1
OASIS Identity in the Cloud (IDCloud): Towards standardizing Cloud Identity
Anil Saldhana (Red Hat), Co-Chair
Gershon Janssen, Secretary
2
Cloud Identity Management
The TC works to address Identity Management challenges related to Cloud Computing.
Cloud Identity Management is considered a top security concern.
Identity Management is not completely solved even at the Enterprise level.
Standards are evolving.
Cloud is a new paradigm, but many of the same problems reappear in new packaging.
3
Before we start
How many of you have Facebook, Google, LinkedIn or any similar Cloud Service accounts?
Imagine a company uses a public cloud for its documents. An employee leaves the company and the employee's account is decommissioned. What happened to the documents?
A small manufacturing company requires its employees to use an online benefits system annually, to choose health care benefits for the entire year. The employees work in workshops/units and do not use computers regularly at work. The majority of them have Facebook accounts. Do you think they will remember their Benefits system password as well as their Facebook password? Should we use Facebook Connect for the Benefits system?
4
What is it we do? Three main objectives:
Identifying detailed Use Cases: identity deployment, provisioning and management in a cloud context.
Gap Analysis of existing Identity Management standards and protocols when applied in the context of Cloud, based on the Use Cases and Interoperability Profiles; feed the analysis back to the WG responsible for each standard.
Define Interoperability Profiles for Identity in the Cloud; profiles will be based on the use and combination of existing standards, protocols and formats.
5
What is it we do? Other objectives:
Glossary on Cloud Identity: a harmonized set of definitions, terminology and vocabulary on Identity in the context of Cloud.
Do not re-invent the wheel: build on existing standards and specifications.
Strong liaison relationships with other international working groups (ITU-T, DMTF).
6
How serious are we about this?
Our Technical Committee chairs are: Anil Saldhana (Red Hat), Tony Nadalin (Microsoft).
Amongst the members of the Technical Committee are: Red Hat, IBM, Microsoft, CA Technologies, Cisco Systems, SAP, EBay, Novell, Ping Identity, Safe Net, Symantec, Boeing Corp, US DOD, Verisign, Akamai, Alfresco, Citrix, Cap Gemini, Google, Rackspace, Axciom, Huawei, Symplified, Thales, Conformity, Skyworth TTG, MIT, Jericho Systems, PrimeKey, Aveksa, Mellanox, Vanguard Integrity Professionals, NZ Govt ...
7
Current Status: three stages
Formalization of Use Cases [Finished]: OASIS Identity In The Cloud Use Case Document v1.0
Gap Analysis of existing IDM standards using the Use Cases [In progress]
Defining Profiles for Identity In The Cloud [Scheduled]
8
Use Cases
Received 35 Use Cases of Identity Management in the Cloud, of which 29 were finally formalized.
Structure of a Use Case: Description / user story; Goal / desired outcome; Categories covered; Applicable Deployment Models; Actors; Systems; Notable Services; Dependencies; Assumptions; Process Flow.
9
Use Cases: Categorizations
Authentication: Single Sign On (SSO), Multi-factor Authentication
Infrastructure Identity Establishment
General Identity Management: Infrastructure IdM, Federated IdM
Authorization
Account & Attribute Management
Account & Attribute Provisioning
Security Tokens
Audit & Compliance
10
Use Cases: Applicable Deployment and Service Models
Deployment Models: Private, Public, Community, Hybrid
Service Models: SaaS, PaaS, IaaS, Other
11
Use Cases: High Ranked Use Cases
Managing Identities at all levels in the Cloud
Need for Federated Single Sign On across multiple environments
Enterprise to Cloud SSO
Auditing
Multi-factor Authentication for Privileged User Access
Mobile Identity authentication using Cloud Provider
12
Use Cases: Mobile Identity Authentication
Submitted by Bank of America.
The use case affects Mobile Banking. The first step is automatic mobile device registration. Cloud-based IAM solutions provide identity proofing, credential management, SSO and provisioning capabilities.
13
Use Cases: Government Provisioning of Cloud Services
Submitted by Govt. Of New Zealand (Colin Walis).
A government employee or contractor logs into a web site where he can configure an environment that utilizes one or more cloud services. Identity proofing and authentication are provided, along with billing, auditing, etc.
14
Gap Analysis
Analysis of Identity Management Use Cases in a Cloud context.
Main Question: "Can the desired goal or outcome be achieved using existing standards?"
[Diagram: Use Cases lead to identified Gaps and to a Profile]
15
How do we approach the Analysis
Analyzing how a Use Case can be implemented: what is required?
Elements of the Use Case considered: User Story; Goal / Outcome; Process Flow; Actors; Systems; Services; Assumptions and Dependencies.
16
Scope of analysis: focus on the technological challenge, i.e. how to get a user story working. We are not looking at legal, policy or economic perspectives.
17
How do we approach the Analysis
Step by step / phased drill-down into more detail.
First pass: identify relevant standards. Do not reinvent the wheel; we have a broad scope and look at all relevant standards, specifications, recommendations, notes and 'work in progress', from both SDOs and non-SDOs. RESULT: a list of standards.
Second pass: coarse analysis. Find out where the standards fall short or what we perceive as missing; identify identity management commonalities and reusable elements. RESULT: identified big / obvious gaps.
18
Example of a Use Case
USE CASE: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication
User Story: For services offered in the cloud, identity management and authentication should be decoupled from the cloud services themselves. Users subscribing to cloud services expect and need to have an interoperable identity that can be used to obtain different services from different providers.
Goal: A user is able to access multiple SaaS applications using a single identity.
Process Flow:
1. User accesses the SaaS application
2. User logs in using an external IdP
3. IdP transforms & maps the identity to the SaaS provider's format
4. Access to the SaaS application is established
Actors: Subscriber SaaS Application User; Subscriber SaaS Provider Administrator
Systems: Cloud Identity Mgmt. System; External Identity Provider
Services: Cloud Provider Identity Federation Service; Cloud Provider Attribute Management Service (identity transform)
Assumptions and Dependencies: The federated trust relationship between the SaaS application and the identity provider was previously set up by the Cloud tenant Administrator. The user accessing the service is already registered and enrolled with the Identity Provider of choice.
19
Example Analysis of Use Case
First pass, identified relevant standards: SAML, OpenID, OAuth, SPML, SCIM, WS-Federation, IMI.
Second pass, identified big / obvious gaps:
Configuration and association with an IdP is not standardized.
No standards or rules for mapping or transforming attributes between different (cloud) domains.
No profiles or standard roles and related attributes.
No standards for attributes.
No audit standards for IDM systems.
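The four-step process flow of the SSO use case above, together with the attribute-mapping gap named in its analysis, as an added worked example. This is illustration code written for this page, not code from the OASIS IDCloud TC or from any of the listed standards; the entity IDs, the user record, the attribute map and the HMAC shared key standing in for an IdP signing certificate are constructed assumptions. A real deployment would carry the assertion as a SAML assertion or an OpenID Connect ID token, but the checks the relying party must make are the same.

```python
"""Federated SSO walk-through (added illustration, not OASIS IDCloud code).

Models the use case's process flow: (1) user accesses the SaaS app,
(2) user logs in at an external IdP, (3) the IdP maps the identity to the
SaaS provider's attribute format and signs an assertion, (4) the SaaS app
validates the assertion and establishes access. Every identifier, key and
record below is a constructed assumption for the example.
"""
import hashlib
import hmac
import json
import secrets
import time

SP_ENTITY_ID = "https://saas.example.com"    # assumed SaaS provider (relying party)
IDP_ENTITY_ID = "https://idp.example.org"    # assumed external identity provider

# Use-case assumption 1: the tenant administrator set up the trust earlier.
# A shared HMAC key stands in for the IdP signing certificate (constructed value).
FEDERATION_KEY = b"configured-by-tenant-admin-out-of-band"

# Use-case assumption 2: the user is already enrolled at the IdP (constructed record).
IDP_USERS = {
    "alice": {"mail": "alice@example.org", "displayName": "Alice Liddell",
              "memberOf": ["finance", "staff"], "employeeNumber": "1042"},
}
# The gap the analysis names: no standard says how IdP attributes map to a
# relying party's names, so each IdP/SP pair carries its own table.
ATTRIBUTE_MAP_FOR_SP = {
    SP_ENTITY_ID: {"mail": "email", "displayName": "name", "memberOf": "groups"},
}

ASSERTION_LIFETIME = 300      # seconds an assertion stays valid
_pending_requests = set()     # SP side: nonces of logins it started in step 1


def sp_start_login():
    """Step 1: user hits the SaaS app, which issues an authentication request."""
    nonce = secrets.token_hex(16)
    _pending_requests.add(nonce)
    return {"issuer": SP_ENTITY_ID, "nonce": nonce}


def idp_issue_assertion(request, username, now=None):
    """Steps 2-3: user authenticates at the IdP; the IdP maps the identity into
    the requesting relying party's attribute format and signs the assertion."""
    now = int(now if now is not None else time.time())
    user = IDP_USERS[username]                       # KeyError: not enrolled
    mapping = ATTRIBUTE_MAP_FOR_SP[request["issuer"]]  # KeyError: unknown relying party
    # Only mapped attributes leave the IdP; employeeNumber is never released.
    attrs = {sp_name: user[idp_name]
             for idp_name, sp_name in mapping.items() if idp_name in user}
    body = {"issuer": IDP_ENTITY_ID, "audience": request["issuer"],
            "subject": username, "nonce": request["nonce"],
            "iat": now, "exp": now + ASSERTION_LIFETIME, "attributes": attrs}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(FEDERATION_KEY, encoded, hashlib.sha256).hexdigest()
    return encoded.decode() + "." + tag          # tag is hex, so the last '.' splits


def sp_consume_assertion(assertion, now=None):
    """Step 4: the SaaS app validates the assertion and establishes access.
    Raises ValueError on any failed check instead of granting access."""
    now = int(now if now is not None else time.time())
    encoded, _, tag = assertion.rpartition(".")
    expected = hmac.new(FEDERATION_KEY, encoded.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature check failed")
    body = json.loads(encoded)
    if body["issuer"] != IDP_ENTITY_ID:
        raise ValueError("assertion from an IdP the tenant did not federate with")
    if body["audience"] != SP_ENTITY_ID:
        raise ValueError("assertion addressed to another relying party")
    if not body["iat"] <= now < body["exp"]:
        raise ValueError("assertion expired or not yet valid")
    if body["nonce"] not in _pending_requests:
        raise ValueError("unsolicited or replayed assertion")
    _pending_requests.discard(body["nonce"])     # single use: defeats replay
    return {"subject": body["subject"], **body["attributes"]}


if __name__ == "__main__":
    req = sp_start_login()
    token = idp_issue_assertion(req, "alice")
    print(sp_consume_assertion(token))
```

The checks in sp_consume_assertion are the ones the use case's assumptions imply but do not spell out: the assertion must come from the IdP the tenant administrator trusted, be addressed to this SaaS provider, lie inside its validity window, and answer a request the SaaS provider actually made (the nonce), so a captured assertion cannot be replayed. The attribute table is where the second gap bites: none of the listed standards says that memberOf must become groups, so that mapping is per-deployment configuration rather than protocol.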
20
'Early' profiles start to surface
Interoperability profiles (combinations of standards and protocols) become visible as identity management patterns surface, e.g. the pattern in how we nowadays think about the identity ecosystem (IdP, RP, AP, etc.).
21
Conclusions and next steps
Produced in-depth work providing a good understanding of Identity Management in a Cloud context with respect to technical, standards-based feasibility.
Unsure how to deal with implicit details of use cases, e.g. trust space, attribute space, privacy space.
Suggest future work to fill the gaps.
22
Resources
OASIS IDCloud Technical Committee Homepage
OASIS Technical Committee Wiki