Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0



Similar documents
Open Data Center Alliance Usage: Single Sign On Authentication REv. 1.0

Open Data Center Alliance Usage: Cloud Based Identity Provisioning Rev. 1.0

Open Data Center Alliance Usage: Cloud Based Identity Governance and Auditing REV. 1.0

Open Data Center Alliance Usage: Identity Management Interoperability Guide rev. 1.0

OPEN DATA CENTER ALLIANCE SM USAGE MODEL: E-DISCOVERY AND FORENSICS

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

OPEN DATA CENTER ALLIANCE Usage Model: Guide to Interoperability Across Clouds

Open Data Center Alliance Usage: VIRTUAL MACHINE (VM) INTEROPERABILITY IN A HYBRID CLOUD ENVIRONMENT REV. 1.1

OPEN DATA CENTER ALLIANCE USAGE Model: Software as a Service (SaaS) Interoperability Rev 1.0

OPEN DATA CENTER ALLIANCE SM CLOUD ADOPTION SURVEY

Open Data Center Alliance Usage: VIRTUAL MACHINE (VM) INTEROPERABILITY

OPEN DATA CENTER ALLIANCE USAGE: Data Security Rev. 1.0

CLOUD TECH SOLUTION AT INTEL INFORMATION TECHNOLOGY ICApp Platform as a Service

Cloud Tech Solution at T-Systems International Cloud Integration Center

Open Data Center Alliance Usage: SERVICE CATALOG

OPEN DATA CENTER ALLIANCE USAGE MODEL: Provider Assurance Rev. 2.0

OPEN DATA CENTER ALLIANCE Sm Master Usage Model: Commercial framework REV 1.0

identity as the new perimeter: securely embracing cloud, mobile and social media agility made possible

How To Manage A Plethora Of Identities In A Cloud System (Saas)

CA SiteMinder SSO Agents for ERP Systems

The Gale Group Subscription and License Agreement

Identity in the Cloud Use Cases Version 1.0

Canadian Pharmaceutical Distribution Network Certificate Authority Services Agreement. In this document:

Self Help Guides. Create a New User in a Domain

Guideline on Implementing Cloud Identity and Access Management

Oracle Enterprise Manager

Open Data Center Alliance - Sustain andustain

Rethinking Schools Limited Institutional Site License

Compute Infrastructure as a Service: Recommendations from the Open Data Center Alliance SM and TM Forum A joint perspective on the requirements of

SafeNet Authentication Service

CA Business Service Insight

OPEN DATA CENTER ALLIANCE USAGE MODEL: Cloud Maturity Model Rev. 2.0

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

1 Novell Use Cases. 1.1 Use Case: Per Tenant Identity Provider Configuration Description/User Story Goal or Desired Outcome

Service Description: Cisco Prime Home Hosted Services. This document describes the Cisco Prime Home Hosted Services.

IBM WebSphere Application Server

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal

EMC ViPR Controller. Version 2.4. User Interface Virtual Data Center Configuration Guide REV 01 DRAFT

ZIMPERIUM, INC. END USER LICENSE TERMS

TERMS AND CONDITIONS

Security Issues in Cloud Computing

Oracle Enterprise Manager. Description. Versions Supported

Bringing Cloud Security Down to Earth. Andreas M Antonopoulos Senior Vice President & Founding Partner

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Improving Security and Productivity through Federation and Single Sign-on

Software License Monitoring

BIMASS and You - A Copyright Infringement Conclusions

FME SOFTWARE LICENSE AGREEMENT

New Security Features

Terms Of Service. "The Company" means CIT Broadband, P.O. Box , Fort Worth, TX

Self Help Guides. Setup Exchange with Outlook

Mobile Banking Service Agreement (Addendum to your Primary Online Banking Service Agreement)

Azure Multi-Factor Authentication. KEMP LoadMaster and Azure Multi- Factor Authentication. Technical Note

DLNA Guidelines March 2014

HIPAA: The Role of PatientTrak in Supporting Compliance

HP Software as a Service

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

ADP Ambassador /Referral Rewards Program. Terms and Conditions of Use

Oracle Enterprise Manager

QUADRO POWER GUIDELINES

Safeguarding the cloud with IBM Dynamic Cloud Security

Provider secure web portal & Member Care Information portal Registration Form

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

Introduction to Virtual Datacenter

CITRIX SYSTEMS, INC. SOFTWARE LICENSE AGREEMENT

Simplify and Secure Cloud Access to Critical Business Data

Addressing Security for Hybrid Cloud

goberlin a Trusted Cloud Marketplace for Governmental and Commercial Services

McAfee Cloud Single Sign On

Work Space Manager for BES _449

Privacy Policy and Terms of Use

SAML:The Cross-Domain SSO Use Case

"Certification Authority" means an entity which issues Certificates and performs all of the functions associated with issuing such Certificates.

White paper December Addressing single sign-on inside, outside, and between organizations

Oracle Enterprise Manager. Description. Versions Supported. Prerequisites

This research note is restricted to the personal use of

StatusScope Remote Monitoring Service. Mobile User Guide

WE RECOMMEND THAT YOU PRINT OUT AND KEEP A COPY OF THIS AGREEMENT FOR YOUR FUTURE REFERENCE.

ADP Ambassador / Referral Rewards Program Terms and Conditions of Use

CA Spectrum and CA Embedded Entitlements Manager

Entitlements Access Management for Software Developers

BES10 Self-Service. Version: User Guide

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Terms & Conditions MYJOB Website

MAGNAVIEW SOFTWARE SUPPORT & MAINTENANCE. TERMS & CONDITIONS September 3, 2015 version

DUAL MONITOR DRIVER AND VBIOS UPDATE

An Oracle White Paper August Oracle OpenSSO Fedlet

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

OPEN DATA CENTER ALLIANCE USAGE MODEL: Cloud Infrastructure Rev. 1.0

PointCentral Subscription Agreement v.9.2

Adopted as of February _18_, 2014

WI-FI ALLIANCE INTELLECTUAL PROPERTY RIGHTS POLICY

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

OPEN DATA CENTER ALLIANCE SM EXECUTIVE OVERVIEW Cloud Maturity Model Rev. 3.0

SUBSCRIPTION SERVICES.

LOGIX Fax to Service

CA Nimsoft Monitor. Probe Guide for Cloud Monitoring Gateway. cuegtw v1.0 series

ADDENDUM TO THE BLACKBERRY SOLUTION LICENSE AGREEMENT FOR BLACKBERRY BUSINESS CLOUD SERVICES FOR MICROSOFT OFFICE 365 ( the ADDENDUM )

Closing the Biggest Security Hole in Web Application Delivery

Transcription:

sm Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0

Table of Contents Legal Notice... 3 Executive Summary... 4 Related Usage Models... 5 Reference Framework... 5 Applicability... 6 Taxonomy... 6 Usage Scenarios... 7 Privileged User Access... 7 Industry Call to Action...10 References...10 2

Legal Notice This Open Data Center Alliance SM Usage Model: Infrastructure as a Service (IaaS) Privileged User Access is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS WHO ARE NOT OPEN DATA CENTER ALLIANCE PARTICIPANTS: Non-Open Data Center Alliance Participants only have the right to review, and make reference or cite, this document. Any such references or citations to this document must give the Open Data Center Alliance, Inc. full attribution and must acknowledge the Open Data Center Alliance, Inc. s copyright in this document. Such users are not permitted to revise, alter, modify, make any derivatives of, or otherwise amend this document in any way. NOTICE TO USERS WHO ARE OPEN DATA CENTER ALLIANCE PARTICIPANTS: Use of this document by Open Data Center Alliance Participants is subject to the Open Data Center Alliance s bylaws and its other policies and procedures. OPEN CENTER DATA ALLIANCE SM, ODCA SM, and the OPEN DATA CENTER ALLIANCE logo SM are service marks owned by Open Data Center Alliance, Inc. and all rights are reserved therein. Unauthorized use is strictly prohibited. This document and its contents are provided AS IS and are to be used subject to all of the limitation set forth herein. Users of this document should not reference any initial or recommended methodology, metric, requirements, or other criteria that may be contained in this document or in any other document distributed by the Alliance ( Initial Models ) in any way that implies the user and/or its products or services are in compliance with, or have undergone any testing or certification to demonstrate compliance with, any of these Initial Models. Any proposals or recommendations contained in this document including, without limitation, the scope and content of any proposed methodology, metric, requirements, or other criteria does not mean the Alliance will necessarily be required in the future to develop any certification or compliance or testing programs to verify any future implementation or compliance with such proposals or recommendations. This document does not grant any user of this document any rights to use any of the Alliance s trademarks. All other service marks, trademarks and trade names referenced herein are those of their respective owners. Published April, 2012 3

sm Open Data Center Alliance Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0 Executive Summary When an administrator manages a cloud resource on behalf of multiple users or when an administrator accesses resources in the cloud, this role becomes significant in terms of security. The level of access granted to administrators is enhanced in the administrator role and, therefore, the potential risk to the organization is increased. Access breaches that use administrative accounts can lead to significant problems for an enterprise. It is therefore desirable to provide enhanced security controls for these accounts. Many organizations that are considering purchasing cloud-based resources will already have solved this internally by using multi factor authentication (MFA) techniques and seek to use the existing systems to provide initial username/password logon and further factors of authentication to enhance security. This usage model defines a mechanism for extending existing strong authentication methods used in the enterprise to cloud-based resources. It provides cloud providers and subscribers clear guidelines for development of identity management and administrative systems for cloudbased resources. Following these guidelines will promote a single, consistent approach for administrative logon to these resources. It is assumed throughout this usage model that existing Organization for the Advancement of Structured Information Standards (OASIS) Security Assertion Markup Language (SAML) standards, using an agreed upon profile, will be used for communication between subscriber and provider systems. This document serves a variety of audiences. Solution providers and technology vendors will benefit from its content to better understand customer needs and tailor service and product offerings. Standards organizations will find the information helpful in defining end-user relevant and open standards. 4

Related Usage Models This usage model should be read in conjunction with the ODCA Identity Management Interoperability Guide 1 and the ODCA Provider Assurance Usage Model 2. The Interoperability Guide defines the interaction between the different technical usage models in the identity management area. The Provider Assurance Usage Model defines the overall requirements for security in the cloud and defines where identity management should be used. Reference Framework The following diagram shows a framework of the functional areas of identity management. This framework provides a reference model for the usage models described below. This usage model covers one of the potential cases in strong authentication. Identity and Access Management Framework Identity and Access Management Identity Lifecycle Management Identity and Authentication Management Authorization and Permission Lifecycle Management Authorization and Permission Management Identity Governance Identity Creation/ Validation Identity Federation Entitlement Externalization Access Control Services Confirm Validation Identity Provisioning (add/modify/delete) Directory Services / User Repositories Entitlement Provisioning Policy Enforcement Point (PEP) Auditing and Reporting Mover / Leaver Process Authentication Mover / Leaver Process Policy Decision Point (PDP) Monitoring Strong Authentication Role Mining and Discovery Weak Authentication Reporting for Audit / Compliance Checks Sign On Multiple Sign On Reduced Sign On (web, desktop) Single Sign On Credential Management Policy Enforcement Point (PEP) 1 www.opendatacenteralliance.org/docs/odca_idm_ InteropGuide_Rev1.0_final.pdf 2 www.opendatacenteralliance.org/docs/odca_providerassurance_rev.%201.1_final.pdf 5

Applicability This usage model is applicable to all types of cloud service including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The usage model should be applied in cases where Bronze, Silver, Gold or Platinum levels of security, as defined in the ODCA Cloud Provider Assurance Usage Model 2, are required. Correlation of applicability to other use cases can be found in the ODCA Identity Management Interoperability Guide 1 Taxonomy Actor Cloud Subscriber Cloud Subscriber User Cloud Subscriber Administrator Cloud Provider Administrator Cloud Administrator Cloud Provider Identity Provider Description A person or organization that has been authenticated to a cloud and maintains a business relationship with a cloud. An organization providing network services and charging cloud subscribers. A (public) cloud provider provides services over the Internet. An administrator type of user of a cloud subscriber organization that performs (cloud) system related administration tasks for the cloud subscriber organization. An administrator type of user of a cloud provider organization that performs system related administration tasks on systems that host services for the cloud subscriber organization. An administrator type user that performs administration tasks on a system providing services to a cloud subscriber organization. This is independent of whether the administrator is part of the cloud subscriber organization or whether he/she is part of a cloud provider organization working on resources supplied to the cloud subscriber. An organization providing network services and charging cloud subscribers. A (public) cloud provider provides services over the Internet. An entity that is responsible for establishing and maintaining the digital identity associated with a person, organization, or (in some cases) a software program. [e.g., National Strategy for Trusted Identities in Cyberspace NSTIC] 6

Usage Scenarios Privileged User Access This usage model is to be adopted where an administrator of a cloud-based resource requires strong authentication due to the enhanced privileges and higher risk associated with the account. Actors: cloud subscriber, cloud administrator, cloud provider Goal: The cloud subscriber requires the cloud administrator to authenticate by using a further factor of authentication before access is granted to the administrative area of a cloud provider s system. Assumptions: The following assumptions are made regarding authentication: Assumption 1: The cloud subscriber and cloud provider both operate (or have operated for them) identity management systems that are capable of SAML transactions and have provisioned further factor systems that are also SAML capable. The relevant systems that are within the cloud subscriber organization must be accessible by the cloud provider. Assumption 2: Where possible, the identity management systems of the cloud subscriber can generate a SAML message identifying that the cloud subscriber administrator has already completed both authentication steps. Assumption 3: The OASIS SAML standard will be used during all transactions between cloud provider and cloud subscriber. Assumption 4: All transactions between cloud provider and cloud subscriber will only be made using secure protocols. Assumption 5: The interactions defined below are to be carried out in a timely manner. The maximum delay in transaction time should be defined in the contract. Success Scenario 1: A cloud subscriber administrator is only able to authenticate to the administrative areas of a cloud provider s system or application following a multiple factor authentication at the start of, or during, the session. Steps: 1. The cloud subscriber administrator accesses the administrative area of a cloud-based resource. 2. The cloud provider s system makes a SAML request to the cloud subscriber to confirm the authorization level of the cloud subscriber administrator. 3. If the cloud subscriber administrator is already authenticated using both factors then, a. The identity management system of the cloud subscriber returns a SAML response indicating that access may be granted. b. The cloud provider then allows access to the administrative area of a cloud-based resource. 4. If the cloud subscriber administrator is already authenticated using only a single method of authentication then, a. The cloud provider s system identifies the requirement for a further factor of authentication and passes the cloud subscriber administrator to a web page controlled by the cloud subscriber which allows authentication using a further authentication factor. b. Once successfully authenticated the identity management system of the cloud subscriber returns a SAML message indicating that access may be granted. c. The cloud provider then allows access to the administrative area of a cloud-based resource. 7

5. If the cloud subscriber administrator is not authenticated then, Failure Condition 1: a. The cloud provider s system identifies the requirement for authentication and passes the cloud subscriber administrator to a web page controlled by the cloud subscriber which allows authentication. b. Once successfully authenticated, using both factors, the identity management system of the cloud subscriber returns a SAML message indicating that access may be granted. c. The cloud provider then allows access to the administrative area of a cloud-based resource. A cloud provider does not receive all required confirmations from the cloud subscriber s identity management systems. Failure Handling 1: Access to the administration area of the cloud provider s system is denied. In this model, the cloud provider s system should also provide appropriate error and audit messages back to the cloud subscriber administrator and the identity management system of the cloud subscriber. Success Scenario 2: A cloud provider administrator is only able to authenticate to the administrative areas of a cloud provider s system or application, on which services of the cloud subscriber are hosted, following a multiple factor authentication at the start of, or during, the session. Steps: 1. The cloud provider administrator accesses the administrative area of a cloud-based resource. 2. The cloud provider s system makes a SAML request to the internal identity management system to confirm the authorization level of the cloud provider administrator. 3. If the cloud provider administrator is already authenticated using both factors then, a. The identity management system of the cloud provider returns a SAML response indicating that access may be granted. b. The cloud provider then allows access to the administrative area of a cloud-based resource. 4. If the cloud provider administrator is already authenticated using only a single method of authentication then, a. The cloud provider s system identifies the requirement for a further factor of authentication and passes the cloud provider administrator to a system to provide a further factor of authentication. b. Once successfully authenticated, the identity management system of the cloud provider returns a SAML message indicating that access may be granted. c. The cloud provider then allows access to the administrative area of a cloud-based resource. 5. If the cloud provider administrator is not authenticated then, a. The cloud provider s system identifies the requirement for authentication and passes the cloud provider administrator to the systems controlled by the cloud provider which allow authentication. b. Once successfully authenticated using both factors the identity management system of the cloud provider returns a SAML message indicating that access may be granted. c. The cloud provider then allows access to the administrative area of a cloud-based resource. 8

Failure Condition 2: A cloud provider does not receive all required confirmations from the internal identity management systems. Failure Handling 2: Access to the administration area of the cloud provider s system is denied. In this model the cloud provider s system should also provide appropriate error and audit messages back to the cloud provider administrator and the event logging systems within the cloud provider organization. Success Scenario 3: A Cloud administrator is only able to complete a specific administrative task on a cloud provider s system or application following further authentication by using a multi factor authentication system. Steps: 1. The cloud administrator requires the completing of a task that requires confirmation of administrative status. 2. The cloud provider s system makes a SAML request to the same system that provided the further factor of authentication at the start of the session. 3. Once authenticated the relevant system will return a SAML response indicating that access may be granted. Failure Condition 3: A cloud provider does not receive all required confirmations from the internal identity management systems. Failure Handling 3: The complete administrative session is terminated, requiring the privileged user to restart the logon process. In this model the cloud provider s system should also provide appropriate error and audit messages back to the cloud provider administrator and the event logging systems within the cloud provider organization. 9

Industry Call to Action The following further actions are required: The ODCA requires providers of identity management systems for the enterprise and cloud providers to produce reference models and proofof-concept implementations that will show compliance to this requirement. References OASIS Service Provisioning Markup Language (SPML) Version 2 3 OASIS Security Assertion Markup Language (SAML) Version 2 4 Any use or other implementation of the above cited OASIS markup language specifications / protocols ( OASIS Language ) are subject to any and all intellectual property rights and other rights held by, and any other limitations or restrictions which may be asserted by, OASIS and/or its members as the owner or owners of said OASIS Language ( Proprietary Rights ). ODCA takes no position regarding the validity or scope of any such Proprietary Rights that might be claimed or asserted by OASIS and/ or its members which may pertain to the use or other implementation of said OASIS Language or the extent to which any license of any such Proprietary Rights might or might not be available; nor does it represent that it has made any independent effort to identify any such Proprietary Rights. Each user and implementer of the OASIS Language is solely responsible for obtaining any and all licenses which may be needed in order to use or otherwise implement said OASIS Language. Requests for information regarding the Proprietary Rights and any applicable licenses should only be directed to OASIS and should not be made to the ODCA. Copies of any Proprietary Rights disclosures that may have been made, or potential licenses to be made available, or the result of an attempt made to obtain a license or other permission for the use or implementation of such Proprietary Rights by any implementer or user of the OASIS Language should only be directed to OASIS. This reference to, or citation of, the OASIS Language is provided on an AS IS basis and THE OPEN DATA CENTER ALLIANCE AND ITS PARTICIPANTS AND MEMBERS HEREBY DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY WARRANTY THAT THE USE OR OTHER IMPLEMENTATON OF THE OASIS LANGUAGE (AS DEFINED ABOVE) WILL NOT INFRINGE ANY PROPRIETARY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 3 www.opendatacenteralliance.org/docs/odca_securitymonitoring_rev1.1_final.pdf 4 www.opendatacenteralliance.org/docs/odca_identity_provisioning_rev1.0_final.pdf 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information