Each Use Case Is Presented in the Following Normative Template for Ease of Comparison

Each Use Case Is Presented in the Following Normative Template for Ease of Comparison

1.Use Case Template

Each use case is presented in the following normative template for ease of comparison:

  • Description / User Story
  • Goal or Desired Outcome
  • Categories Covered
  • Applicable Deployment Models
  • Actors
  • Systems
  • Notable Services
  • Dependencies
  • Assumptions
  • Process Flow

1.1Description / User Story

A general description of the use case in consumer language that highlights the compelling need for one or more aspects of Identity Management while interacting with a cloud deployment model.

1.2Goal or Desired Outcome

A general description of the intended outcome of the use case including any artifacts created.

1.3Categories Covered

A listing of the Identity Management categories covered by the use case (as identified in section XXX)

1.4Applicable Deployment and Service Models

A listing of the cloud deployment and service models covered by the use case (as identified in section XXX)

These categories include:

  • Cloud Deployment Models

○Private

○Public

○Community

○Hybrid

  • Service Models

○Software-as-a-Service (SaaS)

○Platform-as-a-Service (PaaS)

○Infrastructure-as-a-Service (IaaS)

○Other (i.e. other “as-a-Service” Models)

1.5Actors

A listing of the actors or roles that take part in the use case.

1.6Systems

TBD

1.7Notable Services

A listing of services (security or otherwise) that contribute to the identity management aspects of the use case.

1.8Dependencies

A listing of any dependencies the use case has as a precondition.

1.9Assumptions

A listing of any assumptions made about the use case including its actors, services, environment, etc.

1.10Process Flow

A detailed stepwise flow of actions that comprise the use case.

2.Use Cases

2.1Use Case 1: Application and Virtualization Security in the Cloud

2.1.1Description / User Story

Cloud Computing environments have one or more virtual machines/images running on a Host Operating system on a server. Applications run inside these virtual machines (Guest Operating systems). Applications can run directly on the host operating system. Identities can be associated with each of these virtual machines. Identities can be associated with the applications running on that server (including the virtual machines).

Virtual Machines can be owned by different owners. We have identities that administer the virtual machines. We have identities that use the applications. The Virtual Machine identities may not be the same as the application identities. Authentication and validation of Identities by the cloud infrastructure may not be sufficient for the owners of virtual machines.

2.1.2Goal or Desired Outcome

We have separation of identities and ownership is not just cloud provider.

Could be one or more identity services (e.g. Amazon owns one, Customer owns another)

Since a cloud server can have multiple virtual machines and applications run on these guest operating systems, it is important to manage the identities that exist in the host operating system, virtual machines as well as applications. Additionally, it should be possible for VM owners to do their own proofing of identities.

2.1.3Notable Categorizations and Aspects

Categories Covered:
  • Primary
  • Infrastructure IdM
  • General Identity Management (IM)
  • Secondary:
  • Acct and Attr Mgmt.
  • FIM
/ Applicable Deployment and Service Models:
  • Cloud Deployment Models
○Private (F)
○Public (F)
○Community
○Hybrid
  • Service Models
○Software-as-a-Service (SaaS) (S)
○Platform-as-a-Service (PaaS) (F)
○Infrastructure-as-a-Service (IaaS) (F)
Actors:
  • Server Administrator.
  • Virtual Machine Owner
  • Virtual Machine Administrator
  • Application Deployer
  • Application User
/ Systems:
  • None

Notable Services:
  • Virtual Machines
  • Hypervisors
  • Host Operating System
  • Cloud Identity Stores (transformation of identities)

Dependencies:
  • None

Assumptions:
  • Multiple virtual machines run on a single host operating system.
  • Not all virtual machines running on a single host operating system is owned by a single entity.

2.1.4Process Flow

1A Server Administrator (One type of identity) administers a server in the cloud. He has privileges to administer the host operating system and its services.

2A Virtual Machine Owner (an identity) or a virtual machine administrator (an identity) commissions a virtual machine to run on this server.

3An Application Deployer (an identity) then deploys an application on a virtual machine.

4An Application User (an identity) then makes use of this application.

5The Server Administrator, Virtual Machine Owner, Application Owner and Application User identities are authenticated/validated/transformed against an identity store/service that exists in the cloud.

6The cloud identity system can transform a federated identity to a local identity if needed.

Top View