Up 2011 - Ken Huang

Up in the Air: The Future of Cloud Identity Management
Ken Huang, Director of Cloud Security, CGI
Up 2011 Global Cloud Computing Conference, December 2011

Description: My presentation at Up 2011, the 2nd Global Cloud Computing Conference

Transcript of Up 2011-ken huang

Page 1: Up 2011-ken huang


Up 2011 Global Cloud Computing Conference, December 2011

Up in the Air: The Future of Cloud Identity Management

Ken Huang, Director of Cloud Security, CGI

Page 2: Up 2011-ken huang

About Ken Huang

• Director of Cloud Security at CGI
• Cloud Security
• Identity and Access Management
• Application Security
• Frequent Speaker

• Blog: http://cloud-identity.blogspot.com/
• LinkedIn: www.linkedin.com/in/kenhuang8
• Twitter: http://twitter.com/#!/kenhuangus

Page 3: Up 2011-ken huang

Agenda

• Why is traditional IDAM not sufficient for the cloud?

• Discuss 5 different cloud identity initiatives/standards:
• OASIS IDCloud
• OpenGroup Jericho
• CSA’s Trusted Cloud Initiative
• Simple Cloud Identity Management
• The National Strategy for Trusted Identities in Cyberspace (NSTIC)

• Comparison
• Suggestions and future work

Page 4: Up 2011-ken huang

Why is traditional IDAM not sufficient for the cloud?

Identity management is not completely solved at the enterprise level:
• Centralized authentication is not a reality yet (still lots of silos)
• Identity federation is hot but not a reality
• Centralized authorization is not mature

The cloud extends the enterprise beyond the DMZ:
• Deperimeterised
• Multiple cloud providers
• Need for just-in-time provisioning
• Immature technology for IDAM in the cloud
• IDAM is needed in IAAS/PAAS/SAAS and in all deployment models (public, private, hybrid, community)

Page 5: Up 2011-ken huang

Top 8 reasons why a cloud provider needs IDAM

1) To be sure who is using your service.

2) To be compliant with government regulations.

3) To provide separation of duty and least-privilege access to the data hosted on behalf of the cloud consumer.

4) To build a trust relationship with the cloud consumer. If you don't care about IAM, you will certainly lose the trust of your customers.

5) For a user-based subscription model (such as salesforce.com), the cloud provider needs IAM to provision, audit and de-provision users and to provide correct billing statements according to usage.

6) To support potential e-Discovery as required by law enforcement agencies.

7) To be able to support a wide range of users.

8) To support other functions within the cloud provider such as BI, sales, and executive decisions.

Page 6: Up 2011-ken huang

Top 8 reasons why a cloud consumer needs IDAM

1) Network security is not enough; identity-based security is essential for the cloud consumer.

2) Audit tracking and compliance are still the cloud consumer's responsibility.

3) SSO with the applications in the cloud.

4) Identity federation will be in strong demand.

5) Small and mid-size companies may need to leverage IDaaS to save cost.

6) To measure the effectiveness of the cloud service (you need the identities).

7) To verify the billing provided by the cloud provider.

8) Modification of existing in-house user provisioning for the cloud.

Page 7: Up 2011-ken huang

IDAM is a Foundational Component for Cloud

1: The NIST Reference Architecture treats security and privacy as cross-cutting services; IDAM is the main enabler of security and privacy.

2: IDAM is essential regardless of service model (IAAS, PAAS, SAAS, DAAS, XAAS) and deployment model (public, private, community, hybrid).

Page 8: Up 2011-ken huang

1: OASIS IDCloud

• OASIS IDCloud
• OpenGroup Jericho
• CSA’s Trusted Cloud Initiative
• Simple Cloud Identity Management
• The National Strategy for Trusted Identities in Cyberspace (NSTIC)

Page 9: Up 2011-ken huang

OASIS IDCloud TC 

3 Main objectives:

• Identify use cases (example: identity in the virtual environment, by Red Hat)

• Define interoperability profiles (example: Kerberos profile, by MIT)

• Gap analysis of existing identity management standards and protocols when applied in the context of the cloud
• Based on the use cases and interoperability profiles
• Analysis is fed back to the WG responsible for each standard

Page 10: Up 2011-ken huang

OASIS IDCloud TC

• Other objectives:

• Glossary on Cloud Identity

• Do not re-invent the wheel

• Strong liaison relationships with other international working groups

• ITU-T, Cloud Security Alliance, etc.

Page 11: Up 2011-ken huang

OASIS ID Cloud Status

• Deliverables:

• Use case formalization (version 1 published on 27 June 2011)

• Defining the Interoperability Profiles for Identity in the Cloud (ETA: December ’11)

• Gap Analysis of existing Identity Management Standards

Page 12: Up 2011-ken huang

OASIS ID Cloud : Total 32 Use Cases

Categorizations:
• Authentication
• Infrastructure Identity Establishment
• General Identity Management
• Authorization
• Account & Attribute Management
• Security Tokens
• Audit & Compliance

Link: http://wiki.oasis-open.org/id-cloud/

Page 13: Up 2011-ken huang

2: OpenGroup Jericho

• OASIS IDCloud
• OpenGroup Jericho
• CSA’s Trusted Cloud Initiative
• Simple Cloud Identity Management
• The National Strategy for Trusted Identities in Cyberspace (NSTIC)

Page 14: Up 2011-ken huang

Jericho Cloud Cube

[Figure: the Jericho Cloud Cube; the axes shown on the slide are Perimeterised / Deperimeterised, Proprietary / Open, and Internal / External]

Page 15: Up 2011-ken huang

Jericho COA

• Jericho Forum has proposed a cloud architecture that uses identity management across all levels of the cloud (infrastructure, platform, software, and process) in a design it calls collaboration-oriented architecture (COA).

• A standardized form of identity that can be validated across cloud platforms.

Page 16: Up 2011-ken huang

“Identity” Commandments by Jericho

• 14 commandments in total on identity and entitlement

• The resource owner defines identity and attributes
• Attributes must not be over-exposed
• An entity can have multiple identities
• User-centric identity management

• Link to the commandments: http://www.opengroup.org/jericho/Jericho%20Forum%20Identity%20Commandments%20v1.0.pdf

Page 17: Up 2011-ken huang

3: CSA’s Trusted Cloud Initiative

• OASIS IDCloud
• OpenGroup Jericho
• CSA’s Trusted Cloud Initiative
• Simple Cloud Identity Management
• The National Strategy for Trusted Identities in Cyberspace (NSTIC)

Page 18: Up 2011-ken huang

Trusted Cloud Initiative by CSA

• October 18, 2011: the Cloud Security Alliance (CSA) published its first white paper, “Trusted Cloud Initiative Quick Guide to the Reference Architecture”

•The TCI Reference Architecture is both a methodology and a set of tools

• Jericho is part of the Reference Architecture (ITIL, TOGAF and SABSA are the other components)

Page 19: Up 2011-ken huang

Domain 12 of CSA Guide

Page 20: Up 2011-ken huang

CSA Guide On Identity Management

• Identity Provisioning
• Authentication
• Federation
• Authorization & user profile management
• Identity as a Service

Page 21: Up 2011-ken huang

Identity Provisioning – Recommendations by CSA

• Avoid custom connectors.
• Leverage standard connectors (SPML or SCIM).
• Extend the schema for the cloud.

Page 22: Up 2011-ken huang

Authentication Recommendation for SAAS/PAAS by CSA

• Authenticate via an IdP and establish a circle of trust with the CSP for identity federation (no longer your typical application-level login module).

• Leverage user-centric authentication such as Google, Yahoo, OpenID or Live ID for access to low-sensitivity data.

• Avoid proprietary security tokens; use standard tokens such as SAML instead (security vs. performance needs to be considered).

Page 23: Up 2011-ken huang

Authentication Recommendation for IAAS by CSA

• For admin users, leverage a VPN.
• If possible, use a dedicated VPN.
• If a dedicated VPN tunnel is not feasible, use identity federation standards over SSL (SAML, WS-Federation).

• Judicious use of OpenID.
• For OTP or other forms of strong authentication, make sure it is OATH compliant.

• Cloud providers should consider supporting various strong authentication options such as One-Time Passwords, biometrics, digital certificates, and Kerberos. This will provide another option for enterprises to use their existing infrastructure.

Page 24: Up 2011-ken huang

Federation Recommendation by CSA

• Cloud Providers should support multiple Federation standards.

• Cloud providers desiring to support multiple federation token formats should consider implementing some type of federation gateway or STS.

• Cloud Consumer should evaluate Federated Public SSO (open standard based) versus Federated Private SSO (Custom security token based, may provide quick win).

• Cloud Consumer can delegate issuing various security token types to the federation gateway, which then handles translating tokens from one format to another (STS).
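The federation gateway / STS pattern in the last two bullets, as an added example that is not from the presentation or from CSA: a gateway accepts a SAML-like assertion from a trusted IdP, checks issuer, signature and expiry, and issues a compact JWT-style token for a relying party that does not speak SAML. The issuer URL, audience, keys and the HMAC stand-in for XML Signature are all constructed for the example; a real deployment would verify XML-DSig on the inbound assertion.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

# Constructed trust configuration. The gateway trusts one IdP (looked up by issuer) and
# issues tokens for one relying party; the keys are placeholders, not real secrets.
TRUSTED_IDP_KEYS = {"https://idp.example.com": b"idp-signing-key-placeholder"}
RELYING_PARTY_KEYS = {"api.example.net": b"rp-signing-key-placeholder"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(issuer: str, subject: str, attrs: dict, not_on_or_after: int, key: bytes):
    """IdP side: a minimal SAML-like assertion. A real IdP would apply XML Signature;
    an HMAC over the serialized XML stands in so the example stays self-contained."""
    root = ET.Element("Assertion", Issuer=issuer, NotOnOrAfter=str(not_on_or_after))
    ET.SubElement(root, "Subject").text = subject
    for name, value in sorted(attrs.items()):
        ET.SubElement(root, "Attribute", Name=name).text = value
    body = ET.tostring(root)
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def validate_assertion(body: bytes, signature: str, now: int):
    """Gateway inbound check: trusted issuer, valid signature, not expired."""
    root = ET.fromstring(body)
    key = TRUSTED_IDP_KEYS.get(root.get("Issuer"))
    if key is None:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), signature):
        raise ValueError("assertion signature invalid")
    if now >= int(root.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    subject = root.findtext("Subject")
    attrs = {a.get("Name"): a.text for a in root.findall("Attribute")}
    return subject, attrs


def issue_token(subject: str, attrs: dict, audience: str, now: int, ttl: int = 300) -> str:
    """Gateway outbound side: a compact HS256 JWT-style token for the relying party.
    Only the claims the RP needs are copied across (attribute minimisation)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl,
              "groups": attrs.get("groups", "")}
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = _b64url(hmac.new(RELYING_PARTY_KEYS[audience], signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def sts_exchange(body: bytes, signature: str, audience: str, now: int) -> str:
    """The STS operation: validate the inbound token, translate, issue the outbound one."""
    subject, attrs = validate_assertion(body, signature, now)
    return issue_token(subject, attrs, audience, now)


def verify_token(token: str, audience: str, now: int) -> dict:
    """Relying-party side: check the gateway-issued token before trusting its claims."""
    header, payload, sig = token.split(".")
    expected = _b64url(hmac.new(RELYING_PARTY_KEYS[audience], f"{header}.{payload}".encode(),
                                hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("token signature invalid")
    claims = json.loads(_b64url_decode(payload))
    if claims["aud"] != audience or now >= claims["exp"]:
        raise ValueError("token not valid for this audience or time")
    return claims


if __name__ == "__main__":
    body, sig = make_assertion("https://idp.example.com", "alice@example.com",
                               {"groups": "finance"}, 1000,
                               TRUSTED_IDP_KEYS["https://idp.example.com"])
    token = sts_exchange(body, sig, "api.example.net", now=500)
    print(verify_token(token, "api.example.net", now=500))
```

The point of the gateway is that trust decisions (which issuers, which audiences, how long a translated token lives) are made in one place, and the relying party only ever validates one token format.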

Page 25: Up 2011-ken huang

Access Control Recommendation by CSA

• Review the access control model (SoD, LP).
• Identify authoritative sources.
• Enforce privacy policies for the data (conduct a PIA).
• Select a format in which to specify policy and user information (XACML).
• Determine the mechanism to transmit policy from a Policy Administration Point (PAP) to a Policy Decision Point (PDP).
• Determine the mechanism to transmit user information from a Policy Information Point (PIP) to a Policy Decision Point (PDP).
• Request a policy decision from a Policy Decision Point (PDP).
• Enforce the policy decision at the Policy Enforcement Point (PEP).
• Log information necessary for audits.
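The PAP / PIP / PDP / PEP flow in the bullets above, as an added example that is not from the presentation or from CSA's guide: a small in-memory model with deny-overrides combining, a default of NotApplicable that the PEP treats as a denial (least privilege), a separation-of-duty rule, and an audit record written at the enforcement point. The payments policy, the roles and the directory entries are constructed for the example; a real deployment would express the rules in XACML and source attributes from a directory.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    action: str                                   # action the rule applies to
    resource_prefix: str                          # rule applies to resources under this prefix
    condition: Callable[[Dict[str, str]], bool] = lambda attrs: True   # test on subject attributes


class PolicyAdministrationPoint:
    """PAP: where policy is authored. Here an in-memory list; real deployments transmit
    XACML policy documents to the PDP, which is the mechanism the slide asks you to decide on."""
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def export(self) -> List[Rule]:
        return list(self.rules)


class PolicyInformationPoint:
    """PIP: the authoritative source of subject attributes (a directory or HR feed in practice)."""
    def __init__(self, directory: Dict[str, Dict[str, str]]) -> None:
        self.directory = directory

    def attributes(self, subject: str) -> Dict[str, str]:
        return self.directory.get(subject, {})


class PolicyDecisionPoint:
    """PDP: deny-overrides combining. Anything not explicitly permitted is NotApplicable,
    which the PEP treats as a denial (fail closed)."""
    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint) -> None:
        self.rules = pap.export()
        self.pip = pip

    def decide(self, subject: str, action: str, resource: str) -> str:
        attrs = self.pip.attributes(subject)
        decision = "NotApplicable"
        for rule in self.rules:
            if rule.action != action or not resource.startswith(rule.resource_prefix):
                continue
            if not rule.condition(attrs):
                continue
            if rule.effect == "Deny":
                return "Deny"            # a single matching Deny wins
            decision = "Permit"
        return decision


class PolicyEnforcementPoint:
    """PEP: sits in front of the resource, asks the PDP, enforces, and writes the audit record."""
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp
        self.audit_log: List[str] = []

    def access(self, subject: str, action: str, resource: str) -> bool:
        decision = self.pdp.decide(subject, action, resource)
        self.audit_log.append(json.dumps({"subject": subject, "action": action,
                                          "resource": resource, "decision": decision}))
        return decision == "Permit"


def build_demo_pep() -> PolicyEnforcementPoint:
    """Constructed sample policy and directory for a payments service."""
    pap = PolicyAdministrationPoint()
    # Separation of duty: whoever can initiate a payment must never approve one.
    pap.add(Rule("Deny", "approve", "payments/", lambda a: a.get("role") == "payments-initiator"))
    pap.add(Rule("Permit", "approve", "payments/", lambda a: a.get("role") == "payments-approver"))
    pap.add(Rule("Permit", "initiate", "payments/", lambda a: a.get("role") == "payments-initiator"))
    pap.add(Rule("Permit", "read", "payments/", lambda a: a.get("department") == "finance"))
    pip = PolicyInformationPoint({
        "alice": {"role": "payments-initiator", "department": "finance"},
        "bob": {"role": "payments-approver", "department": "finance"},
        "carol": {"role": "developer", "department": "engineering"},
    })
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, pip))


if __name__ == "__main__":
    pep = build_demo_pep()
    for who, what in [("alice", "initiate"), ("alice", "approve"), ("bob", "approve"), ("carol", "read")]:
        print(who, what, "payments/inv-42 ->", pep.access(who, what, "payments/inv-42"))
    print("\n".join(pep.audit_log))
```

Keeping the decision (PDP) separate from enforcement (PEP) is what lets the same policy be applied consistently across several cloud applications, and the audit line written at the PEP is what the compliance bullet on the next slides depends on.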

Page 26: Up 2011-ken huang

IDaaS Recommendations by CSA

•The reduction of cost from using IDaaS needs to be balanced against risk mitigation.

• Application Security (such as SQL Injection and Cross Site Scripting, among many others) must be considered and protected against.

• IDaaS vendors should support industry standards for IDAM.

•Proprietary IDaaS is often less secure, less robust, and less interoperable.

Page 27: Up 2011-ken huang

4: Simple Cloud Identity Management

• OASIS IDCloud
• OpenGroup Jericho
• CSA’s Trusted Cloud Initiative
• Simple Cloud Identity Management
• The National Strategy for Trusted Identities in Cyberspace (NSTIC)

Page 28: Up 2011-ken huang

Simple Cloud Identity Management (SCIM)

• SCIM is a specification for a universal SAAS identity connector based on a RESTful API.

• It mainly focuses on the identity model and user life-cycle management (provisioning and de-provisioning).

• Supporters include Ping Identity, Cisco, Salesforce.com, SailPoint, UnboundID, etc.

Page 29: Up 2011-ken huang

SCIM deliverables

• Scenarios Doc - draft 4
• Core Schema 1.0 - draft 2
• REST API - draft 1
• SAML 2.0 Binding - draft 1

Page 30: Up 2011-ken huang

SCIM Restful Web Service API endpoints

Resource                        Endpoint                  Operations                      Description
User                            /User                     GET, POST, PUT, PATCH, DELETE   Retrieve/modify users
User query/listing              /Users                    GET                             Retrieve user(s) via ad hoc queries
Group                           /Group                    GET, POST, PUT, PATCH, DELETE   Retrieve/modify groups
Group query/listing             /Groups                   GET                             Retrieve group(s) via ad hoc queries
User password                   /User/{userId}/password   PATCH                           Change a user's password
Service provider configuration  /ServiceProviderConfig    GET                             Retrieve the service provider's configuration
Resource schema                 /Schema                   GET                             Retrieve a resource's schema
Resource schema query/listing   /Schemas                  GET                             Retrieve resource schema(s) via ad hoc queries
Bulk                            /Bulk                     POST                            Bulk modify resources
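To make the endpoint table concrete, here is an added example (not part of the presentation and not the SCIM project's code) of an in-memory service provider that dispatches the User, Users, User/{id}/password and ServiceProviderConfig routes as listed, walking a user through provisioning, an ad hoc query, a password change and de-provisioning. The Group, Schema and Bulk routes follow the same pattern and are omitted; the status codes, the single `attr eq "value"` filter form and the PBKDF2 storage of the password are choices made for this example. The security detail worth noticing is that the password is write-only: it is accepted on POST and PATCH but never echoed back in any response.

```python
import hashlib
import hmac
import os
import re
import uuid
from urllib.parse import parse_qs, urlparse


class ScimService:
    """In-memory stand-in for a SCIM 1.0-style service provider (subset of the table above)."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self) -> None:
        self.users = {}   # id -> resource dict; "_password" holds a salted hash, never the password
        self.config = {"patch": {"supported": True}, "bulk": {"supported": False},
                       "filter": {"supported": True, "maxResults": 200}}

    def _hash_password(self, password: str) -> str:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ROUNDS)
        return salt.hex() + "$" + digest.hex()

    def check_password(self, user_id: str, password: str) -> bool:
        """Not a SCIM operation; shows that the stored hash still verifies after a PATCH."""
        salt_hex, digest_hex = self.users[user_id]["_password"].split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                   self.PBKDF2_ROUNDS)
        return hmac.compare_digest(calc.hex(), digest_hex)

    @staticmethod
    def _public(user: dict) -> dict:
        # Internal fields never leave the service: the password is a write-only attribute.
        return {k: v for k, v in user.items() if not k.startswith("_")}

    def handle(self, method: str, url: str, body: dict = None):
        """Dispatch one request; returns (HTTP status, JSON-serialisable body or None)."""
        parsed = urlparse(url)
        path, query = parsed.path, parse_qs(parsed.query)

        if method == "GET" and path == "/ServiceProviderConfig":
            return 200, self.config

        if method == "POST" and path == "/User":                       # provisioning
            if not body or "userName" not in body or "password" not in body:
                return 400, {"error": "userName and password are required"}
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return 409, {"error": "userName already exists"}
            user = {"id": str(uuid.uuid4()), "userName": body["userName"], "active": True,
                    "_password": self._hash_password(body["password"])}
            self.users[user["id"]] = user
            return 201, self._public(user)

        if method == "GET" and path == "/Users":                       # ad hoc query
            matches = list(self.users.values())
            if "filter" in query:
                m = re.fullmatch(r'(\w+) eq "([^"]*)"', query["filter"][0])
                if not m:
                    return 400, {"error": "only 'attr eq \"value\"' filters are supported here"}
                attr, value = m.groups()
                matches = [u for u in matches if u.get(attr) == value]
            return 200, {"totalResults": len(matches),
                         "Resources": [self._public(u) for u in matches]}

        m = re.fullmatch(r"/User/([^/]+)(/password)?", path)
        if m:
            user_id, is_password = m.groups()
            if user_id not in self.users:
                return 404, {"error": "user not found"}
            if is_password:                                            # password change
                if method != "PATCH":
                    return 405, {"error": "method not allowed"}
                self.users[user_id]["_password"] = self._hash_password(body["password"])
                return 204, None
            if method == "GET":
                return 200, self._public(self.users[user_id])
            if method == "PATCH":                                      # partial update
                for key, value in body.items():
                    if key not in ("id", "password") and not key.startswith("_"):
                        self.users[user_id][key] = value
                return 200, self._public(self.users[user_id])
            if method == "DELETE":                                     # de-provisioning
                del self.users[user_id]
                return 204, None
        return 404, {"error": "no such endpoint"}
```

A provisioning system on the consumer side drives exactly this sequence: create on hire, query to reconcile, PATCH on change, DELETE (or PATCH `active` to false) on leave, which is the life-cycle management SCIM is scoped to.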

Page 31: Up 2011-ken huang

5: NSTIC

• OASIS IDCloud
• OpenGroup Jericho
• CSA’s Trusted Cloud Initiative
• Simple Cloud Identity Management
• The National Strategy for Trusted Identities in Cyberspace (NSTIC)

Page 32: Up 2011-ken huang

US Government on Cloud Identity Policy Initiatives

• The President signed NSTIC in April 2011

• NSTIC: National Strategy for Trusted Identities in Cyberspace

• Identity Ecosystem

• It is a strategy document.

Page 33: Up 2011-ken huang

Guiding Principles for NSTIC

•Privacy enhancing and voluntary

•Secure and resilient

•Interoperable

•Cost-effective and easy to use

Page 34: Up 2011-ken huang

Comparison

Standard or initiative   Deliverable                                              Industrial support
OASIS IDCloud            Use cases, profiles and gap analysis                     21 sponsors including DoD, Microsoft, CA, IBM, Cisco, Symantec, SAP
Jericho                  White paper                                              58 members including DoD, HP, IBM, Microsoft, Oracle, Raytheon, MITRE
CSA TCI                  Guide                                                    Over 100 members; Novell is the initial sponsor for TCI
SCIM                     Use cases, RESTful API guide, SAML profile, core schema  Ping Identity, the UnboundID SCIM SDK, SailPoint, etc.
NSTIC                    Strategy document                                        PayPal, IBM, Microsoft, CA, etc.

Page 35: Up 2011-ken huang

Recommendation

• Don’t re-invent the wheel
• Re-use existing building blocks such as SAML, XACML, OAuth, OpenID, etc.

• Evaluate not-so-successful standards such as SPML (SCIM seems a better alternative?)

• Close collaboration between standards organizations and the different initiatives

• Compliance (FISMA, HIPAA, SOX, PCI DSS, FedRAMP, SAS 70 Type II, ISO 27001)

Page 36: Up 2011-ken huang

Conclusion and Q/A

• It is still up in the air
• Executive buy-in is essential for IDAM in the cloud

• It will still be a few more years before we see mature standards and technology for IDAM in the cloud