Google Site Search


Monday, May 10, 2010

Summary :: Cloud Identity: Past, Present and Future

This is related to my earlier blog post on "Cloudy With A Chance Of Identity".

Basically, the panel discussion hosted by BrightTalk is available at: Panel Discussion (Requires Registration).

Currently, the feedback has been positive (4 out of 5 stars).

The panel discussion was very interesting. The panelists (Russell Dietz, SafeNet; Ravi Srinivasan, IBM; Darren Platz, Simplified) had very interesting experiences from the field to share.

Topics Discussed:-

1. How has the concept of Identity progressed as the industry has progressed from an enterprise architecture to a cloud based environment?

Background: Traditionally, we had enterprise environments servicing customers. Cloud computing has moved from being a buzz word to a mainstream reality. The concept of identity does have a progression associated with this industry transition.

* Identities have progressed very well with the availability of standards.
* Identity Management standards have matured and available in the industry.
* SAML has been popular in enabling B2B type infrastructure. Has been very useful in private and hybrid type environment. OpenID/OAuth/WRAP are quickly enabling public cloud infrastructure.
* User management/Identity Management are increasingly being decoupled from applications. Previously user management was part of individual applications. With the availability of federated sso, applications rely on authentication services from 3rd party sources.
* Federation and claims based systems have seen identity stores away from applications.

2. What significant challenges exist in the 3 types of Cloud Architectures (Public, Private and Hybrid)?

* Typically private clouds constitute widely deployed SOA applications in a virtualized environment, outsourced to a private cloud environment. Challenges include federation and user centric identity. With hybrid clouds, this gets compounded as we have now added some elements of public cloud infrastructure. Challenges in hybrid clouds include increased federation points and synchronization of user identities. With public clouds, it is a challenge to figure out who owns the user's identity, what is the origin of the identity etc.
* There is a need for Trusted Identities. Is there a notion of "reputation" that can go along with identities.
* Identities not just for people but also for services.
* In public/hybrid clouds, the service level identities needs to be propagated from end to end.
* Lot of short cuts (mashups) being used which should be avoided.

3. Standards Development for Identity.

* SAML, WS-Trust and other associated Identity Management standards have existed more from an enterprise environment perspective. Increasingly, OpenID and oAuth are being utilized/developed by the public - internet scale clouds.
* The emphasis has always been on federated SSO but we need to also look at authorization and provisioning. Standards for authorization and provisioning exist but not widely deployed.
* Blogs and forums have had OpenID adoption. This has also included the US Federal Government. But with increased needs for levels of assurance, then you will need to look at SAML and WS-Trust. If there is money riding on transactions, then OpenId will not come into play.
* Increasingly customers in the field are demanding profiles for cloud computing along with standards. Standards are useful to customers but they feel the need for profiles. Profiles can be either industry based or use case based.
* There is a new technical committee at the Oasis standards consortium called the Oasis Identity In The Cloud TC. One of the deliverables out of this TC is the profiles needed for cloud computing.

4. Provisioning

Some questions to ask are:
- If resources in the cloud are tied to identities, how do these resources transition when the identities get de-provisioned or decommissioned?
- CRUD of Identities/ Attributes in a single cloud environment or in a trusted partner cloud system.

* Identities for people including roles and identities for services (attributes and claims). With this separation, provisioning/deprovisioning of people and services is disconnected. This is kept in the environment itself. Then deprovisioning just involves removing an attribute or claim.
* It depends on the data model of the application to show flexibility in permissions.
* With CRUD, organizations are extending internal organizational processes to the cloud.
* Oasis SPML when adopted along with SSO can help in plugging the holes.
* Authorization systems in a new extended system needs to be robust to handle the provisioning of identities.

5. Enterprise Cloud vs Internet Scale Cloud

* Social media (classic public cloud) need reduced SSO and lower levels of assurance.
* Lots of customers are discussing private and hybrid deployments - abilities to abstract security services as a service ( Authentication as a service, authorization as a service, auditing as a service) to provide higher levels of assurance.
* Highly trusted identity systems or loosely coupled systems of today.
* Password policies at one web site may be different from the other web site.
* There is a need for brokering or resolving differences. Trust brokers between IDPs and SPs to negotiate or mediate in the eco system.
* Move away from communities of users to vetted identities system. Proofing/claim assurance is needed.

6. Access Management

Enterprise (XACML) versus Internet (oAuth); Heavyweight versus Lightweight.

* If there is a need for higher levels of assurance and non-repudiation, use the digital signatures used in XACML.
* Both XACML and oAuth are being used at customer sites.

7. Regulations

Privacy based regulations, Verticals based regulations and Location based regulations.

* There will be a move towards users centric identity. If an user identity moves location, then there may be different access control/regulations that need to be applied.

Questions and Answers Session:

1) Intrusion Detection Systems and Intrusion Prevention Systems in Cloud Computing Infrastructure.
2) Fraud Prevention and Risk Mitigation.

* Traditional layer of perimeter security is not sufficient. There is a need for Virtualization security.
* IDS/IPS at Perimeter are different from Virtualization security.
* How well you vet and proof your identities?
* What authentication mechanisms you use for identities? Authorization systems may demand particular authentication mechanisms, to mitigate fraud prevention. Banking systems are currently driving this via multi-factor authentication demands.
* Shared accounts are being used a lot in the industry. This is a big security hole. This is the short cut approach being prevalent in the enterprise, which when applied to cloud computing can be dangerous.

3) Will Trusted Brokers mitigate the problem of proliferation of trusted Identity Providers?

* In the near and mid-term, the brokers are going to help. Since Identity Providers use different protocols etc, brokering can help and mitigate.

Moderated by: Anil Saldhana, Co-Chair, Oasis Identity In The Cloud Technical Committee.

If you are on LinkedIn and you are a security expert or interested in Identity Management, I do suggest joining the free linkedin group  "Identity In The Cloud".


No comments: