Dr.M.Pyingkodi, Dept of Computer Applications, Kongu Engineering College, Erode, Tamil Nadu, India
Defining Identity as a Service (IDaaS)
• Application delivery model (like software-as-a-service, or SaaS)
• Allows users to connect to and use identity management services from the cloud.
• Ensures the right people in an organization have the right access to the right resources
• Identity and access management (IAM) computing uses online computer power, database storage, and other IT resources.
• An identity service is one that stores the information associated with a digital entity in a form that can be queried and managed for use in electronic transactions.
Why IDaaS?
• Deliver access services efficiently and cost-effectively
• Protect against internal and external security threats
• Meet regulatory compliance requirements around security and privacy
Defining Identity as a Service (IDaaS): Examples
Single Sign-on (SSO)
Authentication service allowing a user to access multiple applications and sites using one set of credentials.
Multi-Factor Authentication (MFA)
Multi-step account login process that requires users to enter more information than just a password.
Identity Management
To ensure that only the right people can access the appropriate data and resources — at the right times and for the right reasons.
Provisioning
When a worker is assigned a role through your system, they would be automatically provisioned access with a role-based IAM solution.
Defining Identity as a Service (IDaaS)
IDaaS Servers
.COM, .ORG, .EDU, .MIL, .TV, .RU
Core functions
– A data store
– Query Engine
– Policy Engine
Identity
• A set of characteristics or traits that make something recognizable or known
Digital identity
• The attributes and metadata of an object, along with a set of relationships with other objects, that make the object identifiable
An identity can belong to a person and may include the following:
Things you are
Biological characteristics such as age, race, gender, appearance
Things you know
Biography, personal data such as social security numbers, PINs, where you went to school
Things you have
A pattern of blood vessels in your eye, your fingerprints, a bank account you can access, a security key you were given, objects and possessions
Things you relate to
Your family and friends, a software license, beliefs and values, activities and endeavors, personal selections and choices, habits and practices, an iGoogle account
Digital Identities
For user and machine accounts
Identities are created and stored in the domain security databases that are the basis for any network domain, in directory services, and in the data stores of federated systems.
Network Interface
The point of interconnection between a computer and a private or public network
Identified uniquely by Media Access Control (MAC) addresses, alternatively referred to as Ethernet Hardware Addresses (EHAs).
An EHA (hardware address) is your Ethernet card's unique identity.
It is the assignment of a network identity to a specific MAC address that allows systems to be found on networks.
Media Access Control
Network data transfer policy that determines how data is transmitted between two computer terminals through a network cable.
Windows Product Activation
Microsoft validates your installation.
During activation it creates an identification index or profile of your system:
• A 25-character software product key and product ID
• The uniquely assigned Global Unique Identifier or GUID
• PC manufacturer
• CPU type and serial number
• BIOS checksum
• Network adapter and its MAC address
• Display adapter
• SCSI and IDE adapters
• RAM amount
• Hard drive and volume serial number
• Optical drive
• Region and language settings and user locale
From the above information, a code is calculated, checked, and entered into the registration database.
Each of these uniquely identified hardware attributes is assigned a weighting factor such that an overall sum may be calculated.
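The weighted-sum idea described above, as an added illustration written for this page (not code from the slides and not Microsoft's actual activation algorithm): each hardware attribute gets a weight, and a later profile counts as the same machine when enough weighted attributes still match. The weights, threshold, per-attribute hashing and sample profiles are all assumptions.

```python
"""Weighted hardware-profile comparison in the spirit of the slide's weighting
scheme. Illustrative only: weights, threshold and hashing are assumptions."""
import hashlib

# Assumed weights per hardware attribute (not Microsoft's values).
WEIGHTS = {
    "cpu": 3, "mac": 3, "hdd_serial": 3, "bios_checksum": 2,
    "display": 1, "ram": 1, "optical": 1, "locale": 1,
}
TOTAL_WEIGHT = sum(WEIGHTS.values())   # 15
MATCH_THRESHOLD = 0.7                  # assumed fraction of weight that must match


def fingerprint(attrs: dict) -> dict:
    """Store one hash per attribute rather than the raw serial numbers, so the
    registration record itself does not expose identifying hardware details."""
    return {name: hashlib.sha256(f"{name}:{attrs.get(name, '')}".encode()).hexdigest()
            for name in WEIGHTS}


def weighted_match(stored: dict, current: dict) -> float:
    """Fraction of the total weight carried by attributes whose hashes still match."""
    matched = sum(w for n, w in WEIGHTS.items() if stored.get(n) == current.get(n))
    return matched / TOTAL_WEIGHT


def same_machine(stored: dict, current: dict) -> bool:
    """Accept the profile if the weighted overlap reaches the threshold."""
    return weighted_match(stored, current) >= MATCH_THRESHOLD


# Constructed sample profiles (fictitious hardware).
ORIGINAL = {"cpu": "GenuineIntel-0001", "mac": "00:11:22:33:44:55",
            "hdd_serial": "WD-0000001", "bios_checksum": "0xBEEF",
            "display": "GPU-A", "ram": "8192", "optical": "DVD-1", "locale": "en-IN"}
# Same PC after a disk replacement and a RAM upgrade (loses 3 + 1 of 15).
UPGRADED = dict(ORIGINAL, hdd_serial="WD-0000009", ram="16384")
# A different PC that only shares RAM size and locale (2 of 15).
OTHER = {"cpu": "AMD-0002", "mac": "66:77:88:99:AA:BB", "hdd_serial": "ST-1",
         "bios_checksum": "0xCAFE", "display": "GPU-B", "ram": "8192",
         "optical": "BD-1", "locale": "en-IN"}

if __name__ == "__main__":
    stored = fingerprint(ORIGINAL)
    print(same_machine(stored, fingerprint(UPGRADED)))   # True  (11/15 >= 0.7)
    print(same_machine(stored, fingerprint(OTHER)))      # False (2/15)
```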
Networked identity service classes
Forms of identity services
To validate Web sites, transactions, transaction participants, clients, and network services
Identity as a Service (IDaaS) offers
• Authentication services (identity verification)
• Directory services
• Federated identity
• Identity governance
• Identity and profile management
• Policies, roles, and enforcement
• Provisioning (external policy administration)
• Registration
• Risk and event monitoring, including audits
• Single sign-on services (pass-through authentication)
Identity System Codes of Conduct
IDaaS is cloud-based authentication built and operated by a third-party provider.
When working with IDaaS software, evaluate IDaaS applications on the following basis:
User control for consent
Users control their identity and must consent (agree) to the use of their information.
Minimal Disclosure
The minimal amount of information should be disclosed for an intended use.
Justifiable access
Only parties who have a justified use of the information contained in a digital identity and have a trusted identity relationship with the owner of the information may be given access to that information.
Directional Exposure
An ID system must support bidirectional identification for a public entity so that it is discoverable, and a unidirectional identifier for private entities, thus protecting the private ID.
Interoperability
A cloud computing ID system must interoperate with other identity services from other identity providers.
Unambiguous human identification
An IDaaS application must provide an unambiguous mechanism for allowing a human to interact with a system while protecting that user against an identity attack.
Consistency of Service
An IDaaS service must be simple to use, consistent across all its uses, and able to operate in different contexts using different technologies.
IDaaS interoperability
Cloud computing IDaaS applications must rely on a set of developing industry standards to provide interoperability.
User-centric authentication (usually in the form of information cards)
The OpenID and CardSpace specifications support this type of data object.
The XACML Policy Language
A general-purpose authorization policy language that allows a distributed ID system to write and enforce custom policy expressions.
XACML can work with SAML: when SAML presents a request for ID authorization, XACML checks the ID request against its policies and either allows or denies the request.
The SPML Provisioning Language
This is an XML request/response language that is used to integrate and interoperate service provisioning requests. SPML is a standard of OASIS's Provisioning Services Technical Committee (PSTC) that conforms to the SOA architecture.
The XDAS Audit System
The Distributed Audit Service provides accountability for users accessing a system, and the detection of security policy violations when attempts are made to access the system by unauthorized users or by users accessing the system in an unauthorized way.
Networked identity service classes
The Identity Governance Framework (IGF) is a standards initiative of the Liberty Alliance.
It covers the exchange and control of identity information using standards such as WS-Trust, ID-WSF, SAML, and LDAP directory services.
Client Attribute Requirements Markup Language (CARML)
User Authentication
OpenID
– Developing industry standard for authenticating “end users” by storing their digital identity in a common format.
– An identity is created in an OpenID system.
– Information is stored in the system of any OpenID service provider.
– Translated into a unique identifier.
– Identifiers take the form of a Uniform Resource Locator (URL) or an Extensible Resource Identifier (XRI).
– Authenticated by that OpenID service provider.
– The URL is the unique identity.
Identity providers
AOL, Facebook, Google, IBM, Microsoft, MySpace, Orange, PayPal, VeriSign, LiveJournal, Ustream, Yahoo!
Trusted providers and their URL formats
Blogger: .blogger.com or .blogspot.com
MySpace: myspace.com/
Google: https://www.google.com/accounts/o8/id
Google Profile: google.com/profiles/
Microsoft: accountservices.passport.net/
MyOpenID: .myopenid.com
Orange: openid.orange.fr/username or simply orange.fr/
Verisign: .pip.verisignlabs.com
WordPress: .wordpress.com
Yahoo!: openid.yahoo.com
CardSpace
Microsoft software client for the company’s Identity Metasystem, built into the Web Services Protocol Stack.
This stack is built on the OASIS standards (WS-Trust, WS-Security, WS-SecurityPolicy, and WS-MetadataExchange).
A CardSpace object called an Identity Selector stores a digital identity, making it available to Windows applications in the form of a visual Information Card that can be accepted by complying applications and Web sites.
Authorization markup languages
Information requests and replies in cloud computing are nearly always in the form of XML requests or replies.
XML files are text files and are self-describing.
XML files contain a schema that describes the data they contain, or a pointer to another text file holding the schema.
XACML and SAML are specialized XML formats used in the identity framework.
XACML
Extensible Access Control Markup Language
• Separates access control functionality into several components
• An attribute-based access control policy language, expressed in XML
• Designed to express security policies and access requests to information
• Used for web services, digital rights management, and enterprise security applications
SAML
Security Assertion Markup Language
Open federation standard that allows an identity provider (IdP) to authenticate users and then pass an authentication token to another application known as a service provider.
SAML integrates with XACML to implement a policy engine in a Service Oriented Architecture to support identity services authorization.
Networked identity service classes
Policy Administration Point (PAP)
Location at which policy is managed
Policy Decision Point (PDP)
Policy requests are passed through to the location (PAP) where the policy logic can be executed; the result of the policy is transmitted through the PAP.
Evaluates policies against access requests provided by Policy Enforcement Points (PEP); the deciding authority.
Policy Enforcement Point (PEP)
Enforces the PDP policy decision
Protects an enterprise's data by enforcing access control
Responsible for receiving authorization requests, which are sent to the policy decision point (PDP) for evaluation; data and resources must be protected.
Policy Information Point (PIP)
Provides additional information that can be used to determine policy logic
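The four components above wired together as a minimal attribute-based policy engine: the PEP intercepts an access, the PDP evaluates the PAP's rules after the PIP adds attributes the request did not carry, and the decision is logged for event monitoring. This is an added example written for this page, not a real XACML implementation and not code from the slides; the rules, subjects, departments and resource names are constructed.

```python
"""PAP / PDP / PEP / PIP laid out as four small classes. Illustrative only:
the policy language is a dict of attribute equalities, not real XACML."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    effect: str        # "Permit" or "Deny"
    conditions: dict   # attribute name -> value that must match


@dataclass
class PolicyAdministrationPoint:
    """PAP: where policies are authored and managed."""
    rules: list = field(default_factory=list)

    def add_rule(self, effect: str, **conditions) -> None:
        self.rules.append(Rule(effect, conditions))


class PolicyInformationPoint:
    """PIP: supplies attributes the request does not carry itself
    (here a constructed subject -> department lookup)."""
    DEPARTMENTS = {"alice": "finance", "bob": "engineering"}

    def subject_attributes(self, subject: str) -> dict:
        return {"department": self.DEPARTMENTS.get(subject, "unknown")}


class PolicyDecisionPoint:
    """PDP: evaluates the PAP's rules against the PIP-enriched request."""
    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint):
        self.pap, self.pip = pap, pip

    def decide(self, request: dict) -> str:
        attrs = dict(request)
        attrs.update(self.pip.subject_attributes(request["subject"]))
        for rule in self.pap.rules:                       # first applicable rule wins
            if all(attrs.get(k) == v for k, v in rule.conditions.items()):
                return rule.effect
        return "Deny"                                     # default deny when nothing matches


class PolicyEnforcementPoint:
    """PEP: receives the access attempt, asks the PDP, enforces and records the answer."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp
        self.audit = []                                   # (subject, action, resource, decision)

    def access(self, subject: str, action: str, resource: str) -> bool:
        request = {"subject": subject, "action": action, "resource": resource}
        decision = self.pdp.decide(request)
        self.audit.append((subject, action, resource, decision))
        return decision == "Permit"


def build_pep() -> PolicyEnforcementPoint:
    """Constructed policy set: the explicit deny is listed first so it outranks the permit."""
    pap = PolicyAdministrationPoint()
    pap.add_rule("Deny", resource="payroll", action="write")
    pap.add_rule("Permit", resource="payroll", department="finance")
    pap.add_rule("Permit", resource="source-code", department="engineering")
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, PolicyInformationPoint()))


if __name__ == "__main__":
    pep = build_pep()
    print(pep.access("alice", "read", "payroll"))       # True
    print(pep.access("alice", "write", "payroll"))      # False (explicit deny)
    print(pep.access("carol", "read", "source-code"))   # False (unknown subject, default deny)
```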
Security Assertion Markup Language
XML-based markup language for security assertions: statements that service providers use to make access-control decisions.
The statements an identity provider sends to a service provider contain
• authentication
• attribute
• authorization decision information
Allows people to sign in once using one set of credentials and access multiple applications.
Defining Identity as a Service (IDaaS) in Cloud Computing