

Subject: Re: [id-cloud] Minutes - ID-Cloud TC call (12 July 2010)


  On 07/12/2010 04:06 PM, Thomas Hardjono wrote:
> Minutes (draft) - Oasis ID-Cloud TC call (12 July 2010)
>
> [1] Roll Call and Agenda
Roll Call is towards the end of this email.

Status Changes:
Richard Sand (Skyworth) lost voting rights.
> [2] Approval of minutes from last meeting on 28 June 2010:
>
> - Approval of June 28th Meeting Minutes
> http://lists.oasis-open.org/archives/id-cloud/201007/msg00013.html (Membership Status Changes)
> http://lists.oasis-open.org/archives/id-cloud/201006/msg00048.html (Corrected minutes from Thomas Hardjono)
>
> - Motion to approve minutes.
>    Motion: Jerry Smith
>    Second: John Dilley.
>    No objections. Motion passes. Minutes approved.
>
>
> [3] Red Hat's Use Cases - Anil Saldhana
> http://lists.oasis-open.org/archives/id-cloud/201005/msg00033.html
>
> 1) Virtualization Security and Application Security:
> - Similar to SafeNet's use-case on virtual privileged accounts.
> - Example: RedHat develops VMs, while Amazon as provider/hoster
>    allows VMs to be loaded/run by their customers.
> - Certain Identities can access the applications hosted
>    on/above the virtual machine layer.
>    + Identities accessing applications may be (are) different
>      from identities managing the VMs.
> - Example: proofing done by Amazon may be considered
>      insufficient by RedHat.
>
> 2) Identity provisioning:
> (2a) Decoupling cloud resources
>       - Targets public clouds and hosted providers.
>       - Example: A document management system created by
>         a given identity must NOT get automatically
>         de-provisioned when the identity (ie. its creator)
>         gets de-provisioned. We must not lose the document
>         management system.
>
>         + John Dilley:
>           o Are the resources contained within an identity?
>           o If so, then they are in danger of being de-provisioned.
>           o Should identities "own" resources?
>           o Perhaps rewording is needed: "reassignment" of
>             identities as an old identity gets de-provisioned.
>
>         + Thomas Hardjono: perhaps similar to "roles" that
>           own resources.
>           o Identities are mapped to roles.
>           o Roles stay, even when identity gets de-provisioned.
>           o Like traditional role-based access control.
>
>         + Anil: decoupling could mean removal of resources
>           contained within an identity.
>
>         + John Dilley: document management system should not
>           be contained within an identity.
>           o Need better explanation of "containment".
>
> (2b) Self-service admin portals:
>       - Portals that manage identities that are used
>         in use-case (1a) with VMs and Applications.
>
>         + John Dilley: Need lifecycle for identity management.
>           o Some identifiers are permanent even after de-provisioning.
>           o e.g. driver's license numbers never get re-assigned to
>             a new person even after a license is decommissioned.
>
>         + Anil: good use-case. Can JohnD please submit use-case?
>
>
> 3) Identity audit
>
> - Anil: what standards exist today for audit?
>    + There is a Cloud Audit group.
>
> - John Dilley: there is research by Peter Druschel on
>    tamper-resistant audit/logs.
>
> - Jerry Smith: need to find references and fill this gap.
>
> - Tony Nadalin: Audit depends on individual use-cases,
>    thus treat per use-case.
>
> - Kurt Roemer: References needed to internal audit practices.
>    + Also need to address Forensics and forensic-logs.
>
>
> 4) Identity Configuration
> - Multiple identity services, needing identity configuration info for cloud infrastructure.
>    + For VMs, Applications, Infra.
>
> - Does anyone know existing work on configuration management?
>    + Perhaps in DMTF, and IETF.
>    + OVF open virtualization format
>      - related but may not fit cloud requirements.
>
> 5) Middleware Container
> - RedHat needs middleware containers that work in
>    public cloud infra.
>    + eg. DB connectors, messaging, etc. etc.
>    + eg. JBoss, WebSphere, etc.
>
> - Applications will be deployed/un-deployed
>    + These run in public cloud infra and may have their
>      own identities.
>    + Need to map identities.
>    + Need to tie use-case #5 with use-case #1.
>
> - Cluster of VMs may run these middleware.
>
> 6) Federated SSO and attribute sharing
> - Identities may come from different cloud infrastructures.
> - May need a single security token format
>    + eg. SAML-based, OpenID, etc.
> - Need Web 2.0 identities to work with Enterprise identities.
> - Federation(?) common in many use-cases.
>
> 7) Identity silos
> - Similar to directories (directory systems)
>    + Directory may be inside an organization or within
>      a cloud (or within/across multiple clouds)
>
> 8) Privacy and governance
> - Subjective topic (privacy).
> - Kurt Roemer: If a public cloud is implemented
>    using shared resources, how to ensure privacy.
> - Jerry Smith: why only in government? Correction, we are
>    talking about "governance".
>
>
> 9) Requirements: listed in Anil's use-case email.
>
> Anil: Tony, how to proceed and extract all these use-cases?
> Tony: Start to reduce to the unique set of scenarios.
>        - Then go back and fill gaps.
>
>
>
> [4] IDTrust Member Section Steering Committee Nomination
> - Now seeking nominations.
> - Anil and John Bradley are current members.
> - What do IDTrust members do:
>    + Governs various security-related TCs.
>    + Steering committee oversees the security TCs.
>    + Organizes Oasis-related events worldwide.
>    + Has monthly calls.
>    + Volunteer for Program Committee for various Oasis events
>      o eg. review submitted speaking-proposals.
>    + Attends F2F meetings in Oasis.
>    + Participates in workshops/panels, etc.
>
> - Gershon Janssen: does the IDTrust have a working plan?
>    + John Bradley: you mean long term strategic plan?
>      o Most activities are tactical.
>      o Once or twice a year send out planned work items.
>      o Originated from old PKI Forum.
>
> [5] Oasis IDCloud Webinar in September
> - TC received some negative comments about webinar. Thus
>    the ballot was created.
> - Please remember to vote.
>
> [6] Call For Action
> - TC needs more use-cases and scenarios.
>
> [7] Other business, questions, issues:
> - Brian Marshall:
>    + where are the existing use-cases?
>      o Anil: posted on TC Wiki (will email URL to mail-list)
>    + have the protocols been decided?
>      o Anil: charter states TC will work on (i) use-cases,
>        then (ii) gap analysis, and then (iii) generate profiles
>        for the use-cases.
>
> [8] Adjourn:
> - Motion to adjourn: Gershon Janssen.
> - Seconded: Jerry Smith
> - No objections. Motion passes. Meeting adjourned.
>
> __________________________________________
> Chatroom dump:
>
> AnilSaldhana_RedHat: hi all . thanks for joining.
> anonymous2 morphed into Dale Moberg (Axway)
> anonymous morphed into Kurt Roemer (Citrix)
> anonymous1 morphed into Brian Marshall
> Brian Marshall morphed into Brian Marshall (Vanguard)
> Siddharth Bajaj: Siddharth Bajaj (VeriSign) is on the call
> anonymous morphed into Dan Perry (Skyworth TTG)
> anonymous morphed into John Dilley (Akamai)
> Gershon Janssen: Hi... I'll be joining later due to another TC call overlapping with this meeting.
> Kelvin Lawrence (IBM): Have to step away for about 5 minutes. BRB
> John Bradley1: Andy Kindred    Acxiom
> John Dilley     Akamai Technologies
> James Ducharme  Aveksa, Inc.
> Kurt Roemer     Citrix Systems, Inc.
> Mark Robinton   HID Global
> Robert Cope     Homeland Security Consultants
> Jason Rouault   HP      Guest
> David Kern      IBM
> Kelvin Lawrence IBM
> John Bradley    Individual
> Thomas Hardjono M.I.T.
> Anthony Nadalin Microsoft Corporation
> Dale Olds       Novell*
> Anil Saldhana   Red Hat
> Bill Becker     SafeNet, Inc.
> Daniel Perry    Skyworth TTG Holdings Limited
> Tom Clifford    Symantec Corp.*
> Darren Platt    Symplified
> Jerry Smith     US Department of Defense (DoD)*
> Brian Marshall  Vanguard Integrity Professionals
> Siddharth Bajaj VeriSign
> Siddharth Bajaj: Stepping away for few mins...
> Gershon Janssen: Gershon Janssen joined
> David Kern (IBM): Stepping away for a few minutes...
> John Bradley1: update Andy Kindred    Acxiom    Group Member
> John Dilley     Akamai Technologies     Group Member
> James Ducharme  Aveksa, Inc.    Group Member
> Kurt Roemer     Citrix Systems, Inc.    Group Member
> Mark Robinton   HID Global      Group Member
> Robert Cope     Homeland Security Consultants   Group Member
> Jason Rouault   HP      Guest
> David Kern      IBM     Group Member
> Kelvin Lawrence IBM     Group Member
> John Bradley    Individual      Group Member
> Gershon Janssen Individual      Group Member
> Thomas Hardjono M.I.T.  Group Member
> Anthony Nadalin Microsoft Corporation   Group Member
> Dale Olds       Novell* Group Member
> Anil Saldhana   Red Hat Group Member
> Bill Becker     SafeNet, Inc.   Group Member
> Daniel Perry    Skyworth TTG Holdings Limited   Group Member
> Tom Clifford    Symantec Corp.* Group Member
> Darren Platt    Symplified      Group Member
> Jerry Smith     US Department of Defense (DoD)* Group Member
> Brian Marshall  Vanguard Integrity Professionals        Group Member
> Siddharth Bajaj VeriSign        Group Member
> AnilSaldhana_RedHat: Were the use cases so good that we had few questions?

