Open Data Center Alliance Usage: Identity Management Interoperability Guide rev. 1.0
|
|
- Erick Atkins
- 8 years ago
- Views:
Transcription
1 sm Open Data Center Alliance Usage: Identity Interoperability Guide rev. 1.0
2 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Table of Contents Legal Notice... 3 Executive Summary... 4 Purpose... 5 Audience... 5 Assumptions... 5 General Principles... 6 Overview... 6 Reference Framework... 8 Applicability... 9 Reference Model...11 Usage Models...12 Infrastructure as a Service (IaaS) Privileged User Access...12 Single Sign On...12 Identity Provisioning (add/modify/delete)...12 Access Control Services...13 Identity Federation...13 References...14 Industry Call to Action...14 Summary of Acronyms
3 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Legal Notice This Open Data Center Alliance SM Usage Model: Identity Interoperability Guide is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS WHO ARE NOT OPEN DATA CENTER ALLIANCE PARTICIPANTS: Non-Open Data Center Alliance Participants only have the right to review, and make reference or cite, this document. Any such references or citations to this document must give the Open Data Center Alliance, Inc. full attribution and must acknowledge the Open Data Center Alliance, Inc. s copyright in this document. Such users are not permitted to revise, alter, modify, make any derivatives of, or otherwise amend this document in any way. NOTICE TO USERS WHO ARE OPEN DATA CENTER ALLIANCE PARTICIPANTS: Use of this document by Open Data Center Alliance Participants is subject to the Open Data Center Alliance s bylaws and its other policies and procedures. OPEN CENTER DATA ALLIANCE SM, ODCA SM, and the OPEN DATA CENTER ALLIANCE logo SM are service marks owned by Open Data Center Alliance, Inc. and all rights are reserved therein. Unauthorized use is strictly prohibited. This document and its contents are provided AS IS and are to be used subject to all of the limitation set forth herein. Users of this document should not reference any initial or recommended methodology, metric, requirements, or other criteria that may be contained in this document or in any other document distributed by the Alliance ( Initial Models ) in any way that implies the user and/or its products or services are in compliance with, or have undergone any testing or certification to demonstrate compliance with, any of these Initial Models. Any proposals or recommendations contained in this document including, without limitation, the scope and content of any proposed methodology, metric, requirements, or other criteria does not mean the Alliance will necessarily be required in the future to develop any certification or compliance or testing programs to verify any future implementation or compliance with such proposals or recommendations. This document does not grant any user of this document any rights to use any of the Alliance s trademarks. All other service marks, trademarks and trade names referenced herein are those of their respective owners. Published April,
4 sm Open Data Center Alliance Usage: Identity Interoperability Guide rev. 1.0 Executive Summary Many organizations that are considering purchasing cloud-based services already have fully integrated identity and access management systems. These systems are normally widely connected throughout the internal systems of an organization and allow automated procedures for provisioning, enabling, and disabling user s entitlements, as well as entitlement analysis and reporting. As the resources in the cloud become more prevalent in the enterprise, the user and systems administrators will expect this functionality to be maintained. This Identity Interoperability Guide provides the structure and guidelines that will promote interoperability between identity management and access management systems that will allow users within organizations to utilize resources in the cloud as if they were located within the organization. 4
5 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Purpose The purpose of this guide is as follows: to describe the requirements for a cloud specific runtime which will allow companies adopting the cloud to promote interoperability between providers, to define the interface between the Identity management software and the runtime, to define the interface between the runtime and the application software, to support as much automation in the identity management processes as possible. The cloud provider and identity management software communities will first need to propose sample implementations for review within the ODCA. In addition suitable standards should be proposed that will enable standardized communication between the respective elements of the described model. If suitable standards do not exist, proposals should include the appropriate base standard and how it should be further developed. Audience The targeted audience for the ODCA identity management documents is architects and security practitioners in charge of implementing the herein described principles and requirements as cloud providers and as cloud subscribers. Assumptions The assumption for this work is that a cloud subscriber, having identity management (IdM) in place within its own premises, expects to expand its usage into the cloud. It is assumed that cloud subscribers are striving for as much automation in the cloud as in their own premises. Central management of identities and authorizations, as well as cyclic authorization review processes, will include the cloud. Cloud infrastructure must support the cloud subscriber s security standards and procedures, in order to integrate seamlessly with existing systems and applications on premises. The cloud subscriber expects interfaces provided by the cloud provider to support automated management processes and administration procedures. It is assumed that a cloud subscriber adheres (at least) to the same level of maturity as the one expected by the cloud to which it subscribes. 5
6 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 General Principles All assumptions made in the usage models follow the following principles: 1. Standards required are minimal requirements; it is left open for a cloud provider to provide other standards additionally, especially when a standard gets widely adopted (e.g. Service Provisioning Markup Language (SPML) for provisioning vs. some other provisioning standard). Important standards which might be supported by the cloud provider are as follows: a. SPML for identity lifecycle management b. Security Assertion Markup Language (SAML) and OpenID for identity and authentication management c. EXtensible Access Control Markup Language (XACML) and OAuth for authorization and permission management d. Open Group s Distributed Auditing System (OpenXDAS) for auditing and monitoring. 2. Both cloud provider and cloud subscriber are responsible to check their common agreements and contracts to be compliant with the laws and regulations of their local jurisdictions and any other applicable jurisdiction. Rationale: Beside contractual agreements and/or policy statements, external factors (like local jurisdiction) might lead to force a cloud provider to perform actions not foreseen in his contract with a cloud subscriber, due to contradictory laws between the countries of the could provider and the cloud subscriber. 3. A cloud subscriber and the cloud provider have to ensure compliance to the minimal security requirements of the cloud level of assurance (i.e. bronze/silver/gold/platinum). This minimal compliance is required in order to avoid impacting other subscribers of the same cloud. 4. Following principle 3, users have to provide a trustable identity by being authenticated according to the security requirements of the cloud. If a high level of trust is required, this is also valid for identities. Strong authentication is then required (typically two-factor authentication) to fulfill this requirement. Weak authentication (i.e. user-id and password) is sufficient where high level of trust is not required (e.g. bronze level cloud). Typically, high privileged users are always required to perform strong authentication, in order to provide a trustable audit trail of their activities in the cloud. Overview The overall identity management system envisaged in this document is split into three primary sections as shown below. Identity Software The first of these is the Software. The function of this block is to provide a user interface, password reset, password ageing, Authorization functionality, etc. The management software will typically be located inside the organizational network. The second element is the runtime, the component of the system that directly handles the requests for authentication from an application. Cloud-based runtimes must be capable of communicating, via the standard management interface, with the management software. Typical runtimes that exist within an organization are Active Directory, RACF (z/os mainframe), LDAP, Tivoli Access Manager (TAM), SiteMinder, etc. 6
7 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 The location of the runtime will depend on the application requirements and will often be decided based on the performance issues and application requirements. The third element is the application. This will hold or will communicate with the runtime component in order to have the access rights of an individual using the application. All identity or entitlement data stored in cloud-based runtimes and communication between system components (between the IdM software and the runtimes) must be encrypted. All communication between system identity and access management components must be encrypted and trusted (i.e., mutual authentication of the components is mandatory). Previously defined standards (such as those developed by the Organization for the Advancement of Structured Information Standards (OASIS) Group) will be utilized throughout the Identity and Access usage models. It is envisaged that a cloud-specific runtime will exist that provides the interface between the identity management software and the cloudbased applications. This runtime component will communicate to the management software and the applications through standard interfaces, thereby ensuring compatibility. This runtime must be capable of running in a fully encrypted mode (which may result in some performance degradation) or unencrypted (faster response times). The instance of the runtime allocated to a single cloud subscriber will only contain information relevant to this cloud subscriber. Identity and access management data must be protected by the cloud provider against any access except from the cloud subscriber. Bronze level: segregation of data through access rights (database privileges) within shared resources (e.g. applications, databases) Silver level: additional segregation through multi-tenancy of resource structures (e.g. own database plan/schema on database server) on a shared virtual machine (VM). Gold level: separate runtime instances and virtual machines (e.g. own Operating System (OS), databases, applications) on shared hardware Platinum level: physically separated instances of hardware, VMs, OS, databases and applications per cloud subscriber. s must accept authentication information from multiple or different runtimes (for example with collaboration projects). Non Cloud Identity Software Cloud Accessible Cloud Encrypted Cloud Accessible Cloud Accessible Component The cloud accessible runtime component is referred to throughout this document and is envisioned to be a standard component that is used for the authorization of all cloud-based resources. It may be stored in the cloud (typically at the same location as the cloud resources) but, in this case must be encrypted. 7
8 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Reference Framework The following diagram shows a framework of the functional areas of identity management. This framework provides a reference model for the usage models described below. Identity and Access Framework Identity and Access Identity Lifecycle Identity and Authentication Authorization and Permission Lifecycle Authorization and Permission Identity Governance Identity Creation/ Validation Identity Federation Entitlement Externalization Access Control Services Confirm Validation Identity Provisioning (add/modify/delete) Directory Services / User Repositories Entitlement Provisioning Policy Enforcement Point (PEP) Auditing and Reporting Mover / Leaver Process Authentication Mover / Leaver Process Policy Decision Point (PDP) Monitoring Strong Authentication Role Mining and Discovery Weak Authentication Reporting for Audit / Compliance Checks Sign On Multiple Sign On Reduced Sign On (web, desktop) Single Sign On Credential Policy Enforcement Point (PEP) Note: The yellow boxes represent functional areas; they are not IdM functions by themselves. The green boxes represent IdM services or service groups. The blue boxes represent IdM services. 8
9 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Applicability The following diagram details the applicability of each of the usage models to the relevant hosting scenarios available in the cloud model. Frontend (PaaS / SaaS) Backend (PaaS / SaaS) Hosted Infrastructure (IaaS) Identity Lifecycle Identity Creation / Validation ü ü ü Identity Provisioning (Add / Modify / Delete) ü ü ü Identity Governance (Audit / Confirm Validation) ü ü ü Mover / Leaver Process ü ü ü Identity and Authentication Identity Federation ü ü ð Directory Services / User Repositories Authentication ü ü ü Strong Authentication Weak Authentication Sign On ü ü ü Multiple Sign On Reduced Sign On (web / desktop) Single Sign On Credential ü ü ü Policy Enforcement Point (PEP) Authorization and Permission Lifecycle Entitlement Externalization ü ü ð Entitlement Provisioning ü ü ð Mover / Leaver Process Role Mining and Discovery ü ü ð Authorization and Permission Access Control Services ü ü ð Policy Enforcement Point (PEP) Policy Decision Point (PDP) Legend: ü= mandatory, = optional, ð= not applicable, Ï= not available Optional means optional for the cloud subscriber, but mandatory for the cloud provider to provide! 9
10 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 The following diagram details the applicability of each of the usage models to the cloud provider. Assurance levels bronze, silver, gold, and platinum are defined in the ODCA Provider Assurance Usage Model 1. Bronze Silver Gold Platinum Identity Lifecycle Identity and Authentication Authorization and Permission Lifecycle Authorization and Permission Identity Creation / Validation ü ü ü ü Identity Provisioning (Add / Modify / Delete) Identity Governance (Audit / Confirm Validation) ü ü ü ü ü ü ü Mover / Leaver Process ü ü Identity Federation ü ü Directory Services / User Repositories ü ü ü Authentication Strong Authentication ü ü ü Weak Authentication ü ü Ï Ï Sign On Multiple Sign On ü Ï Ï Reduced Sign On (web / desktop) ü Single Sign On ü ü ü Credential Policy Enforcement Point (PEP) ü ü ü Entitlement Externalization ü ü Entitlement Provisioning ü ü ü ü Mover / Leaver Process ü ü Role Mining and Discovery ü ü Access Control Services Policy Enforcement Point (PEP) ü ü ü ü Policy Decision Point (PDP) ü Legend: ü= mandatory, = optional, ð= not applicable, Ï= not available Optional means optional for the cloud subscriber, but mandatory for the cloud provider to provide!
11 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Reference Model The following picture illustrates the relation between the services of identity and access management. This picture should be used for indicative purposes only and is not intended to be definitive. Data Sources Extract / Synchronize Identity Mng Systems Resources Identity Information HR Processes / System Data is fed into system / HR processes trigger event Provision (RBAC + Request) Compliance / Reporting Identity Creation / Validation Data Sync / Password Sync / Auto Provision s Infrastructure References Data Workflow Identity Provisioning New Starter Transfer Terminations Provisioning Request Identity Data Distribution Self Service Password Sync Identity Governance Entitlement Provisioning Role Mining and Discovery Provides Access to User Directory / Store Entitlement Store Policy Decision Point Entitlement Internalization Access Control Services Directory Services / User Repositories Federation System Token Generation Identity Federation Authentication System Policy Enforcement Point References to make authentication and authorization decisions Service Facilitation Authentication Requirements Authentication Identity Mapping Trust Level Sign On Session Policy Session Policy Credential Resides on enterprise network Resides in cloud May reside onsite or in cloud 11
12 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Usage MOdels The following usage models have been created in order to clarify the requirements of the ODCA in the area of identity management. For further details refer to the specific documents concerned. Usage Model 1: ODCA IaaS Privileged User Access 2 This usage model details the requirements for privileged users accessing IaaS. Typically privileged users will have the ability to undertake high level administrative tasks when managing the IaaS services from the cloud provider. In this respect it will be necessary to promote a higher level of security during the authentication process. Usage Model 2: ODCA Single Sign On 3 This usage model details a standard mechanism for ensuring Single Sign On (SSO) capability across cloud services. Typically major organizations will have in place a single sign on capability for services provided inside the organization. When services are extended to the cloud, particularly in the area of Software as a Service (SaaS) the user will expect this to be maintained. This usage model will detail a mechanism that may be used by cloud subscribers to promote that common SSO capabilities are provided by different cloud providers. Usage Model 3: ODCA Identity Provisioning (add/modify/delete) 4 When a cloud service has been purchased from a provider it becomes necessary to provision the users of this service. This usage model covers the process of transferring user information from the subscriber to the provider to support both usage and billing requirements and other agreed requirements. It does not cover the situation where a user is identified by the provider and then access granted based on the trust relationship between the provider and subscriber (i.e., identity federation). Cloud Subscriber Site Cloud Provider Site Identity System Identity Provisioning Identities PEP Reverse Proxy Identities and Entitlements Authentication Service (PDP) PEP Web PEP Enterprise Access Control Engine (PDP) PEP Database SingleSign_Rev1.0_final.pdf
13 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Access Control Services The basic behaviour of (any) access control is illustrated in the following picture: Interaction Tier Business Logic Tier Data Tier C-FAC 1 F-FAC 2 C-DAC 3 DB 1. C-FAC = Coarse grained Functional Access Control (granularity = web application) 2. F-FAC = Fine grained Functional Access Control (granularity = business function/service) 3. C-DAC = Coarse grained Data Access Control (granularity = database table/column) 4. F-DAC = Fine grained Data Access Control (granularity = database row /tupel) Following the request path, access control decisions will become more and more granular: each additional decision reduces the visibility to data on only the data set the user is authorized to access. Simple applications may skip the finest levels of access control, but still follow this approach. The places in the request path of enforcement of an access control decision are called Policy Enforcement Points (PEP). The access control evaluation and decision is made by the Policy Decision Point (PDP); this might be located at the same place as the PEP (typical programmatic access control) or externalized to a dedicated access control runtime. Whichever the approach, the distinction between PEP and PDP allows for a large variety of implementations without being contradictory (e.g., the access control runtime of the interaction tier may look completely different from the access control of the business logic tier or of the data tier). Nevertheless, there is always a well-defined place where an access control decision is enforced and there is always a dedicated piece of code evaluating the access control decision. Identity Federation Identity federation is the technique of passing a user s identity in a trustable form to further connected systems, as external partner s application. Identity federation allows an organization to keep the user s credentials within the premises of the enterprise the user belongs to, rather than to publish its credentials to external partners. Identity federation is basically a simple thing; think of you being introduced to someone by a common friend. The person you were introduced to trusts the person who introduced you, and therefore does not ask for your own credentials to believe who you are. That s identity federation it s just not technical. In IT terms, identity federation is a mechanism which allows the promoting of a user identity in a trustable way. This is typically done by transporting a commonly accepted data container (a.k.a. token) and signing it in order to protect it against tampering. The signer of the token must be known (and accepted) by the peer receiving the token. The combination of these steps provides the expected level of trust to make the federated identity similarly trustable to an identity verified within one s own premises. F-DAC 4 13
14 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 References OASIS Service Provisioning Markup Language (SPML) Version 2 5 OASIS Security Assertion Markup Language (SAML) Version 2 6 Any use or other implementation of the above cited OASIS markup language specifications / protocols ( OASIS Language ) are subject to any and all intellectual property rights and other rights held by, and any other limitations or restrictions which may be asserted by, OASIS and/or its members as the owner or owners of said OASIS Language ( Proprietary Rights ). ODCA takes no position regarding the validity or scope of any such Proprietary Rights that might be claimed or asserted by OASIS and/ or its members which may pertain to the use or other implementation of said OASIS Language or the extent to which any license of any such Proprietary Rights might or might not be available; nor does it represent that it has made any independent effort to identify any such Proprietary Rights. Each user and implementer of the OASIS Language is solely responsible for obtaining any and all licenses which may be needed in order to use or otherwise implement said OASIS Language. Requests for information regarding the Proprietary Rights and any applicable licenses should only be directed to OASIS and should not be made to the ODCA. Copies of any Proprietary Rights disclosures that may have been made, or potential licenses to be made available, or the result of an attempt made to obtain a license or other permission for the use or implementation of such Proprietary Rights by any implementer or user of the OASIS Language should only be directed to OASIS. This reference to, or citation of, the OASIS Language is provided on an AS IS basis and THE OPEN DATA CENTER ALLIANCE AND ITS PARTICIPANTS AND MEMBERS HEREBY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY WARRANTY THAT THE USE OR OTHER IMPLEMENTATON OF THE OASIS LANGUAGE (AS DEFINED ABOVE) WILL NOT INFRINGE ANY PROPRIETARY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Industry Call to Action The following further actions are required: Reconciliation/cooperation between ODCA and Cloud Security Alliance (CSA), OASIS, and National Institute of Standards and Technology (NIST) on Identity Usage Models. Usage Model should be presented to NIST and CSA to explain customer view. Usage Model should be forwarded to OASIS to determine if any further development of SAML v2.0 and SPML v2.0 is required
15 Open Data Center Alliance Usage: Identity Interoperability Guide Rev. 1.0 Summary of Acronyms ACL Access Control List CSA Cloud Security Alliance DAC Data Access Control FAC Functional (function based) Access Control IaaS Infrastructure as a Service IdM Identity IdMaaS Identity as a Service NIST National Institute of Standards and Technology OASIS Organization for the Advancement of Structured Information Standards ODCA OpenXDAS PaaS PEP* PDP* RBAC SaaS SAML SPML UM XACML Open Data Center Alliance Open Group's Distributed Auditing System Platform as a Service Policy Enforcement Point (where the process flow is interrupter to perform authentication or access control) Policy Deccision Point (where an authentication or an access control is evaluated) Role based Access Control Software as a Service Security Assertion Markup Language (v2.0 current during writing of this document) Service Provisioning Markup Language (v2.0 current during writing of this document) Usage Model exensible Access Control Markup Language * PEP and PDP can collapse to one single piece of logic; nevertheless, they will often be separated and will therefore have to be defined and documented as distinct architectural entities. 15
Open Data Center Alliance Usage: Single Sign On Authentication REv. 1.0
sm Open Data Center Alliance Usage: Single Sign On Authentication REv. 1.0 Table of Contents Legal Notice... 3 Executive Summary... 4 Reference Framework... 5 Applicability... 6 Related Usage Models...
More informationOpen Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0
sm Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0 Table of Contents Legal Notice... 3 Executive Summary... 4 Related Usage Models... 5 Reference Framework...
More informationOpen Data Center Alliance Usage: Cloud Based Identity Provisioning Rev. 1.0
sm Open Data Center Alliance Usage: Cloud Based Identity Provisioning Rev. 1.0 Table of Contents Legal Notice... 3 Executive Summary... 4 Purpose... 5 Reference Framework... 5 Applicability... 6 Related
More informationOpen Data Center Alliance Usage: Cloud Based Identity Governance and Auditing REV. 1.0
sm Open Data Center Alliance Usage: Cloud Based Identity Governance and Auditing REV. 1.0 Table of Contents Legal Notice... 3 Executive Summary... 4 Purpose... 5 Reference Framework... 5 Context... 6 Applicability...
More informationOpen Data Center Alliance Usage: Provider Assurance Rev. 1.1
sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS
More informationOPEN DATA CENTER ALLIANCE Usage Model: Guide to Interoperability Across Clouds
sm OPEN DATA CENTER ALLIANCE Usage Model: Guide to Interoperability Across Clouds SM Table of Contents Legal Notice... 3 Executive Summary... 4 Purpose... 5 Overview... 5 Interoperability... 6 Service
More informationCLOUD TECH SOLUTION AT INTEL INFORMATION TECHNOLOGY ICApp Platform as a Service
CLOUD TECH SOLUTION AT INTEL INFORMATION TECHNOLOGY ICApp Platform as a Service Open Data Center Alliance, Inc. 3855 SW 153 rd Dr. Beaverton, OR 97003 USA Phone +1 503-619-2368 Fax: +1 503-644-6708 Email:
More informationOPEN DATA CENTER ALLIANCE USAGE Model: Software as a Service (SaaS) Interoperability Rev 1.0
sm OPEN DATA CENTER ALLIANCE USAGE Model: Software as a Service (SaaS) Interoperability Rev 1.0 SM Table of Contents Legal Notice... 3 Executive Summary... 4 Purpose... 5 Assumptions... 5 SaaS Interoperability
More informationOpen Data Center Alliance Usage: VIRTUAL MACHINE (VM) INTEROPERABILITY IN A HYBRID CLOUD ENVIRONMENT REV. 1.1
sm Open Data Center Alliance Usage: VIRTUAL MACHINE (VM) INTEROPERABILITY IN A HYBRID CLOUD ENVIRONMENT REV. 1.1 Open Data Center Alliance Usage: Virtual Machine (VM) Interoperability in a Hybrid Cloud
More informationOPEN DATA CENTER ALLIANCE SM USAGE MODEL: E-DISCOVERY AND FORENSICS
OPEN DATA CENTER ALLIANCE SM USAGE MODEL: E-DISCOVERY AND FORENSICS Version Date Editor Description of Change 1.0 27 Aug 2014 Security WG Initial release Contributors Christophe Gévaudan UBS Tino Hirschmann
More informationOpen Data Center Alliance Usage: VIRTUAL MACHINE (VM) INTEROPERABILITY
sm Open Data Center Alliance Usage: VIRTUAL MACHINE (VM) INTEROPERABILITY 1 Legal Notice This Open Data Center Alliance SM Usage: VM Interoperability is proprietary to the Open Data Center Alliance, Inc.
More informationOPEN DATA CENTER ALLIANCE USAGE: Data Security Rev. 1.0
OPEN DATA CENTER ALLIANCE USAGE: Data Security Rev. 1.0 Table of Contents Legal Notice...3 Executive Summary...4 Purpose...5 Reference Framework...5 Taxonomy...5 Usage Scenarios...6 Usage Scenario Transfer
More informationCloud Tech Solution at T-Systems International Cloud Integration Center
Cloud Tech Solution at T-Systems International Cloud Integration Center Executive Overview In 2009 T-Systems identified that in order for the organizational processes/products/services incorporating use
More informationOPEN DATA CENTER ALLIANCE SM CLOUD ADOPTION SURVEY
OPEN DATA CENTER ALLIANCE SM CLOUD ADOPTION SURVEY 2014 TABLE OF CONTENTS 3 Legal Notice 5 Executive Summary 5 ODCA Members Respond to Survey on Data Center Practices and Plans 6 Methodology 6 Growth in
More informationOPEN DATA CENTER ALLIANCE USAGE MODEL: Provider Assurance Rev. 2.0
OPEN DATA CENTER ALLIANCE USAGE MODEL: Provider Assurance Rev. 2.0 Table of Contents Legal Notice...3 Executive Summary...4 Purpose...5 Taxonomy...6 Usage Model Diagram...6 Usage Model Details...6 Usage
More informationIdentity in the Cloud Use Cases Version 1.0
Identity in the Cloud Use Cases Version 1.0 Committee Note 01 08 May 2012 Specification URIs This version: http://docs.oasis-open.org/id-cloud/idcloud-usecases/v1.0/cn01/idcloudusecases-v1.0-cn01.pdf (Authoritative)
More informationIdentity Management Basics. OWASP May 9, 2007. The OWASP Foundation. Derek Browne, CISSP, ISSAP Derek.Browne@Emergis.com. http://www.owasp.
Identity Management Basics Derek Browne, CISSP, ISSAP Derek.Browne@Emergis.com May 9, 2007 Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms
More informationsolution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?
solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service? provides identity and access management capabilities as a hosted cloud service. This allows you to quickly
More informationOPENIAM ACCESS MANAGER. Web Access Management made Easy
OPENIAM ACCESS MANAGER Web Access Management made Easy TABLE OF CONTENTS Introduction... 3 OpenIAM Access Manager Overview... 4 Access Gateway... 4 Authentication... 5 Authorization... 5 Role Based Access
More informationIdentity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control
Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control agility made possible Enterprises Are Leveraging Both On-premise and Off-premise
More informationidentity as the new perimeter: securely embracing cloud, mobile and social media agility made possible
identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible IT transformation and evolving identities A number of technology trends, including cloud, mobility,
More informationGuideline on Implementing Cloud Identity and Access Management
CMSGu2013-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Implementing Cloud Identity and Access Management National
More informationSecure Identity in Cloud Computing
Secure Identity in Cloud Computing Michelle Carter The Aerospace Corporation March 20, 2013 The Aerospace Corporation 2013 All trademarks, service marks, and trade names are the property of their respective
More informationSecurity Issues in Cloud Computing
Security Issues in Computing CSCI 454/554 Computing w Definition based on NIST: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources
More informationOpen Data Center Alliance Usage: SERVICE CATALOG
sm Open Data Center Alliance Usage: SERVICE CATALOG Legal Notice This Open Data Center Alliance SM Usage: Service Catalog is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS WHO ARE NOT
More informationSoftware and Cloud Security
1 Lecture 12: Software and Cloud Security 2 Lecture 12 : Software and Cloud Security Subjects / Topics : 1. Standard ISO/OSI security services 2. Special problems, specific for software components and
More informationSPML (Service Provisioning Markup Language) and the Importance of it within the Security Infrastructure Framework for ebusiness
Interoperability Summit 2002 SPML (Service Provisioning Markup Language) and the Importance of it within the Security Infrastructure Framework for ebusiness Gavenraj Sodhi Senior Technology Analyst Provisioning
More informationTECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management
TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management Table of Contents Executive Summary 1 SECTION 1: CHALLENGE 2 The Need for
More informationHow To Build An Operating Software For The Enterprise
Intel Information Technology Cloud Computing October 2009 Architecting Software as a for the Enterprise Executive Overview The reference architecture provides a proven template solution that Intel SaaS
More informationDomain 12: Guidance for Identity & Access Management V2.1
Domain 12: Guidance for Identity & Access Management V2.1 Prepared by the Cloud Security Alliance April 2010 Introduction The permanent and official location for this Cloud Security Alliance Domain 12
More informationSecurity whitepaper. CloudAnywhere. http://www.cloudiway.com
Security whitepaper CloudAnywhere http://www.cloudiway.com @Copyright 2011 CLOUDIWAY. All right reserved. Use of any CLOUDIWAY solution is governed by the license agreement included in your original contract.
More informationCA SiteMinder SSO Agents for ERP Systems
PRODUCT SHEET: CA SITEMINDER SSO AGENTS FOR ERP SYSTEMS CA SiteMinder SSO Agents for ERP Systems CA SiteMinder SSO Agents for ERP Systems help organizations minimize sign-on requirements and increase security
More informationWhite Paper. Authentication and Access Control - The Cornerstone of Information Security. Vinay Purohit September 2007. Trianz 2008 White Paper Page 1
White Paper Authentication and Access Control - The Cornerstone of Information Security Vinay Purohit September 2007 Trianz 2008 White Paper Page 1 Table of Contents 1 Scope and Objective --------------------------------------------------------------------------------------------------------
More informationBusiness-Driven, Compliant Identity Management
Solution in Detail NetWeaver NetWeaver Identity Business-Driven, Compliant Identity Using NetWeaver Identity Managing users in heterogeneous IT landscapes presents many challenges for organizations. System
More informationInteroperate in Cloud with Federation
Interoperate in Cloud with Federation - Leveraging federation standards can accelerate Cloud computing adoption by resolving vendor lock-in issues and facilitate On Demand business requirements Neha Mehrotra
More informationUnderstanding Enterprise Cloud Governance
Understanding Enterprise Cloud Governance Maintaining control while delivering the agility of cloud computing Most large enterprises have a hybrid or multi-cloud environment comprised of a combination
More informationHow To Secure An Rsa Authentication Agent
RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,
More informationIdentity and Access Management for the Cloud
Identity and Access Management for the Cloud What you need to know about managing access to your clouds Organizations need to control who has access to which systems and technology within the enterprise.
More informationCompute Infrastructure as a Service: Recommendations from the Open Data Center Alliance SM and TM Forum A joint perspective on the requirements of
Compute Infrastructure as a Service: Recommendations from the Open Data Center Alliance SM and TM Forum A joint perspective on the requirements of the enterprise consumer Legal Notice This CIaaS: Recommendations
More informationXACML and Access Management. A Business Case for Fine-Grained Authorization and Centralized Policy Management
A Business Case for Fine-Grained Authorization and Centralized Policy Management Dissolving Infrastructures A recent Roundtable with CIOs from a dozen multinational companies concurred that Identity &
More informationHow to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications
SOLUTION BRIEF: PROTECTING ACCESS TO THE CLOUD........................................ How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications Who should read this
More informationEntitlements Access Management for Software Developers
Entitlements Access Management for Software Developers Market Environment The use of fine grained entitlements and obligations control for access to sensitive information and services in software applications
More informationHP Software as a Service. Federated SSO Guide
HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying
More informationCA Spectrum and CA Embedded Entitlements Manager
CA Spectrum and CA Embedded Entitlements Manager Integration Guide CA Spectrum Release 9.4 - CA Embedded Entitlements Manager This Documentation, which includes embedded help systems and electronically
More informationCloud Computing Governance & Security. Security Risks in the Cloud
Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud
More informationCA Nimsoft Service Desk
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationHow To Manage A Plethora Of Identities In A Cloud System (Saas)
TECHNICAL WHITE PAPER Intel Cloud SSO How Intel Cloud SSO Works Just as security professionals have done for ages, we must continue to evolve our processes, methods, and techniques in light of the opportunities
More informationCA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam
CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam (CAT-140) Version 1.4 - PROPRIETARY AND CONFIDENTIAL INFORMATION - These educational materials (hereinafter referred to as
More informationProduct overview. CA SiteMinder lets you manage and deploy secure web applications to: Increase new business opportunities
PRODUCT SHEET: CA SiteMinder CA SiteMinder we can CA SiteMinder provides a centralized security management foundation that enables the secure use of the web to deliver applications and cloud services to
More informationjourney to a hybrid cloud
journey to a hybrid cloud Virtualization and Automation VI015SN journey to a hybrid cloud Jim Sweeney, CTO GTSI about the speaker Jim Sweeney GTSI, Chief Technology Officer 35 years of engineering experience
More informationFlexible Identity Federation
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
More informationAPIs The Next Hacker Target Or a Business and Security Opportunity?
APIs The Next Hacker Target Or a Business and Security Opportunity? SESSION ID: SEC-T07 Tim Mather VP, CISO Cadence Design Systems @mather_tim Why Should You Care About APIs? Amazon Web Services EC2 alone
More informationIDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach
IDENTITY MANAGEMENT AND WEB SECURITY A Customer s Pragmatic Approach AGENDA What is Identity Management (IDM) or Identity and Access Management (IAM)? Benefits of IDM IDM Best Practices Challenges to Implement
More informationOPEN DATA CENTER ALLIANCE Sm Master Usage Model: Commercial framework REV 1.0
OPEN DATA CENTER ALLIANCE Sm Master Usage Model: Commercial framework REV 1.0 Table of Contents Proprietary Notice And Other Notifications... 5 Legal Notice... 6 Acknowledgments... 6 Terminology And Provenance...
More informationHP Software as a Service
HP Software as a Service Software Version: 6.1 Federated SSO Document Release Date: August 2013 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty
More informationSAML SSO Configuration
SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting
More informationSecurity solutions Executive brief. Understand the varieties and business value of single sign-on.
Security solutions Executive brief Understand the varieties and business value of single sign-on. August 2005 2 Contents 2 Executive overview 2 SSO delivers multiple business benefits 3 IBM helps companies
More informationIntroduction to SAML
Introduction to THE LEADER IN API AND CLOUD GATEWAY TECHNOLOGY Introduction to Introduction In today s world of rapidly expanding and growing software development; organizations, enterprises and governments
More informationA Model for Access Control Management in Distributed Networks
A Model for Access Control Management in Distributed Networks Master of Science Thesis Azadeh Bararsani Supervisor/Examiner: Dr. Johan Montelius Royal Institute of Technology (KTH), Stockholm, Sweden,
More informationSafeNet Authentication Service
SafeNet Authentication Service Integration Guide All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep
More informationSecure Credential Federation for Hybrid Cloud Environment with SAML Enabled Multifactor Authentication using Biometrics
Secure Credential Federation for Hybrid Cloud Environment with SAML Enabled Multifactor Authentication using Biometrics B.Prasanalakshmi Assistant Professor Department of CSE Thirumalai Engineering College
More informationCliQr CloudCenter. Multi-Tenancy
CliQr CloudCenter Multi-Tenancy CliQr CloudCenter Multi-Tenancy and Multi-User Model Page 2 Table of Contents 1 Executive Summary...2 2 Introduction...3 3 Use Case: Application Onboarding...4 4 Use Case:
More informationCA Technologies Solutions for Criminal Justice Information Security Compliance
WHITE PAPER OCTOBER 2014 CA Technologies Solutions for Criminal Justice Information Security Compliance William Harrod Advisor, Public Sector Cyber-Security Strategy 2 WHITE PAPER: SOLUTIONS FOR CRIMINAL
More informationOpenHRE Security Architecture. (DRAFT v0.5)
OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction -----------------------------------------------------------------------------------------------------------------------2 Assumptions----------------------------------------------------------------------------------------------------------------------2
More informationCloud Standards. Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102
Cloud Standards Arlindo Dias IT Architect IBM Global Technology Services CLOSER 2102 2011 IBM Corporation Agenda Overview on Cloud Standards Identity and Access Management Discussion 2 Overview on Cloud
More informationSecurely Outsourcing to the Cloud: Five Key Questions to Ask
WHITE PAPER JULY 2014 Securely Outsourcing to the Cloud: Five Key Questions to Ask Russell Miller Tyson Whitten CA Technologies, Security Management 2 WHITE PAPER: SECURELY OUTSOURCING TO THE CLOUD: FIVE
More informationOpen Source Identity Management
Open Source Management OpenAlt 2015 Radovan Semančík November 2015 Ing. Radovan Semančík, PhD. Software architect Co-owner of Evolveum (open source company) Architect of midpoint project Apache committer
More informationOracle Identity Management for SAP in Heterogeneous IT Environments. An Oracle White Paper January 2007
Oracle Identity Management for SAP in Heterogeneous IT Environments An Oracle White Paper January 2007 Oracle Identity Management for SAP in Heterogeneous IT Environments Executive Overview... 3 Introduction...
More informationService-Oriented Cloud Automation. White Paper
Service-Oriented Cloud Automation Executive Summary A service-oriented experience starts with an intuitive selfservice IT storefront that enforces process standards while delivering ease and empowerment
More informationIdentity Governance Evolution
Identity Governance Evolution Paola Marino Principal Sales Consultant Agenda Oracle Identity Governance Innovation Cloud Scenarios enabled by Oracle Identity Platform Agenda Oracle
More informationSAML:The Cross-Domain SSO Use Case
SAML:The Cross-Domain SSO Use Case Chris Ceppi Oblix Corporate Engineer Ed Kaminski OBLIX Federal Business Manager 410-349-1828 ekaminski@oblix.com Mike Blackin Principal Systems Engineer Oblix, Inc. 202-588-7397
More informationNew Security Features
New Security Features BlackBerry 10 OS Version 10.3.1 Published: 2014-12-17 SWD-20141211141004210 Contents About this guide... 4 Advanced data at rest protection... 5 System requirements... 6 Managing
More informationDell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps
Dell One Identity Cloud Access Manager 8.0.1 - How to Develop OpenID Connect Apps May 2015 This guide includes: What is OAuth v2.0? What is OpenID Connect? Example: Providing OpenID Connect SSO to a Salesforce.com
More informationBusiness-Driven, Compliant Identity Management
SAP Solution in Detail SAP NetWeaver SAP Identity Management Business-Driven, Compliant Identity Management Table of Contents 3 Quick Facts 4 Business Challenges: Managing Costs, Process Change, and Compliance
More informationBringing Cloud Security Down to Earth. Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com
Bringing Cloud Security Down to Earth Andreas M Antonopoulos Senior Vice President & Founding Partner www.nemertes.com Agenda About Nemertes Cloud Dynamics and Adoption Assessing Risk of Cloud Services
More informationPerceptive Experience Single Sign-On Solutions
Perceptive Experience Single Sign-On Solutions Technical Guide Version: 2.x Written by: Product Knowledge, R&D Date: January 2016 2016 Lexmark International Technology, S.A. All rights reserved. Lexmark
More informationService Schedule for CLOUD SERVICES
Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this
More informationFederated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.
PingFederate We went with PingFederate because it s based on standards like SAML, which are important for a secure implementation. John Davidson Senior Product Manager, Opower PingFederate is the leading
More informationDifferent Patterns of Identity Management Implemented in Cloud Computing
2011 International Conference on Advancements in Information Technology With workshop of ICBMG 2011 IPCSIT vol.20 (2011) (2011) IACSIT Press, Singapore Different Patterns of Identity Management Implemented
More informationCA Technologies Strategy and Vision for Cloud Identity and Access Management
WHITE PAPER CLOUD IDENTITY AND ACCESS MANAGEMENT CA TECHNOLOGIES STRATEGY AND VISION FEBRUARY 2013 CA Technologies Strategy and Vision for Cloud Identity and Access Management Sumner Blount Merritt Maxim
More informationSingle Sign-on to Salesforce.com with CA Federation Manager
TECHNOLOGY BRIEF: SINGLE SIGN-ON TO SALESFORCE.COM WITH CA FEDERATION MANAGER Single Sign-on to Salesforce.com with CA Federation Manager TOMMY CHENG, PRINCIPAL ENGINEERING SERVICES ARCHITECT, CA PETER
More informationIBM Cognos TM1 on Cloud Solution scalability with rapid time to value
IBM Solution scalability with rapid time to value Cloud-based deployment for full performance management functionality Highlights Reduced IT overhead and increased utilization rates with less hardware.
More informationFederated Identity and Single Sign-On using CA API Gateway
WHITE PAPER DECEMBER 2014 Federated Identity and Single Sign-On using Federation for websites, Web services, APIs and the Cloud K. Scott Morrison VP Engineering and Chief Architect 2 WHITE PAPER: FEDERATED
More informationLecture 02b Cloud Computing II
Mobile Cloud Computing Lecture 02b Cloud Computing II 吳 秀 陽 Shiow-yang Wu T. Sridhar. Cloud Computing A Primer, Part 2: Infrastructure and Implementation Topics. The Internet Protocol Journal, Volume 12,
More informationITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS
ITL BULLETIN FOR JUNE 2012 CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS Shirley Radack, Editor Computer Security Division Information
More informationData Model s Role in DaaS...3. The SQL Azure Use Case...4. Best Practices and Guidelines...5
Introduction..... 3 Data Model s Role in DaaS....3 The SQL Azure Use Case.......4 Best Practices and Guidelines.......5 Conclusion...... 9 Glossary.....9 References.....10 About the Author.....10 PAGE
More informationOracle Identity Management Concepts and Architecture. An Oracle White Paper December 2003
Oracle Identity Management Concepts and Architecture An Oracle White Paper December 2003 Oracle Identity Management Concepts and Architecture Introduction... 3 Identity management... 3 What is Identity
More informationcontent-aware identity & access management in a virtual environment
WHITE PAPER Content-Aware Identity & Access Management in a Virtual Environment June 2010 content-aware identity & access management in a virtual environment Chris Wraight CA Security Management we can
More informationCard Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006
Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates September 2006 Copyright 2006 Entrust. All rights reserved. www.entrust.com Entrust is a registered trademark
More informationGoodData Corporation Security White Paper
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
More informationConsolidated security management for mainframe clouds
Security Thought Leadership White Paper February 2012 Consolidated security management for mainframe clouds Leveraging the mainframe as a security hub for cloud-computing environments 2 Consolidated security
More informationIntegrated Identity and Access Management Architectural Patterns
Redpaper Axel Buecker Dwijen Bhatt Daniel Craun Dr. Jayashree Ramanathan Neil Readshaw Govindaraj Sampathkumar Integrated Identity and Access Management Architectural Patterns Customers implement an integrated
More informationC-DAC Medical Informatics Software Development Kit End User License Agreement
C-DAC Medical Informatics Software Development Kit End User License Agreement BY DOWNLOADING AND INSTALLING, COPYING OR OTHERWISE USING THE CENTRE FOR DEVELOPMENT OF ADVANCED COMPUTING ( C-DAC ) MEDICAL
More informationCloud computing White paper November 2009. IBM Point of View: Security and Cloud Computing
White paper November 2009 IBM Point of View: Security and Cloud Computing Page 2 Table of Contents Introduction... 3 Address cloud security the grand challenge... 4 Evaluate different models of cloud computing...
More informationOPEN DATA CENTER ALLIANCE USAGE MODEL: Cloud Infrastructure Rev. 1.0
OPEN DATA CENTER ALLIANCE USAGE MODEL: Cloud Infrastructure Rev. 1.0 Table of Contents Legal Notice...3 Executive Summary...4 Definitions...5 Purpose and Audience...5 Scope and Assumptions...5 Commonalities
More informationCloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper
Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper TABLE OF CONTENTS INTRODUCTION... 3 Where we came from... 3 The User s Dilemma with the Cloud... 4 The Administrator
More informationEnterprise Identity Management Reference Architecture
Enterprise Identity Management Reference Architecture Umut Ceyhan Principal Sales Consultant, IDM SEE Agenda Introduction Virtualization Access Management Provisioning Demo Architecture
More informationB2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value
B2C, B2B and B2E:! Leveraging IAM to Achieve Real Business Value IDM, 12 th November 2014 Colin Miles Chief Technology Officer, Pirean Copyright 2014 Pirean Limited. All rights reserved. Safe Harbor All
More informationexpanding web single sign-on to cloud and mobile environments agility made possible
expanding web single sign-on to cloud and mobile environments agility made possible the world of online business is rapidly evolving In years past, customers once tiptoed cautiously into the realm of online
More information