oasis identity in the cloud (idcloud) towards standardizing cloud identity
Post on 06-Jan-2016
Oasis Identity in the Cloud (IDCloud)
Towards standardizing Cloud Identity
Anil Saldhana (Red Hat), Co-Chair
Gershon Janssen, Secretary
www.oasis-open.org
Cloud Identity Management
• TC works to address Identity Management challenges related to Cloud Computing
• Cloud Identity Management is considered a top security concern
• Identity Management is not completely solved at Enterprise level
• Standards are evolving
• Cloud is a new paradigm, so the same problems in new packaging
Before we start
• How many of you have Facebook, Google, LinkedIn or any similar Cloud Service accounts?
• Imagine a company uses a public cloud for its documents. An employee leaves the company. The employee is decommissioned. What happened to the documents?
• A small manufacturing company requires its employees to use an online benefits system annually, to choose health care benefits for the entire year. The employees work in workshops/units and do not use computers regularly at work. The majority of them have Facebook accounts. Do you think they will remember their Benefits system password as well as their Facebook password? Should we use Facebook Connect for the Benefits system?
What is it we do?
3 Main objectives:
• Identifying detailed Use Cases
  • Identity deployment, provisioning and management in a cloud context
• Gap Analysis of existing Identity Management standards and protocols when applied in the context of Cloud
  • Based on Use Cases and Interoperability Profiles
  • Feed analysis back to the WG responsible for a standard
• Define Interoperability Profiles for Identity in the Cloud
  • Profiles will be based on use and combinations of existing standards, protocols and formats
What is it we do?
• Other objectives:
  • Glossary on Cloud Identity
    • Harmonized set of definitions, terminologies and vocabulary on Identity in the context of Cloud
  • Do not re-invent the wheel
    • Build on existing standards and specifications
  • Strong liaison relationships with other international working groups
    • ITU-T, DMTF
How serious are we about this?
• Our Technical Committee chairs are:
  • Anil Saldhana (Red Hat)
  • Tony Nadalin (Microsoft)
• Amongst the members of the Technical Committee are:
  • Red Hat, IBM, Microsoft, CA Technologies, Cisco Systems, SAP, EBay, Novell, Ping Identity, Safe Net, Symantec, Boeing Corp, US DOD, Verisign, Akamai, Alfresco, Citrix, Cap Gemini, Google, Rackspace, Axciom, Huawei, Symplified, Thales, Conformity, Skyworth TTG, MIT, Jericho Systems, PrimeKey, Aveksa, Mellanox, Vanguard Integrity Professionals, NZ Govt ...
Current Status
• Three stages:
  • Formalization of Use Cases [Finished]
    OASIS Identity In The Cloud Use Case Document v1.0
  • Gap Analysis of existing IDM standards using the Use Cases [In progress]
  • Defining Profiles for Identity In The Cloud [Scheduled]
Use Cases
• Received 35 Use Cases of Identity Management in the Cloud
  • Finally, 29 Use Cases are formalized
• Structure of Use Cases:
  • Description / user story
  • Goal / Desired outcome
  • Categories covered
  • Applicable Deployment Models
  • Actors
  • Systems
  • Notable Services
  • Dependencies
  • Assumptions
  • Process Flow
Use Cases
• Categorizations:
  • Authentication
    • Single Sign On (SSO)
    • Multi factor Authentication
  • Infrastructure Identity Establishment
  • General Identity Management
    • Infrastructure IdM
    • Federated IdM
  • Authorization
  • Account & Attribute Management
    • Account & Attribute Provisioning
  • Security Tokens
  • Audit & Compliance
Use Cases
• Applicable Deployment and Service Models:
  • Deployment Models: Private, Public, Community, Hybrid
  • Service Models: SaaS, PaaS, IaaS, Other
Use Cases
• High Ranked Use Cases:
• Managing Identities at all levels in the Cloud
• Need for Federated Single Sign On across multiple environments
• Enterprise to Cloud SSO
• Auditing
• Multi-factor Authentication for Privileged User Access
• Mobile Identity authentication using Cloud Provider
Use Cases
• Mobile Identity Authentication
• Submitted by Bank of America
• Use case affects Mobile Banking
• First step is to do automatic mobile device registration
• Cloud based IAM solutions provide identity proofing, credential management, SSO and Provisioning capabilities.
Use Cases
• Government Provisioning of Cloud Services
• Submitted by Govt. of New Zealand (Colin Walis)
• Government employee or contractor logs into a web site where he can configure an environment that utilizes one or more cloud services.
• Identity proofing and authentication, along with billing, auditing etc., are provided.
GAP Analysis
• Analysis of Identity Management Use Cases in a Cloud context
Diagram: Use Cases → Analysis → Gaps / Profile
Main Question: “Can the desired goal or outcome be achieved using existing standards?”
How do we approach the Analysis
• Analyzing how a Use Case can be implemented: What is required?
Diagram: elements of a Use Case that feed the analysis: User Story; Process Flow; Actors; Systems; Services; Assumptions and Dependencies; Goal / Outcome
Scope of analysis
• Focus on the technological challenge: how to get a user story working.
• Not looking at legal, policy or economic perspectives
How do we approach the Analysis
• Step by step / phased drill-down into more detail
• First pass: identify relevant standards
– Not reinvent the wheel; we have a broad scope and look at all relevant standards, specifications, recommendations, notes and ‘work in progress’, from both SDOs and non-SDOs
RESULT: List of standards
• Second pass: coarse analysis
– Find out where the standards fall short or what we perceive as missing
– Identify Identity Management commonalities and reusable elements
RESULT: Identified big / obvious gaps
Example of a Use Case
USE CASE: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication
User Story: For services offered in the cloud, identity management and authentication should be decoupled from the cloud services themselves. Users subscribing to cloud services expect and need to have an interoperable identity that would be used to obtain different services from different providers.
Process Flow:
1. User accesses SaaS application
2. Login using external IdP
3. IdP transforms & maps identity to SaaS provider format
4. Access to SaaS application established
Actors:
- Subscriber SaaS Application User
- Subscriber SaaS Provider Administrator
Systems:
- Cloud Identity Mgmt. System
- External Identity Provider
Services:
- Cloud Provider Identity Federation Service
- Cloud Provider Attribute Management Service (identity transform)
Assumptions and Dependencies:
- The federated trust relationship between the SaaS application and the identity provider was previously set by the Cloud tenant Administrator.
- The user accessing the service is already registered and enrolled with the Identity Provider of choice.
Goal: A user is able to access multiple SaaS applications using a single identity
Example Analysis of Use Case
• First pass: Identified relevant standards:
– SAML
– OpenID
– OAuth
– SPML
– SCIM
– WS-Federation
– IMI
• Second pass: Identified big / obvious gaps
– Configuration and association with an IdP is not standardized
– No standards or rules for mapping or transforming attributes between different (cloud) domains
– No profiles or standard roles and related attributes
– No standards for attributes
– No audit standards for IDM systems
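The four-step process flow of the example use case, and the second-pass gap that attribute mapping between domains is not standardized, as an added simulation that is not part of the OASIS deck. All names, the shared secret and the user record are constructed; an HMAC over a JSON body stands in for a SAML signature, and the bespoke `saas_map_identity` step is exactly the part the gap analysis says no standard covers.

```python
import hashlib
import hmac
import json
import time

# Constructed demo data (not from the OASIS document). The tenant administrator has
# pre-registered the IdP and its key at the SaaS provider (use case assumption 1).
SAAS_AUDIENCE = "https://saas.example.com"
TRUSTED_IDPS = {"https://idp.example.org": b"demo-shared-secret"}
# The user is already enrolled at the IdP (use case assumption 2).
IDP_USERS = {"alice": {"mail": "alice@example.org", "givenName": "Alice",
                       "memberOf": ["engineering"]}}

def idp_issue_assertion(issuer, key, username, audience, now=None):
    """Step 2: the user logs in at the external IdP, which issues a signed assertion.
    An HMAC over a canonical JSON body stands in for a SAML XML signature."""
    if username not in IDP_USERS:
        return None                      # unknown user: no assertion issued
    now = int(time.time()) if now is None else now
    payload = {"iss": issuer, "sub": username, "aud": audience,
               "exp": now + 300, "attrs": IDP_USERS[username]}
    body = json.dumps(payload, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, sig

def saas_map_identity(attrs):
    """Step 3: map IdP attributes onto the SaaS provider's own account schema.
    The gap analysis notes no standard defines this mapping, so it is bespoke."""
    return {"email": attrs["mail"], "display_name": attrs["givenName"],
            "groups": list(attrs.get("memberOf", []))}

def saas_accept_login(body, sig, now=None):
    """Step 4: the SaaS provider verifies the assertion against the pre-established
    trust, checks audience and expiry, then maps the identity. Returns the local
    account dict, or None if access must be refused."""
    now = int(time.time()) if now is None else now
    payload = json.loads(body)
    key = TRUSTED_IDPS.get(payload.get("iss"))
    if key is None:                      # IdP never registered by the tenant admin
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                      # tampered or forged assertion
    if payload.get("aud") != SAAS_AUDIENCE or payload.get("exp", 0) <= now:
        return None                      # replayed to another service, or expired
    return saas_map_identity(payload["attrs"])
```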
‘Early’ profiles start to surface
• Interoperability profiles (combinations of standards and protocols) become visible as identity management patterns surface
• E.g. the pattern in how we nowadays think about the identity eco-system (IdP, RP, AP, etc.)
Conclusions and next steps
• Produced in-depth work providing good understanding of Identity Management in a Cloud context with respect to technical standards-based feasibility
• Unsure how to deal with implicit details of use cases: e.g. trust space, attribute space, privacy space
• Suggest future work to fill the gaps
Resources
• OASIS IDCloud Technical Committee Homepage
http://www.oasis-open.org/committees/id-cloud/
• OASIS Technical Committee Wiki
http://wiki.oasis-open.org/id-cloud/FrontPage
Anil.Saldhana@redhat.com
Gershon.Janssen@gmail.com