Cloud Authorization Use Cases Version 0 Committee Note 01 19 November 2014




1.18 Use case 11: Delegate privileges

1.18.1 Description/User Story

In some Cloud scenarios it is common that a Cloud User who holds certain privileges wants to temporarily delegate some of them to another Cloud User, without directly involving the policy Administrator. For instance, a Cloud User may want to transfer their role to another Cloud User to perform a specific action, such as a PhD advisor wanting to delegate their privileges to access a digital library to one of their PhD students.

The Cloud Authorization Service may provide administration capabilities to Cloud Users so that they can define such delegation policies themselves, ideally in a user-friendly way.


1.18.2 Goal or Desired Outcome


Cloud Users are able to temporarily delegate part of their privileges to other Cloud Users dynamically, by making use of a special policy administration service.

1.18.3 Categories Covered


  • Authorization

  • Account and Attribute Management

1.18.4 Applicable Deployment and Service Models


  • All Cloud Deployment Models (Private, Public, Community and Hybrid).

  • All Service Models (SaaS, PaaS and IaaS).

1.18.5 Actors


  • Cloud User

  • Policy Decision Point

1.18.6 Systems


N/A

1.18.7 Notable Services


  • Cloud Policy Administration Service

  • Cloud Authorization Service

1.18.8 Dependencies


N/A

1.18.9 Assumptions

N/A

1.18.10 Process Flow


A Cloud User has certain privileges to access a given Cloud Resource. The Cloud User accesses a Cloud Policy Administration Service to define their own delegation policies. These policies specify the conditions of the delegation, such as the targeted subjects, the time of applicability, environmental circumstances, etc. Another Cloud User tries to access the Cloud Resource. The Policy Decision Point evaluates the access control policies of that resource together with the delegation policies to determine whether this Cloud User has access to the Cloud Resource. The Cloud User will have access to the resource if they hold the privileges required for accessing that resource, or if such privileges have been delegated to them by another Cloud User.
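The following is an added illustration of the flow above, not code from the committee note: a minimal Policy Decision Point that evaluates a subject's direct privileges together with delegation policies carrying the three kinds of condition named here (targeted subject, time of applicability, environment). User names, resource names and dates are constructed; the rule that a delegation can never grant more than the delegator holds directly, and that delegations do not chain, is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: privileges each Cloud User holds directly, as (resource, action) pairs.
DIRECT_PRIVILEGES = {"advisor": {("digital-library", "read")}, "student": set()}

@dataclass(frozen=True)
class DelegationPolicy:
    delegator: str            # Cloud User who transfers the privilege
    delegate: str             # targeted subject
    resource: str
    action: str
    not_before: datetime      # time of applicability
    not_after: datetime
    environments: frozenset = frozenset()  # allowed environment tags; empty means any
    def applies(self, subject, resource, action, now, environment):
        return ((self.delegate, self.resource, self.action) == (subject, resource, action)
                and self.not_before <= now <= self.not_after
                and (not self.environments or environment in self.environments))

def decide(subject, resource, action, now, environment, policies, direct=DIRECT_PRIVILEGES):
    """Policy Decision Point: Permit if the subject holds the privilege directly, or if an
    applicable delegation transfers it from a delegator who holds it directly (assumed rule:
    a delegation never grants more than the delegator holds, and delegations do not chain)."""
    if (resource, action) in direct.get(subject, set()):
        return "Permit"
    for p in policies:
        if p.applies(subject, resource, action, now, environment) \
                and (resource, action) in direct.get(p.delegator, set()):
            return "Permit"
    return "Deny"

# Constructed policies: the advisor delegates library access for one week, on campus only;
# the student (who holds nothing directly) tries to pass the same privilege on to another user.
WEEK_START = datetime(2014, 11, 19, tzinfo=timezone.utc)
SAMPLE_POLICIES = [
    DelegationPolicy("advisor", "student", "digital-library", "read",
                     WEEK_START, WEEK_START + timedelta(days=7), frozenset({"campus"})),
    DelegationPolicy("student", "other_user", "digital-library", "read",
                     WEEK_START, WEEK_START + timedelta(days=7)),
]

def demo(policies=SAMPLE_POLICIES):
    during, after = WEEK_START + timedelta(days=3), WEEK_START + timedelta(days=8)
    req = ("digital-library", "read")
    return {
        "advisor_direct": decide("advisor", *req, during, "home", policies),
        "student_in_window": decide("student", *req, during, "campus", policies),
        "student_off_campus": decide("student", *req, during, "home", policies),
        "student_expired": decide("student", *req, after, "campus", policies),
        "other_user_chained": decide("other_user", *req, during, "campus", policies),
    }
```

Only the in-window, on-campus request by the targeted student is permitted; the expired, off-campus and chained requests are all denied without the advisor's own access being affected.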

1.19 Use case 12: Enforce government access control decisions

1.19.1 Description/User Story


Cloud service providers tend to manage their authorization services by defining their own policies and rules according to their business requirements. However, regional and national governments have their own requirements.

Cloud service providers should be able to assure that tenants’ compliance and security policies are consistently managed and enforced. The authorization decisions may need to be governed or managed by geographical locations to enforce regional compliance policies.

A related issue that should not be neglected is how enterprises or organizations offering services on the Cloud can ensure compliance with the laws and regulations to which they are subject.

1.19.2 Goal or Desired Outcome


Authorization decisions comply with applicable laws and regulations.

1.19.3 Categories Covered

  • Authorization

  • Audit and Compliance

  • Governance

1.19.4 Applicable Deployment and Service Models


  • All Cloud Deployment Models (Private, Public, Community and Hybrid).

  • All Service Models (SaaS, PaaS and IaaS).

1.19.5 Actors


  • Policy Decision Point

  • Government Authority

1.19.6 Systems


N/A

1.19.7 Notable Services


  • Cloud Policy Administration Service

  • Cloud Authorization Service

1.19.8 Dependencies


N/A

1.19.9 Assumptions


N/A

1.19.10 Process Flow


A Cloud User wants to access a Cloud Resource. The Policy Decision Point that evaluates the access control policies related to that Cloud Resource has to take into account applicable regulations to decide whether the Cloud User has access.

Acknowledgments
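As an added example (not part of the committee note), the Policy Decision Point below evaluates the provider's own tenant policy first and then the regulations that a Government Authority has registered for the region hosting the resource, combining them deny-overrides so that a regulatory violation can never be permitted by tenant policy alone. Subject names, region tags, the "health" data class and the single regulation are constructed; the decision returns its reason so that it can be audited.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    subject: str
    subject_region: str      # jurisdiction the request originates from
    resource: str
    resource_region: str     # jurisdiction where the Cloud Resource is hosted
    data_class: str          # constructed classification, e.g. "health" or "public"

@dataclass(frozen=True)
class Regulation:
    """A rule registered by a Government Authority for resources hosted in its region."""
    region: str
    data_class: str
    allowed_subject_regions: frozenset   # where such data may be accessed from

    def violated_by(self, req):
        return (req.resource_region == self.region and req.data_class == self.data_class
                and req.subject_region not in self.allowed_subject_regions)

# Constructed tenant policy: (subject, resource) pairs the provider's own rules permit.
TENANT_PERMITS = {("alice", "patient-db"), ("bob", "patient-db"), ("bob", "brochure")}

# Constructed regulation: health data hosted in region "EU" may only be accessed from "EU".
REGULATIONS = [Regulation("EU", "health", frozenset({"EU"}))]

def decide(req, permits=TENANT_PERMITS, regulations=REGULATIONS):
    """Policy Decision Point: tenant policy is evaluated first; applicable regulations are
    combined deny-overrides, so a regulatory violation always yields Deny. The decision
    carries its reason so that the outcome can be audited."""
    if (req.subject, req.resource) not in permits:
        return ("Deny", "tenant policy")
    for reg in regulations:
        if reg.violated_by(req):
            return ("Deny", f"{reg.region} regulation on {reg.data_class} data")
    return ("Permit", "tenant policy; no applicable regulation violated")

def demo():
    return {
        "alice_from_eu": decide(Request("alice", "EU", "patient-db", "EU", "health")),
        "bob_from_us": decide(Request("bob", "US", "patient-db", "EU", "health")),
        "bob_brochure_from_us": decide(Request("bob", "US", "brochure", "EU", "public")),
        "carol_no_tenant_grant": decide(Request("carol", "EU", "patient-db", "EU", "health")),
    }
```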


The following individuals have participated in the creation of this specification and are gratefully acknowledged:

Chairs

Anil Saldhana, Red Hat

Radu Marian, Bank Of America

Editors

Anil Saldhana, Red Hat

Radu Marian, Bank Of America

Chris Kappler, PricewaterhouseCoopers

Dr. Felix Gomez Marmol, NEC Corporation

Document Contributors:

Abbie Barbir, Individual

Anil Saldhana, Red Hat

Darran Rolls, SailPoint

Gines Dolera Tormo, NEC Corporation

Technical Committee Member Participants:

Abbie Barbir (Bank of America)

Radu Marian (Bank of America)

Anil Saldhana (Red Hat)

Shaheen Abdul Jabbar (JP Morgan Chase)

Darran Rolls (SailPoint)

Chris Kappler (PricewaterhouseCoopers)

Dale Moberg (Axway)

Danny Thorpe (Dell)

Mohammad Jafari (Veterans Health Administration)

Mark Lambiase (SecureAuth)

Gene Myers (Certivox)

Andrew Innes (Citrix)

Definitions

Cloud Computing


Cloud computing

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. [NIST-SP800-145]


Deployment Models


Private cloud

The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. [NIST-SP800-145]



Community cloud

The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. [NIST-SP800-145]



Public cloud

The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. [NIST-SP800-145]


Hybrid cloud

The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). [NIST-SP800-145]

Cloud Essential Characteristics


On-demand self-service

A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider. [NIST-SP800-145]



Broad network access

Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs). [NIST-SP800-145]



Resource pooling

The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. [NIST-SP800-145]



Rapid elasticity

Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. [NIST-SP800-145]


Measured Service

Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service. [NIST-SP800-145]

Service Models


Cloud Software as a Service (SaaS)

The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. [NIST-SP800-145]



Cloud Platform as a Service (PaaS)

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. [NIST-SP800-145]



Cloud Infrastructure as a Service (IaaS)

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). [NIST-SP800-145]


Identity-as-a-Service

Identity-as-a-Service is an approach to digital identity management in which an entity (organization or individual) relies on a (cloud) service provider to make use of a specific functionality that allows the entity to perform an electronic transaction that requires identity data managed by the service provider. In this context, functionality includes but is not limited to registration, identity verification, authentication, attributes and their lifecycle management, federation, risk and activity monitoring, roles and entitlement management, provisioning and reporting. [Source: Wikipedia.]



