish RA purpose,

perspective, and scope

eve ope oncep o pera ons or con ex

WG provided necessary architecture data/information

Existing documents served as knowledge baseline

SME knowledge and experience provided rest of information

ERAC organized collected data into DoDAF-compliant RA description

Submitted to Architecture and Standards Review Group (ASRG) for

approval and federation into DoD EA 21


22/47

EANCS RA

FederalFederalLegend

ESSF Enterprise SecurityServices Framework

GIG 2.0GIG 2.0ESMESM

Process &

Function

Operational

Requirements

Service

ESM Enterprise SecurityManagement

ICAM Identity, Credential, andAccess Management

ORA -Operational ReferenceArchitecture

- Patterns - Operational

Descriptions

RARA CONOPSCONOPS- u es

- Technical

Positions

Requirements

- Implementation

Considerations

- NIPRnet

USEUSE

CASESCASES

IMPIMP

PLANPLANIMPIMP

PLANPLANIMPIMP

PLANPLAN

Provide

Analysis

- SIPRnet- Deployed User

- UnanticipatedUser

- to mont s

- Longer Period

- Impacts

- Metrics

- Guidance- ar me ser - VPN- ???

What To Do How To Do It 22


23/47


24/47

Compliance

w

Development of RA guided byDepartments Net-centric vision to

Enterprise, creating an information

advantage for DoD, its people, and

its mission partners, as described inDoD IEA

Alignment with DoD IEA built-in

during RA development IAW DoD

Compliance with DoD IEA

documented in IAW DoD IEA

Appendix E

24


25/47

Architecture IEA

25


26/47

Pur ose Unify the concepts embedded in the DoDs net-

centric strategies into a common vision

Drive common solutions and promote consistency

Enterprise and the rules for information assets and

resources that enable it

enterprise net-centric vision

DoD Net-centric Vision

o unc on as one un e o n erpr se, crea ng an n orma on a van age

for our people and mission partners by providing:A rich information sharing environment in which data and services are visible,

accessible, understandable, and trusted across the enterprise.

An available and protected network infrastructure (the GIG) that enables responsive

information-centric operations using dynamic and interoperable communications

and computing capabilities. 26


27/47

Major Net-Centric Strategies

Data (9 May 2003) Spectrum Management (3 Aug 2006)

Services (4 May 2007) NetOps (February 2008)

DoD IEA v1.0 (Approved 11 April 2008)

Computing Infrastructure (September 2007) Information Sharing (4 May 2007)

Established five priority areas for realizing net-centric goals

Provided key principles, rules, and activities for priority areas

Positioned as a tool to guide the net-centric transformation of then orma on n erprse

DoD IEA v1.1 (Approved 27 May 2009)

Describes a process for applying the DoD IEA content (App D)

Describes compliance areas and criteria (App E)

Provides activity mapping between the DoD IEA and the NCOW RM(App F)

27


28/47

Audience &

n en e se

Align architecture with the DoD IEA

Apply DoD IEA content (rules, activities, etc) to guide and

constrain information enterprise solutions

Managers of IT Programs (PM, PEO, etc.)

, ,

implementation

Through solution architectures properly aligned with the DoD IEA

IT Decision-Makers (CPM, IRB, CIO, etc.)

Use the DoD IEA to support investment decisions

with the DoD IEA

28


29/47

DoD IEA v1.2

Adds DoD EA Compliance Requirements (Appendix G)

Compliance with DoD IEA

Compliance with Capability and Component EAs

Compliance with Mandatory Core and Shared Designated DoD

Enterprise Services (ES) Architecture Registration Requirements

DoD ES

Adds content to the Rules, App D, and App E to maintain

consistency with App G29


30/47

Applying the DoD IEA

ppen x

30


31/47

Applying the DoD IEAEstablish Net Centric

Context for EANCS RA

Relevant DoD IEA Priority Areas

Understand Net-Centric Concepts

Align with Net-Centr ic Vision

Net-Centric Assumptions

Portable identity credentials will be used tosu ortuser authentication

ecure va a y

Data and Services Deployment (DSD)

Identify Net-Centric Assumptions

Authorization attributes have already beendefined, collected, regularly updated, and madeavailable through standard interfaces from

reliable attribute sources

Consumer/

User

Perspective Identify DoD IE Perspective for

Architecture

OV-1 (Operational

Concept Graphic)

-

Concept Provider/ProducerPerspective

31

Align with JCA Taxonomy

Relevant JCAs

Net-Centric/Enterprise Services/Core

Enterprise Services/User AccessNet-Centric/Information Assurance

A l i th D D IEA


32/47

Applying the DoD IEAAlign EANCS RA

Description with DoD IEA

Guiding Principles and Rules for RA

Data assets, services, and a lications on the GIG shall be visible, accessible, understandable, and trusted

Incorporate applicable DoDIEA Principles

A l DoD IEA Rules

to authorized (including unanticipated) users. (DoD IEA, GP 03)

Global missions and globally dispersed users require global network reach. Information Assurance

mechanisms and processes must be designed, implemented, and operated so as to enable a seamlessDefense Information Enterprise. (DoD IEA, SAP 03)

Authoritative data assets, services, and applications shall be accessible to all authorized users in theDepartment of Defense, and accessible except where limited by law, policy, security classification, or

. ,

All DoD information services and applications must uniquely and persistently digitally identify andauthenticate users and devices. These services, applications, and networks shall enforce authorized accessto information and other services or devices according to specified access control rules and quality ofprotection requirements for all individuals, organizations, COIs, automated services, and devices. (DoD IEA,SAR 07)

Align Operational Activi ties and

Processes with related DoD IEA

Activi ties

OverseeAuthentication

Initiatives

ManageAuthentication

A2.8.4 Constrain

Use net-centric

OV-6c (Event-Trace

Description)

A2.8.4.1

OverseePrivilege Mgmt

Initiatives

DoD IEA Terminology

DoD Net-Centric Vision

DoD IE Perspective

32

erm no ogy n

architecture

description

A2.8.5 ser onsumer

Producer/Provider

Priority Areas

Data and Services Deployment Secured Availability


33/47


ppen x

Compliance is about conveying the application of DoD IEA

Principles, Rules, and Activit ies

Use the rocess described in A D and rovided in A E

Tab A

of DoD IEA content are captured in the Enhanced ISP tool

Completed Compliance table

ISP and Architecture

epor

33


34/47

Com liance w/the DoD IEATab A to Appendix E: DoD IEA Compliance Assessment Table

.

B1. Use Net-

CentricTerminology

2.3.2.1.1 Use key terms

contained inthe DoD IEA

Glossary

across

2.1.1.2.1 Describe

applicableDoD IEA

key terms.

Describe in

the:- AV-2

Integrated

Dictionar .

Q12 - Identify key

terminology from theDoD IEA used in your

architecture/program

documents.

architecture

descriptions.

- Related

taxonomies.

- ISP

descriptions

of the IE.B .

Incorporate

Applicable

DoD IEA

Principles

. . . . - Ident y

applicable

DoD IEA

Principles and

use in

. . . . Descr be

DoD IEA

Principles.

Descr be n

the:

- OV-1

Operational

Concept.

- -

- Wh ch DoD IEA

Principles apply to your

Program?

Q14 - How do the

Principles apply to your

descriptions toplace

restrictions or

limitations on

operations.

OperationalActivity

Model.

- Process

Models

Q15 - How are theapplicable Principles

addressed in your

architecture/program

documents?

34

- Use

applicable

Principles


35/47


Incor orated descri tion of ke ali nment as ects into RA

document

Added section describing RA alignment with J CAs and DoD IEA

Added text descriptions of how process patterns align with DoD IEA

activities into pattern discussions Filled out Tab A Compliance Matrix for RA

Developed eISP excerpt for RA

u u

EISP 2.0 to identify and locate DoD IEA questions to be answered

Incorporated information and text from RA document

35

Generated compliance matrix using Xml2PDF 2007 application and

ISP_DoD_IEA_Compliance_Table style sheet


36/47

Initiatives and Pro ects Reference Architecture Description

Comment Adjudication for ASRG Approval

DoD IEA

omment u caton v . or pprova

Work on future versions of the DoD IEA

EANCS RA

Delivered to owner; now in FAC/ASRG approval process

Document Process for Developing RA

Describe the process used to develop the EANCS RA

FEA BRM Extension

x en o s or e

Recommended changes provided to OMB FEA for action36


37/47

DoD IEA Site:http://cio-nii.defense.gov/sites/diea/

uestions

37


38/47

BACKUP SLIDES

38


39/47

Services and InfrastructureArchitecture

IE Service/Infrastructure Context DiagramDRAFT


40/47

DefenseIntel

DefenseIntel

MissionMission

BusinessBusinessBusinessBusiness

IE Service/Infrastructure Context Diagram

Human Computer Interaction

Mission

&

Business

Force

App licat ion

Portfolio

Battlespace

Awareness

Portfolio

Force Support

Portfolio

Command &

Control Portfolio

Functional Capability Enterprise Services

Information Sharing Enterprise ManagementDiscovery

IT

Partnerships

Portfolio

Protection

Portfolio

& Support

Portfolio

Logistics

Portfolio

essag ng orta

Collaboration Mediation

Content Delivery

erv ces anagement

Resource Management

Content Handling

eop e erv ce scovery

Content Discovery

Metadata Discovery

Geospatial Visualization

Digital Identity Privilege

Management

Credentialing Authentication Authorization

& Access

Mandatory Core & Shared Enterprise Services (ES)

Enterprise Services Security Foundation

Enterprise

Services

&

Infrastructure

Aud it ing &

Reporting

Cryptography Configuration

Management

Computer

Network Defense

COOP/CIP

IA InfrastructureDynamic Policy Management

Assured Resource AllocationMgmt of IA Assets and Mechanisms

NetOps InfrastructureEnterprise Management

Content ManagementNet Assurance

ompu ng ommun ca ons n ras ruc ure

40


41/47

Use Enterprise Services Framework to

rgan ze an ocus or s

Enterprise Services Security Foundation (ESSF)41


42/47

Use ESSF Segment Architecture to Organize and

Focus Securit Efforts

42


43/47

Describe the components of the context diagram

Build use cases based on GIG 2.0 Attributes to establish relationships

between its functional components (Mandatory Core & Shared EnterpriseServices)

Global Authentication, Access Control, and Directory Services

Information and Services From The Edge

J oint Infrastructure

Unity of Command

Analyze use cases through identification, sequencing, and prioritization offunctional components to develop key or foundational Services first

Apply analysis to prioritize and manage: Reference Architecture Development (Principles, Technical Positions,

Patterns)

Sequence and Monitor Initiatives, Projects, and Programs

Identify Issues, Gaps, and Shortfalls43

Apply Enterprise Services &


44/47

pp y p

Infrastructure to GIG 2.0

Requirements through Use Cases

ndation

S

ices

Fou

nterpr

is

rvices

F

rise

Serv

Securit

oundati

Enter

pn

44

Computing & Communications Infrastructure

C ll b ti S i


45/47

Collaboration ServicesUse Case Example

Document

Sharing

Enterprise

Directory Desktop/

Browser

(EANCS)

User

LocalAccessRequest(Logon)

EndUserDevice(EUD)

Printer

Capability

OfficeAutomation

Applicationse

Mail

Authorization

Decision

Request+Authentication

Factors Authentication

Decision

Response

Resource

Metadata

Policy

Constrained

Access

oragorag

eeCollaborationPortal

ESSFAuthenticationSecondary

Authentication(ifrequired)

ESSFAuthorization& AccessControl Environmental

DataResponsePortable

Identity

Credential

ValidationResponse

Identity

MissionManagerUserAttributeResponse

esource

Access

Policy

Response

45

ESSFDigitalIdentityESSFCredentialing

In ormat on

PolicyManagement

IdentityUpdates Indicates Dependency


46/47

Sample Use Case (Content Request)

InformationSharing Discovery

User

Portal

1

Discovery

3

49

10

2

ContentDelivery

78

Enterprise

Management

ContentMgmt

6

Authenticatio Authorization &

5n ras ruc ure

EnterpriseServicesSecurityFramework

46

IE Service/Infrastructure Context DiagramDRAFT


47/47

DefenseIntel

DefenseIntel

MissionMission

BusinessBusinessBusinessBusiness

Human Computer Interaction

Force

Applicat ion

Portfolio

Battlespace

Awareness

Portfolio

Force Support

Portfolio

Command &

Control PortfolioMission

&

Business

Functional Capability Enterprise Services

Partnerships

Portfolio

Protection

Portfolio

& Support

Portfolio

Logistics

Portfolio

Information Sharing Enterprise ManagementDiscovery

IT

essag ng orta

Collaboration Mediation

Content Delivery

erv ces anagement

Resource Management

Content Handling

eop e erv ce scovery

Content Discovery

Metadata Discovery

Geospatial Visualization

Digital Identity Privilege

Management

Credentialing Authentication Authorization

& Access

EANC

S RASAR SA

Mandatory Core & Shared Enterprise Services (ES)

Enterprise Services Security Foundation

Enterprise

Services

&

Infrastructure

Aud it ing &

Reporting

Cryptography Configuration

Management

Computer

Network Defense

COOP/CIP

EU

ITI Opt

Arch

AD Opt

Arch

IA InfrastructureDynamic Policy Management

Assured Resource AllocationMgmt of IA Assets and Mechanisms

NetOps InfrastructureEnterprise Management

Content ManagementNet Assurance

ompu ng ommun ca ons n ras ruc ure

47

Documents

2010 EA Conf_RA Track Presentation_20100506