Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity Anil Saldhana ( Red Hat), Co-Chair Gershon Janssen, Secretary www.oasis-open.org


Page 1: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Oasis Identity in the Cloud (IDCloud)

Towards standardizing Cloud Identity

Anil Saldhana (Red Hat), Co-Chair
Gershon Janssen, Secretary

www.oasis-open.org

Page 2: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Cloud Identity Management

• TC works to address Identity Management challenges related to Cloud Computing

• Cloud Identity Management is considered a top security concern

• Identity Management is not completely solved at Enterprise level

• Standards are evolving

• Cloud is a new paradigm, so the same problems appear in new packaging

Page 3: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Before we start

• How many of you have Facebook, Google, LinkedIn or any similar Cloud Service accounts?

• Imagine a company uses a public cloud for its documents. An employee leaves the company. The employee is decommissioned. What happened to the documents?

• A small manufacturing company requires its employees to use an online benefits system annually, to choose health care benefits for the entire year. The employees work in workshops/units and do not use computers regularly at work. The majority of them have Facebook accounts. Do you think they will remember their benefits system password as well as their Facebook password? Should we use Facebook Connect for the benefits system?

Page 4: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

What is it we do?

3 Main objectives:

• Identifying detailed Use Cases
  • Identity deployment, provisioning and management in a cloud context

• Gap Analysis of existing Identity Management standards and protocols when applied in the context of Cloud
  • Based on Use Cases and Interoperability Profiles
  • Feed analysis back to the WG responsible for a standard

• Define Interoperability Profiles for Identity in the Cloud
  • Profiles will be based on use and combinations of existing standards, protocols and formats

Page 5: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

What is it we do?

• Other objectives:
  • Glossary on Cloud Identity
    • Harmonized set of definitions, terminologies and vocabulary on Identity in the context of Cloud
  • Do not re-invent the wheel
    • Build on existing standards and specifications
  • Strong liaison relationships with other international working groups
    • ITU-T, DMTF

Page 6: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

How serious are we about this?

• Our Technical Committee chairs are:
  • Anil Saldhana (Red Hat)
  • Tony Nadalin (Microsoft)

• Amongst the members of the Technical Committee are:
  • Red Hat, IBM, Microsoft, CA Technologies, Cisco Systems, SAP, EBay, Novell, Ping Identity, Safe Net, Symantec, Boeing Corp, US DOD, Verisign, Akamai, Alfresco, Citrix, Cap Gemini, Google, Rackspace, Axciom, Huawei, Symplified, Thales, Conformity, Skyworth TTG, MIT, Jericho Systems, PrimeKey, Aveksa, Mellanox, Vanguard Integrity Professionals, NZ Govt ...

Page 7: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Current Status

• Three stages:
  • Formalization of Use Cases [Finished]
    OASIS Identity In The Cloud Use Case Document v1.0
  • Gap Analysis of existing IDM standards using the Use Cases [In progress]
  • Defining Profiles for Identity In The Cloud [Scheduled]

Page 8: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Use Cases

• Received 35 Use Cases of Identity Management in the Cloud (in the end, 29 Use Cases were formalized)

• Structure of Use Cases:
  • Description / user story
  • Goal / Desired outcome
  • Categories covered
  • Applicable Deployment Models
  • Actors
  • Systems
  • Notable Services
  • Dependencies
  • Assumptions
  • Process Flow

Page 9: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Use Cases

• Categorizations:
  • Authentication
    • Single Sign On (SSO)
    • Multi-factor Authentication
  • Infrastructure Identity Establishment
  • General Identity Management
    • Infrastructure IdM
    • Federated IdM
  • Authorization
  • Account & Attribute Management
    • Account & Attribute Provisioning
  • Security Tokens
  • Audit & Compliance

Page 10: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Use Cases

• Applicable Deployment and Service Models:
  • Deployment Models:
    • Private
    • Public
    • Community
    • Hybrid
  • Service Models:
    • SaaS
    • PaaS
    • IaaS
    • Other

Page 11: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Use Cases

• Highly ranked Use Cases:
  • Managing Identities at all levels in the Cloud
  • Need for Federated Single Sign On across multiple environments
  • Enterprise to Cloud SSO
  • Auditing
  • Multi-factor Authentication for Privileged User Access
  • Mobile Identity authentication using Cloud Provider

Page 12: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Use Cases

• Mobile Identity Authentication
  • Submitted by Bank of America
  • Use case affects Mobile Banking
  • First step is to do automatic mobile device registration
  • Cloud-based IAM solutions provide identity proofing, credential management, SSO and provisioning capabilities.

Page 13: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Use Cases

• Government Provisioning of Cloud Services
  • Submitted by the Govt. of New Zealand (Colin Wallis)
  • A government employee or contractor logs into a web site where he can configure an environment that utilizes one or more cloud services.
  • Identity proofing and authentication are provided, along with billing, auditing, etc.

Page 14: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

GAP Analysis

• Analysis of Identity Management Use Cases in a Cloud context

Main Question: “Can the desired goal or outcome be achieved using existing standards?”

(Diagram: Analysis, with outputs GAPS and Profile)

Page 15: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

How do we approach the Analysis

• Analyzing how a Use Case can be implemented: what is required?

(Diagram of the USE CASE elements: User Story; Process Flow; Actors; Systems; Services; Assumptions and Dependencies; Goal / Outcome)

Page 16: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity


Scope of analysis

• Focus on the technological challenge: how to get a user story working.

• Not looking at legal, policy or economic perspectives

Page 17: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

How do we approach the Analysis

• Step by step / phased drill-down into more detail

• First pass: identify relevant standards
  – Not reinvent the wheel; we have a broad scope and look at all relevant standards, specifications, recommendations, notes and ‘work in progress’, from both SDOs and non-SDOs
  RESULT: List of standards

• Second pass: coarse analysis
  – Find out where the standards fall short or what we perceive as missing
  – Identify management commonalities and reusable elements
  RESULT: Identified big / obvious gaps

Page 18: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Example of a Use Case

USE CASE: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication

User Story: For services offered in the cloud, identity management and authentication should be decoupled from the cloud services themselves. Users subscribing to cloud services expect and need to have an interoperable identity that can be used to obtain different services from different providers.

Process Flow:
1. User accesses SaaS application
2. Login using external IdP
3. IdP transforms & maps identity to SaaS provider format
4. Access to SaaS application established

Actors:
- Subscriber SaaS Application User
- Subscriber SaaS Provider Administrator

Systems:
- Cloud Identity Mgmt. System
- External Identity Provider

Services:
- Cloud Provider Identity Federation Service
- Cloud Provider Attribute Management Service (identity transform)

Assumptions and Dependencies:
- The federated trust relationship between the SaaS application and the identity provider was previously set up by the Cloud tenant Administrator.
- The user accessing the service is already registered and enrolled with the Identity Provider of choice.

Goal: A user is able to access multiple SaaS applications using a single identity

Page 19: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

Example Analysis of Use Case

• First pass: identified relevant standards:
  – SAML
  – OpenID
  – OAuth
  – SPML
  – SCIM
  – WS-Federation
  – IMI

• Second pass: identified big / obvious gaps:
  – Configuration and association with an IdP is not standardized
  – No standards or rules for mapping or transforming attributes between different (cloud) domains
  – No profiles or standard roles and related attributes
  – No standards for attributes
  – No audit standards for IDM systems
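The identity transform in step 3 of the example use case, and the "mapping or transforming attributes between domains" gap just listed, are what the following added example illustrates; it is not code from the OASIS TC. It assumes a hypothetical per-tenant trust configuration (set up by the tenant administrator, per the use case's assumptions) that names the trusted IdP and maps its attribute names onto a SCIM-style user record, and it rejects assertions from any issuer outside that configuration.

```python
# Constructed sample trust configuration (assumption): which IdPs the tenant
# administrator federated with, and how each IdP's attribute names map onto the
# SaaS provider's SCIM-style user schema.
TRUST_CONFIG = {
    "https://idp.example.org": {  # hypothetical IdP entity id
        "attribute_map": {"mail": "userName", "givenName": "name.givenName",
                          "sn": "name.familyName", "memberOf": "groups"},
        "required": {"mail"},
    },
}

def _set_path(target, dotted_path, value):
    """Assign value at a dotted path, creating nested dicts (e.g. name.givenName)."""
    parts = dotted_path.split(".")
    for part in parts[:-1]:
        target = target.setdefault(part, {})
    target[parts[-1]] = value

def transform_identity(assertion, trust_config=TRUST_CONFIG):
    """Step 3 of the process flow: map a trusted IdP's assertion onto the SaaS
    provider's user format. Raises ValueError for an issuer the tenant
    administrator never federated with, or for a missing required attribute,
    so that no partial or unauthenticated account is created."""
    issuer = assertion.get("issuer")
    policy = trust_config.get(issuer)
    if policy is None:
        raise ValueError(f"untrusted identity provider: {issuer!r}")
    attrs = assertion.get("attributes", {})
    missing = policy["required"] - set(attrs)
    if missing:
        raise ValueError(f"assertion lacks required attributes: {sorted(missing)}")
    # Qualify the subject with its issuer so two IdPs cannot collide on "alice".
    user = {"externalId": f"{issuer}#{assertion['subject']}"}
    for src, dst in policy["attribute_map"].items():
        if src in attrs:  # attributes without a mapping are dropped, never passed through
            _set_path(user, dst, attrs[src])
    return user

# Constructed sample assertion, as an IdP might return it after login (step 2).
SAMPLE_ASSERTION = {
    "issuer": "https://idp.example.org",
    "subject": "alice",
    "attributes": {"mail": "alice@example.org", "givenName": "Alice",
                   "sn": "Liddell", "memberOf": ["staff"], "x-internal": "drop"},
}

if __name__ == "__main__":
    print(transform_identity(SAMPLE_ASSERTION))
```

Because the mapping table is per IdP and per tenant, the example also shows why the TC flags the lack of a standard for it: every SaaS provider would otherwise have to invent its own.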

Page 20: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity

‘Early’ profiles start to surface

• Interoperability profiles (combinations of standards and protocols) become visible as identity management patterns surface

• E.g. the pattern of how we nowadays think about the identity eco-system (IdP, RP, AP, etc.)

Page 21: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity


Conclusions and next steps

• Produced in-depth work providing good understanding of Identity Management in a Cloud context with respect to technical standards-based feasibility

• Unsure how to deal with implicit details of use cases: e.g. trust space, attribute space, privacy space

• Suggest future work to fill the gaps

Page 22: Oasis Identity in the Cloud (IDCloud) Towards standardizing Cloud Identity


Resources

• OASIS IDCloud Technical Committee Homepage

http://www.oasis-open.org/committees/id-cloud/

• OASIS Technical Committee Wiki

http://wiki.oasis-open.org/id-cloud/FrontPage

[email protected]

[email protected]