Identity Provisions for Cloud Services: Applying OASIS SOA Reference Model

Transcription

1 Identity Provisions for Cloud Services: Applying OASIS SOA Reference Model Presented by: Dr Michael Poulin Member & Co editor at SOA RM TC Member of AASCIT (American Association for Science and Technology) OASIS RM for SOA & RAF for SOA Head of EA, Clingstone Ltd.

2 Unexpected and Hidden Problem What is the difference between a File in your company s File Server and the same File, but located in the Cloud File Server? Assumption: your company does not own this Cloud Answer 1: no differences Answer 3: it is not 100% my file any more Answer 2: do not know A treatment of Consumer Identity for in house Applications or Services A treatment of Consumer Identity for Cloud Services A procurement of this problem from the perspective of SOA-RAF - the Reference Architecture Foundation for SOA, the OASIS Specification [Version 1.0 Committee Specification 01, 04 December 2012 ] has led to interesting results 2

3 OASIS RAF for SOA SO Ecosystem <viewpoint> Captures what is meant to realize a SOA-based system in a SOA ecosystem. Stakeholders - involved in the design, development and deployment of SOA-based systems Effective construction of SOA-based systems. <model> Understanding Governance A Generic Model for Governance Governance Applied to SOA Architectural Implications of SOA Governance <viewpoint> <viewpoint> Captures what is meant for people to participate in a SOA ecosystem Stakeholders - all participants in the SOA ecosystem Understanding ecosystem constraints and contexts in which business can be conducted predictably and effectively. OASIS Reference Architecture Foundation for SOA Captures what is meant to own a SOA-based system in a SOA ecosystem Stakeholders - involved in governing, managing, securing, and testing SOA-based systems Processes to ensure governance, management, security, and testing of SOA-based systems feedback direction <position> <model> Landscape Around Architecture," Joint Paper, The Open Group, OASIS, and OMG, July 2009 Management Management Means & Relationships Management & Governance Management & Contracts Management for Monitoring & Reporting Management for Infrastructure Architectural Implications on the Management Model 3

4 SO Ecosystem about Business Aspects of Services SO Ecosystem (OASIS RAF) o is a space in which people, processes and machines act together to deliver business capabilities as services in order to further both their own objectives and the objectives of the larger community o there may not be any single person or organization that is really "in control" or"in charge" ofthe whole ecosystem The OASIS SOA Reference Model defines : Service Oriented Architecture SOA (OASIS RAF) is a paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains. It provides a uniform means to offer, discover, interact with and use capabilities to produce desired effects consistent with measurable preconditions and expectations. The central focus of SOA is the task or business function getting something done, and Services as the mechanism by which needs and capabilities are brought together. Together, these ideas describe an environment in which business functions (realized in the form of services) address business needs. Service body utilizes capabilities or represents a capability implementation to produce specific (real world) effects that fulfil business needs. Both the services and the capabilities may be distributed across ownership domains, with different policies and conditions of use Applications do not need Trust, services do Trust is the private assessment or internal perception of one actor that another actor will perform actions in accordance with an assertion regarding a desired real world effect. Ownership A set of claims, expressed as rights and responsibilities that a stakeholder has in relation to a resource; it may include the right to transfer that ownership, or some subset of rights and responsibilities, to another entity. Service Contract is a derivative from Service Description: An implicit or explicit documented agreement between the service consumer and service provider about the use of the service based on the commitment by a service provider to provide service functionality and results consistent with identified real world effects and the commitment by a service consumer to interact with the service per specific means and per specified policies, where both consumer and provider actions are in the manner described in the service description. 4

5 A Cloud Service is a SOA Service As for a regular SOA Business Service: o A Cloud Service is provided by independent business entity o A Cloud consumers reaches a Cloud Service based on a Service Contract o A Cloud consumers selects a Cloud Service based on an off-line Service Description o A Cloud Provider engages other Cloud Services on demand o A Cloud Provider offers different interfaces of the Cloud consumers depending on the agreement with them o A Cloud Provider competes with other Cloud Providers for the Cloud consumers. o A Cloud Provider charges Cloud consumers for the provided Cloud Services A Cloud Service is not your IT service; it requires a business, rather than technology, management 5

6 A Power of Knowledge SO Ecosystem mimics & models a real world Business. Since we know how SO Ecosystem operates, we can predict with a high level of accuracy the behavioural patterns of Service Providers and Service Consumers 6

7 Back to the Problem: Competing Security Realms I do not want to pay You, or I do not want to pay You more than your competitor charges Security Authority Security Authority Security Realm A Cloud Consumer Security Realm B 7

8 If You are not my Consumer, Why would I Care about your ID? XYZ MNQ ID ABC A propagation of an end-user identity among independent Cloud Services requires special considerations that may be commercially infeasible 8

9 Knight Rules of Service Ownership When work in SO Ecosystem, do as Services do A Service of my Service is not my Service A Supplier of my Supplier is not my Supplier A Partner of my Partner is not my Partner A Consumer of my Consumer is not my Consumer 9

10 What to Do? From Provider World to Consumer World We need to cross the boundaries of Cloud Security Realms Bridging 3 rd party Security Authority Security Gateway Service for the Realm A Security Authority ID 2 Security Authority Security Realm A ID 1 A Cloud Consumer Security Realm B 10

11 Clouds Service Security: how SOA Handles Commercialisation To Take Away: Every Cloud Provider is an independent business. Cloud includes security services of authentication, authorisation, encryption and so forth. Security services are for a cost to Cloud consumers Every Cloud Provider is free to chose a Security Authority and its protected realm Providers of Security Realms are not obliged to agree on any security cooperation, collaboration or federation No Cloud Provider can enforce a consumer to share the same Security Authority & realm A Provider of the Cloud services cannot and is not obliged to deal with any identity information that belongs to a consumer of its consumer. Nonetheless, this identity may be verified if they all consumers and providers are in the same Security Realm A Security Gateway Service can be created in any Security Realm and, being an independent business entity, participate in another Security Realm at the same time A Security Gateway Service can play a role of an intermediary across boundaries of the Security Realms Business Services establish trust regardless Security Authorities and Security Realms A propagation of the end-user s Identity in the chain of Cloud services makes sense only if both end-user and all chained Cloud services belong to the same Cloud Security Realm 11

12 Thank You! 12