[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [id-cloud] Minutes of 1 day F2F held on 29 September 2010
On 10/16/2010 11:16 PM, Anil Saldhana wrote: > Acknowledgement: Thanks to Steve Coplan for scribing the minutes. :) > > > Minutes of 29 September 2010 Oasis IDCloud TC Meeting held at > Washington DC. > > ** 1. Roll Call and Agenda Review ** > > Attendees: > > Kurt Roemer Citrix Systems, Inc. > David Turner, Microsoft Corp. > Robert Cope Homeland Security Consultants > Matthew Rutkowski IBM > Gershon Janssen Individual > Thomas Hardjono M.I.T. > Anthony Nadalin Microsoft Corporation > Colin Wallis New Zealand Government > Patrick Harding Ping Identity Corporation > Tomas Gustavsson PrimeKey Solutions AB > Anil Saldhana Red Hat > Doron Cohen SafeNet, Inc. > Darran Rolls SailPoint Technologies > Darren Platt Symplified > Stephen Coplan The 451 Group > John Tolbert The Boeing Company > Brian Marshall Vanguard Integrity Professionals > Siddharth Bajaj VeriSign > Daniel Turissini WidePoint Corporation > Abbie Barbir Individual > > Quorum: 12 out of 23 voting members (52%) Achieved. > Status Changes: Bill Becker (SafeNet) loses voting rights. Doron Cohen (SafeNet), Kurt Roemer( Citrix) gain voting rights. > * Steve Coplan agrees to be the minute taker for a few hours. > > > **2. Meeting Minutes Approval.** > Deferred. > > > ** 3. Discussion of Definitions/Terminology/Glossary ** > > Saldhana: Several options exist to integrate definitions into the TC's > output: > Definitions as a separate document > Hyperlinks within glossary > Noted definitions baked into the TC charter, and TC output is intended > to serve as a reference document > > Should definitions be internally defined, or can the TC leverage > existing work? > Possibility exists to adopt definitions that overlap with existing > OASIS definitions – SAML, WS-Trust, ITU-T. > Option to adopt NIST definitions. NIST introduces political > sensitivities, since it can be perceived as US-centric and focused on > concerns of US federal agencies. However, since OASIS seen as a > neutral organization, folding NIST definitions into TC output could > reinforce the neutrality. > > Consensus on iterative approach driven by use case profiles work > definitions emerge from use cases and follow a normalization process > when definitions reach a critical point, they can be consolidated into > a separate document > > > > ** 4. Use Cases Document Template discussion ** > > Saldhana: should we revisit categorizations, or is the current set and > format appropriate? > Harding: Create a matrix for use cases based on categorizations, would > help to determine where use cases span more than a single category and > identify categories where no use cases exist > Harding: Federation is a “catch all” term for a building block or > enabling technology for other categories > Roemer: Could we list the technologies that support the use case? > Would serve the purpose of addressing problem space and provide guidance > Saldhana: Should we expand category definitions to make them less > technology-specific? > Coplan: There should be consistency in the category characteristics > Rolls: We should look to traditional identity management categories, > and add account and attribute management: > 1.Authentication > 2.Authorization > 3.Audit > 4.Administration > 5.Account and Attribute Management > > Constructing a matrix around these categories, with additional > technologies subsumed, would make the deployment models more > comprehensible > > Rutkowski: Consensus reached on categories, with 'Account Types' > category held in abeyance until later date. > > Harding: Should security tokens be subsumed under authentication, > authorization or SSO? > Saldanha: Leave a topic as standalone if it falls under multiple > categories > > Harding: Three-dimensional matrix with initial use case, technology > components deployment options > Private > Public > Community > Hybrid > and > service models - SaaS, Paas and IaaS > > Rolls: Does that imply that we are working on a reference framework on > top of existing standard discussions – is that an issue of scope? > > Saldhana: Not a question of extending or replicating work done in > other TCs. Intended to supplement standards work by undertaking the > process of gap analysis of existing standard scopes and generating use > case profiles to illustrate how standards can be effectively implemented. > > Rutkowski: Current use case format seems too rigid. Do we want a > narrative model with a clear outcome or more of a structured format? > > Saldhana: Intention is provide a template that can support a number of > use cases, but the intention is to generate the framework out of the > exercise of evaluating several examples, that allows for granularity > and defines the outcome. First example is Safenet's administrator > authentication to SaaS app. > > Rolls: Could we add an 'actors' section to the use case – that would > help call out who the use case applies to. > > Rutkowski: What is the user story? > > Cohen: The user story is that an admin of a SaaS instance is required > to perform administrative duties. The requirement is that the user is > authenticated and the necessary identity assurance is performed. The > technology requirement is that the admin use strong authentication > > Coplan: Is strong authentication the appropriate term? How do we avoid > making a direct product reference. Is it better to phrase it the > technical requirement as the admin must authenticate with the > appropriate strength based on a risk model? > > Tolbert: Could we expand on this use case to be broader as 'SaaS' > Privileged Account Access, so that we separate out the workflow to > create a privileged account within a SaaS instance and the > requirements for user to authenticate with a set of credentials? > > Saldhana: Use cases are not intended to be exhaustive – they should > represent an angle or an aspect of identity in the cloud. We should > have a separate use for admin authentication. > > Saldhana: Can we discuss a generic user authentication to SaaS use > case that would serve as a exercise in defining the template? > > Coplan: User story is that a user wants to access a third-party > resource, and the organization's risk management practices require > that their identity be validated based on an internal identity profile. > > Rutkowski: Do we want to use the term resource. Isn't that user story > too technical and non-specific? > > Roemer: We do want some generic description, with some degree of > technical depth, so the description has broad applicability. > > Harding: We should also define dependencies and assumptions about the > use case – context, environment, business process etc > > > > ** 5. Review of Use Cases ** > - Boeing Use Cases > - Homeland Security Consultants Use Cases > - Citrix Use Cases > - Primekey Use Cases > > > Boeing use case :- > > Tolbert: TSCP – defense contractors doc sharing conventions – requires > strong auth, reference to NIST specs, > Tolbert: Integration of documents between collaboration platforms > establishes need for SSO, authentication, token exchange, level of > assurance > > Saldhana: Establish a deadline for use case submission – 20 days (oct 20) > > Wallis: NZ Govt use case – account linking service – service delivery > contingent on identity attributes – aggregation > > > HSC Use Cases :- > Bob Cope: Use case: Distributed HR repositories within an agency, and > central data collection systems. Need for central point of account > provisioning, and anchor account used to create local accounts. > Issues: no coordination of user data, directory synchronization > complex and just in time provisioning not in place. > Issue of attribute sources – three identity providers accessing a > resource shared with between three organizations. > Summary: Provisioning. Attribute /Account Management. Synchronization > and JIT Provisioning. > > PrimeKey Use Cases :- > Tomas described his use cases in reasonable detail primarily the Cloud > Signature Services which require strong authentication. > > ** 6. Voting on Use Case Template. ** > Approved without objection. > > > ** 7. Example Use Case converted into the template ** > We chose SafeNet's use cases and Doron Cohen was gracious in helping > the conversion of his use cases into the normative template. > > > ** 8. Further Discussion of Use Cases ** > Citrix Use Cases :- > Kurt Roemer – Logging/Audit Use Case review: how do we generate event > logs and and audits when users are consuming third-party applications? > Rolls: Is it better to think of this as governance? Audit is the > business level requirement and logging is the technical requirement. > Do we want to maintain a standalone category for audit? > Saldhana: Keep as a separate section > > Roemer: Do we want to consider non-repudiation as being within the > scope of audit? > Saldhana: avoided for the moment given legal considerations (based on > discussion in the room) > > Rolls: Logging in the cloud – within scope our outside of scope? > Saldhana: This should be part of our gap analysis – bearing in mind > that there is a CloudAudit WG on a cloud logging standard. > There was a mention of "cascaded decommissioning", an important problem. > > > Darren Platt: In order to make this a useful doc, like the idea of > having a top-down way to organize the use cases. This will help > organizations identify distinctions between privileged account access > vs user access in SaaS fairly easy. > Resolution: add an attribute to the use case template which says to > which of IaaS, Saas etc is this particular use case applicable. > > > ** 9. Adjournment ** > > Open Questions/Take-aways:- > 1) We need a longer f2f when we are ready to normalize the use cases. > Preferably at a member location with good wifi/internet connectivity. > 2) Provisioning/JIT account management is an open question that needs > to be addressed.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]