www.oasis-open.org

OASIS Identity in the Cloud (IDCloud)
Towards standardizing Cloud Identity
Anil Saldhana (Red Hat), Co-Chair
Gershon Janssen, Secretary

Cloud Identity Management
• TC works to address Identity Management challenges related to Cloud Computing
• Cloud Identity Management is considered a top security concern
• Identity Management is not completely solved at the Enterprise level
• Standards are evolving
• Cloud is a new paradigm, so the same problems appear in new packaging

Before we start
• How many of you have Facebook, Google, LinkedIn or any similar Cloud Service accounts?
• Imagine a company uses a public cloud for its documents. An employee leaves the company. The employee is decommissioned. What happened to the documents?
• A small manufacturing company requires its employees to use an online benefits system annually, to choose health care benefits for the entire year. The employees work in workshops/units and do not use computers regularly at work. The majority of them have Facebook accounts. Do you think they will remember their Benefits system password as well as their Facebook password? Should we use Facebook Connect for the Benefits system?

What is it we do?
3 Main objectives:
• Identifying detailed Use Cases
  – Identity deployment, provisioning and management in a cloud context
• Gap Analysis of existing Identity Management standards and protocols when applied in the context of Cloud
  – Based on Use Cases and Interoperability Profiles
  – Feed analysis back to the WG responsible for a standard
• Define Interoperability Profiles for Identity in the Cloud
  – Profiles will be based on use and combinations of existing standards, protocols and formats

What is it we do?
• Other objectives:
  – Glossary on Cloud Identity
    • Harmonized set of definitions, terminologies and vocabulary on Identity in the context of Cloud
  – Do not re-invent the wheel
    • Build on existing standards and specifications
  – Strong liaison relationships with other international working groups
    • ITU-T, DMTF

How serious are we about this?
• Our Technical Committee chairs are:
  – Anil Saldhana (Red Hat)
  – Tony Nadalin (Microsoft)
• Amongst the members of the Technical Committee are:
  – Red Hat, IBM, Microsoft, CA Technologies, Cisco Systems, SAP, eBay, Novell, Ping Identity, SafeNet, Symantec, Boeing Corp, US DOD, VeriSign, Akamai, Alfresco, Citrix, Capgemini, Google, Rackspace, Acxiom, Huawei, Symplified, Thales, Conformity, Skyworth TTG, MIT, Jericho Systems, PrimeKey, Aveksa, Mellanox, Vanguard Integrity Professionals, NZ Govt ...

Current Status
• Three stages:
  – Formalization of Use Cases [Finished] → OASIS Identity In The Cloud Use Case Document v1.0
  – Gap Analysis of existing IDM standards using the Use Cases [In progress]
  – Defining Profiles for Identity In The Cloud [Scheduled]

Use Cases
• Received 35 Use Cases of Identity Management in the Cloud (finally, 29 Use Cases are formalized)
• Structure of Use Cases:
  – Description / user story
  – Goal / Desired outcome
  – Categories covered
  – Applicable Deployment Models
  – Actors
  – Systems
  – Notable Services
  – Dependencies
  – Assumptions
  – Process Flow

Use Cases
• Categorizations:
  – Authentication
  – Single Sign On (SSO)
  – Multi-factor Authentication
  – Infrastructure Identity Establishment
  – General Identity Management
  – Infrastructure IdM
  – Federated IdM
  – Authorization
  – Account & Attribute Management
  – Account & Attribute Provisioning
  – Security Tokens
  – Audit & Compliance

Use Cases
• Applicable Deployment and Service Models:
  – Deployment Models: Private, Public, Community, Hybrid
  – Service Models: SaaS, PaaS, IaaS, Other

Use Cases
• High Ranked Use Cases:
  – Managing Identities at all levels in the Cloud
  – Need for Federated Single Sign On across multiple environments
  – Enterprise to Cloud SSO
  – Auditing
  – Multi-factor Authentication for Privileged User Access
  – Mobile Identity authentication using Cloud Provider

Use Cases
• Mobile Identity Authentication
  – Submitted by Bank of America
  – Use case affects Mobile Banking
  – First step is to do automatic mobile device registration
  – Cloud based IAM solutions provide identity proofing, credential management, SSO and Provisioning capabilities.

Use Cases
• Government Provisioning of Cloud Services
  – Submitted by Govt. of New Zealand (Colin Wallis)
  – Government employee or contractor logs into a web site where he can configure an environment that utilizes one or more cloud services.
  – Identity proofing and authentication, along with billing, auditing etc., are provided.

Analysis

GAP Analysis
• Analysis of Identity Management Use Cases in a Cloud context
• Main Question: “Can the desired goal or outcome be achieved using existing standards?”
• GAPS:
• Profile:

How do we approach the Analysis
• Analyzing how a Use Case can be implemented: What is required?
• USE CASE elements examined: Goal / Outcome, User Story, Process Flow, Actors, Systems, Services, Assumptions and Dependencies

Scope of analysis
• Focus on the technological challenge: how to get a user story working.
• Not looking at legal, policy or economic perspectives

How do we approach the Analysis
• Step by step / phased drill-down into more detail
• First pass: identify relevant standards
  – Not reinvent the wheel; we have a broad scope and look at all relevant standards, specifications, recommendations, notes and ‘work in progress’, from both SDOs and non-SDOs
  RESULT: List of standards
• Second pass: coarse analysis
  – Find out where the standards fall short or what we perceive as missing
  – Identify Identity Management commonalities and reusable elements
  RESULT: Identified big / obvious gaps

Example of a Use Case
USE CASE: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication
User Story: For services offered in the cloud, identity management and authentication should be decoupled from the cloud services themselves. Users subscribing to cloud services expect and need to have an interoperable identity that would be used to obtain different services from different providers.
Goal: A user is able to access multiple SaaS applications using a single identity
Process Flow:
1. User accesses SaaS application
2. Login using external IdP
3. IdP transforms & maps identity to SaaS provider format
4. Access to SaaS application established
Actors:
- Subscriber SaaS Application User
- Subscriber SaaS Provider Administrator
Systems:
- Cloud Identity Mgmt. System
- External Identity Provider
Services:
- Cloud Provider Identity Federation Service
- Cloud Provider Attribute Management Service (identity transform)
Assumptions and Dependencies:
- The federated trust relationship between the SaaS application and the identity provider was previously set up by the Cloud tenant Administrator.
- The user accessing the service is already registered and enrolled with the Identity Provider of choice.
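The process flow above (steps 2 to 4), as an added illustration that is not part of this deck or of any OASIS specification: a small Python model in which the SaaS side first enforces the pre-established trust relationship named in the assumptions, and only then lets the IdP's attributes be transformed into its own format. The issuer URL, attribute names, group-to-role table and the sample assertion are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class FederationConfig:
    """Trust relationship pre-set by the cloud tenant administrator (assumption 1)."""
    trusted_issuers: set      # IdPs this SaaS tenant accepts assertions from
    audience: str             # identifier of this SaaS application
    attribute_map: dict       # IdP attribute name -> SaaS attribute name
    role_map: dict            # IdP group -> SaaS role

def validate_assertion(assertion: dict, cfg: FederationConfig, now: int) -> None:
    """Step 2: accept the external IdP's assertion only if the trust assumption holds."""
    if assertion.get("issuer") not in cfg.trusted_issuers:
        raise PermissionError("untrusted issuer: %r" % assertion.get("issuer"))
    if assertion.get("audience") != cfg.audience:
        raise PermissionError("assertion not addressed to this SaaS application")
    if now >= assertion.get("expires_at", 0):
        raise PermissionError("assertion expired")

def transform_identity(assertion: dict, cfg: FederationConfig) -> dict:
    """Step 3: map IdP attributes to the SaaS provider's format. Attributes with
    no mapping are dropped, so the SaaS side only sees attributes it understands."""
    attrs = assertion["attributes"]
    identity = {cfg.attribute_map[k]: v for k, v in attrs.items() if k in cfg.attribute_map}
    identity["issuer"] = assertion["issuer"]
    # Group membership becomes a SaaS role; unknown groups confer nothing.
    identity["roles"] = sorted({cfg.role_map[g] for g in attrs.get("memberOf", []) if g in cfg.role_map})
    return identity

def federated_login(assertion: dict, cfg: FederationConfig, now: int) -> dict:
    """Steps 2-4: validate, transform, and return the identity the SaaS session is built on."""
    validate_assertion(assertion, cfg, now)
    return transform_identity(assertion, cfg)

# Constructed sample data (assumed names, not from the deck) so the module runs stand-alone.
CFG = FederationConfig(
    trusted_issuers={"https://idp.tenant.example"},
    audience="saas-app-42",
    attribute_map={"mail": "email", "displayName": "name", "uid": "subject"},
    role_map={"cn=finance,ou=groups": "billing_viewer", "cn=admins,ou=groups": "admin"},
)
SAMPLE_ASSERTION = {
    "issuer": "https://idp.tenant.example", "audience": "saas-app-42", "expires_at": 1_700_000_600,
    "attributes": {"uid": "jdoe", "mail": "jdoe@tenant.example", "displayName": "J. Doe",
                   "employeeNumber": "12345",          # no mapping: must not leak through
                   "memberOf": ["cn=finance,ou=groups", "cn=staff,ou=groups"]},
}

if __name__ == "__main__":
    print(federated_login(SAMPLE_ASSERTION, CFG, now=1_700_000_000))
```

The attribute_map and role_map are exactly the tenant-specific, non-standardized configuration that the gap analysis of this use case identifies: every SaaS provider has to define its own.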
Example Analysis of Use Case
• First pass: identified relevant standards:
  – SAML, OpenID, OAuth, SPML, SCIM, WS-Federation, IMI
• Second pass: identified big / obvious gaps
  – Configuration and association with an IdP is not standardized
  – No standards or rules for mapping or transforming attributes between different (cloud) domains.
  – No profiles or standard roles and related attributes
  – No standards for attributes
  – No audit standards for IDM systems

‘Early’ profiles start to surface
• Interoperability profiles (combinations of standards and protocols) become visible as identity management patterns surface
• E.g. the pattern of how we nowadays think about the identity ecosystem (IdP, RP, AP, etc.)

Conclusions and next steps
• Produced in-depth work providing a good understanding of Identity Management in a Cloud context with respect to technical standards-based feasibility
• Unsure how to deal with implicit details of use cases: e.g. trust space, attribute space, privacy space
• Suggest future work to fill the gaps

Resources
• OASIS IDCloud Technical Committee Homepage
  http://www.oasis-open.org/committees/id-cloud/
• OASIS Technical Committee Wiki
  http://wiki.oasis-open.org/id-cloud/FrontPage

Anil.Saldhana@redhat.com
Gershon.Janssen@gmail.com