Minutes - ID-Cloud TC call (12 July 2010)

[Thomas Hardjono <hardjono@MIT.EDU>]

Minutes (draft) - Oasis ID-Cloud TC call (12 July 2010)

[1] Roll Call and Agenda

[2] Approval of minutes from last meeting on 28 June 2010:

- Approval of June 28th Meeting Minutes 
http://lists.oasis-open.org/archives/id-cloud/201007/msg00013.html (Membership Status Changes) 
http://lists.oasis-open.org/archives/id-cloud/201006/msg00048.html (Corrected minutes from Thomas Hardjono)

- Motion to approve minutes.
  Motion: Jerry Smith
  Second: John Dilley.
  No objections. Motion passes. Minutes approved.


[3] Red Hat's Use Cases - Anil Saldhana 
http://lists.oasis-open.org/archives/id-cloud/201005/msg00033.html

1) Virtualization Security and Application Security:
- Similar to SafeNet's use-case on virtual privileged accounts.
- Example: RedHat develops VMs, while Amazon as provider/hoster
  allows VMs to be loaded/run by their customers.
- Certain Identities can access the applications hosted
  on/above the virtual machine layer.
  + Identities accessing applications maybe (are) different
    from identities managing the VMs.
- Example: proofing done by Amazon maybe considered 
    insufficient by RedHat.

2) Identity provisioning:
(2a) Decoupling cloud resources
     - Targets public clouds and hosted providers.
     - Example: A document management system created by 
       a given identity must NOT get automatically 
       de-provisioned when the identity (ie. its creator) 
       gets de-provisioned. We must not lose document 
       management system.

       + John Dilley: 
         o Are the resources contained within an identity?
         o If so, then they are at danger of being de-provisioned.
         o Should identities "own" resources?
         o Perhaps rewording is needed: "reassignment" of
           identities as an old identity gets de-provisioned.

       + Thomas Hardjono: perhaps similar to "roles" that
         own resources.
         o Identities are mapped to roles.
         o Roles stay, even when identity gets de-provisioned.
         o Like traditional role-based access control.

       + Anil: decoupling could mean removal of resources 
         contained within an identity.

       + John Dilley: document management system should not 
         be contained within an identity.
         o Need better explanation of "containment".

(2b) Self-service admin portals:
     - Portals that manage identities that are used
       in use-case (1a) with VMs and Applications.

       + John Dilley: Need lifecycle for identity management.
         o Some identifiers are permanent even after de-provisioning.
         o eg. driver's license numbers never gets re-assigned to
           a new person even after a license is decommissioned.

       + Anil: good use-case. Can JohnD please submit use-case?


3) Identity audit

- Anil: what standards exist today for audit?
  + There is a Cloud Audit group.

- John Dilley: there is research by Peter Druschel on
  tamper-resistant audit/logs.

- Jerry Smith: need to find references and fill this gap.

- Tony Nadalin: Audit depends on individual use-cases,
  thus treat per use-case.

- Kurt Roemer: References needed to internal audit practices.
  + Also need to address Forensics and forensic-logs.


4) Identity Configuration
- Multiple identity services, needing identity configuration info for cloud infrastructure.
  + For VMs, Applications, Infra.

- Does anyone know existing work on configuration management?
  + Perhaps in DMTF, and IETF.
  + OVF open virtualization format
    - related but may not fit cloud requirements.

5) Middleware Container
- RedHat needs middleware containers that work in 
  public cloud infra.
  + eg. DB connectors, messaging, etc. etc.
  + eg. JBoss, WebSphere, etc.

- Applications will be deployed/un-deployed
  + These run in public cloud infra and may have their
    own identities.
  + Need to map identities.
  + Need to tie use-case #5 with use-case #1.

- Cluster of VMs may run these middleware.

6) Federated SSO and attribute sharing
- Identities may come from different cloud infrastructures.
- May need a single security token format
  + eg. SAML-based, OpenID, etc.
- Need Web 2.0 identities to work with Enterprise identities.
- Federation(?) common in many use-cases.

7) Identity silos
- Similar to directories (directory systems)
  + Directory maybe inside an organization or within
    a cloud (or within/across multiple clouds)

8) Privacy and governance
- Subjective topic (privacy).
- Kurt Roemer: If a public cloud is implemented 
  using shared resources, how to ensure privacy.
- Jerry Smith: why only in government? Correction, we are
  talking about "governance".


9) Requirements: listed in Anil's use-case email.

Anil: Tony, how to proceed and extract all these use-cases?
Tony: Start to reduce to the unique set of scenarios.
      - Then go back and fill gaps.



[4] IDTrust Member Section Steering Committee Nomination
- Now seeking nominations.
- Anil and John Bradley are current members.
- What does IDTrust members do:
  + Governs various security-related TCs.
  + Steering committee oversees the security TCs.
  + Organizes Oasis-related events worldwide.
  + Has monthly calls.
  + Volunteer for Program Committee for various Oasis events
    o eg. review submitted speaking-proposals.
  + Attends F2F meetings in Oasis.
  + Participates in workshops/panels, etc.

- Gershon Janssen: does the IDTrust have a working plan?
  + John Bradley: you mean long term strategic plan?
    o Most activities are tactical.
    o One or twice a year send-out planned work items.
    o Originated from old PKI Forum.

[5] Oasis IDCloud Webinar in September
- TC received some negative comments about webinar. Thus
  the ballot was created.
- Please remember to vote.

[6] Call For Action
- TC needs more use-cases and scenarios.

[7] Other business, questions, issues:
- Brian Marshall: 
  + where are the existing use-cases?
    o Anil: posted on TC Wiki (will email URL to mail-list)
  + have the protocols been decided?
    o Anil: charter states TC will work on (i) use-cases,
      then (ii) gap analysis, and then (iii) generate profiles
      for the use-cases.

[8] Adjourn:
- Motion to adjourn: Gershon Janssen.
- Seconded: Jerry Smith
- No objections. Motion passes. Meeting adjourned.

__________________________________________
Chatroom dump:

AnilSaldhana_RedHat: hi all . thanks for joining.
anonymous2 morphed into Dale Moberg (Axway)
anonymous morphed into Kurt Roemer (Citrix)
anonymous1 morphed into Brian Marshall
Brian Marshall morphed into Brian Marshall (Vanguard)
Siddharth Bajaj: Siddharth Bajaj (VeriSign) is on the call
anonymous morphed into Dan Perry (Skyworth TTG)
anonymous morphed into John Dilley (Akamai)
Gershon Janssen: Hi... I'll be joining later due to another TC call overlapping with this meeting.
Kelvin Lawrence (IBM): Have to step away for about 5 minutes. BRB
John Bradley1: Andy Kindred    Acxiom  
John Dilley     Akamai Technologies     
James Ducharme  Aveksa, Inc.    
Kurt Roemer     Citrix Systems, Inc.    
Mark Robinton   HID Global      
Robert Cope     Homeland Security Consultants   
Jason Rouault   HP      Guest
David Kern      IBM     
Kelvin Lawrence IBM     
John Bradley    Individual      
Thomas Hardjono M.I.T.  
Anthony Nadalin Microsoft Corporation   
Dale Olds       Novell* 
Anil Saldhana   Red Hat 
Bill Becker     SafeNet, Inc.   
Daniel Perry    Skyworth TTG Holdings Limited   
Tom Clifford    Symantec Corp.* 
Darren Platt    Symplified      
Jerry Smith     US Department of Defense (DoD)* 
Brian Marshall  Vanguard Integrity Professionals        
Siddharth Bajaj VeriSign
Siddharth Bajaj: Stepping away for few mins...
Gershon Janssen: Gershon Janssen joined
David Kern (IBM): Stepping away for a few minutes...
John Bradley1: update Andy KindredAcxiomGroup Member
John DilleyAkamai TechnologiesGroup Member
James DucharmeAveksa, Inc.Group Member
Kurt RoemerCitrix Systems, Inc.Group Member
Mark RobintonHID GlobalGroup Member
Robert CopeHomeland Security ConsultantsGroup Member
Jason RouaultHPGuest
David KernIBMGroup Member
Kelvin LawrenceIBMGroup Member
John BradleyIndividualGroup Member
Gershon JanssenIndividualGroup Member
Thomas HardjonoM.I.T.Group Member
Anthony NadalinMicrosoft CorporationGroup Member
Dale OldsNovell*Group Member
Anil SaldhanaRed HatGroup Member
Bill BeckerSafeNet, Inc.Group Member
Daniel PerrySkyworth TTG Holdings LimitedGroup Member
Tom CliffordSymantec Corp.*Group Member
Darren PlattSymplifiedGroup Member
Jerry SmithUS Department of Defense (DoD)*Group Member
Brian MarshallVanguard Integrity ProfessionalsGroup Member
Siddharth BajajVeriSignGroup Member
AnilSaldhana_RedHat: Were the use cases so good that we had few questions?

__________________________________________