

Subject: Re: [cloudauthz-comment] Public review comment for CloudAuthZ-usecases-v1.0-cnprd01: 2.2 Identity Management Categorizations


Radu--thanks for the response. 

Perhaps we could discuss "where attributes and tags come from" at some point. That is an area of particular interest to me.

I am not an OASIS member (just retired from Federal service, and I am doing a bit of part-time consulting but don't really have a business that can support membership) so I will rely on the list and any news from the TC to follow these issues.

I do think this is very important work, though it seems there are several OASIS groups (like the XACML TC) with somewhat overlapping agendas.  I gather that's the OASIS way . . . <g>

Best of luck!

Martin
 


On 3/31/2014 9:04 AM, Marian, Radu wrote:

Agree with your points. Last year we suggested an IAM meta-ontology as a framework for the tagging you mentioned below. We can discuss it on our call today.

 

Tags would be mostly around “Tasks” and “Business Resources”

 

Regards,

Radu Marian, MSCS, SCEA, CISSP

Bank of America - Charlotte, NC

VP, Architect 2, Security Architecture and Innovation

Business phone number: (704) 628-6874

an Enterprise without Ontology is like a country without a map.

 

From: cloudauthz-comment@lists.oasis-open.org [mailto:cloudauthz-comment@lists.oasis-open.org] On Behalf Of Martin F Smith, BFC Consulting
Sent: Saturday, March 29, 2014 10:29 PM
To: cloudauthz-comment@lists.oasis-open.org
Subject: [cloudauthz-comment] Public review comment for CloudAuthZ-usecases-v1.0-cnprd01: 2.2 Identity Management Categorizations

 

This section is the closest thing in the doc to a statement of the scope of the Cloud authorization architecture (or at least ontology).

I suggest it should be expanded to include "protected resource" (data) tagging/labeling.  Without data-object level metadata tagging that is accessible by the PDP, we can't really have fine-grained authorization that enforces security or other policy. 

This area (data tagging, and protected-resource metadata binding) is a lagging part of the whole ABAC/PBAC standards and "best-practice" picture.

This is a problem for both Cloud and non-Cloud environments, but it is particularly important for the Cloud environment, because:

(1) a major benefit of Cloud (at least of Community Clouds) is the ability to share and mix data from lots of sources easily, and unless access can be controlled at the level of the individual record, document, or cell, this mixing will not be permitted; and

(2) using analytics with noSQL data types presents a real challenge as to where access-control policy can be applied effectively.

I think data tagging is a critical issue for AuthZ in the Cloud . . . if I haven't made my point convincingly, would appreciate some feedback as to what I'm missing or not addressing.

Thanks,

Martin

-- 

Martin F Smith, Principal

BFC Consulting, LLC

McLean, Va 22102

703 389-3224 mobile

 


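The point argued in the original comment above, that a PDP cannot make a fine-grained decision about a record or cell unless metadata tags are bound to that data and visible to the policy evaluation, is illustrated by the following toy attribute-based PDP. This is an added example and not code from the CloudAuthZ TC, the XACML TC or anyone on this thread; the classification ladder, the two rules, the tag names (`classification`, `community`, `pii`) and the sample records are all constructed assumptions. It shows record-level filtering, cell-level redaction layered on record tags, and what happens to a record that arrived from a source that never labelled it: the decision comes back Indeterminate and a deny-by-default PEP withholds it.

```python
"""Toy attribute-based PDP driven by resource tags (added example; all
policy, tag names and data below are constructed for illustration)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Assumed ordered sensitivity levels; a higher value is more sensitive.
LEVELS: Dict[str, int] = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Rule:
    name: str
    effect: str                                   # "Permit" or "Deny"
    applies: Callable[[dict, dict, str], bool]    # (subject, tags, action)


@dataclass
class Policy:
    rules: List[Rule]


def clearance_rule(subject: dict, tags: dict, action: str) -> bool:
    """Permit a read when the subject's clearance dominates the record's
    classification and the subject belongs to the record's community.
    Indexing tags[...] deliberately raises KeyError on an untagged record."""
    return (action == "read"
            and LEVELS[subject["clearance"]] >= LEVELS[tags["classification"]]
            and tags["community"] in subject["communities"])


def pii_rule(subject: dict, tags: dict, action: str) -> bool:
    """Deny anything tagged pii unless the subject holds the pii_access role."""
    return bool(tags.get("pii")) and "pii_access" not in subject["roles"]


POLICY = Policy([
    Rule("clearance-and-community", "Permit", clearance_rule),
    Rule("pii-needs-role", "Deny", pii_rule),
])


def decide(policy: Policy, subject: dict, tags: dict, action: str) -> str:
    """Deny-overrides combining: Deny > Indeterminate > Permit > NotApplicable.
    Indeterminate means a rule needed a tag the resource does not carry, so
    the PDP cannot evaluate the policy for this data object."""
    results = []
    for rule in policy.rules:
        try:
            if rule.applies(subject, tags, action):
                results.append(rule.effect)
        except KeyError:
            results.append("Indeterminate")
    for outcome in ("Deny", "Indeterminate", "Permit"):
        if outcome in results:
            return outcome
    return "NotApplicable"


def readable_records(policy: Policy, subject: dict, records: list) -> list:
    """Record-level enforcement: only an explicit Permit releases a record;
    NotApplicable and Indeterminate are treated as deny by the PEP."""
    return [r for r in records
            if decide(policy, subject, r["tags"], "read") == "Permit"]


def redact_cells(policy: Policy, subject: dict, record: dict) -> dict:
    """Cell-level enforcement: per-column tags are layered over the record
    tags and every column is decided on its own; denied columns are dropped."""
    visible = {}
    for column, value in record["data"].items():
        tags = {**record["tags"], **record.get("cell_tags", {}).get(column, {})}
        if decide(policy, subject, tags, "read") == "Permit":
            visible[column] = value
    return visible


# Constructed subject and records (not real data).
ANALYST = {"clearance": "confidential", "communities": {"health"}, "roles": set()}
RECORDS = [
    {"id": 1, "data": {"patient": "p-001", "ssn": "000-00-0000", "diagnosis": "x"},
     "tags": {"classification": "confidential", "community": "health"},
     "cell_tags": {"ssn": {"pii": True}}},
    {"id": 2, "data": {"patient": "p-002", "diagnosis": "y"},
     "tags": {"classification": "internal", "community": "finance"}},
    {"id": 3, "data": {"patient": "p-003", "diagnosis": "z"},
     "tags": {}},   # ingested from a source that never labelled it
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["id"], decide(POLICY, ANALYST, rec["tags"], "read"))
    for rec in readable_records(POLICY, ANALYST, RECORDS):
        print("released:", redact_cells(POLICY, ANALYST, rec))
```

Record 1 is released with its `ssn` cell removed, record 2 is withheld because no rule matches its community, and record 3 is withheld because the policy references a classification tag the data never received; the last case is exactly the situation the comment describes, where the authorization architecture has nothing to bind policy to.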


