In some Cloud scenarios it is common that a Cloud User that holds certain privileges wants to temporary delegate some of them to another Cloud User, without directly involving the policies Administrator. For instance, a Cloud User may want to transfer their role to other Cloud User to perform a specific action, such as a PhD advisor wanting to delegate their privileges to access a digital library to one of their PhD student.
The Cloud Authorization Service may provide administration capabilities to the Cloud Users so they could define certain delegation policies, ideally in a user-friendly way.
A Cloud User has certain privileges to access a given Cloud Resource. The Cloud User accesses a Cloud Policy Administration Service to define its own delegation policies. These policies specify the conditions of the delegation, such as targeted subjects, time of applicability, environments circumstances, etc. Another Cloud User tries to access the Cloud Resource. The Policy Decision Point evaluates their policies together with the delegation policies to determine whether the Cloud User has access to the Cloud Resource. The Cloud User will have access to the resource if it has the appropriate privileges required for accessing to that resource, or if such privileges have been delegated from other Cloud User.
1.19Use case 12: Enforce government access control decisions
Cloud service providers tend to manage their authorization services by defining their own policies and rules according to their business requirements. However, regional and national governments have their own requirements.
Cloud service providers should be able to assure that tenants’ compliance and security policies are consistently managed and enforced. The authorization decisions may need to be governed or managed by geographical locations to enforce regional compliance policies.
An issue we should not neglect as well is how enterprises or organizations offering services on the Cloud can ensure compliance with the laws and regulations that they are subject to.
1.19.2Goal or Desired Outcome
Authorization decisions comply with applicable laws and regulations.
Audit and Compliance
1.19.4Applicable Deployment and Service Models
All Cloud Deployment Models (Private, Public, Community and Hybrid).
All Service Models (SaaS, PaaS and IaaS).
Policy Decision Point
Cloud Policy Administration Service
Cloud Authorization Service
A Cloud User wants to access a Cloud Resource. The Policy Decision Point that evaluates the access control policies related to that Cloud Resource has to take into account applicable regulations to decide whether the Cloud User has access.
The following individuals have participated in the creation of this specification and are gratefully acknowledged:
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models. [NIST-SP800-145]
The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. [NIST-SP800-145]
The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. [NIST-SP800-145]
The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. [NIST-SP800-145]
The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds). [NIST-SP800-145]
Cloud Essential Characteristics
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider. [NIST-SP800-145]
Broad network access
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs). [NIST-SP800-145]
The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. [NIST-SP800-145]
Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time. [NIST-SP800-145]
Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service. [NIST-SP800-145]
Cloud Software as a Service (SaaS)
The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. [NIST-SP800-145]
Cloud Platform as a Service (PaaS)
The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. [NIST-SP800-145]
Cloud Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). [NIST-SP800-145]
Identity-as-a-Service is an approach to digital identity management in which an entity (organization or individual) relies on a (cloud) service provider to make use of a specific functionality that allows the entity to perform an electronic transaction that requires identity data managed by the service provider. In this context, functionality includes but is not limited to registration, identity verification, authentication, attributes and their lifecycle management, federation, risk and activity monitoring, roles and entitlement management, provisioning and reporting. [Source: Wikipedia.]