OASIS Mailing List Archives: id-cloud message

Subject: RE: [id-cloud] Gap Analysis Use Case 1: Application and Virtualization Security in the Cloud


Dominique Nguyen's contribution to the First pass

Analysis notes/Possible GAPs identified:

SAML 2.0 - need user identity and role associated/bound to devices (virtual machine, guest operating system, host operating system) - the current common framework is limited to creating, requesting and exchanging security assertions between entities (human or corporation). http://www.oasis-open.org/committees/download.php/11511/sstc-saml-tech-overview-2.0-draft-03.pdf

WS-Trust V1.4 - No gap - the specification uses base mechanisms and defines additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains - can be applied to security token exchange for non-human entities. http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html

OpenID - similar to SAML 2.0, need user identity and role associated/bound to virtual machine, guest operating system, host operating system - the current common framework is limited to creating, requesting and exchanging security assertions between entities (human or corporation). http://openid.net/get-an-openid/what-is-openid/

oAuth 1.0 - similar to OpenID and to SAML 2.0, need user identity and role associated/bound to virtual machine, guest operating system, host operating system - the current common framework is limited to creating, requesting and exchanging security assertions between entities (human or corporation). http://oauth.net/about/

OVF - Open Virtualization Format (OVF), a platform-independent, efficient, extensible, and open packaging and distribution format for virtual machines. This may not apply to this use case. http://www.vmware.com/technical-resources/virtualization-topics/virtual-appliances/ovf

X.500 - Is X.509 (Directory: Public-key and attribute certificate frameworks) a better fit? http://en.wikipedia.org/wiki/X.500
X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm http://en.wikipedia.org/wiki/X.509

LDAP - gap: allows Anonymous Bind (the server typically checks the password against the userPassword attribute in the named entry; an Anonymous Bind (with empty DN and password) resets the connection to the anonymous state). http://en.wikipedia.org/wiki/Ldap

IPsec - No gap: Transport mode allows host-to-host communication but is not as secure as Tunnel mode. http://en.wikipedia.org/wiki/IPsec

RADIUS - similar to SAML 2.0, OpenID and oAuth, need user identity and role associated/bound to virtual machine, guest operating system, host operating system - the current common framework is limited to creating, requesting and exchanging security assertions between entities (human or corporation). (RADIUS is a server for remote user authentication and accounting. Its primary use is for Internet Service Providers, though it may as well be used on any network that needs a centralized authentication and/or accounting service for its workstations.) http://www.gnu.org/software/radius/

SPML - Appears to have no gap in first pass (SPML Version 2 (SPMLv2) defines a core protocol [SPMLv2] over which different data models can be used to define the actual provisioning data. The combination of a data model with the SPML core specification is referred to as a profile. The use of SPML requires that a specific profile is used, although the choice of which profile is used is negotiated out-of-band by the participating parties). C:\Documents and Settings\nbd87i3\Local Settings\Temp\PK2D33.tmp\pstc-spml2-dsml-profile-os.html

SCIM - Is this what we want? SCIM = Smart Common Input Method platform (SCIM) is an input method (IM) platform containing support for more than thirty languages (CJK and many European languages) for POSIX-style operating systems including Linux and BSD. It uses a clear architecture and provides a simple and powerful programming interface, which is meant to reduce the time required for developing individual IMs. http://en.wikipedia.org/wiki/Scim I don't think it is relevant to our topic.

-----Original Message-----
From: id-cloud@lists.oasis-open.org [mailto:id-cloud@lists.oasis-open.org] On Behalf Of Gershon Janssen
Sent: Sunday, February 05, 2012 2:14 PM
To: id-cloud@lists.oasis-open.org
Subject: [id-cloud] Gap Analysis Use Case 1: Application and Virtualization Security in the Cloud

---

This discussion thread is to start an on-list discussion on the Gap Analysis of individual use cases. Use case numbers refer to the use cases as described in the 'OASIS Identity in the Cloud TC Use Cases' Version 1.0, Working Draft 02, 15 December 2011, which is available at http://www.oasis-open.org/committees/document.php?document_id=44915&wg_abbrev=id-cloud

The information below describes the current state. You are invited to respond on-list to this thread with any comments, insights, additions, etc.
All input will be gathered from the list and consolidated into the next revision of the Gap Analysis document.

---

Use Case 1: Application and Virtualization Security in the Cloud

Short description:
Feature the importance of managing identities that exist in the cloud at all levels, including the host operating system, virtual machines as well as applications. Ownership and management of identities may vary at each level and may also be external to the cloud provider.

Relevant applicable standards:
-	SAML
-	WS-Trust
-	OpenID
-	oAuth
-	OVF 
-	X.500
-	LDAP
-	IPsec
-	RADIUS
-	SPML
-	SCIM

Analysis notes:

Possible GAPs identified:

