Google Site Search

Google
 

Monday, May 24, 2010

US Public Sector Cloud Computing

Last week, I had the privilege of listening to a presentation by Vivek Kundra, US Federal CIO at the US Department of Commerce in Washington DC. I was attending the NIST Cloud Workshop and Forum.

Vivek talked about how the US government tech was 10 years behind the curve and his initial days as the CIO. He basically called for action from NIST and the community to define standards for cloud computing to increase the adoption.

His presentation is available as a CIO report at State of Public Sector Cloud Computing.

The foremost requirement for cloud adoption aired at the workshop was "security". No surprises there.

During the 12+ months reign as the CIO, Vivek has done two things:
a) Jumpstarted Cloud Computing as a paradigm for the government sector. This in turn has energized cloud computing adoption.
b) Placed the emphasis on Identity Management which rejuvenated the ailing OpenId community. (Yeah, the regular LOA1 type work).

I did not have the privilege of meeting Vivek in person.

Thursday, May 13, 2010

Is Facebook - example of IDM in the Cloud?

I remember Giles Hogben of ENISA (during his keynote presentation at the Oasis Security Forum in London in 2008) declaring social networks to be Identity Management systems. Look at slide 9.

Given this, since facebook is the most popular social networking site in the world with about 400 million registered users and it provides a platform for applications to be hosted, I wonder whether Facebook is a good example of Identity Management in the cloud?

"It's like the 'Hotel California,' " said Nipon Das, 34, a director at a biotechnology consulting firm in New York who tried, unsuccessfully, to delete his account this fall. "You can check out any time you like, but you can never leave."

With the latest controversy with Facebook where users are opted into sharing information with partner sites, we clearly  have an example of "identity federation" with attribute sharing. :)

What do you think?

Monday, May 10, 2010

Tip: Debugging JBossXACML/PicketBox XACML

JBossXACML Debugging

If you are looking at getting debug information for the rule evaluation:


JBoss AS Environment :


Add a TRACE level logging category in conf/jboss-log4j.xml(AS5+) or deploy/jboss-logging.xml (AS6+)

<category name="org.jboss.security.xacml">
<priority value="TRACE"/>
</category>



Non-JBoss AS Environment such as Apache Tomcat :

Try to create a logging.properties file
============================
# Specify the handlers to create in the root logger
# (all loggers are children of the root logger)
# The following creates two handlers
handlers = java.util.logging.ConsoleHandler, java.util.logging.FileHandler

# Set the default logging level for the root logger
.level = ALL

# Set the default logging level for new ConsoleHandler instances
java.util.logging.ConsoleHandler.level = ALL

# Set the default logging level for new FileHandler instances
java.util.logging.FileHandler.level = ALL

# Set the default formatter for new ConsoleHandler instances
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter

# Set the default logging level for the logger named org.jboss
org.jboss.security.xacml.sunxacml.level = FINEST
com.sun.xml.bind.level = OFF
=====================================================

Now pass the system property with the location of this file such as:
-Djava.util.logging.config.file=src/test/resources/logging.properties

Then you should see something like:
=========================================
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.StandardCombiningAlgFactory initAlgorithms
CONFIG: Initializing standard combining algorithms
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initGeneralFunctions
CONFIG: Initializing standard General functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initConditionFunctions
CONFIG: Initializing standard Condition functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.StandardFunctionFactory initTargetFunctions
CONFIG: Initializing standard Target functions
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.PDP
FINE: creating a PDP
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.finder.PolicyFinder init
FINER: Initializing PolicyFinder
Resource must contain resource-id attr
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-bag-size:
:::result=2
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:integer-equal:


::org.jboss.security.xacml.sunxacml.attr.IntegerAttribute@0:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:



0

:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:string-subset:
::
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:



:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:and:

0

::

:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine
FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:allowed:organizations:deny:result=3
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:
:::result=15:38:25.553000000-05:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:
:::result=00:00:00-08:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal:
::
:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:

:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:
:::result=15:38:25.553000000-05:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-one-and-only:
:::result=23:59:00-08:00
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal:

::

:::result=false
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:not:


:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.cond.Apply evaluate
FINE: Function:urn:oasis:names:tc:xacml:1.0:function:or:


::


:::result=true
Mar 30, 2009 3:38:25 PM org.jboss.security.xacml.sunxacml.combine.DenyOverridesRuleAlg combine
FINE: Rule id:urn:oasis:names:tc:xspa:1.0:org:hoursofoperation:deny:result=1
=============================

This is very good debug information.

Summary :: Cloud Identity: Past, Present and Future

This is related to my earlier blog post on "Cloudy With A Chance Of Identity".

Basically, the panel discussion hosted by BrightTalk is available at: Panel Discussion (Requires Registration).

Currently, the feedback has been positive (4 out of 5 stars).

The panel discussion was very interesting. The panelists (Russell Dietz, SafeNet; Ravi Srinivasan, IBM; Darren Platz, Simplified) had very interesting experiences from the field to share.

Topics Discussed:-

1. How has the concept of Identity progressed as the industry has progressed from an enterprise architecture to a cloud based environment?

Background: Traditionally, we had enterprise environments servicing customers. Cloud computing has moved from being a buzz word to a mainstream reality. The concept of identity does have a progression associated with this industry transition.

* Identities have progressed very well with the availability of standards.
* Identity Management standards have matured and available in the industry.
* SAML has been popular in enabling B2B type infrastructure. Has been very useful in private and hybrid type environment. OpenID/OAuth/WRAP are quickly enabling public cloud infrastructure.
* User management/Identity Management are increasingly being decoupled from applications. Previously user management was part of individual applications. With the availability of federated sso, applications rely on authentication services from 3rd party sources.
* Federation and claims based systems have seen identity stores away from applications.

2. What significant challenges exist in the 3 types of Cloud Architectures (Public, Private and Hybrid)?

* Typically private clouds constitute widely deployed SOA applications in a virtualized environment, outsourced to a private cloud environment. Challenges include federation and user centric identity. With hybrid clouds, this gets compounded as we have now added some elements of public cloud infrastructure. Challenges in hybrid clouds include increased federation points and synchronization of user identities. With public clouds, it is a challenge to figure out who owns the user's identity, what is the origin of the identity etc.
* There is a need for Trusted Identities. Is there a notion of "reputation" that can go along with identities.
* Identities not just for people but also for services.
* In public/hybrid clouds, the service level identities needs to be propagated from end to end.
* Lot of short cuts (mashups) being used which should be avoided.


3. Standards Development for Identity.


* SAML, WS-Trust and other associated Identity Management standards have existed more from an enterprise environment perspective. Increasingly, OpenID and oAuth are being utilized/developed by the public - internet scale clouds.
* The emphasis has always been on federated SSO but we need to also look at authorization and provisioning. Standards for authorization and provisioning exist but not widely deployed.
* Blogs and forums have had OpenID adoption. This has also included the US Federal Government. But with increased needs for levels of assurance, then you will need to look at SAML and WS-Trust. If there is money riding on transactions, then OpenId will not come into play.
* Increasingly customers in the field are demanding profiles for cloud computing along with standards. Standards are useful to customers but they feel the need for profiles. Profiles can be either industry based or use case based.
* There is a new technical committee at the Oasis standards consortium called the Oasis Identity In The Cloud TC. One of the deliverables out of this TC is the profiles needed for cloud computing.

4. Provisioning

Some questions to ask are:
- If resources in the cloud are tied to identities, how do these resources transition when the identities get de-provisioned or decommissioned?
- CRUD of Identities/ Attributes in a single cloud environment or in a trusted partner cloud system.

* Identities for people including roles and identities for services (attributes and claims). With this separation, provisioning/deprovisioning of people and services is disconnected. This is kept in the environment itself. Then deprovisioning just involves removing an attribute or claim.
* It depends on the data model of the application to show flexibility in permissions.
* With CRUD, organizations are extending internal organizational processes to the cloud.
* Oasis SPML when adopted along with SSO can help in plugging the holes.
* Authorization systems in a new extended system needs to be robust to handle the provisioning of identities.


5. Enterprise Cloud vs Internet Scale Cloud


* Social media (classic public cloud) need reduced SSO and lower levels of assurance.
* Lots of customers are discussing private and hybrid deployments - abilities to abstract security services as a service ( Authentication as a service, authorization as a service, auditing as a service) to provide higher levels of assurance.
* Highly trusted identity systems or loosely coupled systems of today.
* Password policies at one web site may be different from the other web site.
* There is a need for brokering or resolving differences. Trust brokers between IDPs and SPs to negotiate or mediate in the eco system.
* Move away from communities of users to vetted identities system. Proofing/claim assurance is needed.



6. Access Management

Enterprise (XACML) versus Internet (oAuth); Heavyweight versus Lightweight.

* If there is a need for higher levels of assurance and non-repudiation, use the digital signatures used in XACML.
* Both XACML and oAuth are being used at customer sites.


7. Regulations

Privacy based regulations, Verticals based regulations and Location based regulations.

* There will be a move towards users centric identity. If an user identity moves location, then there may be different access control/regulations that need to be applied.



Questions and Answers Session:



1) Intrusion Detection Systems and Intrusion Prevention Systems in Cloud Computing Infrastructure.
2) Fraud Prevention and Risk Mitigation.


* Traditional layer of perimeter security is not sufficient. There is a need for Virtualization security.
* IDS/IPS at Perimeter are different from Virtualization security.
* How well you vet and proof your identities?
* What authentication mechanisms you use for identities? Authorization systems may demand particular authentication mechanisms, to mitigate fraud prevention. Banking systems are currently driving this via multi-factor authentication demands.
* Shared accounts are being used a lot in the industry. This is a big security hole. This is the short cut approach being prevalent in the enterprise, which when applied to cloud computing can be dangerous.


3) Will Trusted Brokers mitigate the problem of proliferation of trusted Identity Providers?


* In the near and mid-term, the brokers are going to help. Since Identity Providers use different protocols etc, brokering can help and mitigate.


Moderated by: Anil Saldhana, Co-Chair, Oasis Identity In The Cloud Technical Committee.


If you are on LinkedIn and you are a security expert or interested in Identity Management, I do suggest joining the free linkedin group  "Identity In The Cloud".

....

Wednesday, May 5, 2010

Cloudy with a chance of Identity

I have the privilege of moderating and driving an industry round table on the concept of Identity as applied to Cloud Computing. It is being hosted by BrightTalk (http://www.brighttalk.com).

More details about the time, registration, panelists etc are available from:

OASIS IDCloud Co-chair and Members to Participate in Complimentary Cloud Identity Webinar - TOMORROW, 6 May 2010

Some of the topics we will cover:
a) Identity progression as the industry has moved from an enterprise to Cloud environments.
b) Enterprise versus Internet Scale Identity.
c) Access Management in the enterprise cloud to internet clouds (preferring lightweight mechanism).
d) Standards Development
e) Effect of Regulations on Cloud Identity.
f) Provisioning

Monday, May 3, 2010

JUDCon: Community Can Vote on Topics

PicketLink is among the topics that the community can vote to hear at the next JUDCON.

If you want to hear about SSO, SAML etc, then please vote for the PicketLink SSO presentation.

http://community.jboss.org/poll.jspa?poll=1042