
id-cloud message



Subject: [id-cloud] Doron Cohen (SafeNet) - updated submission with use case template


Submitter: Doron Cohen
Affiliation: SafeNet Inc
Version: 1.1

Comments:
* Original Submission:  http://lists.oasis-open.org/archives/id-cloud/201006/msg00032.html







Use Case 1: Cloud Tenant Administration of an application 



*** Description/User Story
 
This use case demonstrates Cloud Tenant Administration of an application in the cloud. The application is multi-tenant and may be either a SaaS application deployed in a public cloud or a multi-tenant application in other deployment models.

A business owner of an application in a cloud authenticates to the cloud application provider and is granted privileged administrative access to only its own tenant application. Such privileges are elevated compared to those of standard users; thus the use of those privileges, and the access of the cloud tenant administrator to the service, need to be controlled and audited. Once authenticated, the administrator is able to perform administrative operations such as configuration of security policies and identities for other users (roles) at their company. The cloud provider that hosts the application must account for the privileged user's access (identity) and any administrative actions they take on that particular application for security auditing purposes.

***  Goal or Desired Outcome 
   
 The user is authenticated in a strong fashion to the public cloud and obtains elevated privileges to administer an application.

***  Categories Covered 

- Authentication - be able to authenticate using the appropriate levels of assurance, authentication schemes, and multi factor authentication.
- Authorization - fine grain administrative controls with approval workflow schemes
- Audit and compliance - Privileged accounts auditing and attestation 

***  Applicable Deployment and Service Models 

- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- SaaS and PaaS

***  Actors 
- Cloud Tenant Administrator
- Cloud Resource / SaaS Administrator (setting up of Tenant Administrator)

*** Systems 
- Cloud Application Administration System
- Cloud Identity Store
- Cloud Authorization/Policy Store
- Cloud Auditing store  
 
*** Notable Services 
- Cloud Application Authentication Validation Service
- Cloud Application Access Control System Service
- Cloud Application Auditing Service
- Cloud Application Administration Service 

*** Dependencies 

- Prior to authentication, the Cloud Application Administrator has set up the cloud tenant account and associated policies and provided the authentication credentials to the application business owner out of band.

*** Assumptions 
- The Business Owner's identity is known and proofed; the use case does not cover the identity proofing process, which happens out of band to the use case.

*** Process Flow 
- TBD





Use Case 2: Enterprise to Cloud Single Sign-On 


*** Description/User Story 

This use case demonstrates how a user logs into their enterprise security services and, once authenticated, is able to access cloud resources without the need to re-authenticate to the cloud provider. The use case allows users to extend their enterprise identity and apply it to consuming cloud application services in a seamless manner. With enterprises expanding their application deployments using private and public clouds, the identity management and authentication of users to the services should be decoupled from the cloud service, in a similar fashion to the decoupling of identity from application in the enterprise. Users expect and need to have their enterprise identity extend to the cloud and be used to obtain different services from different providers, rather than logging in to each service individually.
By accessing services via a federated enterprise identity, not only is the SSO user experience gained, but also enterprise compliance and control of user access, ensuring only valid identities may access cloud services.

*** Goal or Desired Outcome 

A user is able to access resources within their enterprise environment or within a cloud deployment using a single identity. Once authenticated, the user's access to the application is authorized and audited by the cloud application.

*** Categories Covered 

- General Identity Management.
- Authentication SSO
- FIM 

***  Applicable Deployment and Service Models 
- All Cloud Deployment Models (Private, Public, Community and Hybrid)
- All Cloud Service Models (SaaS, PaaS, IaaS)

***  Actors 
- Cloud Tenant Administrator
- Enterprise User 
- Enterprise Identity Administrator 

***  Systems 
- Cloud Application Administration System
- Cloud Identity Store
- Cloud Authorization/Policy Store
- Cloud Auditing store  
 
***  Notable Services 
- Cloud Application Federation Service
- Cloud Application Identity Mapping / Linking Service
- Cloud Application Authorization Service
- Cloud Application Auditing Service
- Cloud Application Administration Service 

***  Dependencies 
- Prior to authentication, the tenant Application Administrator has set up the Enterprise user account in the cloud application out of band, or just-in-time provisioning takes care of that
- The federated trust relationship between the cloud application and the enterprise identity provider was previously set up by the Cloud Tenant Administrator
   
*** Assumptions 
- The Business Owner's identity is known and proofed; the use case does not cover the identity proofing process, which happens out of band to the use case.

*** Process Flow 
- TBD




Use Case 3: Cloud Identity SSO - Authentication as a Service 

***  Description/User Story 

With the broadening of services offered in the cloud, the identity management and authentication of users to the services is under pressure to be decoupled from the cloud services themselves. From a user perspective, users subscribing to an array of cloud services expect and need to have an interoperable identity that would be used to obtain different services from different providers.
   
From a cloud provider perspective, being able to interoperate with identities the user already has helps to attract new customers and would simplify the identity management overhead of the service provider. A cloud-centric authentication service, using federated identity standards such as SAML and WS-Federation, is a key component of a streamlined user experience and of obtaining trust in the cloud.

*** Goal or Desired Outcome 

A user is able to access multiple SaaS applications using a single identity. Once authenticated using the Identity Provider, the user's access to different SaaS provider applications does not require the user to re-authenticate to each application individually.

*** Categories Covered 
- General Identity Management.
- Authentication SSO
- FIM 

*** Applicable Deployment and Service Models 
- Cloud Deployment Models  - Public, Community
- Cloud Service Models - SaaS

*** Actors 
- SaaS Application User 
- SaaS provider Administrator 

*** Systems 
- SaaS Applications
- Identity Provider 

*** Notable Services 
- SaaS Federation Service
- SaaS Application Identity Mapping / Linking Service

*** Dependencies 
- The federated trust relationship between the SaaS application and the identity provider was previously set up by the Cloud Tenant Administrator
- The user accessing the service is already registered and enrolled with the Identity Provider of choice 

*** Assumptions 
- User enrollment in a SaaS application is out of scope for the use case. The user enrollment process can be done using a registration process out of band, or using just-in-time provisioning

*** Process Flow 
- TBD
  





Use Case 4: Transaction Validation & Signing in the Cloud  

<<< This use case is a duplicate of the signature services use case by PrimeKey; I have therefore not re-formatted it, as it is discussed already separately >>>



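The federated SSO exchange that use cases 2 and 3 describe (one authentication at the identity provider, then a per-application assertion, identity mapping/linking, just-in-time provisioning and auditing at each service provider), as an added example that is not part of Doron Cohen's submission. It is a constructed Python model: a compact HMAC-signed JSON token stands in for a SAML or WS-Federation assertion, the shared key registered per service provider stands in for the trust relationship the tenant administrator set up, and the user directory, host names, claim names and the account-naming scheme are assumptions. Real deployments sign with the IdP's private key (XML-DSig or JWS); the checks the service provider performs before trusting a claim (signature, issuer, audience, validity window, replay) are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Authenticates the user once, then issues one assertion per trusted service provider."""

    def __init__(self, issuer, users):
        self.issuer, self.users = issuer, users   # constructed directory: login -> attributes
        self.trusted, self.sessions = {}, {}      # audience -> shared key; session id -> login

    def login(self, login, password):
        record = self.users.get(login)            # enrollment / identity proofing are out of scope
        if record is None or not hmac.compare_digest(record["password"], password):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = login
        return sid

    def issue_assertion(self, sid, audience, ttl=300):
        login = self.sessions.get(sid)
        if login is None or audience not in self.trusted:
            return None                           # no session, or no trust relationship with that SP
        attrs, now = self.users[login], int(time.time())
        claims = {"iss": self.issuer, "aud": audience, "sub": login, "email": attrs["email"],
                  "groups": attrs["groups"], "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.trusted[audience], payload.encode(), hashlib.sha256).digest()
        return payload + "." + _b64(sig)


class ServiceProvider:
    """A SaaS application: validates the assertion, links or provisions a local account, audits."""

    def __init__(self, name, issuer, key):
        self.name, self.issuer, self.key = name, issuer, key
        self.links, self.accounts = {}, {}        # (issuer, subject) -> local id; local id -> attrs
        self.seen, self.audit = set(), []         # consumed assertion ids; audit trail

    def _deny(self, reason):
        self.audit.append({"event": "sso_denied", "reason": reason})
        return None

    def consume(self, token, now=None):
        now = int(time.time()) if now is None else now
        payload, _, sig = token.partition(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return self._deny("bad signature")    # checked before any claim is trusted
        claims = json.loads(_unb64(payload))
        if claims.get("iss") != self.issuer:
            return self._deny("unknown issuer")
        if claims.get("aud") != self.name:
            return self._deny("audience mismatch")  # minted for a different application
        if now >= claims.get("exp", 0):
            return self._deny("expired")
        if claims.get("jti") in self.seen:
            return self._deny("replay")
        self.seen.add(claims["jti"])
        link = (claims["iss"], claims["sub"])
        local = self.links.get(link)
        if local is None:                         # just-in-time provisioning
            local = f"{self.name}-user{len(self.accounts) + 1}"
            self.links[link] = local
            self.accounts[local] = {"email": claims["email"], "groups": claims["groups"]}
            self.audit.append({"event": "jit_provision", "user": local, "subject": claims["sub"]})
        self.audit.append({"event": "sso_login", "user": local, "assertion": claims["jti"], "at": now})
        return local


def run_demo():
    """One IdP login, SSO to two applications, then a replayed and a misdirected assertion."""
    users = {"alice": {"password": "s3cret-pw", "email": "alice@example.com", "groups": ["finance"]}}
    idp = IdentityProvider("https://idp.example.com", users)
    crm = ServiceProvider("crm.example.net", idp.issuer, secrets.token_bytes(32))
    hr = ServiceProvider("hr.example.net", idp.issuer, secrets.token_bytes(32))
    for sp in (crm, hr):
        idp.trusted[sp.name] = sp.key             # trust set up by the tenant administrator
    sid = idp.login("alice", "s3cret-pw")
    first = crm.consume(idp.issue_assertion(sid, crm.name))   # provisions the CRM account
    again = crm.consume(idp.issue_assertion(sid, crm.name))   # linked, not provisioned twice
    other = hr.consume(idp.issue_assertion(sid, hr.name))     # no second authentication
    token = idp.issue_assertion(sid, crm.name)
    crm.consume(token)
    return {"first": first, "again": again, "other": other,
            "replayed": crm.consume(token),                   # same jti presented twice
            "misdirected": hr.consume(token),                 # CRM assertion shown to HR
            "crm_accounts": len(crm.accounts),
            "crm_denials": [e["reason"] for e in crm.audit if e["event"] == "sso_denied"]}
```

Running `run_demo()` shows the properties the use cases ask for: the second and third assertions are accepted without a second login, the CRM links the returning subject to the account it provisioned on first contact instead of creating another, and the two failure modes are refused and recorded in the audit trail (the replayed assertion by its `jti`, the misdirected one because it was signed for a different audience with a different key). The per-SP key and the audience check are what keep one application's assertion from being usable at another.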



