1. Use Case Template

Each use case is presented in the following normative template for ease of comparison:

Description / User Story
Goal or Desired Outcome
Categories Covered
Applicable Deployment Models
Actors
Systems
Notable Services
Dependencies
Assumptions
Process Flow

1.1 Description / User Story
A general description of the use case, in consumer language, that highlights the compelling need for one or more aspects of Identity Management while interacting with a cloud deployment model.

1.2 Goal or Desired Outcome
A general description of the intended outcome of the use case, including any artifacts created.

1.3 Categories Covered
A listing of the Identity Management categories covered by the use case (as identified in section XXX).

1.4 Applicable Deployment and Service Models
A listing of the cloud deployment and service models covered by the use case (as identified in section XXX). These categories include:

Cloud Deployment Models
○ Private
○ Public
○ Community
○ Hybrid
Service Models
○ Software-as-a-Service (SaaS)
○ Platform-as-a-Service (PaaS)
○ Infrastructure-as-a-Service (IaaS)
○ Other (i.e. other “as-a-Service” Models)

1.5 Actors
A listing of the actors or roles that take part in the use case.

1.6 Systems
TBD

1.7 Notable Services
A listing of services (security or otherwise) that contribute to the identity management aspects of the use case.

1.8 Dependencies
A listing of any dependencies the use case has as a precondition.

1.9 Assumptions
A listing of any assumptions made about the use case, including its actors, services, environment, etc.

1.10 Process Flow
A detailed stepwise flow of the actions that comprise the use case.

2. Use Cases

2.1 Use Case 1: Application and Virtualization Security in the Cloud

2.1.1 Description / User Story
Cloud Computing environments have one or more virtual machines/images running on a Host Operating system on a server. Applications run inside these virtual machines (Guest Operating systems).
Applications can also run directly on the host operating system. Identities can be associated with each of these virtual machines, and identities can be associated with the applications running on that server (including the virtual machines). Virtual machines can be owned by different owners. There are identities that administer the virtual machines and identities that use the applications; the virtual machine identities may not be the same as the application identities. Authentication and validation of identities by the cloud infrastructure alone may not be sufficient for the owners of the virtual machines.

2.1.2 Goal or Desired Outcome
Identities are separated, and ownership of identity is not limited to the cloud provider: there could be one or more identity services (e.g. Amazon owns one, the customer owns another). Since a cloud server can have multiple virtual machines, and applications run on these guest operating systems, it is important to manage the identities that exist in the host operating system, in the virtual machines and in the applications. Additionally, it should be possible for VM owners to do their own proofing of identities.

2.1.3 Notable Categorizations and Aspects

Categories Covered:
Primary: Infrastructure IdM; General Identity Management (IM)
Secondary: Acct and Attr Mgmt.; FIM

Actors:
Server Administrator
Virtual Machine Owner
Virtual Machine Administrator
Application Deployer
Application User

Applicable Deployment and Service Models:
Cloud Deployment Models
○ Private (F)
○ Public (F)
○ Community
○ Hybrid
Service Models
○ Software-as-a-Service (SaaS) (S)
○ Platform-as-a-Service (PaaS) (F)
○ Infrastructure-as-a-Service (IaaS) (F)

Systems: None

Notable Services:
Virtual Machines
Hypervisors
Host Operating System
Cloud Identity Stores (transformation of identities)

Dependencies: None

Assumptions:
Multiple virtual machines run on a single host operating system.
Not all virtual machines running on a single host operating system are owned by a single entity.
2.1.4 Process Flow
1. A Server Administrator (one type of identity) administers a server in the cloud. He has privileges to administer the host operating system and its services.
2. A Virtual Machine Owner (an identity) or a Virtual Machine Administrator (an identity) commissions a virtual machine to run on this server.
3. An Application Deployer (an identity) then deploys an application on a virtual machine.
4. An Application User (an identity) then makes use of this application.
5. The Server Administrator, Virtual Machine Owner, Application Owner and Application User identities are authenticated/validated/transformed against an identity store/service that exists in the cloud.
6. The cloud identity system can transform a federated identity to a local identity if needed.
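The separation of identity stores by layer and owner that steps 5 and 6 describe, as an added illustrative model (not part of the use-case document): the provider owns the host-layer store, a customer owns the VM-layer store and proofs its own identities, and a store maps a federated identity from a trusted issuer to a local one. All store, issuer and subject names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Identity:
    issuer: str   # who asserted this identity, e.g. "provider-idp" or "customer-idp" (constructed)
    subject: str  # subject name as issued
    role: str     # e.g. "server_admin", "vm_owner", "app_user"

@dataclass
class IdentityStore:
    owner: str                       # entity that operates this store and proofs its identities
    layer: str                       # "host", "vm" or "app"
    local_users: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (issuer, subject) -> local id
    trusted_issuers: Set[str] = field(default_factory=set)                  # federated issuers accepted

    def resolve(self, ident: Identity) -> Optional[str]:
        """Return the local identity for `ident`, or None if this store cannot vouch for it."""
        key = (ident.issuer, ident.subject)
        if key in self.local_users:
            return self.local_users[key]
        if ident.issuer in self.trusted_issuers:
            # Federated identity from a trusted issuer: transform it into a local identity (step 6).
            local = f"{ident.issuer}:{ident.subject}@{self.layer}"
            self.local_users[key] = local
            return local
        return None  # unknown issuer: the store owner has not proofed this identity

def authenticate(stores, ident: Identity, layer: str) -> Optional[Tuple[str, str]]:
    """Validate `ident` for `layer` (step 5); return (store owner, local identity) or None."""
    for store in stores:
        if store.layer != layer:
            continue
        local = store.resolve(ident)
        if local is not None:
            return (store.owner, local)
    return None

# Constructed sample deployment: the provider owns the host store, "customer-a" owns the VM store.
STORES = [
    IdentityStore(owner="cloud-provider", layer="host",
                  local_users={("provider-idp", "alice"): "host:alice"}),
    IdentityStore(owner="customer-a", layer="vm",
                  local_users={("customer-idp", "bob"): "vm:bob"},
                  trusted_issuers={"partner-idp"}),
]
```

A provider-issued identity is accepted for host administration but is not automatically accepted at the VM layer, because the customer's store has not proofed it; a federated identity from an issuer the customer trusts is transformed into a VM-local identity on first use.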