Identity in the Cloud Gap Analysis Version 1.0
Committee Note 01
03 February 2014
Specification URIs
This version:
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cn01/IDCloud-gap-v1.0-cn01.doc (Authoritative)
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cn01/IDCloud-gap-v1.0-cn01.html
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cn01/IDCloud-gap-v1.0-cn01.pdf
Previous version:
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cnprd01/IDCloud-gap-v1.0-cnprd01.doc (Authoritative)
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cnprd01/IDCloud-gap-v1.0-cnprd01.html
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cnprd01/IDCloud-gap-v1.0-cnprd01.pdf
Latest version:
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/IDCloud-gap-v1.0.doc (Authoritative)
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/IDCloud-gap-v1.0.html
http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/IDCloud-gap-v1.0.pdf
Technical Committee:
OASIS Identity in the Cloud TC
Chairs:
Anil Saldhana (anil.saldhana@redhat.com), Red Hat, Inc.
Anthony Nadalin (tonynad@microsoft.com), Microsoft
Editors:
Gershon Janssen (gershon@qroot.com), Individual
Matt Rutkowski (mrutkows@us.ibm.com), IBM
Roger Bass (roger@traxian.com), Traxian
Dominique Nguyen (dominique.v.nguyen@bankofamerica.com), Bank of America
Related work:
Abstract:
This document provides an analysis of gaps or requirements that may exist in current identity management standards. The basis for the gap analysis is the normative use cases from Identity in the Cloud Use Cases Version 1.0.
Status:
This document was last revised or approved by the OASIS Identity in the Cloud TC on the above date. The level of approval is also listed above. Check the “Latest version” location noted above for possible later revisions of this document.
Technical Committee members should send comments on this document to the Technical Committee’s email list. Others should send comments to the Technical Committee by using the “Send A Comment” button on the Technical Committee’s web page at http://www.oasis-open.org/committees/id-cloud/.
Citation format:
When referencing this document the following citation format should be used:
[IDCloud-Gap-v1.0]
Identity in the Cloud Gap Analysis Version 1.0. Edited by Gershon Janssen, Matt Rutkowski, Roger Bass, and Dominique Nguyen. 03 February 2014. OASIS Committee Note 01. http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/cn01/IDCloud-gap-v1.0-cn01.html. Latest version: http://docs.oasis-open.org/id-cloud/IDCloud-gap/v1.0/IDCloud-gap-v1.0.html.
Copyright © OASIS Open 2014. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Table of Contents
1.2.2 GAP analysis structure outline
1.3 List of relevant standards
2.2 List of relevant standards
2.2.1 Categorized standards and versions
2.2.2 Standards, versions, status and managing Organization
3.1 Use Case 1: Application and Virtualization Security in the Cloud
3.1.2 Covered Identity Management Categories
3.1.3 Featured Cloud Deployment or Service Models
3.1.4 Relevant applicable standards
3.2 Use Case 2: Identity Provisioning
3.2.2 Covered Identity Management Categories
3.2.3 Featured Cloud Deployment or Service Models
3.2.4 Relevant applicable standards
3.3 Use Case 3: Identity Audit
3.3.2 Covered Identity Management Categories
3.3.3 Featured Cloud Deployment or Service Models
3.3.4 Relevant applicable standards
3.3.6 Possible GAPs identified
3.4 Use Case 4: Identity Configuration
3.4.2 Covered Identity Management Categories
3.4.3 Featured Cloud Deployment or Service Models
3.4.4 Relevant applicable standards
3.4.6 Possible GAPs identified
3.5 Use Case 5: Middleware Container in a Public Cloud
3.5.2 Covered Identity Management Categories
3.5.3 Featured Cloud Deployment or Service Models
3.5.4 Relevant applicable standards
3.5.6 Possible GAPs identified
3.6 Use Case 6: Federated SSO and Attribute Sharing
3.6.2 Covered Identity Management Categories
3.6.3 Featured Cloud Deployment or Service Models
3.6.4 Relevant applicable standards
3.6.6 Possible GAPs identified
3.7 Use Case 7: Identity Silos in the Cloud
3.7.2 Covered Identity Management Categories
3.7.3 Featured Cloud Deployment or Service Models
3.7.4 Relevant applicable standards
3.7.6 Possible GAPs identified
3.8 Use Case 8: Identity Privacy in a Shared Cloud Environment
3.8.2 Covered Identity Management Categories
3.8.3 Featured Cloud Deployment or Service Models
3.8.4 Relevant applicable standards
3.8.6 Possible GAPs identified
3.9 Use Case 9: Cloud Signature Services
3.9.2 Covered Identity Management Categories
3.9.3 Featured Cloud Deployment or Service Models
3.9.4 Relevant applicable standards
3.9.6 Possible GAPs identified
3.10 Use Case 10: Cloud Tenant Administration
3.10.2 Covered Identity Management Categories
3.10.3 Featured Cloud Deployment or Service Models
3.10.4 Relevant applicable standards
3.10.6 Possible GAPs identified
3.11 Use Case 11: Enterprise to Cloud SSO
3.11.2 Covered Identity Management Categories
3.11.3 Featured Cloud Deployment or Service Models
3.11.4 Relevant applicable standards
3.11.6 Possible GAPs identified
3.12 Use Case 12: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication
3.12.2 Covered Identity Management Categories
3.12.3 Featured Cloud Deployment or Service Models
3.12.4 Relevant applicable standards
3.12.6 Possible GAPs identified
3.13 Use Case 13: Transaction Validation and Signing in the Cloud
3.13.2 Covered Identity Management Categories
3.13.3 Featured Cloud Deployment or Service Models
3.13.4 Relevant applicable standards
3.13.6 Possible GAPs identified
3.14 Use Case 14: Enterprise Purchasing from a Public Cloud
3.14.2 Covered Identity Management Categories
3.14.3 Featured Cloud Deployment or Service Models
3.14.4 Relevant applicable standards
3.14.6 Possible GAPs identified
3.15 Use Case 15: Access to Enterprise’s Workforce Applications Hosted in Cloud
3.15.2 Covered Identity Management Categories
3.15.3 Featured Cloud Deployment or Service Models
3.15.4 Relevant applicable standards
3.15.6 Possible GAPs identified
3.16 Use Case 16: Offload Identity Management to External Business Entity.
3.16.2 Covered Identity Management Categories
3.16.3 Featured Cloud Deployment or Service Models
3.16.4 Relevant applicable standards
3.16.6 Possible GAPs identified
3.17 Use Case 17: Per Tenant Identity Provider Configuration
3.17.2 Covered Identity Management Categories
3.17.3 Featured Cloud Deployment or Service Models
3.17.4 Relevant applicable standards
3.17.6 Possible GAPs identified
3.18 Use Case 18: Delegated Identity Provider Configuration
3.18.2 Covered Identity Management Categories
3.18.3 Featured Cloud Deployment or Service Models
3.18.4 Relevant applicable standards
3.18.6 Possible GAPs identified
3.19 Use Case 19: Auditing Access to Company Confidential Videos in Public Cloud
3.19.2 Covered Identity Management Categories
3.19.3 Featured Cloud Deployment or Service Models
3.19.4 Relevant applicable standards
3.19.6 Possible GAPs identified
3.20 Use Case 20: Government Provisioning of Cloud Services
3.20.2 Covered Identity Management Categories
3.20.3 Featured Cloud Deployment or Service Models
3.20.4 Relevant applicable standards
3.20.6 Possible GAPs identified
3.21 Use Case 21: Mobile Customers’ Identity Authentication Using a Cloud provider
3.21.2 Covered Identity Management Categories
3.21.3 Featured Cloud Deployment or Service Models
3.21.4 Relevant applicable standards
3.21.6 Possible GAPs identified
3.22 Use Case 22: Cloud-based Two-Factor Authentication Service
3.22.2 Covered Identity Management Categories
3.22.3 Featured Cloud Deployment or Service Models
3.22.4 Relevant applicable standards
3.22.6 Possible GAPs identified
3.23 Use Case 23: Cloud Application Identification using Extended Validation Certificates
3.23.2 Covered Identity Management Categories
3.23.3 Featured Cloud Deployment or Service Models
3.23.4 Relevant applicable standards
3.23.6 Possible GAPs identified
3.24 Use Case 24: Cloud Platform Audit and Asset Management using Hardware-based Identities
3.24.2 Covered Identity Management Categories
3.24.3 Featured Cloud Deployment or Service Models
3.24.4 Relevant applicable standards
3.24.6 Possible GAPs identified
3.25 Use Case 25: Inter-cloud Document Exchange and Collaboration
3.25.2 Covered Identity Management Categories
3.25.3 Featured Cloud Deployment or Service Models
3.25.4 Relevant applicable standards
3.25.6 Possible GAPs identified
3.26 Use Case 26: Identity Impersonation / Delegation
3.26.2 Covered Identity Management Categories
3.26.3 Featured Cloud Deployment or Service Models
3.26.4 Relevant applicable standards
3.26.6 Possible GAPs identified
3.27.2 Covered Identity Management Categories
3.27.3 Featured Cloud Deployment or Service Models
3.27.4 Relevant applicable standards
3.27.6 Possible GAPs identified
3.28 Use Case 28: Cloud Governance and Entitlement Management
3.28.2 Covered Identity Management Categories
3.28.3 Featured Cloud Deployment or Service Models
3.28.4 Relevant applicable standards
3.28.6 Possible GAPs identified
3.29 Use Case 29: User Delegation of Access to Personal Data in a Public Cloud
3.29.2 Covered Identity Management Categories
3.29.3 Featured Cloud Deployment or Service Models
3.29.4 Relevant applicable standards
3.29.6 Possible GAPs identified
Cloud Computing is turning into an important IT service delivery paradigm. Many enterprises are experimenting with cloud computing, using clouds in their own data centers or hosted by third parties, and increasingly they deploy business applications on such private and public clouds. Cloud Computing raises many challenges that have serious security implications. Identity Management in the cloud is such a challenge.
Many enterprises avail themselves of a combination of private and public Cloud Computing infrastructures to handle their workloads. In a phenomenon known as "Cloud Bursting", the peak loads are offloaded to public Cloud Computing infrastructures that offer billing based on usage. This is a use case of a Hybrid Cloud infrastructure. Additionally, governments around the world are evaluating the use of Cloud Computing for government applications. For instance, the US Government has started apps.gov to foster the adoption of Cloud Computing. Other governments have started or announced similar efforts.
The purpose of the OASIS Identity in the Cloud TC is to:
The GAP analysis comprises a detailed analysis of each Use Case from the Identity in the Cloud Use Cases document [IDCloud-Usecases]. Through this analysis the TC validated whether all needs are addressed by currently available standards, in such a fashion that the stated goal and outcomes are achieved.
In order to analyze each Use Case, determine how it might be implemented and what is required, and find where current standards fall short or are perceived as missing, the TC followed the following step-by-step GAP analysis process:
The outcomes of each of those steps are documented in this GAP analysis document.
All outcomes of the gap analysis are documented using the following sections:
As a result of the GAP analysis, a list of relevant applicable standards has been composed from all individual Use Cases. Chapter 2 outlines the full categorized list of current standards, versions, statuses and their maintaining organizations.
The following references are used to provide definitions of and information on terms used throughout this document:
[IDCloud-Usecases]
Identity in the Cloud Use Cases Version 1.0. 08 May 2012. OASIS Committee Note 01. http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
Standards included in this GAP analysis are standards, specifications, recommendations, notes and ‘work in progress’ from both SDOs and non-SDOs.
Applicability of the various standards work is considered in the following order:
The tables below list the relevant standards.
Table 1 - Column details:
Tier | Category | Identifier | Full name
1 | Authentication | | Digital Signature Services
1 | Authentication | | Security Assertion Markup Language
1 | Authorization | | eXtensible Access Control Markup Language
1 | Fed. Identity Mgmt. | | Web Services Federation Language
1 | Fed. Identity Mgmt. | | Identity Metasystem Interoperability
1 | Governance | | ebXML Collaborative Partner Profile Agreement
1 | Infra. Identity Mgmt. | | Web Services Reliable Messaging
1 | Infra. Identity Mgmt. | | Web Services Secure Conversation
1 | Infra. Identity Mgmt. | | Key Management Interoperability Protocol Specification
1 | Infra. Identity Mgmt. | WS-Transaction-1.2 | Web Services Transaction
1 | Infra. Identity Mgmt. | | Web Service Secure Exchange
1 | Provisioning | | Service Provisioning Markup Language
1 | Authentication | | XML Signature Syntax and Processing
2 | Audit & Compliance | | Cloud Auditing Data Federation
2 | Provisioning | | Cloud Infrastructure Management Interface
2 | Provisioning | | Configuration Management Database Federation
2 | Virtual Machines | | Open Virtualization Format
2 | Authentication | | The Kerberos Network Authentication Service
2 | Authentication | | Remote Authentication Dial In User Service
2 | Authentication | | XML Advanced Electronic Signatures
2 | Authorization | | The OAuth 1.0 Protocol
2 | Authorization | | The OAuth 2.0 Authorization Framework
2 | Infra. Identity Mgmt. | | Security Architecture for the Internet Protocol
2 | Infra. Identity Mgmt. | | Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List Profile
2 | Infra. Identity Mgmt. | | Universally Unique IDentifier
2 | Infra. Identity Mgmt. | | Time-Based One-Time Password Algorithm
2 | Infra. Identity Mgmt. | | HMAC-Based One-Time Password Algorithm
2 | Infra. Identity Mgmt. | | Lightweight Directory Access Protocol
2 | Infra. Identity Mgmt. | | The LDAP Data Interchange Format
2 | Assurance | | Entity authentication assurance framework
2 | Governance | | Code of practice for data protection controls for public cloud computing services
2 | Privacy | | Privacy framework
2 | Privacy | | Privacy architecture framework
2 | Privacy | | Requirements for partially anonymous, partially unlinkable authentication
2 | Account / Attribute Mgmt. | | Identity Governance Framework Client Attribute Requirements Markup Language
2 | Account / Attribute Mgmt. | | OpenID Attribute Exchange
2 | Account / Attribute Mgmt. | | OpenID Simple Registration Extension
2 | Authentication | | OpenID Authentication
2 | Authentication | | OpenID Authentication
2 | Authentication | | OpenID Provider Authentication Policy Extension
2 | Infra. Identity Mgmt. | | Backplane Protocol
2 | Infra. Identity Mgmt. | | Backplane Protocol
2 | Infra. Identity Mgmt. | | Backplane Protocol
2 | Infra. Identity Mgmt. | | Backplane Protocol
2 | Infra. Identity Mgmt. | | Account Chooser
2 | Infra. Identity Mgmt. | | Java Platform Enterprise Edition
2 | Infra. Identity Mgmt. | | Java Transaction Service
2 | Infra. Identity Mgmt. | | Cloud Data Management Interface
2 | Infra. Identity Mgmt. | | Trusted Platform Module
2 | Privacy | | Platform for Privacy Preferences
3 | Assurance | | EV SSL Certificates
3 | Provisioning | SCIM-2.0 | System for Cross-domain Identity Management
3 | Provisioning | | System for Cross-domain Identity Management Core Schema
3 | Provisioning | | System for Cross-domain Identity Management REST API
3 | Provisioning | | System for Cross-domain Identity Management Targeting
3 | Privacy | | Privacy Management Reference Model
3 | Authentication | | OpenID Connect
3 | Authentication | | OpenID Connect Basic Client Profile
3 | Authentication | | OpenID Connect Implicit Client Profile
3 | Authentication | | OpenID Connect Discovery
3 | Authentication | | OpenID Connect Dynamic Client Registration
3 | Authentication | | OpenID Connect Standard
3 | Authentication | | OpenID Connect Messages
3 | Authentication | | OpenID Connect Session Management
3 | Authorization | OpenID Connect OAuth 2.0 Multiple Response Type Encoding Practices-1.0 | OpenID Connect OAuth 2.0 Multiple Response Type Encoding Practices
3 | Lifecycle | OSLC | Open Services for Lifecycle Collaboration
3 | Lifecycle | | Open Services for Lifecycle Collaboration - Common and Core
3 | Lifecycle | | Open Services for Lifecycle Collaboration - Common and Core
3 | Lifecycle | | Open Services for Lifecycle Collaboration - Configuration Management
3 | Provisioning | | System for Cross-domain Identity Management
3 | Provisioning | | System for Cross-domain Identity Management Core Schema
3 | Provisioning | | System for Cross-domain Identity Management REST API
3 | Privacy | | Platform for Privacy Preferences
4 | Audit & Compliance | | CloudAudit - Automated Audit, Assertion, Assessment, and Assurance API
4 | Authentication | | JSON Web Signature
4 | Authentication | | JSON Web Token
4 | Authentication | | D5.8.3b Interface Specification
4 | Audit & Compliance | ISO27017-1.0.0 | Guidelines on information security controls for the use of cloud computing services
4 | Authorization | | User-Managed Access Profile of OAuth 2.0
4 | Assurance | | Electronic Identity Credential Trust Elevation Methods
4 | Lifecycle | | Topology and Orchestration Specification for Cloud Applications
Table 2 - Column details:
Identifier | Version | Organization | Organization (full name) | Status
DSS-1.0 | 1.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
SAML-2.0 | 2.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
XACML-3.0 | 3.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
WS-Federation-1.2 | 1.2 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
IMI-1.0 | 1.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
ebXML CPPA-2.0 | 2.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
WS-ReliableMessaging-1.2 | 1.2 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
WS-SecureConversation-1.4 | 1.4 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
KMIP-1.1 | 1.1 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
WS-Transaction-1.2 | 1.2 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
WS-Trust-1.4 | 1.4 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
SPML-2.0 | 2.0 | OASIS | Organization for the Advancement of Structured Information Standards | Standard
XMLdsig-2008 | 2008 | W3C | The World Wide Web Consortium | Recommendation
CADF-1.0.0 | 1.0.0 | DMTF | Distributed Management Task Force | Draft Specification
CIMI-1.0.0 | 1.0.0 | DMTF | Distributed Management Task Force | Specification
CMDBf-1.0.1 | 1.0.1 | DMTF | Distributed Management Task Force | Specification
OVF-2.0 | 2.0 | DMTF | Distributed Management Task Force | Standard
| 1.1.1 | ETSI | The European Telecommunications Standards Institute | Standard
Kerberos-5 | 5 | IETF | Internet Engineering Task Force | Standard
RADIUS | | IETF | Internet Engineering Task Force | Standard
OAuth-1.0 | 1.0 | IETF | Internet Engineering Task Force | Standard
OAuth-2.0 | 2.0 | IETF | Internet Engineering Task Force | Standard
IPsec | | IETF | Internet Engineering Task Force | Standard
X.509-3.0 | 3.0 | IETF | Internet Engineering Task Force | Standard
UUID | | IETF | Internet Engineering Task Force | Standard
TOTP | | IETF | Internet Engineering Task Force | Standard
HOTP | | IETF | Internet Engineering Task Force | Standard
LDAP-3 | 3 | IETF | Internet Engineering Task Force | Standard
LDIF-1 | 1 | IETF | Internet Engineering Task Force | Standard
ISO29115-2013 | 2013 | ISO | International Organization for Standardization | Standard
ISO27018 | | ISO | International Organization for Standardization | Work in progress
ISO29100-2011 | 2011 | ISO | International Organization for Standardization | Standard
ISO29101 | | ISO | International Organization for Standardization | Work in progress
ISO29191-2012 | 2012 | ISO | International Organization for Standardization | Standard
IGF-CARML-1.0 | 1.0 | Liberty Alliance | Liberty Alliance | Specification
OpenID Attribute Exchange-1.0 | 1.0 | OIDF | OpenID Foundation | Specification
OpenID Simple Registration Extension-1.0 | 1.0 | OIDF | OpenID Foundation | Specification
OpenID Authentication-2.0 | 2.0 | OIDF | OpenID Foundation | Specification
OpenID Authentication-1.1 | 1.1 | OIDF | OpenID Foundation | Specification
OpenID Provider Authentication Policy Extension-1.0 | 1.0 | OIDF | OpenID Foundation | Specification
Backplane Protocol-2.0 | 2.0 | OIDF | OpenID Foundation | Draft Specification
Backplane Protocol-1.2 | 1.2 | OIDF | OpenID Foundation | Specification
Backplane Protocol-1.1 | 1.1 | OIDF | OpenID Foundation | Specification
Backplane Protocol-1.0 | 1.0 | OIDF | OpenID Foundation | Specification
Account Chooser-1.0 | 1.0 | OIDF | OpenID Foundation | Specification
JavaEE-6 | 6 | Oracle | Oracle Corporation | Specification
JTS-6 | 6 | Oracle | Oracle Corporation | Specification
CDMI-1.0.2 | 1.0.2 | SNIA | The Storage Networking Industry Association | Standard
TPM-1.2 | 1.2 | TCG | Trusted Computing Group | Standard
P3P-1.1 | 1.1 | W3C | The World Wide Web Consortium | Draft Specification
EV certificates-1.4 | 1.4 | CABForum | CA/Browser Forum | Specification
SCIM-2.0 | 2.0 | IETF | Internet Engineering Task Force | Draft Specification
SCIM Core Schema-2.0 | 2.0 | IETF | Internet Engineering Task Force | Draft Specification
SCIM REST API-2.0 | 2.0 | IETF | Internet Engineering Task Force | Draft Specification
SCIM Targeting-2.0 | 2.0 | IETF | Internet Engineering Task Force | Draft Specification
PMRM-1.0 | 1.0 | OASIS | Organization for the Advancement of Structured Information Standards | Draft Specification
OpenID Connect-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OpenID Connect Basic Client Profile-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OpenID Connect Implicit Client Profile-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OpenID Connect Discovery-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OpenID Connect Dynamic Client Registration-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OpenID Connect Standard-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OpenID Connect Messages-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OpenID Connect Session Management-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OpenID Connect OAuth 2.0 Multiple Response Type Encoding Practices-1.0 | 1.0 | OIDF | OpenID Foundation | Draft Specification
OSLC | | OSLC | Open Services for Lifecycle Collaboration |
OSLC Core-3.0 | 3.0 | OSLC | Open Services for Lifecycle Collaboration | Draft Specification
OSLC Core-2.0 | 2.0 | OSLC | Open Services for Lifecycle Collaboration | Specification
OSLC Configuration Management-1.0 | 1.0 | OSLC | Open Services for Lifecycle Collaboration | Draft Specification
SCIM-1.1 | 1.1 | OWF | Open Web Foundation | Specification
SCIM Core Schema-1.1 | 1.1 | OWF | Open Web Foundation | Specification
SCIM REST API-1.1 | 1.1 | OWF | Open Web Foundation | Specification
P3P-1.0 | 1.0 | W3C | The World Wide Web Consortium | Specification
CloudAudit-1.0 | 1.0 | CSA | Cloud Security Alliance | Draft Specification
JWS-0.8 | 0.8 | IETF | Internet Engineering Task Force | Draft
JWT-0.6 | 0.6 | IETF | Internet Engineering Task Force | Draft
ISO27017-1.0.0 | 1.0.0 | ISO | International Organization for Standardization | Work in progress
UMA-0.7 | 0.7 | Kantara Initiative | Kantara Initiative | Draft Specification
Trust Elevation | | OASIS | Organization for the Advancement of Structured Information Standards | Work in progress
TOSCA-1.0 | 1.0 | OASIS | Organization for the Advancement of Structured Information Standards | Specification
| 1.0 | STORK | STORK EU co-funded project | Work in progress
Feature the importance of managing identities that exist in the cloud at all levels, including the host operating system, virtual machines and applications. Ownership and management of identities may vary at each level and may also be external to the cloud provider.
Covered Identity Management Categories:
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
P | P | S | | | | | S | | | |

Featured Cloud Deployment or Service Models:
Featured Cloud Deployment Models | Featured Cloud Service Models
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other
| X | X | | | | | X | X |
· The diagram is a pictorial representation of the use case.
· The Cloud Provider’s Identity Mgmt. System is able to handle identity management for multiple tenants on various infrastructure levels.
· Multiple administrator roles exist: for servers, host OS, virtual machines, guest OS and applications.
· Each administrative role has its own scope: what it can do, or should not be able to do. E.g. a Virtual Machine administrator can provision and decommission / destroy Virtual Machines, but cannot access the actual runtime.
· A user becomes an administrative user (in any role) by group membership(s) or special attribute(s) being set. Typically these attributes map to LDAP / X.500 group memberships.
· Authentication for administrative users is required to be strong and / or multi-factor.
· The identity store plays an important role in this use case. Administrative users may be required to exist in different stores, e.g. at the server level in password files, or in network-based directory services such as yellow pages.
· In an ideal world this could be achieved with one single directory service.
· There is a requirement for the uniqueness of identities and devices. Virtual machines, appliances, switches, etc. should be uniquely identified.
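The scoped administrative roles described above (role derived from directory group membership, each role with its own action scope, strong authentication required for administrative actions, every decision recorded) can be expressed as a small default-deny policy check. The following is an added illustration written for this gap analysis page, not code from the OASIS document or from any cloud provider; the group DNs, role names, resource types and sample sessions are constructed, and the MFA flag is assumed to have been set by an authentication step that is outside the example.

```python
"""Scoped administrative roles derived from directory group membership.

Added illustration for the use case above; not code from the OASIS document.
Group DNs, role scopes and the sample users below are constructed values.
"""
from dataclasses import dataclass, field

# Constructed mapping: membership of an LDAP / X.500 group confers one admin role.
GROUP_TO_ROLE = {
    "cn=vm-admins,ou=groups,dc=example,dc=com": "vm_admin",
    "cn=host-admins,ou=groups,dc=example,dc=com": "host_admin",
    "cn=app-admins,ou=groups,dc=example,dc=com": "app_admin",
}

# Each role's scope: the (resource type, action) pairs it may perform.
# A VM admin may provision and decommission VMs but gets no guest runtime access.
ROLE_SCOPE = {
    "vm_admin": {("vm", "provision"), ("vm", "decommission")},
    "host_admin": {("host_os", "patch"), ("host_os", "reboot")},
    "app_admin": {("application", "deploy"), ("application", "restart")},
}


@dataclass
class Session:
    user: str
    groups: list = field(default_factory=list)
    mfa_verified: bool = False  # assumed to be set by the authentication step


@dataclass
class Decision:
    allowed: bool
    reason: str


def roles_for(session):
    """Administrative roles are never assigned directly; they follow from groups."""
    return {GROUP_TO_ROLE[g] for g in session.groups if g in GROUP_TO_ROLE}


def authorize(session, resource_type, action):
    """Default-deny: role scope is checked first, then the MFA requirement."""
    roles = roles_for(session)
    if not roles:
        return Decision(False, "no administrative role")
    if not any((resource_type, action) in ROLE_SCOPE[r] for r in roles):
        return Decision(False, f"{action} on {resource_type} is outside the scope of {sorted(roles)}")
    if not session.mfa_verified:
        return Decision(False, "administrative action requires multi-factor authentication")
    return Decision(True, f"permitted by {sorted(roles)}")


def audit_line(session, resource_type, action, decision):
    """Every decision, allowed or denied, is recorded for later audit."""
    verdict = "ALLOW" if decision.allowed else "DENY"
    return (f"{verdict} user={session.user} action={action} "
            f"resource={resource_type} reason={decision.reason}")


def demo():
    """Run a few constructed requests and return their audit lines."""
    vm_group = "cn=vm-admins,ou=groups,dc=example,dc=com"
    requests = [
        (Session("alice", [vm_group], mfa_verified=True), "vm", "provision"),
        (Session("alice", [vm_group], mfa_verified=True), "guest_os", "login"),
        (Session("alice", [vm_group], mfa_verified=False), "vm", "decommission"),
        (Session("bob", [], mfa_verified=True), "vm", "provision"),
    ]
    return [audit_line(s, r, a, authorize(s, r, a)) for s, r, a in requests]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: scope is evaluated before the MFA requirement so that a denied request never reveals more than "out of scope", and the audit line is produced for denials as well as for successes, which is what the audit use case later on this page asks for.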
Feature the need to support and manage customer policies for identity decommissioning, including the transitioning of affected resources to new identities.
Covered Identity Management Categories:
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
P | | | | | P | | | |

Featured Cloud Deployment or Service Models:
Featured Cloud Deployment Models | Featured Cloud Service Models
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other
X | | | | X |
Feature the importance of auditing/logging of sensitive operations performed by users and administrators in the cloud.
Covered Identity Management Categories:
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| | | | | | | | | | | P

Featured Cloud Deployment or Service Models:
Featured Cloud Deployment Models | Featured Cloud Service Models
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other
X | | | X | |
The following possible GAPs have been identified:
Feature the need for portable standards to configure identities in cloud applications and infrastructure (virtual machines, servers, etc.).
Covered Identity Management Categories:
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
P | | | | | P | | | |

Featured Cloud Deployment or Service Models:
Featured Cloud Deployment Models | Featured Cloud Service Models
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other
X | | | | X |
The following possible GAPs have been identified:
Show how cloud identities need to be administered and accounted for in order to manage middleware containers and their applications.
Covered Identity Management Categories:
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
P | | | | | P | | | |

Featured Cloud Deployment or Service Models:
Featured Cloud Deployment Models | Featured Cloud Service Models
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other
X | | | | X |
Feature the need for Federated Single Sign-On (F-SSO) across multiple cloud environments.
Covered Identity Management Categories:
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
P | | | | | P | | | |

Featured Cloud Deployment or Service Models:
Featured Cloud Deployment Models | Featured Cloud Service Models
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other
X | | | | X |
The following possible GAPs have been identified:
Exhibit how identity attributes can be aggregated from multiple silos within a cloud, across a group of clouds, or from outside the cloud.
Covered Identity Management Categories:
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
P | | | | | P | | | |

Featured Cloud Deployment or Service Models:
Featured Cloud Deployment Models | Featured Cloud Service Models
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other
X | | | | X |
Show the need for controls that maintain the privacy of identities while operating in a cloud, where desired.
Covered Identity Management Categories:
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
P | | | | | P | | | |

Featured Cloud Deployment or Service Models:
Featured Cloud Deployment Models | Featured Cloud Service Models
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other
X | | | | X |
There is a business need in many applications to create digital signatures on documents and transactions. When applications and users move into the cloud, so should the signing services. Both users and applications have a need to sign documents.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Feature the ability for enterprises to securely manage their use of the cloud provider’s services (whether IaaS, PaaS or SaaS), and further meet their compliance requirements.
Administrator users are authenticated at the appropriate assurance level (preferably using multi-factor credentials).
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
A user is able to access resources within their enterprise environment or within a cloud deployment using a single identity.
With enterprises expanding their application deployments across private and public clouds, the identity management and authentication of users to those services needs to be decoupled from the cloud service, in the same way that identity has been decoupled from applications within the enterprise. Users expect and need their enterprise identity to extend to the cloud and to be used to obtain different services from different providers, rather than a multitude of user IDs and passwords.
Accessing services via a federated enterprise identity gains not only the user experience of SSO, but also enterprise compliance and control over user access, ensuring that only valid identities may access cloud services.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
A user (or cloud consumer) is able to access multiple SaaS applications using a single identity.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Users are able to perform transaction and document signing in the cloud using a trusted signing service that manages their signing keys.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Reduce the number of passwords that are stored and used in the cloud and eliminate the need for cloud “directory synchronization” while advocating a “claims based” architecture.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Exhibit the need for seamless authentication and conveyance of access privileges from an enterprise that wishes to host its workforce applications on a public cloud.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Show the need for federated identity management which enables an enterprise to make available cloud-hosted applications to either the employees of its customers & business partners or its own institutional consumers and avoid directly managing identities (accounts) for those users.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Show the need for cloud tenants to securely manage cloud services using automated tools rather than navigating and manually configuring each service individually.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Show the need for cloud tenant administrators to delegate access to their identity services configuration within a multi-tenant cloud service to their chosen identity provider service.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Features the need to audit the various role-based accesses to confidential data objects stored in a public cloud against the owning company’s security policy.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Show how authorized government personnel could be granted access and assigned appropriate privileges to configure and provision a cloud service.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Show how a financial company is able to use a cloud service provider to authenticate its globally-based mobile clients and to connect them to the closest (cloud) physical location for fast response.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Exhibits the value of a Two-Factor Authentication (2FA) cloud-based service that can be used with an Identity Provider, deployed either at the enterprise, at the cloud service provider, or as a separate cloud service.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Shows the value of providing validatable identification of the Cloud Provider/SaaS application to the user or consumer using Extended Validation (EV) certificates.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Describes the value of “proof of execution” using persistent hardware-based identities that are traceable and logged as part of the audit trail for the Enterprise customer.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Businesses trading with one another should be able to seamlessly establish new electronic trading relationships via their existing cloud application and commerce systems. In particular, the identities, attributes and relationships required on the various systems should be able to be set up with zero or minimal user intervention.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Customers of the cloud provider may require a cloud provider to supply support that permits one identity to impersonate the identity of another customer without sacrificing security.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Show the need for provisioning, administration and governance of user identities and their attributes for organizations with a distributed structure, including central offices, branch offices and business partners, each of which may utilize cloud deployment models.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Provide a means for external identity governance by cloud consumers so that they can inspect and manage assignable entitlements for cloud provider SaaS or PaaS applications, as well as for cloud-hosted consumer accounts. There is a need to do this in a standard way so that entitlements can be modeled and understood for audit and provisioning purposes.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
Users are able to dynamically delegate (grant and revoke) and constrain access to files or data stored with a cloud service provider to users whose identities are managed by external identity providers.
Infra. Identity Est. | Identity Mgmt. | Authentication | Authorization | Account / Attribute Mgmt. | Security Tokens | Governance | Audit & Compliance |
| Gen. | IIM | FIM | Gen. | SSO | Multi-Factor | | Gen. | Provisioning | | | |
| P | | | | | P | | | | |
Featured Cloud Deployment Models | Featured Cloud Service Models |
None | Private | Public | Community | Hybrid | None | SaaS | PaaS | IaaS | Other |
X | | | | X | |
The following individuals have participated in the creation of this specification and are gratefully acknowledged:
Participants:
Abbie Barbir, Bank of America
Jeffrey Broberg, CA Technologies
Carl Bunje, The Boeing Company
Milan Calina, First Point Global Pty Ltd.
Brian Campbell, Ping Identity Corporation
David Chadwick, Individual Member
Aradhna Chetal, The Boeing Company
Doron Cohen, SafeNet, Inc.
Sastry Dhara, Individual Member
Gines Dolera Tormo, NEC Corporation
Michele Drgon, Individual Member
Felix Gomez Marmol, NEC Corporation
Bob Gupta, Viometric, LLC
Tomas Gustavsson, PrimeKey Solutions AB
Patrick Harding, Ping Identity Corporation
Thomas Hardjono, M.I.T.
Hadass Harel, eBay, Inc.
Masum Hasan, Cisco Systems
ChengDong He, Huawei Technologies Co., Ltd.
Heather Hinton, IBM
Rainer Hoerbe, Individual Member
Gershon Janssen, Individual Member
Chris Kappler, PricewaterhouseCoopers LLP
David Kern, IBM
Kelvin Lawrence, IBM
Paul Lipton, CA Technologies
Paul Madsen, Ping Identity Corporation
Dimitar Mihaylov, SAP AG
Dale Moberg, Axway Software
Anthony Nadalin, Microsoft
John Newton, Alfresco Software
Dominique Nguyen, Bank of America
Guillaume Noe, Deloitte Consulting LLP
li peng, Huawei Technologies Co., Ltd.
Darren Platt, Symplified
Nick Pope, Thales e-Security
Donald Provencher, Bank of America
Martin Raepple, SAP AG
Christopher Ramstrom, CA Technologies
Darran Rolls, SailPoint Technologies
Matthew Rutkowski, IBM
Anil Saldhana, Red Hat
Richard Sand, Individual Member
Joe Savak, Rackspace Hosting, Inc.
Ziad Sawalha, Rackspace Hosting, Inc.
Mark Schertler, Axway Software
Suneet Shah, OpenIAM, LLC
Sean Shen, China Internet Network Information Center(CNNIC)
Jerry Smith, US Department of Defense (DoD)
Xiaonan Song, Primeton Technologies, Inc.
Scott Stark, Red Hat
Don Thibeau, Open Identity Exchange
Cathy Tilton, Daon
John Tolbert, The Boeing Company
David Turner, Microsoft
Steve VanTill, Security Industry Association
Colin Wallis, New Zealand Government
YanJiong WANG, Primeton Technologies, Inc.
Jeffrey Wheeler, Huawei Technologies Co., Ltd.
Frank Wray, Bank of America
Frank Wray, PricewaterhouseCoopers LLP
Kevin Yu, Verizon Business
Aaron Zhang, Huawei Technologies Co., Ltd.
Revision | Date | Editor | Changes Made
01a | February 03, 2012 | Gershon Janssen | Initial draft version.
01b | February 19, 2012 | Gershon Janssen | Added output of first pass on applicable standards for all use cases to the document.
01c | May 14, 2012 | Gershon Janssen | Added output of gap analysis discussions.
01d | May 18, 2012 | Gershon Janssen | Added draft output of F2F gap analysis discussions. No editorial clean-up and rewording.
02 | April 1, 2013 | Gershon Janssen | Updated document with all gap analysis discussions output.
03 | April 27, 2013 | Gershon Janssen | Added Acknowledgements section.
04 | November 12, 2013 | Gershon Janssen | Updated with comments received from PR01.