Jim Tepin, Systems Integrator - PowerPoint PPT Presentation

Provided by: michel48

1
Jim Tepin, Systems Integrator
State of Michigan Data Warehouse Data Sharing
Through Central Views
2
The Need for Sharing Data
  • Unity of Effort: Sharing Information. The U.S.
    government has access to a vast amount of
    information. But it has a weak system for
    processing and using what it has. The system of
    "need to know" should be replaced by a system of
    "need to share."
  • A smart government would integrate all sources
    of information to see the enemy as a whole.
  • THE 9/11 COMMISSION REPORT

client
3
The Need for Sharing Data: Wins
  • Child Support Locate and Enforcement
      ◦ Identifying new hires nationwide in less than a
        week.
  • Dept. of Human Services
      ◦ Consolidated Inquiry
      ◦ Food Assistance - Automated Find Fix
      ◦ Homelessness Initiatives - Geography Focus
      ◦ Foster Care - Safe child placement
  • OIG
      ◦ Child Day Care Fraud
      ◦ FAP Anti-Trafficking Efforts EBT, CIMS, FNS data

Reuse is key. Once a source is present and
available for one purpose, it can be easily
relied upon and referenced for other purposes.
4
What Prohibits Data Sharing
  • Concern Over Unauthorized Access
      ◦ Fear that unauthorized users can see warehouse
        data.
      ◦ Federal regulations prohibit access outside of
        the agency.
  • Uncertainty
      ◦ Others may take the data out of context due to
        lack of understanding, etc.
      ◦ There is no value outside of our use of the data.
      ◦ Can this be shared?
  • Time and Effort
      ◦ Not in our scope.
      ◦ Not in our budget.
      ◦ Does not benefit our agency.
  • Lack of a Plan: How Can We Do It?

5
Current Environment
Hosts
6
Data Sharing: Traditional Process
Network
  • Policy / Legal
  • Content / Layout / Format
  • Timing
  • Resources

7
Data Sharing: Traditional Process
Redundancy abounds as various sharing
arrangements are formed.
8
Product Logistics Analogy
9
Data Sharing: New Process
  • Reduced redundancy
  • Access specifically what is desired
  • Auditable access

10
Security Overview - Tech Talk
Tables
  • Table - A set of rows and columns of data.

11
Security Overview - Tech Talk
Databases
Database
  • Database - A set of tables.

12
Security Overview - Tech Talk
Michigan Data Warehouse
  • Michigan Data Warehouse - A set of databases.

13
Security Overview - Tech Talk
DHS
CSES
DCH
Treasury
Shared Machine Secured Access
14
Data Security
Database
Levels of security that can be defined and
enforced through security rules
15
Database Views
Employee Table
Views can be used for security by restricting
access to rows of data or columns of data. They
are simply not referenced by the view.
16
Current Sharing Method
View Databases
DHS-to-CSES Views
DHS Users
Tables
CSES-to-DHS Views
CSES Users
(Redundant)
DCH-to-CSES Views
(Redundant)
DCH Users
CSES-to-DCH Views
One agency has 37 discrete view databases serving
this specific purpose.
17
Roles and Security
Security Roles by Subject Area
FIA User Group
Tables
FIA-CIS Role
CSES Users
Corrections Role
MDOS Role
Health Ins. Role
DCH Users
Quarterly Wage Role
Security roles eliminate the need for
establishing a view database for each agency
exchange. Security becomes more specific.
Instead of a user having access to Agency A's
entire view database (holding subject areas X, Y
and Z), the user has access to a specific
subject area. Roles also make it possible to
establish security groups.
18
New Sharing Method: Centralization into VCentral
VCentral
FIA
Agency DBs
CSES
DCH
  • TCentral
  • (codes and values)
  • Federal Codes
  • Industry Codes
  • Addresses, Etc.

Codes and Values
Views can be established for each subject area
and centralized in a common area. Security roles
provide any necessary segregation for access.
These central views can be used between agencies,
and even by the host agency themselves
(eliminating yet more redundancy). Centralization
also provides an opportunity to standardize and
to gather and store metadata centrally ...and
only once.
19
Centralization into VCentral
Users
VCentral
Roles
rlFIACIS
rlSOMCorrections
rlDCHVitalStats
Codes and Values
rlPublic
Each subject area should have at least one role
representing it. The role has read privilege on
the view(s) for the subject area. A public role
can be assigned to all DW users, allowing access
to all non-secure codes and values (stored in
TCentral). Until the security bridge has been
crossed by granting roles to users, no security
breach has been made. This means that these
views can be established at any time, even prior
to a request for access.
(group of users)
Security Bridge
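
The view-and-role pattern from slides 15 to 19, sketched in Teradata SQL as an added example that is not part of the original presentation. VCentral, TCentral, rlFIACIS and rlPublic are the slides' names; FIA_DB, the table and column names, the 'SEALED' status value and the user cses_analyst01 are hypothetical.

```sql
-- Added example. Hypothetical names: FIA_DB, CIS_Client and its columns,
-- TCentral.FederalCodes and its columns, cses_analyst01.

-- 1. A view database can expose another database's tables only if it holds
--    SELECT WITH GRANT OPTION on them.
GRANT SELECT ON FIA_DB   TO VCentral WITH GRANT OPTION;
GRANT SELECT ON TCentral TO VCentral WITH GRANT OPTION;

-- 2. Central view for one subject area. Columns and rows that must not be
--    shared are simply not referenced by the view.
REPLACE VIEW VCentral.FIACIS_Client AS
SELECT client_id, last_name, first_name, county_code, case_status
FROM   FIA_DB.CIS_Client            -- ssn, benefit_amount left out (column restriction)
WHERE  case_status <> 'SEALED';     -- row restriction

-- Non-secure codes and values, readable by every warehouse user.
REPLACE VIEW VCentral.FederalCodes AS
SELECT code_type, code_value, code_description
FROM   TCentral.FederalCodes;

-- 3. One role per subject area, with read privilege on its view(s) only.
--    No privilege is ever granted on FIA_DB itself.
CREATE ROLE rlFIACIS;
CREATE ROLE rlPublic;
GRANT SELECT ON VCentral.FIACIS_Client TO rlFIACIS;
GRANT SELECT ON VCentral.FederalCodes  TO rlPublic;

-- Up to this point no user can read anything new: views and roles can be
-- staged before any request for access arrives.

-- 4. Crossing the security bridge: one grant per role, per user.
GRANT rlPublic TO cses_analyst01;
GRANT rlFIACIS TO cses_analyst01;
MODIFY USER cses_analyst01 AS DEFAULT ROLE = ALL;

-- 5. Review who has crossed the bridge for a subject area, and when.
SELECT RoleName, Grantee, Grantor, WhenGranted
FROM   DBC.RoleMembersV
WHERE  RoleName = 'rlFIACIS'
ORDER  BY WhenGranted;
```

Revoking access is the mirror image of step 4 (`REVOKE rlFIACIS FROM cses_analyst01;`) and leaves the views and the role in place for other grantees.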
20
Compelling Reasons for Role Based Security
  • Database level security is not refined enough.
    Column level security is too refined and hard to
    manage. Views and roles provide adequate and
    flexible security management.
  • From a technical standpoint, role based security
    is less intensive on the Teradata database. It
    saves both access time and storage space.
  • Roles can be applied more consistently. For
    example, a developer role can be created with
    appropriate developer privileges. Assignment
    occurs in a single step (vs. dozens).
  • Roles have names (e.g. newhire). This brings
    visual cognizance to security rules.

21
Central View Process
22
Terminology: Agency Parties
  • Source Agency
      ◦ Original source of the information.
  • Host Agency
      ◦ Agency who maintains the data on the data
        warehouse.
  • Requesting Agency
      ◦ Agency requesting access to data warehouse data.
  • DIT
      ◦ Can be central operations and/or specific
        agency DIT.

23
Terminology: Data Sharing / Access Agreements
  • Data Sharing Agreement
      ◦ (original) Agreement to exchange information
        between 2 or more parties.
      ◦ Occurs between a Source and Host agency
  • Data Access Agreement (new term)
      ◦ Agreement to allow access to information already
        residing on Host agency platform.
      ◦ Occurs between Source, Host and Requesting
        agencies.
      ◦ Acts as an amendment to a Data Sharing
        Agreement between a source and host agency.

24
DSA Process VCentral
Host Agency
Host / Source Agencies
Host /Source Agency DIT
Data Sharing Need
DSA Process
Develop Store
DIT Host Agency
Host Agency DIT
Potential Shared Access
View/Role Creation
Compose Central Views
Yes
No
No Action
25
DAA Process
Requesting / Source /Host Agencies
DIT Requesting Agency OR DIT Host Agency
Central Views/Roles Already Exist
DAA Process
No
Data Access Need
Compose Central Views
Information Exchange
Yes
DIT Requesting Agency
View/Role Creation
Generate Security Request
DIT Host Agency
Grant Access to Requesting Agency Admin
Grant Access to Agency Users
DIT Host Agency
DIT Requesting Agency
26
Closing Notes
  • VCentral accommodates the current environment.
  • VCentral already exists and is being used.
  • The approach provides secure access to shared
    information with less redundancy of effort (and
    with as little effort as possible for the host
    organization).