(1) WG NAME
Cloud Identity and Security Best Practices (CloudIDSec)
The core purpose of the CloudIDSec WG is to identify the overlap between the field of Cloud Computing and the Kantara federated identity programs, with a view to defining:
- How Cloud Computing can be leveraged to implement Kantara specifications (e.g. Identity Assurance Framework components) – This will define specifications for 'IDaaS' – Identity as a Service: what configurations of software Cloud Service Providers can implement, how they can be audited to verify compliance, etc.
- How Kantara can help advance Cloud Security best practices - Define how Kantara Assurance and Interop Programs can be applied to enhance security of Cloud environments, particularly in line with achieving compliance with Government standards and linked to Government Privacy Audit policies.
The scope for the group is the intersection between the NIST Cloud Computing models, Cloud Security best practices (Cloud Security Alliance et al) and the Kantara assurance and Interoperability programs, and will focus on how this program area can be made more implementable via Cloud services.
In particular the group will develop a common model for cloud based managed Identity services by utilizing the NIST Cloud Computing models as baseline references to develop Request for Proposal (RFP) procurement templates combined with a service provider standardization initiative. A common model for managed Identity services will enable service providers to more confidently invest in the technologies and make Cloud outsourcing safer for public sector clients.
For example the 'Hybrid Cloud' NIST model will be combined with Kantara Assurance and Interop Programs to define how a resulting IDaaS can be implemented and also defined in RFP requirement terms.
(4) DRAFT TECHNICAL SPECIFICATIONS:
The group will output the following deliverables:
- IDaaS design models – Technical blueprints for IDaaS based on Kantara Assurance and Interop recommendations, criteria and other related Kantara working group outputs.
- RFP templates – Enable governments to issue tenders for IDaaS approved against their national ID requirements.
(5) OTHER DRAFT RECOMMENDATIONS:
- Marketing white paper – A joint Kantara / CBPN white paper on CloudIDSec best practices.
- Convener: Neil McEvoy, Founder, Cloud Best Practices Network
- Cloud Service Providers – Telcos and web hosting firms who want to offer managed IDaaS.
- Governments – Who want to procure managed IDaaS.
- 24 months from date of launch with extension proposed if appropriate.
(9) IPR POLICY:
- Kantara IPR Option: Patent Copyright RAND
(10) RELATED WORK AND LIAISONS:
The group will seek out and implement the following group partnerships for the deliverables:
The NIST 'Business Use Cases' stipulate the terms of the IDaaS requirements for US Government adoption of Cloud Services, described as “authentication and identity management interoperability”. The CloudIDSec group will map these to the Kantara Assurance and Interoperability program requirements to produce a 'profile' of the NIST requirements applicable for the Kantara certification programs.
IDaaS Cloud Services will be defined through a range of best practice documents, including existing Kantara materials, in particular the E-Gov group and the work of the Canadian Federal Government, based on their Deployment Profile document. The group will also reach out to other government ID initiatives, such as British Columbia BCeID, with a view to sharing these best practices via Cloud Providers.
The Government Cloud Identity solution will be tailored for more specific use case scenarios. For a liaison with the E-Health group this will include a focus on the E-Health Ontario program, to offer 'ONE ID as a Service'.
- Specification of 'Cloud Gateway Services' – the role of telcos as data brokers in the ecosystem, hosted and delivered as part of their Cloud services portfolio.
- Definition of how UMA can be implemented by Cloud Providers.
- Definition of how XDI software is deployed into Cloud deployments to facilitate Cloud Gateway Services.
In addition, liaison with the following SDOs includes (but is not limited to):
- OASIS: TOSCA, PACR, IDCloud, Trust Elevation
- OMG: Cloud Standards Customer Council
- CSA: Trusted Cloud Initiative
- ODCA: Regulatory Compliance Program
- ITU-T: Focus Group on cloud computing, Study Group 17
The Group will appoint at least one (and more as required) dedicated liaison to cloud community SDOs and others to promote the work, and establish its relevance to the particular community participant.
(11) CONTRIBUTIONS (optional):
- none at this time
(12) MEETING PROCEDURE:
Meetings will be conducted under the Chatham House Rule as the default (see http://www.chathamhouse.org.uk/about/chathamhouserule/). However, any individual making a statement retains the right to opt out of the rule and direct the minutes to record that individual's attribution to the statement.
- Neil McEvoy
- Rainer Hoerbe
- Colin Wallis – GTS, Dept of Internal Affairs, New Zealand