Thursday, November 25, 2010

Information and Comments on OASIS Identity in the Cloud (IDCloud) TC

The OASIS Identity in the Cloud (IDCloud) TC is composed of leading IAM experts in the industry and is now working on defining various use cases for identity and access management in the Cloud.

At the time of this writing, in late 2010, sample use cases have been proposed, including identities for managing virtual machines and middleware, and identities used in IaaS, PaaS, and SaaS. There are also use cases for Federated Single Sign-On using Kerberos and SAML 2.0.

The use cases are still under development, and in my view we need to define at least some common terms to formalize each use case. For example, the user community should include the following categories, similar to the approach taken by Ping Identity's CEO and Symplified's CTO, but elaborated further.


Cloud Administrator:  

A person who is responsible for managing other types of users in the cloud computing environment. The duties of a Cloud Administrator are wide-ranging and vary widely from one organization to another. Cloud Administrators are usually charged with manually creating other types of users (if this is part of the IAM process and procedures), resetting passwords for other users, unlocking users who have failed a certain number of login attempts and have been locked out by the Cloud Provider, running auditing and compliance reports, assisting in criminal investigations if there are security breaches or access violations in the use of the Cloud service, creating Virtual Machines, allocating Virtual CPU time and network bandwidth, configuring Virtual Firewalls, etc. Other duties may include scripting or light programming against the Cloud Provider's Web Service API, monitoring cloud service usage, and bringing down or starting certain cloud services. The Cloud Administrator can come from the Cloud Provider or from within the Cloud Consumer's organization.

It is important to follow the Separation of Duty principle: the Cloud Administrator should not be able to see or change sensitive information about other users, such as salary, date of birth, or medical information. A Cloud Administrator should have basic Cloud Computing skills and should understand Cloud Computing concepts and key supporting technologies. Organizations recruiting a Cloud Administrator should conduct a background investigation and carefully interview and examine the candidate before making an offer of hire.


Help Desk Users:

If there are many users (for example, millions of users of a cloud service), they must be supported by multi-tier help desk staff: level-one help desk staff, level-two system support staff, and level-three cloud administrators. Authorized help desk users have the ability to change system parameters, select regular users' security settings, and adjust other configuration details through standard cloud user management tools.
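The two preceding roles describe a tiered permission model with one hard rule cut across it: administrators may unlock accounts and reset passwords, but must never read or change another user's sensitive attributes. The following is an added example, written for this page and not code from the OASIS TC or the post's author, that models that policy. The role names (`help_desk_l1`, `help_desk_l2`, `cloud_admin`, `regular_user`), the lockout threshold, and the sample users are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Attributes that only the user themselves may read or change. Administrative
# roles are denied even when they hold the generic read/update permission,
# which is the Separation of Duty rule from the post.
SENSITIVE_ATTRIBUTES = frozenset({"salary", "date_of_birth", "medical_record"})

# Hypothetical role names and their permitted actions (constructed to follow
# the help desk tiers and administrator duties described above).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "regular_user": {"read_self", "update_self"},
    "help_desk_l1": {"reset_password"},
    "help_desk_l2": {"reset_password", "unlock_user"},
    "cloud_admin": {"create_user", "reset_password", "unlock_user",
                    "read_attribute", "update_attribute", "run_audit_report"},
}

MAX_FAILED_LOGINS = 5  # constructed lockout threshold


class AccessDenied(Exception):
    """Raised when the policy refuses an action."""


@dataclass
class User:
    username: str
    roles: Set[str]
    password: str
    attributes: Dict[str, str] = field(default_factory=dict)
    failed_logins: int = 0
    locked: bool = False


class Directory:
    """Minimal user store with lockout handling and an audit trail."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.audit: List[str] = []

    def add_user(self, user: User) -> None:
        self.users[user.username] = user

    def permissions_of(self, actor: User) -> Set[str]:
        perms: Set[str] = set()
        for role in actor.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def authorize(self, actor: User, action: str, target: User,
                  attribute: Optional[str] = None) -> None:
        """Allow-list check, then an attribute-level deny for sensitive data of others."""
        perms = self.permissions_of(actor)
        self_service = actor.username == target.username
        if self_service and action in ("read_attribute", "update_attribute"):
            needed = "read_self" if action == "read_attribute" else "update_self"
            if needed in perms:  # regular users may handle their own record
                self.audit.append(f"ALLOW {actor.username} {action}:{attribute} self")
                return
        if action not in perms:
            self.audit.append(f"DENY {actor.username} {action} on {target.username}: no permission")
            raise AccessDenied(f"{actor.username} may not {action}")
        if attribute in SENSITIVE_ATTRIBUTES and not self_service:
            self.audit.append(f"DENY {actor.username} {action}:{attribute} on {target.username}: sensitive")
            raise AccessDenied(f"{actor.username} may not touch {attribute} of {target.username}")
        self.audit.append(f"ALLOW {actor.username} {action}:{attribute} on {target.username}")

    def login(self, username: str, password: str) -> bool:
        """Count failures and lock the account once the threshold is reached."""
        user = self.users[username]
        if user.locked:
            return False
        if password == user.password:
            user.failed_logins = 0
            return True
        user.failed_logins += 1
        if user.failed_logins >= MAX_FAILED_LOGINS:
            user.locked = True
        return False

    def unlock_user(self, actor: User, target: User) -> None:
        self.authorize(actor, "unlock_user", target)
        target.locked = False
        target.failed_logins = 0

    def read_attribute(self, actor: User, target: User, attribute: str) -> str:
        self.authorize(actor, "read_attribute", target, attribute)
        return target.attributes[attribute]


def demo() -> Dict[str, object]:
    """Walk a locked-out user through the tiers; returns the observed outcomes."""
    d = Directory()
    alice = User("alice", {"regular_user"}, "s3cret",
                 {"email": "alice@example.test", "salary": "90000"})  # constructed
    bob_l1 = User("bob", {"help_desk_l1"}, "pw1")
    carol_l2 = User("carol", {"help_desk_l2"}, "pw2")
    dave_admin = User("dave", {"cloud_admin"}, "pw3")
    for u in (alice, bob_l1, carol_l2, dave_admin):
        d.add_user(u)
    for _ in range(MAX_FAILED_LOGINS):
        d.login("alice", "wrong-password")
    out: Dict[str, object] = {"locked_after_failures": alice.locked}
    try:
        d.unlock_user(bob_l1, alice)
        out["l1_can_unlock"] = True
    except AccessDenied:
        out["l1_can_unlock"] = False
    d.unlock_user(carol_l2, alice)  # level two is allowed to unlock
    out["login_after_unlock"] = d.login("alice", "s3cret")
    out["admin_reads_email"] = d.read_attribute(dave_admin, alice, "email")
    try:
        d.read_attribute(dave_admin, alice, "salary")
        out["admin_sees_salary"] = True
    except AccessDenied:
        out["admin_sees_salary"] = False
    out["own_salary"] = d.read_attribute(alice, alice, "salary")
    out["denials_logged"] = sum(1 for line in d.audit if line.startswith("DENY"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deny for sensitive attributes is checked after the role allow-list rather than folded into it, so adding a new administrative role can never accidentally grant access to salary or medical fields; every refusal also lands in the audit trail, which is what the post's auditing and compliance reports would be built from.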


Regular Users:

Depending on the type of Cloud Service the Cloud Consumer leverages from the Cloud Provider, the regular user can be an internal user within the Cloud Consumer's organization (if it is an internal application such as an HR application) or a member of the general public (if this is a B2C environment such as internet shopping).


Contractors:  

The Cloud Consumer can hire a contractor to use the cloud service to conduct outsourced business activities. In this case, the Cloud Consumer needs to make sure that the contractor's identity is established before the contractor can use the cloud service. The Cloud Provider can also use contractors to run part of its business, and should make sure the identities of such contractors are kept separate from those of regular users because of data privacy, privilege management, and access control concerns.


Partners:

Both the Cloud Consumer and the Cloud Provider can have business partners, and their identities in the Cloud must be established before they can use the Cloud Service.


After use case formalization, the next step for IDCloud is a deep gap analysis of existing IAM standards such as SAML, SPML, WS-Federation, etc., against the use cases needed for IAM in the Cloud. The final step for IDCloud is to create profiles of the use cases, which can then be used as recommended profiles by Cloud Identity providers.

Overall, this will be a gradual process and may take a few years to reach the finish line.
