Oasis Identity In The Cloud TC: Towards standardizing Cloud Identity

Anil Saldhana (Red Hat), TC Co-Chair

(Slide deck transcript; uploaded by anil-saldhana, posted on 18-Nov-2014)

Need for standards in the cloud
Standards and rapid innovation?

Frustrations with Cloud Computing Mount

Cloud computing lacks standards about data handling and security practices, and there's not even any agreement about whether a vendor has an obligation to tell users if their data is in the U.S. or not.

The cloud computing industry has some of the characteristics of a Wild West boom town. But the local saloon's name is Frustration.

http://www.computerworld.com/s/article/9175102/Frustrations_with_cloud_computing_mount (April 2010)

Lawmakers worry about lack of cloud computing guidance

In a letter to General Services Administration CIO Casey Coleman, Rep. Edolphus Towns, D-N.Y., and Rep. Diane Watson, D-Calif., expressed concern about the absence of clear policies, procedures and standards to support the federal government's initiative to move many agency networks to platforms operated by contractors, or in the cloud.

http://www.nextgov.com/nextgov/ng_20100609_2152.php

IDCloud TC § Lets begin with history...

Oasis IDCloud TC History

● Roots in the Oasis IDTrust Member Section Steering Committee.
● Jump started a brainstorming group with top IDM experts.
● Small group to yield a focused charter.
● Charter distributed to extend proposer list.
● Charter published for open comment.
● Co-Chairs: Anil Saldhana (Red Hat), Tony Nadalin (Microsoft)
● About 18 months of TC lifetime

IDCloud TC Members
Are we really serious?

Members

Red Hat, IBM, Microsoft, CA Technologies, Cisco Systems, SAP, EBay, Novell, Ping Identity, Safe Net, Symantec, Boeing Corp, US DOD, Verisign, Akamai, Alfresco, Citrix, Cap Gemini, Google, Rackspace, Axciom, Huawei, Symplified, Thales, Conformity, Skyworth TTG, MIT, Jericho Systems, PrimeKey, Aveksa, Mellanox, Vanguard Integrity Professionals ...

IDCloud Charter
Objectives

Charter

● Three Stages
  – Use Cases Formalization
  – Gap Analysis of existing IDM standards
    – Feed analysis back to the WG responsible for a standard
  – Profiles of Use Cases

Charter

● Other Objectives
  – Do not reinvent the wheel
  – Strong liaison relationships with other working groups internationally
  – Glossary of Cloud Identity

IDCloud Use Cases
Are we working?

Clouds need Accounts

● Privileged Account Management
  – Use Case by SafeNet Inc (Doron Cohen)
  – Strong authentication, authorization and auditing needs
● Account Management
  – Use Case by Ping Identity (Patrick Harding)
  – Consistent maintenance of user accounts
  – Automated CRUD of user accounts

Cloud Identities

● Virtualization Security
  – Use Case by Red Hat Inc (Anil Saldhana)
  – Identities managing VMs, infrastructure and applications
● Middleware Containers in Public Clouds
  – Use Case by Red Hat Inc (Anil Saldhana)
  – Deployer Identities manage the middleware application lifecycle (running in one VM or a cluster of VMs)
  – Application Identities

Federated SSO

● Kerberos In The Cloud
  – Use Case by MIT Kerberos Consortium (Thomas Hardjono)
  – 60% of large enterprises and medium businesses driven by Kerberos
  – Natural extension of enterprise services into the cloud
  – Issues: http://www.oasis-open.org/committees/document.php?document_id=38245
    – Identity Definition/Attributes
    – Identity Metadata Exchange
    – Cross Realm Trust
    – Interoperability with other IDM standards

Federated SSO

● Mixture of Infrastructure
  – Use Case by Ping Identity (Patrick Harding)
  – Enterprise Cloud (mixture of IaaS, PaaS and SaaS)
  – Cloud users of enterprise clouds fall into 3 categories
    – Workforce (employees/contractors)
    – Partners (vendors, suppliers, franchises, distributors)
    – Customers
  – SSO for browser-based apps and APIs

Federated SSO/ Attribute Sharing

● Token Format and Transformation
  – Use Case by Red Hat (Anil Saldhana)
  – Mixture of enterprise and user-centric identities
    – Security Token Format
    – Security Token Transformation

Identity Auditing

● Tamper Proof Audit Trails
  – What standards exist?
  – Forensic aspects incorporated?
  – CloudAudit.org

Identity Provisioning

● Cloud resources are not part of an identity
  – Decommissioned identities should not decommission the resources.
● Silos part of one cloud or many
  – Directory Synchronization
  – Attribute Aggregation
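The two slides above state design principles rather than mechanisms: an audit trail of identity events should be tamper-evident, and decommissioning an identity must not take its cloud resources with it. The following Python model, added here as an illustration and not part of the deck or any TC deliverable, makes both concrete. It keeps identities and resources in separate tables linked only by an owner reference, so deprovisioning transfers ownership to a successor instead of deleting anything, and it records every event in a SHA-256 hash chain whose verification fails if any earlier entry is altered. All names (`AuditTrail`, `Directory`, "alice", "vm-web-01" and so on) are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass
class AuditEntry:
    seq: int
    actor: str
    action: str
    subject: str
    prev_hash: str
    digest: str


class AuditTrail:
    """Append-only, hash-chained log (constructed example).

    Each entry's digest covers its own fields plus the previous digest,
    so editing, reordering or dropping an entry breaks verification of
    that entry and every one after it.
    """

    GENESIS = "0" * 64  # sentinel "previous hash" for the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(seq, actor, action, subject, prev_hash):
        payload = json.dumps([seq, actor, action, subject, prev_hash]).encode()
        return hashlib.sha256(payload).hexdigest()

    def record(self, actor, action, subject):
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        seq = len(self.entries)
        digest = self._digest(seq, actor, action, subject, prev)
        self.entries.append(AuditEntry(seq, actor, action, subject, prev, digest))
        return digest

    def verify(self):
        """Recompute the chain from the genesis value; False on any break."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if self._digest(e.seq, e.actor, e.action, e.subject, e.prev_hash) != e.digest:
                return False
            prev = e.digest
        return True


class Directory:
    """Identities and resources in separate tables, linked by owner only."""

    def __init__(self, audit):
        self.audit = audit
        self.identities = {}  # identity id -> {"active": bool}
        self.resources = {}   # resource name -> owner identity id

    def _active(self, ident):
        return self.identities.get(ident, {}).get("active", False)

    def provision(self, actor, ident):
        self.identities[ident] = {"active": True}
        self.audit.record(actor, "provision", ident)

    def create_resource(self, actor, name, owner):
        if not self._active(owner):
            raise ValueError(f"owner {owner} is not an active identity")
        self.resources[name] = owner
        self.audit.record(actor, "create_resource", f"{name}->{owner}")

    def decommission(self, actor, ident, successor):
        """Disable the identity and hand its resources to a successor.

        Resources are never deleted here; only the owner reference changes.
        """
        if ident not in self.identities:
            raise KeyError(ident)
        if not self._active(successor):
            raise ValueError(f"successor {successor} is not an active identity")
        transferred = [r for r, o in self.resources.items() if o == ident]
        for r in transferred:
            self.resources[r] = successor
            self.audit.record(actor, "transfer_resource", f"{r}:{ident}->{successor}")
        self.identities[ident]["active"] = False
        self.audit.record(actor, "decommission", ident)
        return transferred


def demo():
    """Constructed scenario: alice leaves, bob inherits her resources."""
    audit = AuditTrail()
    d = Directory(audit)
    d.provision("admin", "alice")
    d.provision("admin", "bob")
    d.create_resource("alice", "vm-web-01", "alice")
    d.create_resource("alice", "bucket-logs", "alice")
    moved = d.decommission("admin", "alice", "bob")
    intact = audit.verify()
    # After-the-fact edit of a stored entry: the chain must reveal it.
    audit.entries[2].actor = "someone-else"
    return {
        "moved": moved,
        "owner": d.resources["vm-web-01"],
        "alice_active": d.identities["alice"]["active"],
        "resources_kept": len(d.resources),
        "intact_before_edit": intact,
        "edit_detected": not audit.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the separation in `Directory` is that a deprovisioning workflow has nothing to delete on the resource side, which is exactly the property the slide asks for; the hash chain in `AuditTrail` is the minimum that lets a forensic reviewer trust the order and content of the provisioning events it recorded.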

Other Topics

● Identity Configuration
  – Metadata driven configuration
● Privacy and Governance Frameworks
● Transactions and Signatures
● Non-repudiation
● Government Clouds

IDCloud Road Map

Road Map

● Use cases are being gathered and discussed for patterns.
● In a few months, we will formalize the use cases.
● In parallel, gap analysis and profiles.

Resources

● Oasis TC Page: http://www.oasis-open.org/committees/id-cloud/
● Oasis TC Wiki: http://wiki.oasis-open.org/id-cloud/FrontPage
● Wiki page with links to member submissions: http://wiki.oasis-open.org/id-cloud/MemberSubmissions
● Q & A