
Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity


Presentation Transcript


  1. www.oasis-open.org Oasis Identity in the Cloud (IDCloud): Towards standardizing Cloud Identity • Anil Saldhana (Red Hat), Co-Chair • Gershon Janssen, Secretary

  2. Cloud Identity Management • The TC works to address Identity Management challenges related to Cloud Computing • Cloud Identity Management is considered a top security concern • Identity Management is not completely solved even at the Enterprise level • Standards are evolving • Cloud is a new paradigm, but these are largely the same problems in new packaging

  3. Before we start • How many of you have Facebook, Google, LinkedIn or similar Cloud Service accounts? • Imagine a company uses a public cloud for its documents. An employee leaves the company and is decommissioned. What happened to the documents? • A small manufacturing company requires its employees to use an online benefits system annually, to choose health care benefits for the entire year. The employees work in workshops/units and do not use computers regularly at work. The majority of them have Facebook accounts. Do you think they will remember their Benefits system password as well as their Facebook password? Should we use Facebook Connect for the Benefits system?

  4. What is it we do? 3 Main objectives: • Identifying detailed Use Cases • Identity deployment, provisioning and management in a cloud context • Gap Analysis of existing Identity Management standards and protocols when applied in the context of Cloud • Based on Use Cases and Interoperability Profiles • Feed analysis back to the WG responsible for a standard • Define Interoperability Profiles for Identity in the Cloud • Profiles will be based on use and combinations of existing standards, protocols and formats

  5. What is it we do? • Other objectives: • Glossary on Cloud Identity • Harmonized set of definitions, terminologies and vocabulary on Identity in the context of Cloud • Do not re-invent the wheel • Build on existing standards and specifications • Strong liaison relationships with other international working groups • ITU-T, DMTF

  6. How serious are we about this? • Our Technical Committee chairs are: • Anil Saldhana (Red Hat) • Tony Nadalin (Microsoft) • Amongst the members of the Technical Committee are: • Red Hat, IBM, Microsoft, CA Technologies, Cisco Systems, SAP, eBay, Novell, Ping Identity, SafeNet, Symantec, Boeing Corp, US DOD, Verisign, Akamai, Alfresco, Citrix, Capgemini, Google, Rackspace, Acxiom, Huawei, Symplified, Thales, Conformity, Skyworth TTG, MIT, Jericho Systems, PrimeKey, Aveksa, Mellanox, Vanguard Integrity Professionals, NZ Govt ...

  7. Current Status • Three stages: • Formalization of Use Cases [Finished] OASIS Identity In The Cloud Use Case Document v1.0 • Gap Analysis of existing IDM standards using the Use Cases [In progress] • Defining Profiles for Identity In The Cloud [Scheduled]

  8. Use Cases • Received 35 Use Cases of Identity Management in the Cloud (finally, 29 Use Cases were formalized) • Structure of Use Cases: • Description / user story • Goal / Desired outcome • Categories covered • Applicable Deployment Models • Actors • Systems • Notable Services • Dependencies • Assumptions • Process Flow

  9. Use Cases • Categorizations: • Authentication • Single Sign On (SSO) • Multi factor Authentication • Infrastructure Identity Establishment • General Identity Management • Infrastructure IdM • Federated IdM • Authorization • Account & Attribute Management • Account & Attribute Provisioning • Security Tokens • Audit & Compliance

  10. Use Cases • Applicable Deployment and Service Models: • Deployment Models: • Private • Public • Community • Hybrid • Service Models: • SaaS • PaaS • IaaS • Other

  11. Use Cases • High Ranked Use Cases: • Managing Identities at all levels in the Cloud • Need for Federated Single Sign On across multiple environments • Enterprise to Cloud SSO • Auditing • Multi-factor Authentication for Privileged User Access • Mobile Identity authentication using Cloud Provider

  12. Use Cases • Mobile Identity Authentication • Submitted by Bank of America • Use case affects Mobile Banking • The first step is automatic mobile device registration • Cloud based IAM solutions provide identity proofing, credential management, SSO and Provisioning capabilities.

  13. Use Cases • Government Provisioning of Cloud Services • Submitted by Govt. of New Zealand (Colin Wallis) • A government employee or contractor logs into a web site where he can configure an environment that utilizes one or more cloud services. • Identity proofing and authentication, along with billing, auditing, etc., are provided.

  14. GAP Analysis • Analysis of Identity Management Use Cases in a Cloud context • Main Question: "Can the desired goal or outcome be achieved using existing standards?"

  15. How do we approach the Analysis • Analyzing how a Use Case can be implemented: what is required? • Elements of the Use Case examined: • User Story • Goal / Outcome • Process Flow • Actors • Systems • Services • Assumptions and Dependencies

  16. Scope of analysis • Focus on the technological challenge: how to get a user story working. • Not looking at legal, policy or economic perspectives

  17. How do we approach the Analysis • Step by step / phased drill-down into more detail • First pass: identify relevant standards • Do not reinvent the wheel; we have a broad scope and look at all relevant standards, specifications, recommendations, notes and 'work in progress', from both SDOs and non-SDOs • RESULT: List of standards • Second pass: coarse analysis • Find out where the standards fall short or what we perceive as missing • Identify Identity Management commonalities and reusable elements • RESULT: Identified big / obvious gaps

  18. Example of a Use Case • USE CASE: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication • User Story: For services offered in the cloud, identity management and authentication should be decoupled from the cloud services themselves. Users subscribing to cloud services expect and need to have an interoperable identity that can be used to obtain different services from different providers. • Goal: A user is able to access multiple SaaS applications using a single identity • Process Flow: 1. User accesses SaaS application 2. Login using external IdP 3. IdP transforms & maps identity to SaaS provider format 4. Access to SaaS application established • Actors: • Subscriber SaaS Application User • Subscriber SaaS Provider Administrator • Systems: • Cloud Identity Mgmt. System • External Identity Provider • Services: • Cloud Provider Identity Federation Service • Cloud Provider Attribute Management Service (identity transform) • Assumptions and Dependencies: • The federated trust relationship between the SaaS application and the identity provider was previously set up by the Cloud tenant Administrator. • The user accessing the service is already registered and enrolled with the Identity Provider of choice.

  19. Example Analysis of Use Case • First pass: Identified relevant standards: • SAML • OpenID • OAuth • SPML • SCIM • WS-Federation • IMI • Second pass: Identified big / obvious gaps • Configuration and association with an IdP is not standardized • No standards or rules for mapping or transforming attributes between different (cloud) domains. • No profiles or standard roles and related attributes • No standards for attributes • No audit standards for IDM systems
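The following is an added example, not code from OASIS or the IDCloud TC, showing the SaaS-provider side of steps 2 to 4 of the use case on slide 18 and the attribute-mapping gap named on slide 19. The external IdP has authenticated the user and returned a SAML 2.0 assertion; the provider checks that the issuer is one the tenant administrator pre-configured (the use case's trust assumption), that the assertion is addressed to it and still valid, and then transforms the IdP's attributes into its own schema. The trust table, the SP entity ID, the attribute names and the sample assertion are all constructed for illustration, and XML signature verification is assumed to have been done upstream by a SAML library; the point here is the per-IdP mapping that has to exist because no standard defines it.

```python
# Added example (not the TC's code): SP-side handling of a federated SSO login.
# Assumptions not on the slides: TENANT_TRUST and SP_AUDIENCE are hypothetical
# tenant configuration; the assertion's XML signature was already verified by
# a SAML library, so only issuer/audience/time checks and the transform remain.
import xml.etree.ElementTree as ET  # production code: parse with defusedxml
from datetime import datetime, timezone
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_AUDIENCE = "https://saas.example-provider.test/sp"  # hypothetical SP entity ID

# Hypothetical per-tenant trust list set by the tenant administrator.  Each IdP
# carries its own attribute map because there is no standard for mapping
# attributes between domains: this IdP sends LDAP OIDs plus one Microsoft claim URI.
TENANT_TRUST = {
    "https://idp.example-corp.test/saml": {
        "attribute_map": {
            "urn:oid:0.9.2342.19200300.100.1.3": "email",        # mail
            "urn:oid:2.5.4.42": "given_name",                     # givenName
            "urn:oid:2.5.4.4": "family_name",                     # sn
            "http://schemas.xmlsoap.org/claims/Group": "groups",  # multi-valued
        },
        "required": {"email"},
        "multi_valued": {"groups"},
    },
}


class FederationError(Exception):
    """Raised when the assertion must not be accepted."""


def _parse_time(value: Optional[str]) -> datetime:
    if not value:
        raise FederationError("Conditions lack a validity window")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML uses UTC 'Z'


def map_identity(assertion_xml: str, now: datetime,
                 trust=TENANT_TRUST, audience=SP_AUDIENCE) -> dict:
    """Validate issuer, audience and time window, then map IdP attributes
    into the provider's schema (use case step 3)."""
    root = ET.fromstring(assertion_xml)
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    idp = trust.get(issuer)
    if idp is None:
        raise FederationError(f"issuer not in tenant trust list: {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise FederationError("assertion has no Conditions")
    audiences = {a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if audience not in audiences:
        raise FederationError("assertion not addressed to this SP")
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise FederationError("assertion outside its validity window")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise FederationError("assertion has no NameID")
    # Collect attributes under the IdP's own names, keeping every value.
    raw = {attr.get("Name"): [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
           for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # Transform: only attributes the tenant admin mapped survive; others are dropped.
    identity = {"issuer": issuer, "subject": name_id.text.strip()}
    for src, dst in idp["attribute_map"].items():
        if raw.get(src):
            identity[dst] = raw[src] if dst in idp["multi_valued"] else raw[src][0]
    missing = idp["required"] - identity.keys()
    if missing:
        raise FederationError(f"required attributes missing: {sorted(missing)}")
    return identity


def rejection_reason(assertion_xml: str, now: datetime) -> Optional[str]:
    """Return why an assertion was rejected, or None if it was accepted."""
    try:
        map_identity(assertion_xml, now)
    except FederationError as e:
        return str(e)
    return None


# Constructed sample assertion (signature element omitted, see assumptions above).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2012-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example-corp.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example-corp.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-05-01T10:00:00Z" NotOnOrAfter="2012-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://saas.example-provider.test/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>alice@example-corp.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group"><saml:AttributeValue>finance</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.20"><saml:AttributeValue>+1-555-0100</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
DEMO_NOW = datetime(2012, 5, 1, 10, 1, tzinfo=timezone.utc)   # inside the window
DEMO_LATE = datetime(2012, 5, 1, 10, 6, tzinfo=timezone.utc)  # after NotOnOrAfter
```

Running `map_identity(SAMPLE_ASSERTION, DEMO_NOW)` yields the provider-format identity with `email`, `given_name` and the two `groups`; `family_name` is absent because the IdP did not send `sn`, and the telephone attribute is dropped because nobody mapped it. Swapping the Issuer, the Audience or the clock (`DEMO_LATE`) makes `rejection_reason` return the corresponding error instead of an identity.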

  20. 'Early' profiles start to surface • Interoperability profiles (combinations of standards and protocols) become visible as identity management patterns surface • E.g. the pattern of how we nowadays think about the identity eco-system (IdP, RP, AP, etc.)

  21. Conclusions and next steps • Produced in-depth work providing good understanding of Identity Management in a Cloud context with respect to technical standards-based feasibility • Unsure how to deal with implicit details of use cases: e.g. trust space, attribute space, privacy space • Suggest future work to fill the gaps

  22. Resources • OASIS IDCloud Technical Committee Homepage http://www.oasis-open.org/committees/id-cloud/ • OASIS Technical Committee Wiki http://wiki.oasis-open.org/id-cloud/FrontPage Anil.Saldhana@redhat.com Gershon.Janssen@gmail.com
