Up 2011 - Ken Huang
1. Up 2011 Global Cloud Computing Conference, December 2011
Up in the Air: The Future of Cloud Identity Management
Ken Huang, Director of Cloud Security, CGI
5. Top 8 Reasons Why a Cloud Provider Needs IDAM
1) To know who is using your service.
2) To comply with government regulations.
3) To provide separation of duty and least-privilege access to the data hosted on behalf of the cloud consumer.
4) To build a trust relationship with the cloud consumer. If you don't care about IAM, you will certainly lose the trust of your customers.
5) For a user-based subscription model (such as salesforce.com), the cloud provider needs IAM to provision, audit and de-provision users and to produce correct billing statements according to usage.
6) To support potential e-Discovery as required by law enforcement agencies.
7) To be able to support a wide range of users.
8) To support other functions within the cloud provider such as BI, sales and executive decisions.
6. Top 8 Reasons Why a Cloud Consumer Needs IDAM
1) Network security is not enough; identity-based security is essential for the cloud consumer.
2) Audit tracking and compliance are still the cloud consumer's responsibility.
3) SSO with the applications on the cloud.
4) Identity federation will be in strong demand.
5) Small and mid-size companies may need to leverage IDaaS to save cost.
6) Measuring the effectiveness of the cloud service (you need the identities).
7) Verifying the billing provided by the cloud provider.
8) Modifying existing in-house user provisioning for the cloud.
7. IDAM is a Foundational Component for Cloud
1) The NIST Reference Architecture has Security and Privacy as a cross-cutting service. IDAM is the main enabler of Security and Privacy.
2) IDAM is essential regardless of service model (IaaS, PaaS, SaaS, DaaS, XaaS) and deployment model (Public, Private, Community, Hybrid).
14. Jericho Cloud Cube
Perimeterised / Deperimeterised
Proprietary / Open
Internal / External
30. SCIM RESTful Web Service API endpoints
Resource | Endpoint | Operations | Description
User | /User | GET, POST, PUT, PATCH, DELETE | Retrieve/modify Users
User Query/Listing | /Users | GET | Retrieve User(s) via ad hoc queries
Group | /Group | GET, POST, PUT, PATCH, DELETE | Retrieve/modify Groups
Group Query/Listing | /Groups | GET | Retrieve Group(s) via ad hoc queries
User Password | /User/{userId}/password | PATCH | Change a User's password
Service Provider Configuration | /ServiceProviderConfig | GET | Retrieve the Service Provider's configuration
Resource Schema | /Schema | GET | Retrieve a Resource's schema
Resource Schema Query/Listing | /Schemas | GET | Retrieve Resource Schema(s) via ad hoc queries
Bulk | /Bulk | POST | Bulk modify Resources
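The endpoint table above, together with the provision / audit / de-provision lifecycle from slide 5, is illustrated here by an added example that is not part of the original deck or of any SCIM implementation: a toy in-memory service provider covering POST /User, GET /Users with a simple filter, PATCH /User/{userId}/password and DELETE /User/{userId}. The names ScimProvider, _error and _hash are assumptions for this illustration; the response shapes follow the SCIM 1.x core schema URN shown.

```python
import hashlib, os, re, uuid

SCIM_CORE = "urn:scim:schemas:core:1.0"  # core schema URN of the 2011 SCIM 1.x draft
FILTER_RE = re.compile(r'^(\w+) eq "([^"]*)"$')  # only the simple 'attr eq "value"' filter form

def _error(code, message):  # SCIM-style error response: status plus an Errors array
    return code, {"Errors": [{"description": message, "code": str(code)}]}

def _hash(password, salt):  # salted PBKDF2 so the provider never holds cleartext passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ScimProvider:  # hypothetical toy provider: provision, query, change password, deprovision
    def __init__(self):
        self.users = {}    # id -> User resource; the password attribute is never stored here
        self.secrets = {}  # id -> (salt, pbkdf2 hash), kept outside the returned resource
        self.audit = []    # (actor, operation, target id) records for later review
    def _set_password(self, uid, password):
        salt = os.urandom(16)
        self.secrets[uid] = (salt, _hash(password, salt))
    def verify_password(self, uid, candidate):
        salt, digest = self.secrets.get(uid, (b"", None))
        return _hash(candidate, salt) == digest
    def post_user(self, actor, body):  # POST /User
        if SCIM_CORE not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "schemas and userName are required")
        user = {k: v for k, v in body.items() if k != "password"}  # strip the write-only attribute
        user["id"] = uid = str(uuid.uuid4())
        self.users[uid] = user
        if body.get("password"):
            self._set_password(uid, body["password"])
        self.audit.append((actor, "POST /User", uid))
        return 201, user
    def get_users(self, filter_expr=None):  # GET /Users?filter=userName eq "bjensen"
        match = FILTER_RE.match(filter_expr) if filter_expr else None
        if filter_expr and not match:
            return _error(400, "unsupported filter")
        found = [u for u in self.users.values() if not match or u.get(match[1]) == match[2]]
        return 200, {"schemas": [SCIM_CORE], "totalResults": len(found), "Resources": found}
    def patch_password(self, actor, uid, body):  # PATCH /User/{userId}/password
        if uid not in self.users:
            return _error(404, "Resource not found")
        self._set_password(uid, body["password"])
        self.audit.append((actor, "PATCH /User/{userId}/password", uid))
        return 204, None  # no body, so the new password is never echoed back
    def delete_user(self, actor, uid):  # DELETE /User/{userId}
        if self.users.pop(uid, None) is None:
            return _error(404, "Resource not found")
        self.secrets.pop(uid, None)  # deprovisioning also discards the credential material
        self.audit.append((actor, "DELETE /User/{userId}", uid))
        return 200, None
```

The audit list is what lets the consumer later verify who was provisioned or removed and reconcile billing, the two consumer-side reasons given on slide 6.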
34. Comparison
Standard or Initiative | Deliverable | Industrial support
OASIS IDCloud | Use cases, profiles and gap analysis | 21 sponsors including DoD, Microsoft, CA, IBM, Cisco, Symantec, SAP
Jericho | White paper | 58 members including DoD, HP, IBM, Microsoft, Oracle, Raytheon, Mitre
CSA TCI | Guide | Over 100 members. Novell is the initial sponsor for TCI
SCIM | Use cases, RESTful API guide, SAML profile, core schema | Ping Identity, the UnboundID SCIM SDK, SailPoint, etc.
NSTIC | Strategy document | PayPal, IBM, Microsoft, CA, etc.
Editor's Notes
Use Case driven
ITU: International Telecommunication Union
Infrastructure Identity Establishment: This category includes use cases that feature the establishment of identity and trust between cloud providers, their partners and customers, and includes consideration of topics such as certificate services (e.g. X.509), signature validation, transaction validation, non-repudiation, etc.
Infrastructure Identity Management: This subcategory includes use cases that feature virtualization and the separation of identities across different IT infrastructure layers (e.g. server platform, operating system (OS), middleware, virtual machine (VM), application, etc.).
Overall, Jericho considers the deperimeterised cloud formation the most important formation of the cloud and holds that it should be the focus of cloud security work. Identity is shifting from enterprise-centric to principal-centric, and from ACL lists to resource-centric control.