Subject: Public review comment for CloudAuthZ-usecases-v1.0-cnprd01: 2.2 Identity Management Categorizations
This section is the closest thing in the doc to a statement of the scope of the Cloud authorization architecture (or at least ontology). I suggest it should be expanded to include "protected resource" (data) tagging/labeling. Without data-object level metadata tagging that is accessible by the PDP, we can't really have fine-grained authorization that enforces security or other policy.

This area (data tagging, and protected-resource metadata binding) is a lagging part of the whole ABAC/PBAC standards and "best-practice" picture. This is a problem for both Cloud and non-Cloud environments, but it is particularly important for the Cloud environment, because: (1) a major benefit of Cloud (at least of Community Clouds) is the ability to share and mix data from lots of sources easily, and unless access can be controlled at the level of the individual record, document, or cell, this mixing will not be permitted; and (2) using analytics with noSQL data types presents a real challenge as to where access-control policy can be applied effectively.

I think data tagging is a critical issue for AuthZ in the Cloud... if I haven't made my point convincingly, would appreciate some feedback as to what I'm missing or not addressing.

Thanks,
Martin