
id-cloud message

Subject: Anil Saldhana - Red Hat Use Cases in Normative Template


Submitter: Anil Saldhana
Company: Red Hat Inc.
Version: 1
Comments:
* Original Submission: 
http://lists.oasis-open.org/archives/id-cloud/201005/msg00033.html
* Refinement and diagrams to follow.



Use Case 1: Virtualization Security and Application Security

** Description/User Story **

Cloud Computing environments have one or more virtual machines/images 
running on a Host Operating System on a server.  Applications run inside 
these virtual machines (Guest Operating systems).  Applications can run 
directly on the host operating system. Identities can be associated with 
each of these virtual machines. Identities can be associated with the 
applications running on that server (including the virtual machines). 
Virtual Machines can be owned by different owners.

We have identities that administer the virtual machines. We have 
identities that use the applications. The Virtual Machine identities may 
not be the same as the application identities. Authentication and 
validation of Identities by the cloud infrastructure may not be 
sufficient for the owners of virtual machines.

** Goal or Desired Outcome **

Since a cloud server can have multiple virtual machines and applications 
run on these guest operating systems, it is important to manage the 
identities that exist in the host operating system, virtual machines as 
well as applications. Additionally, it should be possible for VM owners 
to do their own proofing of identities.


** Categories Covered **

- General Identity Management.
- Account and Attribute Management. (Provisioning)
- Audit and Compliance.

** Applicable Deployment and Service Models **

- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- All Service Models (SaaS, PaaS and IaaS)


** Actors **
- Server Administrator.
- Virtual Machine owner.
- Virtual Machine Administrator.
- Application Deployer.
- Application User.

** Notable Services **

- Virtual Machines.
- Hypervisors.
- Host Operating System.
- Cloud Identity Stores.


** Dependencies **
N/A

** Assumptions **

- Multiple virtual machines run on a single host operating system.
- Not all virtual machines running on a single host operating system are 
owned by a single entity.

** Process Flow **
A Server Administrator (One type of identity) administers a server in 
the cloud. He has privileges to administer the host operating system and 
its services. A Virtual Machine Owner (an identity) or a virtual machine 
administrator (an identity) commissions a virtual machine to run on this 
server. An application deployer (an identity) then deploys an 
application on a virtual machine. An application user (an identity) then 
makes use of this application. The identities are 
authenticated/validated/transformed against an identity store/service 
that exists in the cloud. The cloud identity system can transform a 
federated identity to a local identity if needed.


Use Case 2: Identity Provisioning

** Description/User Story **

Resources exist in the cloud. These resources can be virtual machines 
running on a server, applications running inside a virtual machine or a 
document created/stored on a public cloud. Eventually, the cloud 
identities that own these resources may get decommissioned. If the link 
between the resource and its decommissioned owner is lost, it is 
possible that the particular resource is lost for ever. Ideally, 
facilities via design should exist to transition the resources to new 
owners.

As an example consider the case when an employee creates company 
documents in a public cloud. These are official company documents hosted 
on a public cloud infrastructure. Now when the employee leaves the 
company, his employer should be able to transition the documents to 
another employee.


** Goal or Desired Outcome **

When identities get decommissioned, the resources owned by these 
identities should not be automatically decommissioned. There should be 
facilities and policies available to transition these resources to new 
identities.

** Categories Covered **

- Account and Attribute Management. (Provisioning)
- Audit and Compliance.

** Applicable Deployment and Service Models **

- Cloud Deployment Models (Public, Community and Hybrid)
- Service Models (SaaS)


** Actors **
- Administrator.
- Application User.

** Notable Services **

- Cloud applications.
- Cloud Identity Stores.


** Dependencies **
N/A

** Assumptions **
N/A

** Process Flow **
An Application User or administrator creates multiple cloud resources. 
He owns those resources. Now when he is decommissioned, an administrator 
that manages the application or the server should be able to transition 
the resources to another user.
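The ownership transition in the process flow above, as an added example that is not part of the original submission or of any Red Hat product: a small resource registry whose decommissioning step refuses to orphan resources. The registry class, the successor/manager fallback rule and the sample identities and resources are all assumptions made for the illustration.

```python
# Added example (not from the original message or from Red Hat): a resource
# registry whose decommissioning step transitions ownership instead of
# orphaning resources. All names and sample identities are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    name: str
    active: bool = True
    manager: Optional[str] = None  # default successor if the owner leaves


@dataclass
class Resource:
    resource_id: str
    kind: str   # "vm", "application" or "document" in the use case
    owner: str  # identity that currently owns it


class OrphanedResourceError(Exception):
    """Raised when decommissioning would leave resources without an owner."""


class ResourceRegistry:
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.resources: Dict[str, Resource] = {}
        # audit trail of ownership changes: (event, subject, old, new)
        self.events: List[Tuple[str, str, Optional[str], Optional[str]]] = []

    def add_identity(self, name: str, manager: Optional[str] = None) -> None:
        self.identities[name] = Identity(name, manager=manager)

    def create_resource(self, resource_id: str, kind: str, owner: str) -> None:
        if not self.identities[owner].active:
            raise ValueError(f"{owner} is decommissioned and cannot own resources")
        self.resources[resource_id] = Resource(resource_id, kind, owner)

    def owned_by(self, owner: str) -> List[str]:
        return sorted(r.resource_id for r in self.resources.values() if r.owner == owner)

    def transfer(self, resource_id: str, new_owner: str) -> None:
        target = self.identities.get(new_owner)
        if target is None or not target.active:
            raise ValueError(f"cannot transfer {resource_id} to unknown or inactive identity {new_owner}")
        res = self.resources[resource_id]
        self.events.append(("transfer", resource_id, res.owner, new_owner))
        res.owner = new_owner

    def decommission(self, name: str, successor: Optional[str] = None) -> List[str]:
        """Deactivate an identity after moving everything it owns.

        The successor is given explicitly or falls back to the identity's
        manager. If neither exists and the identity still owns resources,
        refuse rather than silently losing the link between resource and owner.
        """
        ident = self.identities[name]
        successor = successor or ident.manager
        owned = self.owned_by(name)
        if owned:
            if successor is None:
                raise OrphanedResourceError(f"{name} owns {owned} and has no successor")
            for rid in owned:
                self.transfer(rid, successor)
        ident.active = False
        self.events.append(("decommission", name, successor, None))
        return owned


def demo() -> Tuple[ResourceRegistry, List[str]]:
    """Constructed scenario: bob leaves; his documents and VM go to carol."""
    reg = ResourceRegistry()
    reg.add_identity("alice")                    # a manager
    reg.add_identity("bob", manager="alice")
    reg.add_identity("carol", manager="alice")
    reg.create_resource("doc-2010-q2", "document", "bob")
    reg.create_resource("vm-7", "vm", "bob")
    reg.create_resource("vm-9", "vm", "carol")
    moved = reg.decommission("bob", successor="carol")
    return reg, moved
```

The important design choice is that deactivation and ownership transfer are one operation: an identity with no successor cannot be decommissioned while it still owns anything, and every transfer is recorded so the audit trail (use case 3) can show who inherited what.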


Use Case 3: Identity Audit

** Description/User Story **

Users and Administrators of the cloud environment perform security 
sensitive operations. There is a need to audit their actions in a tamper 
proof fashion.


** Goal or Desired Outcome **

For compliance purposes, it is important to audit/log sensitive 
operations performed by users and administrators in the cloud environment.

** Categories Covered **

- General Identity Management.
- Authentication.
- Authorization.
- Audit and Compliance.

** Applicable Deployment and Service Models **

- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- All Service Models (SaaS, PaaS, IaaS)


** Actors **
- Administrator.
- Application User.

** Notable Services **

- Cloud applications.
- Cloud Identity Stores.


** Dependencies **
- Common Logging/Auditing standards.

** Assumptions **
N/A

** Process Flow **
A common auditing standard is used to log all sensitive operations 
happening in the cloud environment.
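The tamper-proof audit trail described in this use case, as an added example that is not part of the original submission: a hash-chained, HMAC-protected log of sensitive operations with a verifier that locates the first edited, deleted or reordered record. The record layout, the collector key and the sample operations are assumptions; the page itself names no logging standard.

```python
# Added example (not from the original message): a tamper-evident audit log
# for sensitive operations. Each record carries the MAC of the previous record
# and is itself MAC'd under a key held by the log collector, so editing,
# deleting or reordering records breaks the chain. Names and sample
# operations are assumptions.
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(record: Dict) -> bytes:
    """Canonical JSON so writer and verifier MAC exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict] = []
        self._prev = GENESIS

    def record(self, ts: int, actor: str, action: str, target: str) -> Dict:
        rec = {
            "seq": len(self.records),
            "ts": ts,
            "actor": actor,
            "action": action,
            "target": target,
            "prev": self._prev,   # links this record to the one before it
        }
        rec["mac"] = hmac.new(self._key, _canonical(rec), hashlib.sha256).hexdigest()
        self.records.append(rec)
        self._prev = rec["mac"]
        return rec


def verify_chain(records: List[Dict], key: bytes) -> Tuple[bool, int]:
    """Return (True, count) if every record verifies, else (False, index of
    the first record that fails: wrong sequence, wrong link or wrong MAC)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, len(records)


def demo() -> Dict[str, Tuple[bool, int]]:
    """Constructed scenario: three sensitive operations, then three tamper attempts."""
    key = b"collector-secret-held-outside-the-tenant"  # assumption: provisioned out of band
    log = AuditLog(key)
    log.record(1275400000, "srv-admin", "hypervisor.start_vm", "vm-7")
    log.record(1275400060, "vm-owner", "vm.add_ssh_key", "vm-7")
    log.record(1275400120, "app-deployer", "app.deploy", "vm-7/payroll")

    edited = copy.deepcopy(log.records)
    edited[1]["actor"] = "someone-else"        # rewrite who did it

    deleted = copy.deepcopy(log.records)
    del deleted[1]                             # drop an inconvenient record

    reordered = copy.deepcopy(log.records)
    reordered[1], reordered[2] = reordered[2], reordered[1]

    return {
        "intact": verify_chain(log.records, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "reordered": verify_chain(reordered, key),
    }
```

Two caveats a practitioner will want: the collector key must not be reachable by the administrators and users whose actions are being audited, otherwise they can rewrite a record and re-MAC the rest of the chain; and because an HMAC verifier needs the same key, third-party (auditor) verifiability calls for periodically signing the chain head with a key the collector holds and the auditor can check.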


Use Case 4: Identity Configuration

** Description/User Story **

Cloud Applications use identities. The cloud infrastructure uses 
identities. If there is a configuration that is an accepted standard, 
then it is easy to migrate the configuration across cloud infrastructures.

** Goal or Desired Outcome **

Portable standards exist for configuration of identities in the 
applications and the infrastructure (virtual machines, servers etc).


** Categories Covered **

- General Identity Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **

- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- All Service Models (SaaS, PaaS, IaaS)


** Actors **
- Administrator.
- Application User.

** Notable Services **

- Cloud Applications.
- Cloud Identity Stores.
- Cloud Metadata Services.


** Dependencies **

** Assumptions **
N/A

** Process Flow **
A standard configuration template is used to load identities into an 
application. Similarly a standard configuration template is used to load 
infrastructure identities.


Use Case 5: Middleware Container in a public cloud infrastructure

** Description/User Story **

Middleware containers are services that are able to host applications on 
a server.  A middleware container such as a Java EE Application Server 
can run on a virtual machine in the cloud. Administrator identities can 
exist to manage these middleware containers. Deployer identities may 
exist to manage the deployment lifecycle of applications running in the 
middleware containers. In a clustered environment, a middleware setup 
may spawn multiple virtual machines across one or more servers.

** Goal or Desired Outcome **

Identities are accounted and administered by the cloud to manage 
middleware containers and their applications.


** Categories Covered **

- General Identity Management.
- Authentication
- Authorization
- Account and Attribute Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **

- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- Service Models (PaaS, IaaS)


** Actors **
- Middleware Administrator.
- Middleware Deployer.
- Application User.

** Notable Services **

- Cloud Applications.
- Cloud Identity Stores.


** Dependencies **

** Assumptions **
N/A

** Process Flow **
A Middleware Administrator creates a middleware container on a virtual 
machine. A Deployer then manages the deployment of applications on this 
middleware container. The Cloud Authentication and Authorization system 
is used to identify the identity.


Use Case 6: Federated SSO and Attribute Sharing

** Description/User Story **
There are multiple applications hosted in the cloud. If you view a cloud 
as a single security domain, then a collection of cloud environments 
encompass multiple security domains. A user in one domain should be 
able to access applications hosted in another cloud or domain as long as 
a trust relationship exists between the two cloud environments.

Additionally, for users coming in from external cloud or domains, it 
should be possible to map attributes to the local environment.

** Goal or Desired Outcome **

Federated Single Sign On (SSO) is achieved with multiple cloud environments.


** Categories Covered **

- General Identity Management.
- Authentication
- Authorization
- Account and Attribute Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **

- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- Service Models (SaaS, PaaS, IaaS)


** Actors **
- Application User.
- Administrator.

** Notable Services **

- Cloud Applications.
- Cloud Identity Stores.
- Cloud Attribute Services.


** Dependencies **

** Assumptions **
N/A

** Process Flow **
A user accesses an application in the cloud. The call comes with a 
federated identity attached. The cloud identity services accept the 
federated identity of the user, do the necessary transformation (and 
back channel operations) to provide a local cloud access to the application.


Use Case 7: Identity silos in the clouds

** Description/User Story **

Identity information can be stored in stores such as a Directory within 
a single cloud computing environment, multiple cloud environments or 
outside the cloud.


** Goal or Desired Outcome **

Identity Attributes can be aggregated based on multiple silos within a 
cloud, a group of clouds or from outside the cloud.


** Categories Covered **

- General Identity Management.
- Authentication
- Authorization
- Account and Attribute Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **

- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- Service Models (SaaS, PaaS, IaaS)


** Actors **
- Directories or Identity Stores.

** Notable Services **

- Cloud Applications.
- Cloud Identity Stores.
- Cloud Attribute Services.


** Dependencies **

** Assumptions **
N/A

** Process Flow **
A user accesses an application in the cloud. The Cloud Identity 
infrastructure has to authenticate, authorize and proof this user based 
on information stored in its directory servers as well as get additional 
attributes from the employer's directory server or any attribute service 
that exists outside the cloud.
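The two process flows for use case 6 (accepting a federated identity and mapping its attributes into the local domain) and use case 7 (aggregating attributes from several identity silos, inside and outside the cloud), as one added example that is not part of the original submission. The trusted-issuer table, the attribute names, the precedence rule between silos and the sample directories are all assumptions; signature validation of the incoming assertion is assumed to have happened before this code runs, and no particular federation protocol is implied.

```python
# Added example (not from the original message): accepting a federated
# identity from a trusted domain, mapping its attributes into the local cloud's
# vocabulary, then aggregating further attributes from several identity silos.
# The issuer list, attribute names and sample stores are all assumptions;
# cryptographic validation of the assertion is assumed to be already done.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Trust relationships: only these external domains are federated (assumed).
TRUSTED_ISSUERS: Dict[str, Dict] = {
    "https://idp.partner.example": {
        "local_realm": "partner",
        "attribute_map": {"mail": "email", "employeeNumber": "employee_id", "memberOf": "groups"},
    }
}


class UntrustedIssuer(Exception):
    pass


@dataclass
class LocalPrincipal:
    local_id: str
    issuer: str
    attributes: Dict[str, object] = field(default_factory=dict)
    provenance: Dict[str, str] = field(default_factory=dict)  # attribute -> source


def accept_federated_identity(assertion: Dict) -> LocalPrincipal:
    """Transform a federated assertion into a local principal (use case 6)."""
    cfg = TRUSTED_ISSUERS.get(assertion["issuer"])
    if cfg is None:
        raise UntrustedIssuer(assertion["issuer"])  # no trust relationship, no access
    principal = LocalPrincipal(
        local_id=f"{assertion['subject']}@{cfg['local_realm']}", issuer=assertion["issuer"]
    )
    for ext_name, value in assertion.get("attributes", {}).items():
        local_name = cfg["attribute_map"].get(ext_name)
        if local_name is None:
            continue  # unmapped attributes are dropped, never passed through by name
        if local_name == "groups":
            # namespace foreign groups so they cannot collide with local ones
            value = [f"{cfg['local_realm']}:{g}" for g in value]
        principal.attributes[local_name] = value
        principal.provenance[local_name] = assertion["issuer"]
    return principal


# An attribute silo: a name, a lookup function and the attributes it is authoritative for.
Silo = Tuple[str, Callable[[str], Optional[Dict[str, object]]], List[str]]


def aggregate_attributes(principal: LocalPrincipal, silos: List[Silo]) -> LocalPrincipal:
    """Merge attributes from several silos (use case 7). A silo overrides an
    attribute it is authoritative for; otherwise it only fills attributes
    that are still missing, so a non-authoritative copy never wins."""
    for name, lookup, authoritative in silos:
        found = lookup(principal.local_id)
        if not found:
            continue
        for attr, value in found.items():
            if attr in authoritative or attr not in principal.attributes:
                principal.attributes[attr] = value
                principal.provenance[attr] = name
    return principal


def demo() -> LocalPrincipal:
    """Constructed scenario: a partner employee reaches a cloud-hosted application."""
    assertion = {
        "issuer": "https://idp.partner.example",
        "subject": "jdoe",
        "attributes": {
            "mail": "jdoe@partner.example",
            "employeeNumber": "E1042",
            "memberOf": ["developers"],
            "homePhone": "+1-555-0100",   # no mapping: must not leak into the local domain
        },
    }
    principal = accept_federated_identity(assertion)

    # Silo 1: the cloud's own directory; authoritative for local roles only.
    cloud_directory = {"jdoe@partner": {"roles": ["app:payroll:viewer"], "email": "stale@cloud.example"}}
    # Silo 2: the employer's directory outside the cloud; authoritative for department only.
    employer_directory = {"jdoe@partner": {"department": "Engineering", "roles": ["domain-admin"]}}

    silos: List[Silo] = [
        ("cloud-directory", cloud_directory.get, ["roles"]),
        ("employer-directory", employer_directory.get, ["department"]),
    ]
    return aggregate_attributes(principal, silos)
```

The provenance map is what makes the aggregated identity auditable: every attribute records which silo supplied it, and the precedence rule prevents an outside directory from granting local roles (the employer's "domain-admin" above does not replace the cloud's own role list).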


Use Case 8: Identity Privacy in a shared cloud environment

** Description/User Story **
Identities operate in the cloud. Many attributes associated with the 
identity may be confidential and need to be protected in a multi-tenant 
environment. There is a need for Privacy controls and Governance 
frameworks in the cloud to protect the privacy of the identity.


** Goal or Desired Outcome **

Controls exist to maintain privacy of identities operating in a cloud if 
desired.


** Categories Covered **

- General Identity Management.
- Account and Attribute Management.
- Audit and Compliance.

** Applicable Deployment and Service Models **

- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- Service Models (SaaS, PaaS, IaaS)


** Actors **
- Identities.
- Privacy control policies.

** Notable Services **

- Cloud Applications.
- Cloud Identity Stores.
- Cloud Attribute Services.


** Dependencies **

** Assumptions **
There exist privacy control policy standards as well as Identity 
Governance Framework standards.

** Process Flow **
A user accesses an application in the cloud. The cloud identity 
services authenticate and proof the user. They determine that this is a 
VVIP whose attributes should be masked from other users in the cloud. 
Appropriate privacy controls are applied such that the attributes of the 
identity are not visible to other users or applications in the cloud.
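The privacy controls in the process flow above, as an added example that is not part of the original submission: an attribute release policy for a multi-tenant cloud that masks a VVIP's non-public attributes from every other user and application. The sensitivity classes, the "vvip" privacy class, the privacy-officer role and the sample identities are assumptions; the page names no governance framework or policy standard, and none is implied here.

```python
# Added example (not from the original message): an attribute release policy
# for a multi-tenant cloud. The sensitivity classes, the "vvip" privacy class
# and the requester roles are assumptions used to illustrate the controls.
from typing import Dict

MASK = "***"

# Sensitivity of each attribute the identity store holds (assumed classification).
# Anything not listed is treated as restricted, so the policy fails closed.
SENSITIVITY: Dict[str, str] = {
    "display_name": "public",
    "email": "internal",
    "phone": "restricted",
    "home_address": "restricted",
    "employee_id": "internal",
}


def release_attributes(subject: Dict, requester: Dict) -> Dict[str, str]:
    """Return the view of `subject` that `requester` is allowed to see.

    Rules, in order:
    - the subject sees all of its own attributes;
    - a privacy officer in the same tenant sees everything;
    - a VVIP subject exposes only public attributes to anyone else;
    - a requester from another tenant sees only public attributes;
    - a same-tenant requester sees public and internal, never restricted.
    """
    attrs = subject["attributes"]
    if requester["id"] == subject["id"]:
        return dict(attrs)
    same_tenant = requester["tenant"] == subject["tenant"]
    if same_tenant and "privacy_officer" in requester.get("roles", []):
        return dict(attrs)
    if subject.get("privacy_class") == "vvip":
        allowed = {"public"}
    elif same_tenant:
        allowed = {"public", "internal"}
    else:
        allowed = {"public"}
    return {
        name: (value if SENSITIVITY.get(name, "restricted") in allowed else MASK)
        for name, value in attrs.items()
    }


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: one ordinary and one VVIP identity in tenant acme."""
    base_attrs = {
        "display_name": "A. User",
        "email": "a.user@acme.example",
        "phone": "+1-555-0100",
        "employee_id": "E1",
        "badge_photo": "<blob>",  # unclassified attribute: handled as restricted
    }
    ordinary = {"id": "u1", "tenant": "acme", "privacy_class": "standard", "attributes": dict(base_attrs)}
    vvip = {"id": "u2", "tenant": "acme", "privacy_class": "vvip", "attributes": dict(base_attrs)}
    colleague = {"id": "u3", "tenant": "acme", "roles": []}
    other_tenant_app = {"id": "app-1", "tenant": "globex", "roles": []}
    officer = {"id": "po-1", "tenant": "acme", "roles": ["privacy_officer"]}
    return {
        "colleague_sees_ordinary": release_attributes(ordinary, colleague),
        "colleague_sees_vvip": release_attributes(vvip, colleague),
        "other_tenant_sees_ordinary": release_attributes(ordinary, other_tenant_app),
        "officer_sees_vvip": release_attributes(vvip, officer),
        "vvip_sees_self": release_attributes(vvip, {"id": "u2", "tenant": "acme", "roles": []}),
    }
```

Masking rather than omitting the attribute keeps the response shape stable for applications while still withholding the value; the masked view is what should be returned to other tenants' applications as well as to other users, since in a shared environment an application is just another requester.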

