Fellow TC Members,
The purpose of this message is to contribute
Symplified's thoughts on the IDCloud use cases. I apologize for taking
so long to get this message out to the group. I don't have any specific
use cases to submit - but instead some suggestions on the overall
structure of what we create. I think my comments are mostly consistent
(and an extension of) the message posted by Patrick Harding on July 8
regarding this topic.
I think what we create needs to map to most people's conceptual
model of the cloud. The reason being that we've cast a rather wide net
in our charter (cloud security), and for someone to find it useful they
will need to navigate to the section of the document that applies to
them. So I think at the highest level, the document should be organized
around the different 'top-level use cases' for cloud computing - IaaS,
PaaS, and SaaS and the use cases contained therein. And for each of
these environments, we should then describe the scenarios/use cases that
apply. Within each of these scenarios, we should discuss
how the following security properties apply and/or are achieved:
Authentication, Authorization, Provisioning, and Audit.
I believe that most (if not all) of the current use case submissions
could fit inside this framework. Some use cases will apply across
multiple 'top level use cases' and can be designated as such. So, by
way of example, the use cases might look something like:
Infrastructure as a Service
- Administrator accessing host OS
- Administrator Authenticating to host OS
- End user accessing web applications served from IaaS environment
- New Administrator
- New End User
- Deprovision End User
- Single Sign On from End User environment to Web Application
- Single Sign On from Admin environment to host OSes
Software as a Service
- Administrator accessing SaaS management UI
- End user accessing SaaS application
- New Administrator
- New End User
- Deprovision End User
I believe that this would be the most applicable and useful type of
document we could create. It would allow people who need to securely
deploy the technology to quickly understand what they are asking for and
how it fits into the rest of their cloud security challenges.
I will be in for the F2F next week if anyone would like to discuss in person.
Regards,
Darren
--
Darren Platt
CTO & Founder
303.775.6212 | mobile
http://www.symplified.com
Symplified
The Cloud Security Company