Re: [id-cloud] Minutes of 1 day F2F held on 29 September 2010

[Anil Saldhana <Anil.Saldhana@redhat.com>]

  On 10/16/2010 11:16 PM, Anil Saldhana wrote:
>  Acknowledgement: Thanks to Steve Coplan for scribing the minutes. :)
>
>
> Minutes of 29 September 2010 Oasis IDCloud TC Meeting held at 
> Washington DC.
>
> ** 1. Roll Call and Agenda Review **
>
> Attendees:
>
> Kurt Roemer Citrix Systems, Inc.
> David Turner, Microsoft Corp.
> Robert Cope Homeland Security Consultants
> Matthew Rutkowski IBM
> Gershon Janssen Individual
> Thomas Hardjono M.I.T.
> Anthony Nadalin Microsoft Corporation
> Colin Wallis New Zealand Government
> Patrick Harding Ping Identity Corporation
> Tomas Gustavsson PrimeKey Solutions AB
> Anil Saldhana Red Hat
> Doron Cohen SafeNet, Inc.
> Darran Rolls SailPoint Technologies
> Darren Platt Symplified
> Stephen Coplan The 451 Group
> John Tolbert The Boeing Company
> Brian Marshall Vanguard Integrity Professionals
> Siddharth Bajaj VeriSign
> Daniel Turissini WidePoint Corporation
> Abbie Barbir Individual
>
> Quorum: 12 out of 23 voting members (52%) Achieved.
>
Status Changes:
Bill Becker (SafeNet) loses voting rights.
Doron Cohen (SafeNet), Kurt Roemer( Citrix) gain voting rights.

> * Steve Coplan agrees to be the minute taker for a few hours.
>
>
> **2. Meeting Minutes Approval.**
> Deferred.
>
>
> ** 3. Discussion of Definitions/Terminology/Glossary **
>
> Saldhana: Several options exist to integrate definitions into the TC's 
> output:
> Definitions as a separate document
> Hyperlinks within glossary
> Noted definitions baked into the TC charter, and TC output is intended 
> to serve as a reference document
>
> Should definitions be internally defined, or can the TC leverage 
> existing work?
> Possibility exists to adopt definitions that overlap with existing 
> OASIS definitions – SAML, WS-Trust, ITU-T.
> Option to adopt NIST definitions. NIST introduces political 
> sensitivities, since it can be perceived as US-centric and focused on 
> concerns of US federal agencies. However, since OASIS seen as a 
> neutral organization, folding NIST definitions into TC output could 
> reinforce the neutrality.
>
> Consensus on iterative approach driven by use case profiles work
> definitions emerge from use cases and follow a normalization process
> when definitions reach a critical point, they can be consolidated into 
> a separate document
>
>
>
> ** 4. Use Cases Document Template discussion **
>
> Saldhana: should we revisit categorizations, or is the current set and 
> format appropriate?
> Harding: Create a matrix for use cases based on categorizations, would 
> help to determine where use cases span more than a single category and 
> identify categories where no use cases exist
> Harding: Federation is a “catch all” term for a building block or 
> enabling technology for other categories
> Roemer: Could we list the technologies that support the use case? 
> Would serve the purpose of addressing problem space and provide guidance
> Saldhana: Should we expand category definitions to make them less 
> technology-specific?
> Coplan: There should be consistency in the category characteristics
> Rolls: We should look to traditional identity management categories, 
> and add account and attribute management:
> 1.Authentication
> 2.Authorization
> 3.Audit
> 4.Administration
> 5.Account and Attribute Management
>
> Constructing a matrix around these categories, with additional 
> technologies subsumed, would make the deployment models more 
> comprehensible
>
> Rutkowski: Consensus reached on categories, with 'Account Types' 
> category held in abeyance until later date.
>
> Harding: Should security tokens be subsumed under authentication, 
> authorization or SSO?
> Saldanha: Leave a topic as standalone if it falls under multiple 
> categories
>
> Harding: Three-dimensional matrix with initial use case, technology 
> components deployment options
> Private
> Public
> Community
> Hybrid
> and
> service models - SaaS, Paas and IaaS
>
> Rolls: Does that imply that we are working on a reference framework on 
> top of existing standard discussions – is that an issue of scope?
>
> Saldhana: Not a question of extending or replicating work done in 
> other TCs. Intended to supplement standards work by undertaking the 
> process of gap analysis of existing standard scopes and generating use 
> case profiles to illustrate how standards can be effectively implemented.
>
> Rutkowski: Current use case format seems too rigid. Do we want a 
> narrative model with a clear outcome or more of a structured format?
>
> Saldhana: Intention is provide a template that can support a number of 
> use cases, but the intention is to generate the framework out of the 
> exercise of evaluating several examples, that allows for granularity 
> and defines the outcome. First example is Safenet's administrator 
> authentication to SaaS app.
>
> Rolls: Could we add an 'actors' section to the use case – that would 
> help call out who the use case applies to.
>
> Rutkowski: What is the user story?
>
> Cohen: The user story is that an admin of a SaaS instance is required 
> to perform administrative duties. The requirement is that the user is 
> authenticated and the necessary identity assurance is performed. The 
> technology requirement is that the admin use strong authentication
>
> Coplan: Is strong authentication the appropriate term? How do we avoid 
> making a direct product reference. Is it better to phrase it the 
> technical requirement as the admin must authenticate with the 
> appropriate strength based on a risk model?
>
> Tolbert: Could we expand on this use case to be broader as 'SaaS' 
> Privileged Account Access, so that we separate out the workflow to 
> create a privileged account within a SaaS instance and the 
> requirements for user to authenticate with a set of credentials?
>
> Saldhana: Use cases are not intended to be exhaustive – they should 
> represent an angle or an aspect of identity in the cloud. We should 
> have a separate use for admin authentication.
>
> Saldhana: Can we discuss a generic user authentication to SaaS use 
> case that would serve as a exercise in defining the template?
>
> Coplan: User story is that a user wants to access a third-party 
> resource, and the organization's risk management practices require 
> that their identity be validated based on an internal identity profile.
>
> Rutkowski: Do we want to use the term resource. Isn't that user story 
> too technical and non-specific?
>
> Roemer: We do want some generic description, with some degree of 
> technical depth, so the description has broad applicability.
>
> Harding: We should also define dependencies and assumptions about the 
> use case – context, environment, business process etc
>
>
>
> ** 5. Review of Use Cases **
> - Boeing Use Cases
> - Homeland Security Consultants Use Cases
> - Citrix Use Cases
> - Primekey Use Cases
>
>
> Boeing use case :-
>
> Tolbert: TSCP – defense contractors doc sharing conventions – requires 
> strong auth, reference to NIST specs,
> Tolbert: Integration of documents between collaboration platforms 
> establishes need for SSO, authentication, token exchange, level of 
> assurance
>
> Saldhana: Establish a deadline for use case submission – 20 days (oct 20)
>
> Wallis: NZ Govt use case – account linking service – service delivery 
> contingent on identity attributes – aggregation
>
>
> HSC Use Cases :-
> Bob Cope: Use case: Distributed HR repositories within an agency, and 
> central data collection systems. Need for central point of account 
> provisioning, and anchor account used to create local accounts. 
> Issues: no coordination of user data, directory synchronization 
> complex and just in time provisioning not in place.
> Issue of attribute sources – three identity providers accessing a 
> resource shared with between three organizations.
> Summary: Provisioning. Attribute /Account Management. Synchronization 
> and JIT Provisioning.
>
> PrimeKey Use Cases :-
> Tomas described his use cases in reasonable detail primarily the Cloud 
> Signature Services which require strong authentication.
>
> ** 6. Voting on Use Case Template. **
> Approved without objection.
>
>
> ** 7. Example Use Case converted into the template **
> We chose SafeNet's use cases and Doron Cohen was gracious in helping 
> the conversion of his use cases into the normative template.
>
>
> ** 8. Further Discussion of Use Cases **
> Citrix Use Cases :-
> Kurt Roemer – Logging/Audit Use Case review: how do we generate event 
> logs and and audits when users are consuming third-party applications?
> Rolls: Is it better to think of this as governance? Audit is the 
> business level requirement and logging is the technical requirement. 
> Do we want to maintain a standalone category for audit?
> Saldhana: Keep as a separate section
>
> Roemer: Do we want to consider non-repudiation as being within the 
> scope of audit?
> Saldhana: avoided for the moment given legal considerations (based on 
> discussion in the room)
>
> Rolls: Logging in the cloud – within scope our outside of scope?
> Saldhana: This should be part of our gap analysis – bearing in mind 
> that there is a CloudAudit WG on a cloud logging standard.
> There was a mention of "cascaded decommissioning", an important problem.
>
>
> Darren Platt: In order to make this a useful doc, like the idea of 
> having a top-down way to organize the use cases. This will help 
> organizations identify distinctions between privileged account access 
> vs user access in SaaS fairly easy.
> Resolution: add an attribute to the use case template which says to 
> which of IaaS, Saas etc is this particular use case applicable.
>
>
> ** 9. Adjournment **
>
> Open Questions/Take-aways:-
> 1) We need a longer f2f when we are ready to normalize the use cases. 
> Preferably at a member location with good wifi/internet connectivity.
> 2) Provisioning/JIT account management is an open question that needs 
> to be addressed.