This is intended as a Non-Standards Track Work Product.

The patent provisions of the OASIS IPR Policy do not apply.

Identity in the Cloud Gap Analysis Version 1.0

Working Draft 01d

18 May 2011

Technical Committee:

OASIS Identity in the Cloud TC

Chairs:

Anil Saldhana, Redhat

Anthony Nadalin, Microsoft

Editors:

Gershon Janssen, Individual

Matt Rutkowski, IBM

Roger Bass, Traxian

Dominique Nguyen, Bank of America

Related work:

OASIS Identity in the Cloud TC Use Cases Version 1.0, Committee Note Draft 03 / Public Review Draft 02, 19 March 2012, http://www.oasis-open.org/committees/download.php/45281/id-cloud-usecases-v1.0-cnprd02.zip

Abstract:

This document is intended to provide an analysis of gaps or requirements that may exist in current identity management standards. The basis for the gap analysis is the set of normative use cases.

Status:

This Working Draft (WD) has been produced by one or more TC Members; it has not yet been voted on by the TC or approved as a Committee Draft (Committee Specification Draft or a Committee Note Draft). The OASIS document Approval Process begins officially with a TC vote to approve a WD as a Committee Draft. A TC may approve a Working Draft, revise it, and re-approve it any number of times as a Committee Draft.

Copyright © OASIS Open 2011. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

IDCloud-gap-V1.0-wd01d Working Draft 01 19 February 2012


Table of Contents

Table of Contents 2

1 Introduction 8

1.1 References 8

2 Relevant standards 9

2.1 Tiers of work 9

2.2 List of relevant standards 9

3 Gap Analysis per Use Case 12

3.1 Use Case 1: Application and Virtualization Security in the Cloud 12

3.1.1 Short description 12

3.1.2 Relevant applicable standards 12

3.1.3 Analysis notes 12

3.1.4 Possible GAPs identified 12

3.2 Use Case 2: Identity Provisioning 13

3.2.1 Short description 13

3.2.2 Relevant applicable standards 13

3.2.3 Analysis notes 13

3.2.4 Possible GAPs identified 13

3.3 Use Case 3: Identity Audit 14

3.3.1 Short description 14

3.3.2 Relevant applicable standards 14

3.3.3 Analysis notes 14

3.3.4 Possible GAPs identified 14

3.4 Use Case 4: Identity Configuration 15

3.4.1 Short description 15

3.4.2 Relevant applicable standards 15

3.4.3 Analysis notes 15

3.4.4 Possible GAPs identified 15

3.5 Use Case 5: Middleware Container in a Public Cloud 16

3.5.1 Short description 16

3.5.2 Relevant applicable standards 16

3.5.3 Analysis notes 16

3.5.4 Possible GAPs identified 16

3.6 Use Case 6: Federated SSO and Attribute Sharing 17

3.6.1 Short description 17

3.6.2 Relevant applicable standards 17

3.6.3 Analysis notes 17

3.6.4 Possible GAPs identified 17

3.7 Use Case 7: Identity Silos in the Cloud 18

3.7.1 Short description 18

3.7.2 Relevant applicable standards 18

3.7.3 Analysis notes 18

3.7.4 Possible GAPs identified 18

3.8 Use Case 8: Identity Privacy in a Shared Cloud Environment 19

3.8.1 Short description 19

3.8.2 Relevant applicable standards 19

3.8.3 Analysis notes 19

3.8.4 Possible GAPs identified 19

3.9 Use Case 9: Cloud Signature Services 20

3.9.1 Short description 20

3.9.2 Relevant applicable standards 20

3.9.3 Analysis notes 20

3.9.4 Possible GAPs identified 20

3.10 Use Case 10: Cloud Tenant Administration 21

3.10.1 Short description 21

3.10.2 Relevant applicable standards 21

3.10.3 Analysis notes 21

3.10.4 Possible GAPs identified 21

3.11 Use Case 11: Enterprise to Cloud SSO 22

3.11.1 Short description 22

3.11.2 Relevant applicable standards 22

3.11.3 Analysis notes 22

3.11.4 Possible GAPs identified 22

3.12 Use Case 12: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication 23

3.12.1 Short description 23

3.12.2 Relevant applicable standards 23

3.12.3 Analysis notes 23

3.12.4 Possible GAPs identified 23

3.13 Use Case 13: Transaction Validation and Signing in the Cloud 24

3.13.1 Short description 24

3.13.2 Relevant applicable standards 24

3.13.3 Analysis notes 24

3.13.4 Possible GAPs identified 24

3.14 Use Case 14: Enterprise Purchasing from a Public Cloud 25

3.14.1 Short description 25

3.14.2 Relevant applicable standards 25

3.14.3 Analysis notes 25

3.14.4 Possible GAPs identified 25

3.15 Use Case 15: Access to Enterprise’s Workforce Applications Hosted in Cloud 26

3.15.1 Short description 26

3.15.2 Relevant applicable standards 26

3.15.3 Analysis notes 26

3.15.4 Possible GAPs identified 26

3.16 Use Case 16: Offload Identity Management to External Business Entity 27

3.16.1 Short description 27

3.16.2 Relevant applicable standards 27

3.16.3 Analysis notes 27

3.16.4 Possible GAPs identified 27

3.17 Use Case 17: Per Tenant Identity Provider Configuration 28

3.17.1 Short description 28

3.17.2 Relevant applicable standards 28

3.17.3 Analysis notes 28

3.17.4 Possible GAPs identified 28

3.18 Use Case 18: Delegated Identity Provider Configuration 29

3.18.1 Short description 29

3.18.2 Relevant applicable standards 29

3.18.3 Analysis notes 29

3.18.4 Possible GAPs identified 29

3.19 Use Case 19: Auditing Access to Company Confidential Videos in Public Cloud 30

3.19.1 Short description 30

3.19.2 Relevant applicable standards 30

3.19.3 Analysis notes 30

3.19.4 Possible GAPs identified 30

3.20 Use Case 20: Government Provisioning of Cloud Services 31

3.20.1 Short description 31

3.20.2 Relevant applicable standards 31

3.20.3 Analysis notes 31

3.20.4 Possible GAPs identified 31

3.21 Use Case 21: Mobile Customers’ Identity Authentication Using a Cloud provider 32

3.21.1 Short description 32

3.21.2 Relevant applicable standards 32

3.21.3 Analysis notes 32

3.21.4 Possible GAPs identified 32

3.22 Use Case 22: Cloud-based Two-Factor Authentication Service 33

3.22.1 Short description 33

3.22.2 Relevant applicable standards 33

3.22.3 Analysis notes 33

3.22.4 Possible GAPs identified 33

3.23 Use Case 23: Cloud Application Identification using Extended Validation Certificates 34

3.23.1 Short description 34

3.23.2 Relevant applicable standards 34

3.23.3 Analysis notes 34

3.23.4 Possible GAPs identified 34

3.24 Use Case 24: Cloud Platform Audit and Asset Management using Hardware-based Identities 35

3.24.1 Short description 35

3.24.2 Relevant applicable standards 35

3.24.3 Analysis notes 35

3.24.4 Possible GAPs identified 35

3.25 Use Case 25: Inter-cloud Document Exchange and Collaboration 36

3.25.1 Short description 36

3.25.2 Relevant applicable standards 36

3.25.3 Analysis notes 36

3.25.4 Possible GAPs identified 36

3.26 Use Case 26: Identity Impersonation / Delegation 37

3.26.1 Short description 37

3.26.2 Relevant applicable standards 37

3.26.3 Analysis notes 37

3.26.4 Possible GAPs identified 37

3.27 Use Case 27: Federated User Account Provisioning and Management for a Community of Interest (CoI) 38

3.27.1 Short description 38

3.27.2 Relevant applicable standards 38

3.27.3 Analysis notes 38

3.27.4 Possible GAPs identified 38

3.28 Use Case 28: Cloud Governance and Entitlement Management 39

3.28.1 Short description 39

3.28.2 Relevant applicable standards 39

3.28.3 Analysis notes 39

3.28.4 Possible GAPs identified 39

3.29 Use Case 29: User Delegation of Access to Personal Data in a Public Cloud 40

3.29.1 Short description 40

3.29.2 Relevant applicable standards 40

3.29.3 Analysis notes 40

3.29.4 Possible GAPs identified 40

Appendix A. Acknowledgments 41

Appendix B. Non-Normative Section 42

Appendix C. Revision History 43

1  Introduction

@

1.1 References

@

2  Relevant standards

2.1 Tiers of work

The standards included in this GAP analysis comprise, among others, standards, specifications, recommendations, notes and ‘work in progress’ from both SDOs and non-SDOs.

Applicability of the various standards work is considered in the following order:

1. OASIS SDO standards

2. Other SDOs standards

3. Specifications, recommendations and notes from SDOs and non-SDOs

4. ‘Work in progress’

2.2 List of relevant standards

The table below lists the relevant standards.

Column details:

·  Tier: see paragraph 2.1

·  Category: Standard category, e.g. privacy, authentication, provisioning, etc.

·  Name / descriptor: Name or descriptor of the standard

·  Version: Version of the standard, specification or recommendation

·  Organization: Organization that maintains and publishes the standard

·  Status: State of the standard, e.g. standard, recommendation, note.

Tier | Category | Name / Descriptor   | Version | Organization            | Status
-----|----------|---------------------|---------|-------------------------|---------------
1    |          | DSS                 | 1.0     | OASIS                   | Standard
1    |          | KMIP                |         | OASIS                   | Standard
1    |          | SAML                | 2.0     | OASIS                   | Standard
1    |          | SPML                | 2.0     | OASIS                   | Standard
1    |          | WS-Federation       |         | OASIS                   | Standard
1    |          | WS-Transaction      | 1.2     | OASIS                   | Standard
1    |          | WS-Trust            | 1.4     | OASIS                   | Standard
1    |          | XACML               | 3.0     | OASIS                   | Standard
1    |          | XSPA                |         | OASIS                   |
4    |          | EICTEM              |         | OASIS                   |
4    |          | PMRM                |         | OASIS                   |
4    |          | TOSCA               |         | OASIS                   |
2    |          | EV certificates     |         | CA/Browser Forum        |
4    |          | CloudAudit          |         | CSA                     |
2    |          | OVF                 |         | DMTF                    |
4    |          | Cloud Management WG |         | DMTF                    |
2    |          | IPsec               |         | IETF                    |
2    |          | Kerberos            |         | IETF                    |
2    |          | LDAP                |         | IETF                    |
2    |          | LDIF                |         | IETF                    |
2    |          | OAuth               | 1.0     | IETF                    | Standard
2    |          | RADIUS              |         | IETF                    |
3    |          | OAuth               | 2.0     | IETF                    | Specification
4    |          | JWE                 |         | IETF                    | Draft
4    |          | JWS                 |         | IETF                    | Draft
4    |          | JWT                 |         | IETF                    | Draft
2    |          | X.500               |         | ITU-T                   |
2    |          | X.509               | 3.0     | ITU-T                   | Standard
2    |          | IGF                 | 1.1     | Kantara Initiative      |
4    |          | UMA                 |         | Kantara Initiative      |
1    |          | ebXML CPPA          |         | OASIS                   |
1    |          | IMI                 |         | OASIS                   |
2    |          | OTS                 |         | Object Management Group |
3    |          | SCIM                | 1.0     | Open Web Foundation     |
2    |          | OpenID              | 2.0     | OpenID Foundation       |
3    |          | OpenID Connect      |         | OpenID Foundation       |
2    |          | OpenSocial          |         | OpenSocial Foundation   |
2    |          | JavaEE              |         | Oracle                  |
2    |          | JTS                 |         | Oracle                  |
2    |          | UUID                |         | OSF                     |
2    |          | CDMI                | 1.0.1   | SNIA                    | Standard
2    |          | TPM                 | 1.2     | Trusted Computing Group |
1    |          | XMLDsig             |         | W3C                     | Recommendation
2    |          | P3P                 |         | W3C                     |

3  Gap Analysis per Use Case

3.1 Use Case 1: Application and Virtualization Security in the Cloud

3.1.1 Short description

Feature the importance of managing identities that exist in the cloud at all levels, including the host operating system, virtual machines and applications. Ownership and management of identities may vary at each level and may also be external to the cloud provider.

3.1.2 Relevant applicable standards

·  SAML

·  WS-Trust

·  OpenID

·  OAuth

·  OVF

·  X.500

·  LDAP

·  IPsec

·  RADIUS

·  SPML

·  SCIM

3.1.3 Analysis notes

·  The diagram is a pictorial representation of the use case

·  The Cloud Provider’s Identity Mgmt. System is able to handle identity management for multiple tenants on various infrastructure levels.

·  Multiple administrator roles exist: for servers, host OS, virtual machines, guest OS and applications.

·  Applicable categories of standards and / or specifications are: Authentication, Authorization, Federated Identity, Virtual Machines, Provisioning, Directory and VPN

·  Each administrative role has its own scope (what it can do, or should not be able to do). E.g. a Virtual Machine administrator can provision and decommission / destroy Virtual Machines, but cannot access the actual runtime.

·  A user becomes an administrative user (in any role) by group membership(s) or special attribute(s) being set. Typically attributes map to LDAP / X.500 group memberships.

·  Neither these groups nor these attributes are universal; wider standardization of attributes and groups may be needed. Are standards for groups and / or attributes available that make a user an administrative user?

·  Specific groups for subscribers and providers, so they are not intermingled

·  A unique identifier for virtual machines

·  A requirement for uniqueness for identities or devices

·  Mechanism and audit requirements for uniqueness include, e.g., global versus local uniqueness, a global registrar, time considerations, and a URI (if the identifier is represented as one)

·  Can apply not only to VMs, but also to appliances, switches, etc.


·  Authentication for administrative users must be strong and / or multi-factor.

·  The identity store plays an important role in this use case. Administrative users may be required to exist in different stores, e.g. at the server level in password files or in network-based directory services such as Yellow Pages (NIS).

·  In an ideal world this could be achieved with one single directory service

·  How to handle ownership of identities in multi-tenant setups?
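The notes above describe administrative roles derived from LDAP / X.500 group membership, each role with its own scope (a VM administrator can provision and decommission but cannot reach the runtime), provider and subscriber groups kept apart, and a registrar issuing unique VM identifiers. The following Python script is an added illustration of those points and is not part of the OASIS document or of any implementation it references; the LDIF entries are constructed, and the group names, the `o=` organisation attribute used to separate provider from tenant, the role scopes and the `VmRegistry` class are assumptions.

```python
import uuid
from datetime import datetime, timezone

# Constructed LDIF-style entries (not from any real directory). Group
# membership is carried in memberOf; the organisation (o=) in a DN tells the
# provider apart from a subscriber (tenant), so their groups are never mixed.
# Carol, a tenant user, is deliberately listed in a *provider* group.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=provider,dc=example
uid: alice
memberOf: cn=vm-admins,ou=groups,o=provider,dc=example

dn: uid=bob,ou=people,o=tenant-a,dc=example
uid: bob
memberOf: cn=vm-admins,ou=groups,o=tenant-a,dc=example
memberOf: cn=app-admins,ou=groups,o=tenant-a,dc=example

dn: uid=carol,ou=people,o=tenant-a,dc=example
uid: carol
memberOf: cn=vm-admins,ou=groups,o=provider,dc=example
"""

# Assumed role scopes: the operations each administrative role may perform.
# A VM administrator provisions and decommissions VMs but has no access to
# the guest runtime; that belongs to the host / guest OS role.
ROLE_SCOPE = {
    "vm-admins":   {"vm:provision", "vm:decommission"},
    "host-admins": {"host:configure", "vm:runtime"},
    "app-admins":  {"app:deploy", "app:configure"},
}

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def dn_parts(dn):
    """Split 'cn=x,ou=y,o=z' into {'cn': 'x', 'ou': 'y', 'o': 'z'}."""
    return dict(rdn.split("=", 1) for rdn in dn.split(","))

def roles_for(entry):
    """Derive administrative roles from group membership. A group counts only
    if it belongs to the same organisation (o=) as the user, so a subscriber
    listed in a provider group (or the reverse) gains nothing from it."""
    user_org = dn_parts(entry["dn"][0])["o"]
    roles = set()
    for group_dn in entry.get("memberOf", []):
        parts = dn_parts(group_dn)
        if parts.get("o") == user_org and parts.get("cn") in ROLE_SCOPE:
            roles.add(parts["cn"])
    return roles

def is_permitted(entry, operation):
    """True if any of the user's roles includes the requested operation."""
    return any(operation in ROLE_SCOPE[role] for role in roles_for(entry))

class VmRegistry:
    """Hypothetical global registrar for VM identities: each VM gets a URN
    built on a random UUID, recorded with owner and creation time and never
    reissued, giving the uniqueness and audit trail the notes ask for."""
    def __init__(self):
        self.issued = {}

    def provision(self, entry, vm_name):
        if not is_permitted(entry, "vm:provision"):
            raise PermissionError(f"{entry['uid'][0]} may not provision VMs")
        vm_id = f"urn:uuid:{uuid.uuid4()}"
        if vm_id in self.issued:  # astronomically unlikely, but checked
            raise RuntimeError("identifier collision")
        self.issued[vm_id] = {
            "name": vm_name,
            "owner": dn_parts(entry["dn"][0])["o"],
            "created": datetime.now(timezone.utc).isoformat(),
        }
        return vm_id

def load_users(text=SAMPLE_LDIF):
    """Index the parsed entries by uid."""
    return {e["uid"][0]: e for e in parse_ldif(text)}

if __name__ == "__main__":
    users = load_users()
    registry = VmRegistry()
    for name, user in users.items():
        print(name, sorted(roles_for(user)),
              "runtime access:", is_permitted(user, "vm:runtime"))
    print(registry.provision(users["alice"], "build-host"))
```

Running it shows Bob holding two tenant-scoped roles yet no runtime access, Carol holding none despite her provider-group entry, and Alice receiving a `urn:uuid:` identifier that the registry records with its owner and timestamp.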

3.1.4 Possible GAPs identified

·  No particular standards for attribute management

·  Most standards that include IDs make no recommendations for uniqueness of identifiers for virtual machines, appliances, software, etc.

3.2 Use Case 2: Identity Provisioning

3.2.1 Short description

Feature the need to support and manage customer policies for identity decommissioning, including transitioning of affected resources to new identities.

3.2.2 Relevant applicable standards

·  Standards that provision UUIDs

·  Cloud Management WG

·  SPML

·  OSLC (open-services.net), the Open Services for Lifecycle Collaboration standards

·  SCIM

·  DMTF CIMI

3.2.3 Analysis notes

·  Provisions and policies for life cycle management

3.2.4 Possible GAPs identified

The following possible GAPs have been identified:

·  CRUD of virtual entities