Identity in the Cloud Gap Analysis Version 1.0

Committee Note 01

03 February 2014

Specification URIs

This version:

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cn01/IDCloud-gap-v1.0-cn01.doc (Authoritative)

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cn01/IDCloud-gap-v1.0-cn01.html

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cn01/IDCloud-gap-v1.0-cn01.pdf

Previous version:

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cnprd01/IDCloud-gap-v1.0-cnprd01.doc (Authoritative)

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cnprd01/IDCloud-gap-v1.0-cnprd01.html

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cnprd01/IDCloud-gap-v1.0-cnprd01.pdf

Latest version:

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/IDCloud-gap-v1.0.doc (Authoritative)

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/IDCloud-gap-v1.0.html

http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/IDCloud-gap-v1.0.pdf

Technical Committee:

OASIS Identity in the Cloud TC

Chairs:

Anil Saldhana (anil.saldhana@redhat.com), Red Hat, Inc.

Anthony Nadalin (tonynad@microsoft.com), Microsoft

Editors:

Gershon Janssen (gershon@qroot.com), Individual

Matt Rutkowski (mrutkows@us.ibm.com), IBM

Roger Bass (roger@traxian.com), Traxian

Dominique Nguyen (dominique.v.nguyen@bankofamerica.com), Bank of America

Related work:

This document is related to:

·         Identity in the Cloud Use Cases Version 1.0. Latest version. http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/IDCloud-usecases-v1.0.html.

Abstract:

This document provides an analysis of gaps or requirements that may exist in current identity management standards. The basis for the gap analysis is the normative use cases from Identity in the Cloud Use Cases Version 1.0.

Status:

This document was last revised or approved by the OASIS Identity in the Cloud TC on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document.

Technical Committee members should send comments on this document to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at http://www.oasis-open.org/committees/id-cloud/.

Citation format:

When referencing this document the following citation format should be used:

[IDCloud-Gap-v1.0]

Identity in the Cloud Gap Analysis Version 1.0. Edited by Gershon Janssen, Matt Rutkowski, Roger Bass, and Dominique Nguyen. 03 February 2014. OASIS Committee Note 01. http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cn01/IDCloud-gap-v1.0-cn01.html. Latest version: http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/IDCloud-gap-v1.0.html.

 

Copyright © OASIS Open 2014.  All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

 

 

Table of Contents

1 Introduction
  1.1 Statement of purpose
  1.2 GAP analysis
    1.2.1 GAP analysis process
    1.2.2 GAP analysis structure outline
  1.3 List of relevant standards
  1.4 References
2 Relevant standards
  2.1 Tiers of work
  2.2 List of relevant standards
    2.2.1 Categorized standards and versions
    2.2.2 Standards, versions, status and managing Organization
3 Gap Analysis per Use Case
  3.1 Use Case 1: Application and Virtualization Security in the Cloud
    3.1.1 Short description
    3.1.2 Covered Identity Management Categories
    3.1.3 Featured Cloud Deployment or Service Models
    3.1.4 Relevant applicable standards
    3.1.5 Analysis notes
    3.1.6 GAPs identified
  3.2 Use Case 2: Identity Provisioning
    3.2.1 Short description
    3.2.2 Covered Identity Management Categories
    3.2.3 Featured Cloud Deployment or Service Models
    3.2.4 Relevant applicable standards
    3.2.5 Analysis notes
    3.2.6 GAPs identified
  3.3 Use Case 3: Identity Audit
    3.3.1 Short description
    3.3.2 Covered Identity Management Categories
    3.3.3 Featured Cloud Deployment or Service Models
    3.3.4 Relevant applicable standards
    3.3.5 Analysis notes
    3.3.6 Possible GAPs identified
  3.4 Use Case 4: Identity Configuration
    3.4.1 Short description
    3.4.2 Covered Identity Management Categories
    3.4.3 Featured Cloud Deployment or Service Models
    3.4.4 Relevant applicable standards
    3.4.5 Analysis notes
    3.4.6 Possible GAPs identified
  3.5 Use Case 5: Middleware Container in a Public Cloud
    3.5.1 Short description
    3.5.2 Covered Identity Management Categories
    3.5.3 Featured Cloud Deployment or Service Models
    3.5.4 Relevant applicable standards
    3.5.5 Analysis notes
    3.5.6 Possible GAPs identified
  3.6 Use Case 6: Federated SSO and Attribute Sharing
    3.6.1 Short description
    3.6.2 Covered Identity Management Categories
    3.6.3 Featured Cloud Deployment or Service Models
    3.6.4 Relevant applicable standards
    3.6.5 Analysis notes
    3.6.6 Possible GAPs identified
  3.7 Use Case 7: Identity Silos in the Cloud
    3.7.1 Short description
    3.7.2 Covered Identity Management Categories
    3.7.3 Featured Cloud Deployment or Service Models
    3.7.4 Relevant applicable standards
    3.7.5 Analysis notes
    3.7.6 Possible GAPs identified
  3.8 Use Case 8: Identity Privacy in a Shared Cloud Environment
    3.8.1 Short description
    3.8.2 Covered Identity Management Categories
    3.8.3 Featured Cloud Deployment or Service Models
    3.8.4 Relevant applicable standards
    3.8.5 Analysis notes
    3.8.6 Possible GAPs identified
  3.9 Use Case 9: Cloud Signature Services
    3.9.1 Short description
    3.9.2 Covered Identity Management Categories
    3.9.3 Featured Cloud Deployment or Service Models
    3.9.4 Relevant applicable standards
    3.9.5 Analysis notes
    3.9.6 Possible GAPs identified
  3.10 Use Case 10: Cloud Tenant Administration
    3.10.1 Short description
    3.10.2 Covered Identity Management Categories
    3.10.3 Featured Cloud Deployment or Service Models
    3.10.4 Relevant applicable standards
    3.10.5 Analysis notes
    3.10.6 Possible GAPs identified
  3.11 Use Case 11: Enterprise to Cloud SSO
    3.11.1 Short description
    3.11.2 Covered Identity Management Categories
    3.11.3 Featured Cloud Deployment or Service Models
    3.11.4 Relevant applicable standards
    3.11.5 Analysis notes
    3.11.6 Possible GAPs identified
  3.12 Use Case 12: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication
    3.12.1 Short description
    3.12.2 Covered Identity Management Categories
    3.12.3 Featured Cloud Deployment or Service Models
    3.12.4 Relevant applicable standards
    3.12.5 Analysis notes
    3.12.6 Possible GAPs identified
  3.13 Use Case 13: Transaction Validation and Signing in the Cloud
    3.13.1 Short description
    3.13.2 Covered Identity Management Categories
    3.13.3 Featured Cloud Deployment or Service Models
    3.13.4 Relevant applicable standards
    3.13.5 Analysis notes
    3.13.6 Possible GAPs identified
  3.14 Use Case 14: Enterprise Purchasing from a Public Cloud
    3.14.1 Short description
    3.14.2 Covered Identity Management Categories
    3.14.3 Featured Cloud Deployment or Service Models
    3.14.4 Relevant applicable standards
    3.14.5 Analysis notes
    3.14.6 Possible GAPs identified
  3.15 Use Case 15: Access to Enterprise’s Workforce Applications Hosted in Cloud
    3.15.1 Short description
    3.15.2 Covered Identity Management Categories
    3.15.3 Featured Cloud Deployment or Service Models
    3.15.4 Relevant applicable standards
    3.15.5 Analysis notes
    3.15.6 Possible GAPs identified
  3.16 Use Case 16: Offload Identity Management to External Business Entity
    3.16.1 Short description
    3.16.2 Covered Identity Management Categories
    3.16.3 Featured Cloud Deployment or Service Models
    3.16.4 Relevant applicable standards
    3.16.5 Analysis notes
    3.16.6 Possible GAPs identified
  3.17 Use Case 17: Per Tenant Identity Provider Configuration
    3.17.1 Short description
    3.17.2 Covered Identity Management Categories
    3.17.3 Featured Cloud Deployment or Service Models
    3.17.4 Relevant applicable standards
    3.17.5 Analysis notes
    3.17.6 Possible GAPs identified
  3.18 Use Case 18: Delegated Identity Provider Configuration
    3.18.1 Short description
    3.18.2 Covered Identity Management Categories
    3.18.3 Featured Cloud Deployment or Service Models
    3.18.4 Relevant applicable standards
    3.18.5 Analysis notes
    3.18.6 Possible GAPs identified
  3.19 Use Case 19: Auditing Access to Company Confidential Videos in Public Cloud
    3.19.1 Short description
    3.19.2 Covered Identity Management Categories
    3.19.3 Featured Cloud Deployment or Service Models
    3.19.4 Relevant applicable standards
    3.19.5 Analysis notes
    3.19.6 Possible GAPs identified
  3.20 Use Case 20: Government Provisioning of Cloud Services
    3.20.1 Short description
    3.20.2 Covered Identity Management Categories
    3.20.3 Featured Cloud Deployment or Service Models
    3.20.4 Relevant applicable standards
    3.20.5 Analysis notes
    3.20.6 Possible GAPs identified
  3.21 Use Case 21: Mobile Customers’ Identity Authentication Using a Cloud provider
    3.21.1 Short description
    3.21.2 Covered Identity Management Categories
    3.21.3 Featured Cloud Deployment or Service Models
    3.21.4 Relevant applicable standards
    3.21.5 Analysis notes
    3.21.6 Possible GAPs identified
  3.22 Use Case 22: Cloud-based Two-Factor Authentication Service
    3.22.1 Short description
    3.22.2 Covered Identity Management Categories
    3.22.3 Featured Cloud Deployment or Service Models
    3.22.4 Relevant applicable standards
    3.22.5 Analysis notes
    3.22.6 Possible GAPs identified
  3.23 Use Case 23: Cloud Application Identification using Extended Validation Certificates
    3.23.1 Short description
    3.23.2 Covered Identity Management Categories
    3.23.3 Featured Cloud Deployment or Service Models
    3.23.4 Relevant applicable standards
    3.23.5 Analysis notes
    3.23.6 Possible GAPs identified
  3.24 Use Case 24: Cloud Platform Audit and Asset Management using Hardware-based Identities
    3.24.1 Short description
    3.24.2 Covered Identity Management Categories
    3.24.3 Featured Cloud Deployment or Service Models
    3.24.4 Relevant applicable standards
    3.24.5 Analysis notes
    3.24.6 Possible GAPs identified
  3.25 Use Case 25: Inter-cloud Document Exchange and Collaboration
    3.25.1 Short description
    3.25.2 Covered Identity Management Categories
    3.25.3 Featured Cloud Deployment or Service Models
    3.25.4 Relevant applicable standards
    3.25.5 Analysis notes
    3.25.6 Possible GAPs identified
  3.26 Use Case 26: Identity Impersonation / Delegation
    3.26.1 Short description
    3.26.2 Covered Identity Management Categories
    3.26.3 Featured Cloud Deployment or Service Models
    3.26.4 Relevant applicable standards
    3.26.5 Analysis notes
    3.26.6 Possible GAPs identified
  3.27 Use Case 27: Federated User Account Provisioning and Management for a Community of Interest (CoI)
    3.27.1 Short description
    3.27.2 Covered Identity Management Categories
    3.27.3 Featured Cloud Deployment or Service Models
    3.27.4 Relevant applicable standards
    3.27.5 Analysis notes
    3.27.6 Possible GAPs identified
  3.28 Use Case 28: Cloud Governance and Entitlement Management
    3.28.1 Short description
    3.28.2 Covered Identity Management Categories
    3.28.3 Featured Cloud Deployment or Service Models
    3.28.4 Relevant applicable standards
    3.28.5 Analysis notes
    3.28.6 Possible GAPs identified
  3.29 Use Case 29: User Delegation of Access to Personal Data in a Public Cloud
    3.29.1 Short description
    3.29.2 Covered Identity Management Categories
    3.29.3 Featured Cloud Deployment or Service Models
    3.29.4 Relevant applicable standards
    3.29.5 Analysis notes
    3.29.6 Possible GAPs identified
Appendix A. Acknowledgments
Appendix B. Revision History

1 Introduction

1.1 Statement of purpose

Cloud Computing is turning into an important IT service delivery paradigm. Many enterprises are experimenting with cloud computing, using clouds in their own data centers or hosted by third parties, and increasingly they deploy business applications on such private and public clouds. Cloud Computing raises many challenges that have serious security implications. Identity Management in the cloud is such a challenge.

Many enterprises avail themselves of a combination of private and public Cloud Computing infrastructures to handle their workloads. In a phenomenon known as "Cloud Bursting", the peak loads are offloaded to public Cloud Computing infrastructures that offer billing based on usage. This is a use case of a Hybrid Cloud infrastructure. Additionally, governments around the world are evaluating the use of Cloud Computing for government applications. For instance, the US Government has started apps.gov to foster the adoption of Cloud Computing. Other governments have started or announced similar efforts.

The purpose of the OASIS Identity in the Cloud TC is to:

1.2 GAP analysis

The GAP analysis consisted of a detailed analysis of each Use Case from the Identity in the Cloud Use Cases document [IDCloud-Usecases]. Through this analysis the TC validated whether all needs are addressed by currently available standards, in such a fashion that the stated goals and outcomes are achieved.

1.2.1 GAP analysis process

In order to analyze each Use Case, determine how it might be implemented and what is required, and find where current standards fall short or are perceived as missing, the TC followed the following step-by-step GAP analysis process:

The outcomes of each of those steps are documented in this GAP analysis document.

1.2.2 GAP analysis structure outline

All outcomes of the gap analysis are documented using the following sections:

1.3 List of relevant standards

As a result of the GAP analysis, a list of relevant applicable standards has been composed from all individual Use Cases. Chapter 2 outlines the full categorized list of current standards, versions, statuses and their maintaining organizations.

1.4 References

The following references are used to provide definitions of and information on terms used throughout this document:

[IDCloud-Usecases]

Identity in the Cloud Use Cases Version 1.0. 08 May 2012. OASIS Committee Note 01. http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html

2 Relevant standards

2.1 Tiers of work

Standards included in this GAP analysis are standards, specifications, recommendations, notes and ‘work in progress’ from both SDOs and non-SDOs.

Applicability of the various standards work is considered in the following order:

  1. OASIS SDO standards
  2. Other SDOs standards
  3. Specifications, recommendations and notes from SDOs and non-SDOs
  4. ‘Work in progress’

2.2 List of relevant standards

The tables below list the relevant standards.

2.2.1 Categorized standards and versions

Table 1 - Column details:

| Tier | Category | Identifier | Full name |
|---|---|---|---|
| 1 | Authentication | DSS-1.0 | Digital Signature Services |
| 1 | Authentication | SAML-2.0 | Security Assertion Markup Language |
| 1 | Authorization | XACML-3.0 | eXtensible Access Control Markup Language |
| 1 | Fed. Identity Mgmt. | WS-Federation-1.2 | Web Services Federation Language |
| 1 | Fed. Identity Mgmt. | IMI-1.0 | Identity Metasystem Interoperability |
| 1 | Governance | ebXML CPPA-2.0 | ebXML Collaborative Partner Profile Agreement |
| 1 | Infra. Identity Mgmt. | WS-ReliableMessaging-1.2 | Web Services Reliable Messaging |
| 1 | Infra. Identity Mgmt. | WS-SecureConversation-1.4 | Web Services Secure Conversation |
| 1 | Infra. Identity Mgmt. | KMIP-1.1 | Key Management Interoperability Protocol Specification |
| 1 | Infra. Identity Mgmt. | WS-Transaction-1.2 | Web Services Transaction |
| 1 | Infra. Identity Mgmt. | WS-Trust-1.4 | Web Service Secure Exchange |
| 1 | Provisioning | SPML-2.0 | Service Provisioning Markup Language |
| 1 | Authentication | XMLdsig-2008 | XML Signature Syntax and Processing |
| 2 | Audit & Compliance | CADF-1.0.0 | Cloud Auditing Data Federation |
| 2 | Provisioning | CIMI-1.0.0 | Cloud Infrastructure Management Interface |
| 2 | Provisioning | CMDBf-1.0.1 | Configuration Management Database Federation |
| 2 | Virtual Machines | OVF-2.0 | Open Virtualization Format |
| 2 | Authentication | Kerberos-5 | The Kerberos Network Authentication Service |
| 2 | Authentication | RADIUS | Remote Authentication Dial In User Service |
| 2 | Authentication | XAdES-1.1.1 | XML Advanced Electronic Signatures |
| 2 | Authorization | OAuth-1.0 | The OAuth 1.0 Protocol |
| 2 | Authorization | OAuth-2.0 | The OAuth 2.0 Authorization Framework |
| 2 | Infra. Identity Mgmt. | IPsec | Security Architecture for the Internet Protocol |
| 2 | Infra. Identity Mgmt. | X.509-3.0 | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List Profile |
| 2 | Infra. Identity Mgmt. | UUID | Universally Unique IDentifier |
| 2 | Infra. Identity Mgmt. | TOTP | Time-Based One-Time Password Algorithm |
| 2 | Infra. Identity Mgmt. | HOTP | HMAC-Based One-Time Password Algorithm |
| 2 | Infra. Identity Mgmt. | LDAP-3 | Lightweight Directory Access Protocol |
| 2 | Infra. Identity Mgmt. | LDIF-1 | The LDAP Data Interchange Format |
| 2 | Assurance | ISO29115-2013 | Entity authentication assurance framework |
| 2 | Governance | ISO27018 | Code of practice for data protection controls for public cloud computing services |
| 2 | Privacy | ISO29100-2011 | Privacy framework |
| 2 | Privacy | ISO29101 | Privacy architecture framework |
| 2 | Privacy | ISO29191-2012 | Requirements for partially anonymous, partially unlinkable authentication |
| 2 | Account / Attribute Mgmt. | IGF-CARML-1.0 | Identity Governance Framework Client Attribute Requirements Markup Language |
| 2 | Account / Attribute Mgmt. | OpenID Attribute Exchange-1.0 | OpenID Attribute Exchange |
| 2 | Account / Attribute Mgmt. | OpenID Simple Registration Extension-1.0 | OpenID Simple Registration Extension |
| 2 | Authentication | OpenID Authentication-2.0 | OpenID Authentication |
| 2 | Authentication | OpenID Authentication-1.1 | OpenID Authentication |
| 2 | Authentication | OpenID Provider Authentication Policy Extension-1.0 | OpenID Provider Authentication Policy Extension |
| 2 | Infra. Identity Mgmt. | Backplane Protocol-2.0 | Backplane Protocol |
| 2 | Infra. Identity Mgmt. | Backplane Protocol-1.2 | Backplane Protocol |
| 2 | Infra. Identity Mgmt. | Backplane Protocol-1.1 | Backplane Protocol |
| 2 | Infra. Identity Mgmt. | Backplane Protocol-1.0 | Backplane Protocol |
| 2 | Infra. Identity Mgmt. | Account Chooser-1.0 | Account Chooser |
| 2 | Infra. Identity Mgmt. | JavaEE-6 | Java Platform Enterprise Edition |
| 2 | Infra. Identity Mgmt. | JTS-6 | Java Transaction Service |
| 2 | Infra. Identity Mgmt. | CDMI-1.0.2 | Cloud Data Management Interface |
| 2 | Infra. Identity Mgmt. | TPM-1.2 | Trusted Platform Module |
| 2 | Privacy | P3P-1.1 | Platform for Privacy Preferences |
| 3 | Assurance | EV certificates-1.4 | EV SSL Certificates |
| 3 | Provisioning | SCIM-2.0 | System for Cross-domain Identity Management |
| 3 | Provisioning | SCIM Core Schema-2.0 | System for Cross-domain Identity Management Core Schema |
| 3 | Provisioning | SCIM REST API-2.0 | System for Cross-domain Identity Management REST API |
| 3 | Provisioning | SCIM Targeting-2.0 | System for Cross-domain Identity Management Targeting |
| 3 | Privacy | PMRM-1.0 | Privacy Management Reference Model |
| 3 | Authentication | OpenID Connect-1.0 | OpenID Connect |
| 3 | Authentication | OpenID Connect Basic Client Profile-1.0 | OpenID Connect Basic Client Profile |
| 3 | Authentication | OpenID Connect Implicit Client Profile-1.0 | OpenID Connect Implicit Client Profile |
| 3 | Authentication | OpenID Connect Discovery-1.0 | OpenID Connect Discovery |
| 3 | Authentication | OpenID Connect Dynamic Client Registration-1.0 | OpenID Connect Dynamic Client Registration |
| 3 | Authentication | OpenID Connect Standard-1.0 | OpenID Connect Standard |
| 3 | Authentication | OpenID Connect Messages-1.0 | OpenID Connect Messages |
| 3 | Authentication | OpenID Connect Session Management-1.0 | OpenID Connect Session Management |
| 3 | Authorization | OpenID Connect OAuth 2.0 Multiple Response Type Encoding Practices-1.0 | OpenID Connect OAuth 2.0 Multiple Response Type Encoding Practices |
| 3 | Lifecycle | OSLC | Open Services for Lifecycle Collaboration |
| 3 | Lifecycle | OSLC Core-3.0 | Open Services for Lifecycle Collaboration - Common and Core |
| 3 | Lifecycle | OSLC Core-2.0 | Open Services for Lifecycle Collaboration - Common and Core |
| 3 | Lifecycle | OSLC Configuration Management-1.0 | Open Services for Lifecycle Collaboration - Configuration Management |
| 3 | Provisioning | SCIM-1.1 | System for Cross-domain Identity Management |
| 3 | Provisioning | SCIM Core Schema-1.1 | System for Cross-domain Identity Management Core Schema |
| 3 | Provisioning | SCIM REST API-1.1 | System for Cross-domain Identity Management REST API |
| 3 | Privacy | P3P-1.0 | Platform for Privacy Preferences |
| 4 | Audit & Compliance | CloudAudit-1.0 | CloudAudit - Automated Audit, Assertion, Assessment, and Assurance API |
| 4 | Authentication | JWS-0.8 | JSON Web Signature |
| 4 | Authentication | JWT-0.6 | JSON Web Token |
| 4 | Authentication | STORK-1.0 | D5.8.3b Interface Specification |
| 4 | Audit & Compliance | ISO27017-1.0.0 | Guidelines on information security controls for the use of cloud computing services |
| 4 | Authorization | UMA-0.7 | User-Managed Access Profile of OAuth 2.0 |
| 4 | Assurance | Trust Elevation | Electronic Identity Credential Trust Elevation Methods |
| 4 | Lifecycle | TOSCA-1.0 | Topology and Orchestration Specification for Cloud Applications |

2.2.2 Standards, versions, status and managing Organization

Table 2 - Column details:

| Identifier | Version | Organization | Organization (full name) | Status |
|---|---|---|---|---|
| DSS-1.0 | 1.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| SAML-2.0 | 2.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| XACML-3.0 | 3.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| WS-Federation-1.2 | 1.2 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| IMI-1.0 | 1.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| ebXML CPPA-2.0 | 2.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| WS-ReliableMessaging-1.2 | 1.2 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| WS-SecureConversation-1.4 | 1.4 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| KMIP-1.1 | 1.1 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| WS-Transaction-1.2 | 1.2 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| WS-Trust-1.4 | 1.4 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| SPML-2.0 | 2.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard |
| XMLdsig-2008 | 2008 | W3C | The World Wide Web Consortium | Recommendation |
| CADF-1.0.0 | 1.0.0 | DMTF | Distributed Management Task Force | Draft Specification |
| CIMI-1.0.0 | 1.0.0 | DMTF | Distributed Management Task Force | Specification |
| CMDBf-1.0.1 | 1.0.1 | DMTF | Distributed Management Task Force | Specification |
| OVF-2.0 | 2.0 | DMTF | Distributed Management Task Force | Standard |
| XAdES-1.1.1 | 1.1.1 | ETSI | The European Telecommunications Standards Institute | Standard |
| Kerberos-5 | 5 | IETF | Internet Engineering Task Force | Standard |
| RADIUS | | IETF | Internet Engineering Task Force | Standard |
| OAuth-1.0 | 1.0 | IETF | Internet Engineering Task Force | Standard |
| OAuth-2.0 | 2.0 | IETF | Internet Engineering Task Force | Standard |
| IPsec | | IETF | Internet Engineering Task Force | Standard |
| X.509-3.0 | 3.0 | IETF | Internet Engineering Task Force | Standard |
| UUID | | IETF | Internet Engineering Task Force | Standard |
| TOTP | | IETF | Internet Engineering Task Force | Standard |
| HOTP | | IETF | Internet Engineering Task Force | Standard |
| LDAP-3 | 3 | IETF | Internet Engineering Task Force | Standard |
| LDIF-1 | 1 | IETF | Internet Engineering Task Force | Standard |
| ISO29115-2013 | 2013 | ISO | International Organization for Standardization | Standard |
| ISO27018 | | ISO | International Organization for Standardization | Work in progress |
| ISO29100-2011 | 2011 | ISO | International Organization for Standardization | Standard |
| ISO29101 | | ISO | International Organization for Standardization | Work in progress |
| ISO29191-2012 | 2012 | ISO | International Organization for Standardization | Standard |
| IGF-CARML-1.0 | 1.0 | Liberty Alliance | Liberty Alliance | Specification |
| OpenID Attribute Exchange-1.0 | 1.0 | OIDF | OpenID Foundation | Specification |
| OpenID Simple Registration Extension-1.0 | 1.0 | OIDF | OpenID Foundation | Specification |
| OpenID Authentication-2.0 | 2.0 | OIDF | OpenID Foundation | Specification |
| OpenID Authentication-1.1 | 1.1 | OIDF | OpenID Foundation | Specification |
| OpenID Provider Authentication Policy Extension-1.0 | 1.0 | OIDF | OpenID Foundation | Specification |
| Backplane Protocol-2.0 | 2.0 | OIDF | OpenID Foundation | Draft Specification |
| Backplane Protocol-1.2 | 1.2 | OIDF | OpenID Foundation | Specification |
| Backplane Protocol-1.1 | 1.1 | OIDF | OpenID Foundation | Specification |
| Backplane Protocol-1.0 | 1.0 | OIDF | OpenID Foundation | Specification |
| Account Chooser-1.0 | 1.0 | OIDF | OpenID Foundation | Specification |
| JavaEE-6 | 6 | Oracle | Oracle Corporation | Specification |
| JTS-6 | 6 | Oracle | Oracle Corporation | Specification |
| CDMI-1.0.2 | 1.0.2 | SNIA | The Storage Networking Industry Association | Standard |
| TPM-1.2 | 1.2 | TCG | Trusted Computing Group | Standard |
| P3P-1.1 | 1.1 | W3C | The World Wide Web Consortium | Draft Specification |
| EV certificates-1.4 | 1.4 | CABForum | CA/Browser Forum | Specification |
| SCIM-2.0 | 2.0 | IETF | Internet Engineering Task Force | Draft Specification |
| SCIM Core Schema-2.0 | 2.0 | IETF | Internet Engineering Task Force | Draft Specification |
| SCIM REST API-2.0 | 2.0 | IETF | Internet Engineering Task Force | Draft Specification |
| SCIM Targeting-2.0 | 2.0 | IETF | Internet Engineering Task Force | Draft Specification |
| PMRM-1.0 | 1.0 | OASIS | Organization for the Advancement of Structured Information Standards | Draft Specification |
| OpenID Connect-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OpenID Connect Basic Client Profile-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OpenID Connect Implicit Client Profile-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OpenID Connect Discovery-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OpenID Connect Dynamic Client Registration-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OpenID Connect Standard-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OpenID Connect Messages-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OpenID Connect Session Management-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OpenID Connect OAuth 2.0 Multiple Response Type Encoding Practices-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification |
| OSLC | | OSLC | Open Services for Lifecycle Collaboration | |
| OSLC Core-3.0 | 3.0 | OSLC | Open Services for Lifecycle Collaboration | Draft Specification |
| OSLC Core-2.0 | 2.0 | OSLC | Open Services for Lifecycle Collaboration | Specification |
| OSLC Configuration Management-1.0 | 1.0 | OSLC | Open Services for Lifecycle Collaboration | Draft Specification |
| SCIM-1.1 | 1.1 | OWF | Open Web Foundation | Specification |
| SCIM Core Schema-1.1 | 1.1 | OWF | Open Web Foundation | Specification |
| SCIM REST API-1.1 | 1.1 | OWF | Open Web Foundation | Specification |
| P3P-1.0 | 1.0 | W3C | The World Wide Web Consortium | Specification |
| CloudAudit-1.0 | 1.0 | CSA | Cloud Security Alliance | Draft Specification |
| JWS-0.8 | 0.8 | IETF | Internet Engineering Task Force | Draft |
| JWT-0.6 | 0.6 | IETF | Internet Engineering Task Force | Draft |
| ISO27017-1.0.0 | 1.0.0 | ISO | International Organization for Standardization | Work in progress |
| UMA-0.7 | 0.7 | Kantara Initiative | Kantara Initiative | Draft Specification |
| Trust Elevation | | OASIS | Organization for the Advancement of Structured Information Standards | Work in progress |
| TOSCA-1.0 | 1.0 | OASIS | Organization for the Advancement of Structured Information Standards | Specification |
| STORK-1.0 | 1.0 | STORK | STORK EU co-funded project | Work in progress |

3 Gap Analysis per Use Case

3.1 Use Case 1: Application and Virtualization Security in the Cloud

3.1.1 Short description

Feature the importance of managing identities that exist in cloud at all levels, including the host operating system, virtual machines as well as applications. Ownership and management of identities may vary at each level and also be external to the cloud provider.

3.1.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | P | S | | | | | S | | | | |

3.1.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
|---|---|---|---|---|---|---|---|---|---|
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| | X | X | | | | | X | X | |

3.1.4 Relevant applicable standards

 

3.1.5 Analysis notes

·         The diagram is a pictorial representation of the use case.

·         The Cloud Provider’s Identity Mgmt. System is able to handle identity management for multiple tenants at various infrastructure levels.

·         Multiple administrator roles exist: for servers, host OS, virtual machines, guest OS and applications.

·         Each administrative role has its own scope: what it can do and what it must not be able to do. E.g. a Virtual Machine administrator can provision and decommission / destroy Virtual Machines, but cannot access the actual runtime.

·         A user becomes an administrative user (in any role) by group membership(s) or special attribute(s) being set. Typically these attributes map to LDAP / X.500 group memberships.

·         Authentication for administrative users must be strong and / or multi-factor.

·         The identity store plays an important role in this use case. Administrative users may be required to exist in different stores, e.g. at the server level in password files or in network-based directory services such as Yellow Pages (NIS).

·         Ideally this would be achieved with one single directory service.

·         There is a requirement for the uniqueness of identities and devices. Virtual machines, appliances, switches, etc. should be uniquely identified.
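The role-scoping and group-membership rules from the notes above, as an added example (not part of the OASIS document): a deny-by-default check that derives administrative roles from LDAP group DNs scoped per tenant, refuses any administrative operation without a verified second factor, and keeps a Virtual Machine administrator out of the guest runtime. Group DNs, role names, layers, operations and the sample sessions are constructed for illustration.

```python
"""Scoped administrative roles for a multi-tenant cloud (constructed example)."""
from dataclasses import dataclass

# Each administrative role has an explicit scope: the (layer, operation) pairs
# it may perform. Anything not listed is denied, so a VM administrator can
# provision and destroy virtual machines but cannot log in to the guest runtime.
ROLE_SCOPE = {
    "server-admin":   {("server", "power"), ("server", "firmware")},
    "host-os-admin":  {("host-os", "patch"), ("host-os", "login")},
    "vm-admin":       {("vm", "provision"), ("vm", "decommission")},
    "guest-os-admin": {("guest-os", "patch"), ("guest-os", "login")},
    "app-admin":      {("application", "deploy"), ("application", "configure")},
}

# Administrative roles are derived from LDAP / X.500 group membership. The tenant
# is carried in the group DN so one directory serves many tenants; provider-wide
# groups use "*". The DN layout is constructed, not taken from any real directory.
GROUP_ROLE = {
    "cn=vm-admins,ou=tenant-a,dc=cloud,dc=example":      ("tenant-a", "vm-admin"),
    "cn=app-admins,ou=tenant-a,dc=cloud,dc=example":     ("tenant-a", "app-admin"),
    "cn=host-os-admins,ou=provider,dc=cloud,dc=example": ("*", "host-os-admin"),
}


@dataclass
class Session:
    user: str
    groups: list   # group DNs asserted by the directory at login
    mfa: bool      # True only if a second factor was verified for this session
    tenant: str    # tenant context the session is operating in


def admin_roles(session):
    """Roles granted to the session: group membership, restricted to its tenant."""
    roles = set()
    for dn in session.groups:
        tenant, role = GROUP_ROLE.get(dn, (None, None))
        if role and tenant in ("*", session.tenant):
            roles.add(role)
    return roles


def authorize(session, layer, operation):
    """Return (allowed, reason). Deny by default; every admin role requires MFA."""
    roles = admin_roles(session)
    if not roles:
        return False, "no administrative role for tenant %s" % session.tenant
    if not session.mfa:
        return False, "administrative access requires multi-factor authentication"
    for role in sorted(roles):
        if (layer, operation) in ROLE_SCOPE[role]:
            return True, "allowed by role %s" % role
    return False, "%s on %s is outside the scope of %s" % (
        operation, layer, ", ".join(sorted(roles)))


# Constructed sample sessions used by the demo below.
VM_ADMIN_DN = "cn=vm-admins,ou=tenant-a,dc=cloud,dc=example"
HOST_ADMIN_DN = "cn=host-os-admins,ou=provider,dc=cloud,dc=example"
ALICE = Session("alice", [VM_ADMIN_DN], mfa=True, tenant="tenant-a")
ALICE_NO_MFA = Session("alice", [VM_ADMIN_DN], mfa=False, tenant="tenant-a")
ALICE_OTHER_TENANT = Session("alice", [VM_ADMIN_DN], mfa=True, tenant="tenant-b")
OPS = Session("ops", [HOST_ADMIN_DN], mfa=True, tenant="tenant-b")

if __name__ == "__main__":
    checks = [
        (ALICE, "vm", "provision"),            # in scope, MFA present: allowed
        (ALICE, "guest-os", "login"),          # VM admin must not reach the runtime
        (ALICE_NO_MFA, "vm", "provision"),     # admin role without MFA: denied
        (ALICE_OTHER_TENANT, "vm", "provision"),  # group is scoped to tenant-a
        (OPS, "host-os", "patch"),             # provider-wide role, any tenant
    ]
    for session, layer, op in checks:
        allowed, reason = authorize(session, layer, op)
        print("%-5s %-9s %-12s -> %s (%s)" % (session.user, layer, op, allowed, reason))
```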

3.1.6 GAPs identified

 


 

3.2 Use Case 2: Identity Provisioning

3.2.1 Short description

Feature the need to support and manage customer policies for identity decommissioning, including transitioning of affected resources to new identities.

3.2.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.2.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | |

3.2.4 Relevant applicable standards

 

3.2.5 Analysis notes

3.2.6 GAPs identified

 


3.3 Use Case 3: Identity Audit

 

3.3.1 Short description

Feature the importance of auditing/logging of sensitive operations performed by users and administrators in the cloud.

3.3.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | | | | | | | | P |

3.3.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | X | | | | |

3.3.4 Relevant applicable standards

 

3.3.5 Analysis notes

3.3.6 Possible GAPs identified

The following possible GAPs have been identified:

 


3.4 Use Case 4: Identity Configuration

 

3.4.1 Short description

Feature the need for portable standards to configure identities in cloud applications and infrastructure (virtual machines, servers, etc.).

3.4.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.4.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.4.4 Relevant applicable standards

 

3.4.5 Analysis notes

3.4.6 Possible GAPs identified

The following possible GAPs have been identified:


3.5 Use Case 5: Middleware Container in a Public Cloud

 

3.5.1 Short description

Show how cloud identities need to be administered and accounted for in order to manage middleware containers and their applications.

3.5.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.5.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.5.4 Relevant applicable standards

 

3.5.5 Analysis notes

3.5.6 Possible GAPs identified

 


3.6 Use Case 6: Federated SSO and Attribute Sharing

 

3.6.1 Short description

Feature the need for Federated Single Sign-On (F-SSO) across multiple cloud environments.

3.6.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.6.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.6.4 Relevant applicable standards

 

3.6.5 Analysis notes

3.6.6 Possible GAPs identified

The following possible GAPs have been identified:


3.7 Use Case 7: Identity Silos in the Cloud

 

3.7.1 Short description

Exhibit how identity attributes can be aggregated based on multiple silos within a cloud, a group of clouds or from outside the cloud.

3.7.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.7.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.7.4 Relevant applicable standards

 

 

3.7.5 Analysis notes

3.7.6 Possible GAPs identified


3.8 Use Case 8: Identity Privacy in a Shared Cloud Environment

3.8.1 Short description

Show the need for controls that maintain the privacy of identities while operating in a cloud, where this is desired.

3.8.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.8.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.8.4 Relevant applicable standards

 

3.8.5 Analysis notes

3.8.6 Possible GAPs identified


3.9 Use Case 9: Cloud Signature Services

 

3.9.1 Short description

There is a business need in many applications to create digital signatures on documents and transactions. When applications and users move into the cloud, the signing services should move with them. Both users and applications have a need to sign documents.

3.9.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.9.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.9.4 Relevant applicable standards

3.9.5 Analysis notes

3.9.6 Possible GAPs identified


3.10 Use Case 10: Cloud Tenant Administration

 

3.10.1 Short description

Feature the ability for enterprises to securely manage their use of the cloud provider’s services (whether IaaS, PaaS or SaaS), and further meet their compliance requirements.

Administrator users are authenticated at the appropriate assurance level (preferably using multi-factor credentials).

3.10.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.10.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.10.4 Relevant applicable standards

 

3.10.5 Analysis notes

3.10.6 Possible GAPs identified

 


3.11 Use Case 11: Enterprise to Cloud SSO

 

3.11.1 Short description

A user is able to access resources within their enterprise environment or within a cloud deployment using a single identity.

With enterprises expanding their application deployments using private and public clouds, the identity management and authentication of users to the services needs to be decoupled from the cloud service, in a similar fashion to the decoupling of identity from application in the enterprise. Users expect and need their enterprise identity to extend to the cloud and to be used to obtain different services from different providers, rather than a multitude of user IDs and passwords.

By accessing services via a federated enterprise identity, not only is the user experience of SSO gained, but also enterprise compliance and control of user access, ensuring only valid identities may access cloud services.

3.11.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.11.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.11.4 Relevant applicable standards

 

3.11.5 Analysis notes

3.11.6 Possible GAPs identified

 


3.12 Use Case 12: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication

 

3.12.1 Short description

A user (or cloud consumer) is able to access multiple SaaS applications using a single identity. 

3.12.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.12.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.12.4 Relevant applicable standards

 

3.12.5 Analysis notes

3.12.6 Possible GAPs identified

 


3.13 Use Case 13: Transaction Validation and Signing in the Cloud

 

3.13.1 Short description

Users are able to perform transaction and document signing in the cloud using a trusted signing service that manages their signing keys.  

3.13.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.13.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.13.4 Relevant applicable standards

 

3.13.5 Analysis notes

3.13.6 Possible GAPs identified

 


3.14 Use Case 14: Enterprise Purchasing from a Public Cloud

 

3.14.1 Short description

Reduce the number of passwords that are stored and used in the cloud and eliminate the need for cloud “directory synchronization” while advocating a “claims based” architecture.

3.14.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.14.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.14.4 Relevant applicable standards

 

3.14.5 Analysis notes

 

3.14.6 Possible GAPs identified

 


3.15 Use Case 15: Access to Enterprise’s Workforce Applications Hosted in Cloud

 

3.15.1 Short description

Exhibit the need for seamless authentication and conveyance of access privileges from an enterprise that wishes to host its workforce applications on a public cloud.

3.15.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.15.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.15.4 Relevant applicable standards

 

3.15.5 Analysis notes

3.15.6 Possible GAPs identified

 


3.16 Use Case 16: Offload Identity Management to External Business Entity

 

3.16.1 Short description

Show the need for federated identity management which enables an enterprise to make available cloud-hosted applications to either the employees of its customers & business partners or its own institutional consumers and avoid directly managing identities (accounts) for those users.

3.16.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.16.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.16.4 Relevant applicable standards

 

3.16.5 Analysis notes

3.16.6 Possible GAPs identified

 


3.17 Use Case 17: Per Tenant Identity Provider Configuration

 

3.17.1 Short description

Show the need for cloud tenants to securely manage cloud services using automated tools rather than navigating and manually configuring each service individually.

3.17.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.17.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.17.4 Relevant applicable standards

3.17.5 Analysis notes

 

3.17.6 Possible GAPs identified

 


3.18 Use Case 18: Delegated Identity Provider Configuration

 

3.18.1 Short description

Show the need for cloud tenant administrators to delegate access to their identity services configuration within a multi-tenant cloud service to their chosen identity provider service.

3.18.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.18.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.18.4 Relevant applicable standards

3.18.5 Analysis notes

3.18.6 Possible GAPs identified

 


3.19 Use Case 19: Auditing Access to Company Confidential Videos in Public Cloud

 

3.19.1 Short description

Features the need to audit the various role-based accesses to confidential data objects stored in a public cloud against the owning company’s security policy.

3.19.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.19.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.19.4 Relevant applicable standards

 

3.19.5 Analysis notes

3.19.6 Possible GAPs identified


3.20 Use Case 20: Government Provisioning of Cloud Services

 

3.20.1 Short description

Show how authorized government personnel could be granted access and assigned appropriate privileges to configure and provision a cloud service.

3.20.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.20.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.20.4 Relevant applicable standards

3.20.5 Analysis notes

3.20.6 Possible GAPs identified

 


3.21 Use Case 21: Mobile Customers’ Identity Authentication Using a Cloud provider

 

3.21.1 Short description

Show how a financial company is able to use a cloud service provider to authenticate its globally-based mobile clients and to connect them to the closest (cloud) physical location for fast response.

3.21.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.21.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.21.4 Relevant applicable standards

 

3.21.5 Analysis notes

3.21.6 Possible GAPs identified

 

 


3.22 Use Case 22: Cloud-based Two-Factor Authentication Service

 

3.22.1 Short description

Exhibits the value of a Two-Factor Authentication (2FA) cloud-based service that can be used with an Identity Provider, deployed either at the enterprise, at the cloud service provider, or as a separate cloud service.

3.22.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.22.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.22.4 Relevant applicable standards

 

3.22.5 Analysis notes

3.22.6 Possible GAPs identified

 


3.23 Use Case 23: Cloud Application Identification using Extended Validation Certificates

 

3.23.1 Short description

Shows the value of providing verifiable identification of the Cloud Provider/SaaS application to the user or consumer using Extended Validation (EV) certificates.

3.23.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.23.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.23.4 Relevant applicable standards

 

3.23.5 Analysis notes

3.23.6 Possible GAPs identified

 


3.24 Use Case 24: Cloud Platform Audit and Asset Management using Hardware-based Identities

 

3.24.1 Short description

Describes the value of “proof of execution” using persistent hardware-based identities that are traceable and logged as part of the audit trail for the Enterprise customer.

3.24.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.24.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.24.4 Relevant applicable standards

3.24.5 Analysis notes

3.24.6 Possible GAPs identified

 


3.25 Use Case 25: Inter-cloud Document Exchange and Collaboration

 

3.25.1 Short description

Businesses trading with one another should be able to seamlessly establish new electronic trading relationships via their existing cloud application and commerce systems. In particular, it should be possible to set up the identities, attributes and relationships required on the various systems with zero or minimal user intervention.

3.25.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.25.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.25.4 Relevant applicable standards

 

3.25.5 Analysis notes

3.25.6 Possible GAPs identified


3.26 Use Case 26: Identity Impersonation / Delegation

 

3.26.1 Short description

Customers of the cloud provider may require the cloud provider to support one identity impersonating the identity of another customer without sacrificing security.

3.26.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.26.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.26.4 Relevant applicable standards

 

3.26.5 Analysis notes

3.26.6 Possible GAPs identified

 

 


3.27 Use Case 27: Federated User Account Provisioning and Management for a Community of Interest (CoI)

 

3.27.1 Short description

Show the need for provisioning, administration and governance of user identities and their attributes for organizations with a distributed structure that includes many central and branch offices and business partners, each of which may utilize cloud deployment models.

3.27.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.27.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.27.4 Relevant applicable standards

 

3.27.5 Analysis notes

3.27.6 Possible GAPs identified

 

 


3.28 Use Case 28: Cloud Governance and Entitlement Management

 

3.28.1 Short description

Provide a means for external identity governance by cloud consumers so that they can inspect and manage assignable entitlements for cloud provider SaaS or PaaS applications, as well as for cloud-hosted consumer accounts. There is a need to do this in a standard way so that entitlements can be modeled and understood for audit and provisioning purposes.

3.28.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.28.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.28.4 Relevant applicable standards

 

3.28.5 Analysis notes

 

3.28.6 Possible GAPs identified

 

 


3.29 Use Case 29: User Delegation of Access to Personal Data in a Public Cloud

 

3.29.1 Short description

Users are able to dynamically delegate (grant and revoke) and constrain access to files or data stored with a cloud service provider to users whose identities are managed by external identity providers.

3.29.2 Covered Identity Management Categories

| Infra. Identity Est. | Identity Mgmt. | | | Authentication | | | Authorization | Account / Attribute Mgmt. | | Security Tokens | Governance | Audit & Compliance |
| | Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | P | | | | | P | | | | |

3.29.3 Featured Cloud Deployment or Service Models

| Featured Cloud Deployment Models | | | | | Featured Cloud Service Models | | | | |
| None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
| X | | | | X | | | |

3.29.4 Relevant applicable standards

3.29.5 Analysis notes

3.29.6 Possible GAPs identified

 

 

 

Appendix A. Acknowledgments

The following individuals have participated in the creation of this specification and are gratefully acknowledged:

Participants:

Abbie Barbir, Bank of America

Jeffrey Broberg, CA Technologies

Carl Bunje, The Boeing Company

Milan Calina, First Point Global Pty Ltd.

Brian Campbell, Ping Identity Corporation

David Chadwick, Individual Member

Aradhna Chetal, The Boeing Company

Doron Cohen, SafeNet, Inc.

Sastry Dhara, Individual Member

Gines Dolera Tormo, NEC Corporation

Michele Drgon, Individual Member

Felix Gomez Marmol, NEC Corporation

Bob Gupta, Viometric, LLC

Tomas Gustavsson, PrimeKey Solutions AB

Patrick Harding, Ping Identity Corporation

Thomas Hardjono, M.I.T.

Hadass Harel, eBay, Inc.

Masum Hasan, Cisco Systems

ChengDong He, Huawei Technologies Co., Ltd.

Heather Hinton, IBM

Rainer Hoerbe, Individual Member

Gershon Janssen, Individual Member

Chris Kappler, PricewaterhouseCoopers LLP

David Kern, IBM

Kelvin Lawrence, IBM

Paul Lipton, CA Technologies

Paul Madsen, Ping Identity Corporation

Dimitar Mihaylov, SAP AG

Dale Moberg, Axway Software

Anthony Nadalin, Microsoft

John Newton, Alfresco Software

Dominique Nguyen, Bank of America

Guillaume Noe, Deloitte Consulting LLP

li peng, Huawei Technologies Co., Ltd.

Darren Platt, Symplified

Nick Pope, Thales e-Security

Donald Provencher, Bank of America

Martin Raepple, SAP AG

Christopher Ramstrom, CA Technologies

Darran Rolls, SailPoint Technologies

Matthew Rutkowski, IBM

Anil Saldhana, Red Hat

Richard Sand, Individual Member

Joe Savak, Rackspace Hosting, Inc.

Ziad Sawalha, Rackspace Hosting, Inc.

Mark Schertler, Axway Software

Suneet Shah, OpenIAM, LLC

Sean Shen, China Internet Network Information Center(CNNIC)

Jerry Smith, US Department of Defense (DoD)

Xiaonan Song, Primeton Technologies, Inc.

Scott Stark, Red Hat

Don Thibeau, Open Identity Exchange

Cathy Tilton, Daon

John Tolbert, The Boeing Company

David Turner, Microsoft

Steve VanTill, Security Industry Association

Colin Wallis, New Zealand Government

YanJiong WANG, Primeton Technologies, Inc.

Jeffrey Wheeler, Huawei Technologies Co., Ltd.

Frank Wray, Bank of America

Frank Wray, PricewaterhouseCoopers LLP

Kevin Yu, Verizon Business

Aaron Zhang, Huawei Technologies Co., Ltd.

Appendix B. Revision History

| Revision | Date | Editor | Changes Made |
| 01a | February 03, 2012 | Gershon Janssen | Initial draft version. |
| 01b | February 19, 2012 | Gershon Janssen | Added output of first pass on applicable standards for all use cases to the document. |
| 01c | May 14, 2012 | Gershon Janssen | Added output of gap analysis discussions. |
| 01d | May 18, 2012 | Gershon Janssen | Added draft output of F2F gap analysis discussions. No editorial clean-up and rewording. |
| 02 | April 1, 2013 | Gershon Janssen | Updated document with all gap analysis discussions output. |
| 03 | April 27, 2013 | Gershon Janssen | Added Acknowledgements section. |
| 04 | November 12, 2013 | Gershon Janssen | Updated with comments received from PR01. |