Up 2011-ken huang

My presentation at Up 2011, the 2nd Global Cloud Computing Conference

Speaker notes:
  • Use case driven
  • ITU: International Telecommunication Union
  • Infrastructure Identity Establishment: this category includes use cases that feature the establishment of identity and trust between cloud providers, their partners and customers, and includes consideration of topics such as Certificate Services (e.g. X.509), Signature Validation, Transaction Validation, Non-repudiation, etc. Infrastructure Identity Management: this subcategory includes use cases that feature Virtualization and the Separation of Identities across different IT infrastructure layers (e.g. Server Platform, Operating System (OS), Middleware, Virtual Machine (VM), Application, etc.).
  • Overall, Jericho thinks that the deperimeterised cloud formation is the most important formation of the cloud and should be the focus of the work on cloud security. Identity is shifting from Enterprise-centric to Principal-centric and from ACL lists to Resource-centric.
  • It is not a standard but just a white paper.

1. Up 2011 Global Cloud Computing Conference, December 2011
   Up in the Air: The Future of Cloud Identity Management
   Ken Huang, Director of Cloud Security, CGI

2. About Ken Huang
   • Director of Cloud Security at CGI
     • Cloud Security
     • Identity and Access Management
     • Application Security
     • Frequent Speaker
   • Blog: http://cloud-identity.blogspot.com/
   • LinkedIn: www.linkedin.com/in/kenhuang8
   • Twitter: http://twitter.com/#!/kenhuangus

3. Agenda
   • Why is traditional IDAM not sufficient for the Cloud?
   • Discuss 5 different Cloud Identity initiatives/standards
     • OASIS IDCloud
     • Open Group Jericho
     • CSA's Trusted Cloud Initiative
     • Simple Cloud Identity Management
     • The National Strategy for Trusted Identities in Cyberspace (NSTIC)
   • Comparison
   • Suggestions and future work

4. Why is traditional IDAM not sufficient for the Cloud?
   • Identity Management is not completely solved at the Enterprise level
     • Centralized authentication is not a reality yet (still lots of silos)
     • Identity Federation is hot but not a reality
     • Centralized Authorization is not mature
   • Cloud extends the Enterprise beyond the DMZ
     • Deperimeterised
     • Multiple cloud providers
     • Need just-in-time provisioning
     • Immature technology for IDAM in the cloud
     • IDAM is needed in IaaS/PaaS/SaaS and in all deployment models (Public, Private, Hybrid, Community)

5. Top 8 Reasons Why a Cloud Provider Needs IDAM
   1) To make sure who is using your service.
   2) To be compliant with government regulations.
   3) To provide Separation of Duty and Least Privilege access to the data hosted on behalf of the cloud consumer.
   4) To build a trust relationship with the cloud consumer. If you don't care about IAM, you will certainly lose the trust of the customers.
   5) For a user-based subscription model (such as salesforce.com), the cloud provider needs IAM to provision, audit and de-provision users and to provide correct billing statements according to usage.
   6) To support potential e-Discovery as required by law enforcement agencies.
   7) To be able to support a wide range of users.
   8) To support other functions within the Cloud Provider such as BI, Sales, and Executive decisions.

6. Top 8 Reasons Why a Cloud Consumer Needs IDAM
   1) Network security is not enough; Identity-Based Security is essential for the Cloud Consumer.
   2) Audit tracking and compliance are still the Cloud Consumer's responsibility.
   3) SSO with the applications on the cloud.
   4) Identity Federation will be in strong demand.
   5) Small and mid-size companies may need to leverage IDaaS to save cost.
   6) Measure the effectiveness of the cloud service (you need the identities).
   7) Verify the billing provided by the Cloud Provider.
   8) Modification of existing in-house User Provisioning for the Cloud.

7. IDAM is a Foundational Component for Cloud
   1) The NIST Reference Architecture has Security and Privacy as a Cross-Cutting Service. IDAM is the main enabler of Security and Privacy.
   2) IDAM is essential regardless of service model (IaaS, PaaS, SaaS, DaaS, XaaS) and deployment model (Public, Private, Community, Hybrid).

8. 1: OASIS IDCloud (section divider)

9. OASIS IDCloud TC
   • 3 main objectives:
   • Identify Use Cases
       • example: Identity in the virtual environment, by Red Hat
   • Define Interoperability Profiles
       • example: Kerberos profile, by MIT
   • Gap Analysis of existing Identity Management standards and protocols when applied in the context of Cloud
     • Based on Use Cases and Interoperability Profiles
     • Feed analysis back to the WG responsible for a standard

10. OASIS IDCloud TC
   • Other objectives:
     • Glossary on Cloud Identity
     • Do not re-invent the wheel
     • Strong liaison relationships with other international working groups
       • ITU-T, Cloud Security Alliance, etc.

11. OASIS IDCloud Status
   • Deliverables:
     • Use Case formalization (version 1 published on 27 June 2011)
     • Defining the Interoperability Profiles for Identity in the Cloud (ETA: December '11)
     • Gap Analysis of existing Identity Management Standards

12. OASIS IDCloud: Total 32 Use Cases
   • Categorizations:
     • Authentication
     • Infrastructure Identity Establishment
     • General Identity Management
     • Authorization
     • Account & Attribute Management
     • Security Tokens
     • Audit & Compliance
     • Link: http://wiki.oasis-open.org/id-cloud/

13. 2: Open Group Jericho (section divider)

14. Jericho Cloud Cube (diagram; axes: Perimeterised / Deperimeterised, Proprietary / Open, Internal / External)

15. Jericho COA
   • The Jericho Forum has proposed a cloud architecture that uses identity management across all levels of the cloud (infrastructure, platform, software, and process) in a design it calls collaboration-oriented architecture (COA).
   • A standardized form of Identity that could be validated across cloud platforms.

16. "Identity" Commandments by Jericho
   • Total 14 Commandments on Identity and Entitlement
   • The Resource Owner defines Identity and Attributes
   • Attributes must not be over-exposed
   • An Entity can have multiple Identities
   • User-Centric Identity Management
   • Link to the commandments:
     • http://www.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf

17. 3: CSA's Trusted Cloud Initiative (section divider)

18. Trusted Cloud Initiative by CSA
   • October 18, 2011: The Cloud Security Alliance (CSA) published its first white paper, "Trusted Cloud Initiative Quick Guide to the Reference Architecture"
   • The TCI Reference Architecture is both a methodology and a set of tools
   • Jericho is part of the Reference Architecture (ITIL, TOGAF and SABSA are the other components)

19. Domain 12 of CSA Guide

20. CSA Guide on Identity Management
   • Identity Provisioning
   • Authentication
   • Federation
   • Authorization & user profile management
   • Identity as a Service

21. Identity Provisioning: Recommendations by CSA
   • Avoid custom connectors.
   • Leverage standard connectors (SPML or SCIM).
   • Schema extension for the cloud.

22. Authentication Recommendations for SaaS/PaaS by CSA
   • Authenticate via an IdP and establish a Circle of Trust with the CSP for Identity Federation (not your typical application-level login module anymore).
   • Leverage user-centric authentication such as Google, Yahoo, OpenID, Live ID for accessing low-sensitivity data.
   • Avoid proprietary security tokens; use a standard token such as SAML instead (need to consider security vs. performance).

23. Authentication Recommendations for IaaS by CSA
   • For admin users, leverage VPN.
   • If possible, use a dedicated VPN.
   • If a dedicated VPN tunnel is not feasible, use Identity Federation standards over SSL (SAML, WS-Federation).
   • Judicious use of OpenID.
   • For OTP or other forms of strong authentication, make sure it is OATH compliant.
   • Cloud providers should consider supporting various strong authentication options such as One-Time Passwords, biometrics, digital certificates, and Kerberos. This will provide another option for enterprises to use their existing infrastructure.

24. Federation Recommendations by CSA
   • Cloud Providers should support multiple Federation standards.
   • Cloud providers desiring to support multiple federation token formats should consider implementing some type of federation gateway or STS.
   • Cloud Consumers should evaluate Federated Public SSO (open-standard based) versus Federated Private SSO (custom security token based; may provide a quick win).
   • Cloud Consumers can delegate issuing various security token types to the federation gateway, which then handles translating tokens from one format to another (STS).

25. Access Control Recommendations by CSA
   • Review the Access Control Model (SoD, LP).
   • Identify authoritative sources.
   • Enforce privacy policies for the data (conduct a PIA).
   • Select a format in which to specify policy and user information (XACML).
   • Determine the mechanism to transmit policy from a Policy Administration Point (PAP) to a Policy Decision Point (PDP).
   • Determine the mechanism to transmit user information from a Policy Information Point (PIP) to a Policy Decision Point (PDP).
   • Request a policy decision from a Policy Decision Point (PDP).
   • Enforce the policy decision at the Policy Enforcement Point (PEP).
   • Log information necessary for audits.
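The PAP, PIP, PDP and PEP steps of the access-control slide above, carried through as a small Python program. This is an added example, not from the presentation or the CSA guide; the policy rules, the user attributes, the 'network' environment attribute and the request values are all constructed, and a first-match, default-deny evaluation stands in for a real XACML engine.

```python
# PAP: the policy store. Each rule names the resource it governs, the attribute values
# that must all match, and its effect. Rules are evaluated in order; first match wins.
POLICIES = [
    {"id": "admins-manage-users", "resource": "users",
     "match": {"role": "admin", "action": "manage"}, "effect": "Permit"},
    {"id": "no-prod-from-external", "resource": "prod-db",
     "match": {"network": "external"}, "effect": "Deny"},
    {"id": "dba-reads-prod", "resource": "prod-db",
     "match": {"role": "dba", "action": "read"}, "effect": "Permit"},
]

# PIP: the authoritative source for subject attributes (constructed sample data).
USER_ATTRS = {"alice": {"role": "admin"}, "bob": {"role": "dba"}}

# Audit trail written by the PEP: one record per decision, permits and denies alike.
AUDIT_LOG = []

def pdp_decide(policies, attrs, action, resource):
    """PDP: evaluate the request context against the policies.
    Returns (effect, rule_id); a request no rule covers is denied (least privilege)."""
    ctx = dict(attrs, action=action)
    for rule in policies:
        if rule["resource"] != resource:
            continue
        if all(ctx.get(k) == v for k, v in rule["match"].items()):
            return rule["effect"], rule["id"]
    return "Deny", "default-deny"

def pep_enforce(user, action, resource, network):
    """PEP: fetch the subject's attributes from the PIP, add the environment attribute
    'network', ask the PDP, log the outcome, and allow only on Permit."""
    attrs = dict(USER_ATTRS.get(user, {}))  # unknown user -> no attributes -> deny
    attrs["network"] = network
    effect, rule = pdp_decide(POLICIES, attrs, action, resource)
    AUDIT_LOG.append({"user": user, "action": action, "resource": resource,
                      "network": network, "effect": effect, "rule": rule})
    return effect == "Permit"

if __name__ == "__main__":
    print(pep_enforce("alice", "manage", "users", "internal"))    # True
    print(pep_enforce("bob", "read", "prod-db", "external"))      # False: explicit deny
    print(pep_enforce("bob", "read", "prod-db", "internal"))      # True
    print(pep_enforce("mallory", "read", "prod-db", "internal"))  # False: default deny
    for record in AUDIT_LOG:
        print(record)
```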
26. IDaaS Recommendations by CSA
   • The reduction of cost from using IDaaS needs to be balanced against risk mitigation.
   • Application Security (such as SQL Injection and Cross-Site Scripting, among many others) must be considered and protected against.
   • IDaaS vendors should support industry standards for IDAM.
   • Proprietary IDaaS is often less secure, less robust, and less interoperable.

27. 4: Simple Cloud Identity Management (section divider)

28. Simple Cloud Identity Management (SCIM)
   • SCIM is a specification for a universal SaaS identity connector based on a RESTful API.
   • Mainly focuses on the Identity Model and User life-cycle management (provisioning and de-provisioning)
   • PingIdentity, CISCO, Salesforce.com, Sailpoint, UnboundID, etc.

29. SCIM deliverables
   • Scenarios Doc - draft 4
   • Core Schema 1.0 - draft 2
   • REST API - draft 1
   • SAML 2.0 Binding - draft 1

30. SCIM RESTful Web Service API endpoints

   Resource                        Endpoint                  Operations                      Description
   User                            /User                     GET, POST, PUT, PATCH, DELETE   Retrieve/Modify Users
   User Query/Listing              /Users                    GET                             Retrieve User(s) via ad hoc queries
   Group                           /Group                    GET, POST, PUT, PATCH, DELETE   Retrieve/Modify Groups
   Group Query/Listing             /Groups                   GET                             Retrieve Group(s) via ad hoc queries
   User Password                   /User/{userId}/password   PATCH                           Change a User's password
   Service Provider Configuration  /ServiceProviderConfig    GET                             Retrieve the Service Provider's Configuration
   Resource Schema                 /Schema                   GET                             Retrieve a Resource's Schema
   Resource Schema Query/Listing   /Schemas                  GET                             Retrieve Resource Schema(s) via ad hoc queries
   Bulk                            /Bulk                     POST                            Bulk modify Resources
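The SCIM endpoint table above turned into a method allowlist in front of a toy in-memory User store, added here as an example that is not from the presentation or the SCIM drafts. It assumes that POST /User creates a user and that per-user operations address /User/{id}; only the User, /Users and password endpoints are implemented, and the store and handlers are constructed for this example.

```python
import re
import uuid
USERS = {}  # id -> user record (constructed in-memory store); passwords are never returned

def public(user):
    return {k: v for k, v in user.items() if k != "password"}

def create_user(method, body):                      # POST /User
    uid = str(uuid.uuid4())
    USERS[uid] = {"id": uid, "userName": body["userName"], "password": body.get("password")}
    return 201, public(USERS[uid])

def user_by_id(method, body, uid):                  # GET/PUT/PATCH/DELETE /User/{id}
    if uid not in USERS:
        return 404, {"detail": "no such user"}
    if method == "GET":
        return 200, public(USERS[uid])
    if method == "DELETE":                          # de-provisioning
        USERS.pop(uid)
        return 200, {}
    if method == "PATCH":                           # passwords change only via /password
        USERS[uid].update({k: v for k, v in body.items() if k != "password"})
        return 200, public(USERS[uid])
    return 501, {"detail": "PUT is not implemented in this example"}

def change_password(method, body, uid):             # PATCH /User/{id}/password
    if uid not in USERS:
        return 404, {"detail": "no such user"}
    USERS[uid]["password"] = body["password"]
    return 200, {}

def list_users(method, body):                       # GET /Users
    return 200, {"Resources": [public(u) for u in USERS.values()]}

# (path pattern, verbs the table lists for it, handler): the table itself is the allowlist.
ROUTES = [
    (re.compile(r"^/User$"), {"POST"}, create_user),
    (re.compile(r"^/User/(?P<uid>[^/]+)/password$"), {"PATCH"}, change_password),
    (re.compile(r"^/User/(?P<uid>[^/]+)$"), {"GET", "PUT", "PATCH", "DELETE"}, user_by_id),
    (re.compile(r"^/Users$"), {"GET"}, list_users),
]

def handle(method, path, body=None):
    """Dispatch one request as (status, response): 405 for an unlisted verb, 404 for an unknown path."""
    for pattern, verbs, handler in ROUTES:
        match = pattern.match(path)
        if match and method not in verbs:
            return 405, {"allow": sorted(verbs)}
        if match:
            return handler(method, body or {}, **match.groupdict())
    return 404, {"detail": "unknown endpoint"}
```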
31. 5: NSTIC (section divider)

32. US Government Cloud Identity Policy Initiatives
   • The President signed NSTIC in April 2011
     • NSTIC: National Strategy for Trusted Identities in Cyberspace
     • Identity Ecosystem
     • It is a Strategy Document.

33. Guiding Principles for NSTIC
   • Privacy-enhancing and voluntary
   • Secure and resilient
   • Interoperable
   • Cost-effective and easy to use

34. Comparison

   Standard or Initiative   Deliverable                                              Industrial support
   OASIS IDCloud            Use case, profiles and gap analysis                     21 sponsors including DoD, Microsoft, CA, IBM, CISCO, Symantec, SAP
   Jericho                  White paper                                              58 members including DoD, HP, IBM, Microsoft, Oracle, Raytheon, Mitre
   CSA TCI                  Guide                                                    Over 100 members. Novell is the initial sponsor for TCI
   SCIM                     Use case, RESTful API guide, SAML profile, Core schema  Ping Identity, the UnboundID SCIM SDK, Sailpoint, etc.
   NSTIC                    Strategy document                                        PayPal, IBM, Microsoft, CA, etc.

35. Recommendations
   • Don't re-invent the wheel
   • Re-use existing building blocks such as SAML, XACML, OAuth, OpenID, etc.
   • Evaluate not-so-successful standards such as SPML (SCIM seems a better alternative?)
   • Close collaboration between standards organizations and different initiatives
   • Compliance (FISMA, HIPAA, SOX, PCI/DSS, FedRAMP, SAS 70 Type II, ISO 27001)

36. Conclusion and Q/A
   • It is still up in the air
   • Executive buy-in is essential for IDAM in the Cloud
   • It will still be a few more years before we see mature standards and technology for IDAM in the Cloud