Subject: Anil Saldhana - Red Hat Use Cases in Normative Template
Submitter: Anil Saldhana
Company: Red Hat Inc.
Version: 1
Comments:
* Original Submission: http://lists.oasis-open.org/archives/id-cloud/201005/msg00033.html
* Refinement and diagrams to follow.

Use Case 1: Virtualization Security and Application Security

** Description/User Story **
Cloud computing environments have one or more virtual machines/images running on a host operating system on a server. Applications run inside these virtual machines (guest operating systems). Applications can run directly on the host operating system. Identities can be associated with each of these virtual machines. Identities can be associated with the applications running on that server (including the virtual machines). Virtual machines can be owned by different owners. We have identities that administer the virtual machines. We have identities that use the applications. The virtual machine identities may not be the same as the application identities. Authentication and validation of identities by the cloud infrastructure may not be sufficient for the owners of virtual machines.

** Goal or Desired Outcome **
Since a cloud server can have multiple virtual machines and applications run on these guest operating systems, it is important to manage the identities that exist in the host operating system, the virtual machines, as well as the applications. Additionally, it should be possible for VM owners to do their own proofing of identities.

** Categories Covered **
- General Identity Management.
- Account and Attribute Management. (Provisioning)
- Audit and Compliance.

** Applicable Deployment and Service Models **
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- All Service Models (SaaS, PaaS and IaaS)

** Actors **
- Server Administrator.
- Virtual Machine Owner.
- Virtual Machine Administrator.
- Application Deployer.
- Application User.

** Notable Services **
- Virtual Machines.
- Hypervisors.
- Host Operating System.
- Cloud Identity Stores.
** Dependencies **
N/A

** Assumptions **
- Multiple virtual machines run on a single host operating system.
- Not all virtual machines running on a single host operating system are owned by a single entity.

** Process Flow **
A Server Administrator (one type of identity) administers a server in the cloud. He has privileges to administer the host operating system and its services. A Virtual Machine Owner (an identity) or a Virtual Machine Administrator (an identity) commissions a virtual machine to run on this server. An Application Deployer (an identity) then deploys an application on a virtual machine. An Application User (an identity) then makes use of this application. The identities are authenticated/validated/transformed against an identity store/service that exists in the cloud. The cloud identity system can transform a federated identity to a local identity if needed.

Use Case 2: Identity Provisioning

** Description/User Story **
Resources exist in the cloud. These resources can be virtual machines running on a server, applications running inside a virtual machine, or a document created/stored on a public cloud. Eventually, the cloud identities that own these resources may get decommissioned. If the link between the resource and its decommissioned owner is lost, it is possible that the particular resource is lost forever. Ideally, facilities should exist by design to transition the resources to new owners. As an example, consider the case when an employee creates company documents in a public cloud. These are official company documents hosted on a public cloud infrastructure. Now when the employee leaves the company, his employer should be able to transition the documents to another employee.

** Goal or Desired Outcome **
When identities get decommissioned, the resources owned by these identities should not be automatically decommissioned. There should be facilities and policies available to transition these resources to new identities.
** Categories Covered **
- Account and Attribute Management. (Provisioning)
- Audit and Compliance.

** Applicable Deployment and Service Models **
- Cloud Deployment Models (Public, Community and Hybrid)
- Service Models (SaaS)

** Actors **
- Administrator.
- Application User.

** Notable Services **
- Cloud Applications.
- Cloud Identity Stores.

** Dependencies **
N/A

** Assumptions **
N/A

** Process Flow **
An Application User or Administrator creates multiple cloud resources. He owns those resources. Now when he is decommissioned, an administrator that manages the application or the server should be able to transition the resources to another user.

Use Case 3: Identity Audit

** Description/User Story **
Users and administrators of the cloud environment perform security-sensitive operations. There is a need to audit their actions in a tamper-proof fashion.

** Goal or Desired Outcome **
For compliance purposes, it is important to audit/log sensitive operations performed by users and administrators in the cloud environment.

** Categories Covered **
- General Identity Management.
- Authentication.
- Authorization.
- Audit and Compliance.

** Applicable Deployment and Service Models **
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- All Service Models (SaaS, PaaS, IaaS)

** Actors **
- Administrator.
- Application User.

** Notable Services **
- Cloud Applications.
- Cloud Identity Stores.

** Dependencies **
- Common Logging/Auditing standards.

** Assumptions **
N/A

** Process Flow **
A common auditing standard is used to log all sensitive operations happening in the cloud environment.

Use Case 4: Identity Configuration

** Description/User Story **
Cloud applications use identities. The cloud infrastructure uses identities. If there is a configuration that is an accepted standard, then it is easy to migrate the configuration across cloud infrastructures.
** Goal or Desired Outcome **
Portable standards exist for configuration of identities in the applications and the infrastructure (virtual machines, servers, etc.).

** Categories Covered **
- General Identity Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- All Service Models (SaaS, PaaS, IaaS)

** Actors **
- Administrator.
- Application User.

** Notable Services **
- Cloud Applications.
- Cloud Identity Stores.
- Cloud Metadata Services.

** Dependencies **

** Assumptions **
N/A

** Process Flow **
A standard configuration template is used to load identities into an application. Similarly, a standard configuration template is used to load infrastructure identities.

Use Case 5: Middleware Container in a Public Cloud Infrastructure

** Description/User Story **
Middleware containers are services that are able to host applications on a server. A middleware container such as a Java EE application server can run on a virtual machine in the cloud. Administrator identities can exist to manage these middleware containers. Deployer identities may exist to manage the deployment lifecycle of applications running in the middleware containers. In a clustered environment, a middleware setup may spawn multiple virtual machines across one or more servers.

** Goal or Desired Outcome **
Identities are accounted for and administered by the cloud to manage middleware containers and their applications.

** Categories Covered **
- General Identity Management.
- Authentication.
- Authorization.
- Account and Attribute Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- Service Models (PaaS, IaaS)

** Actors **
- Middleware Administrator.
- Middleware Deployer.
- Application User.

** Notable Services **
- Cloud Applications.
- Cloud Identity Stores.
** Dependencies **

** Assumptions **
N/A

** Process Flow **
A Middleware Administrator creates a middleware container on a virtual machine. A Deployer then manages the deployment of applications on this middleware container. The cloud authentication and authorization system is used to identify the identity.

Use Case 6: Federated SSO and Attribute Sharing

** Description/User Story **
There are multiple applications hosted in the cloud. If you view a cloud as a single security domain, then a collection of cloud environments encompasses multiple security domains. A user in one domain should be able to access applications hosted in another cloud or domain as long as a trust relationship exists between the two cloud environments. Additionally, for users coming in from external clouds or domains, it should be possible to map attributes to the local environment.

** Goal or Desired Outcome **
Federated Single Sign-On (SSO) is achieved with multiple cloud environments.

** Categories Covered **
- General Identity Management.
- Authentication.
- Authorization.
- Account and Attribute Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- Service Models (SaaS, PaaS, IaaS)

** Actors **
- Application User.
- Administrator.

** Notable Services **
- Cloud Applications.
- Cloud Identity Stores.
- Cloud Attribute Services.

** Dependencies **

** Assumptions **
N/A

** Process Flow **
A user accesses an application in the cloud. The call comes with a federated identity attached. The cloud identity services accept the federated identity of the user and do the necessary transformation (and back-channel operations) to provide local cloud access to the application.

Use Case 7: Identity Silos in the Clouds

** Description/User Story **
Identity information can be stored in stores such as a directory within a single cloud computing environment, multiple cloud environments, or outside the cloud.
** Goal or Desired Outcome **
Identity attributes can be aggregated based on multiple silos within a cloud, a group of clouds, or from outside the cloud.

** Categories Covered **
- General Identity Management.
- Authentication.
- Authorization.
- Account and Attribute Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- Service Models (SaaS, PaaS, IaaS)

** Actors **
- Directories or Identity Stores.

** Notable Services **
- Cloud Applications.
- Cloud Identity Stores.
- Cloud Attribute Services.

** Dependencies **

** Assumptions **
N/A

** Process Flow **
A user accesses an application in the cloud. The cloud identity infrastructure has to authenticate, authorize and proof this user based on information stored in its directory servers, as well as get additional attributes from the employer's directory server or any attribute service that exists outside the cloud.

Use Case 8: Identity Privacy in a Shared Cloud Environment

** Description/User Story **
Identities operate in the cloud. Many attributes associated with the identity may be confidential and need to be protected in a multi-tenant environment. There is a need for privacy controls and governance frameworks in the cloud to protect the privacy of the identity.

** Goal or Desired Outcome **
Controls exist to maintain the privacy of identities operating in a cloud if desired.

** Categories Covered **
- General Identity Management.
- Account and Attribute Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- Service Models (SaaS, PaaS, IaaS)

** Actors **
- Identities.
- Privacy control policies.

** Notable Services **
- Cloud Applications.
- Cloud Identity Stores.
- Cloud Attribute Services.
** Dependencies **

** Assumptions **
There exist privacy control policy standards as well as Identity Governance Framework standards.

** Process Flow **
A user accesses an application in the cloud. The cloud identity services authenticate and proof the user. They determine that this is a VVIP whose attributes should be masked from other users in the cloud. Appropriate privacy controls are applied such that the attributes of the identity are not visible to other users or applications in the cloud.
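The following is an added illustration, not part of the submission above or of any OASIS work product, of the two mechanisms the use cases ask for but do not specify: Use Case 2 (resources must outlive a decommissioned owner and be transitioned to a successor rather than orphaned) and Use Case 3 (sensitive operations recorded in a tamper-proof fashion). The class names, the "admin"/"alice"/"bob" identities and the sample resources are all hypothetical. The audit trail is a SHA-256 hash chain, one common way to make a log tamper-evident: each entry commits to the hash of the entry before it, so editing or deleting any earlier entry invalidates everything after it.

```python
"""Added example (not from the original submission): a toy model of resource
ownership transfer on decommissioning (Use Case 2) and a hash-chained,
tamper-evident audit log (Use Case 3). All names are hypothetical."""
from __future__ import annotations
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first entry


def entry_hash(entry: dict) -> str:
    """Hash every field except the stored hash itself, in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    enc = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(enc).hexdigest()


class AuditLog:
    """Append-only list of entries; each entry commits to its predecessor's hash."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, **details) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "details": details, "prev": prev}
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is unmodified and links to the one before it."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class DecommissionError(Exception):
    pass


class ResourceRegistry:
    """Tracks which identity owns each resource. An owner that still holds
    resources cannot be decommissioned without an active successor, so no
    resource is ever orphaned; every step is written to the audit log."""

    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self.owner_of: dict[str, str] = {}
        self.active: set[str] = set()

    def provision_identity(self, admin: str, identity: str) -> None:
        self.active.add(identity)
        self.audit.record(admin, "identity.provision", identity=identity)

    def create_resource(self, owner: str, resource: str) -> None:
        if owner not in self.active:
            raise PermissionError(f"{owner} is not an active identity")
        self.owner_of[resource] = owner
        self.audit.record(owner, "resource.create", resource=resource)

    def resources_owned_by(self, identity: str) -> list[str]:
        return sorted(r for r, o in self.owner_of.items() if o == identity)

    def decommission(self, admin: str, identity: str,
                     successor: str | None = None) -> None:
        owned = self.resources_owned_by(identity)
        if owned and successor not in self.active:
            raise DecommissionError(f"{identity} still owns {owned}; name an active successor")
        for r in owned:
            self.owner_of[r] = successor
            self.audit.record(admin, "resource.transfer", resource=r,
                              from_owner=identity, to_owner=successor)
        self.active.discard(identity)
        self.audit.record(admin, "identity.decommission", identity=identity)


def demo() -> dict:
    """Constructed scenario: alice creates two resources and leaves; they pass to
    bob. Then a past transfer entry is edited and chain verification fails."""
    log = AuditLog()
    reg = ResourceRegistry(log)
    reg.provision_identity("admin", "alice")
    reg.provision_identity("admin", "bob")
    reg.create_resource("alice", "doc:q2-roadmap")
    reg.create_resource("alice", "vm:build-01")
    try:
        reg.decommission("admin", "alice")  # no successor named: must be refused
        orphan_refused = False
    except DecommissionError:
        orphan_refused = True
    reg.decommission("admin", "alice", successor="bob")
    intact_before = log.verify()
    log.entries[4]["details"]["to_owner"] = "mallory"  # rewrite history
    return {"orphan_refused": orphan_refused,
            "bob_owns": reg.resources_owned_by("bob"),
            "alice_active": "alice" in reg.active,
            "intact_before_tamper": intact_before,
            "intact_after_tamper": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash chain only detects tampering by someone who cannot also recompute every later hash; in practice the chain head (or periodic checkpoints) is pushed to a separate write-once store or signed by a key the log writer does not hold, which is what makes the trail tamper-proof rather than merely tamper-evident.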