Identity Provisions for Cloud Services: Applying OASIS SOA Reference Model

Academic year: 2021


(1)

Identity Provisions for Cloud Services: Applying OASIS SOA Reference Model

Presented by: Dr Michael Poulin
Member & Co-editor at SOA-RM TC
Member of AASCIT (American Association for Science and Technology)
Head of EA, Clingstone Ltd. [email protected]

OASIS RM for SOA &

(2)

Unexpected and Hidden Problem

A treatment of Consumer Identity for in-house Applications or Services
versus
A treatment of Consumer Identity for Cloud Services

An examination of this problem from the perspective of SOA RAF (the Reference Architecture Foundation for SOA, the OASIS Specification [Version 1.0, Committee Specification 01, 04 December 2012]) has led to interesting results…

What is the difference between a File in your company’s File Server and the same File, but located in the Cloud File Server?

Assumption: your company does not own this Cloud

• Answer 1: no differences
• Answer 2: do not know
• Answer 3: it is not 100% my file any more…

Copyright©2015 Michael Poulin

(3)

OASIS RAF for SOA

• Viewpoint: captures what is meant to realize a SOA-based system in a SOA ecosystem.
  o Stakeholders: those involved in the design, development and deployment of SOA-based systems.
  o Concern: effective construction of SOA-based systems.

• Viewpoint: captures what is meant to own a SOA-based system in a SOA ecosystem.
  o Stakeholders: those involved in governing, managing, securing, and testing SOA-based systems.
  o Concern: processes to ensure governance, management, security, and testing of SOA-based systems.

• Viewpoint: captures what is meant for people to participate in a SOA ecosystem.
  o Stakeholders: all participants in the SOA ecosystem.
  o Concern: understanding ecosystem constraints and contexts in which business can be conducted predictably and effectively.

Source: "… Landscape Around Architecture," Joint Paper, The Open Group, OASIS, and OMG, July 2009

OASIS Reference Architecture Foundation for SOA

• Model: Understanding Governance
  o A Generic Model for Governance
  o Governance Applied to SOA
  o Architectural Implications of SOA Governance

• Model: Management
  o Management Means & Relationships
  o Management & Governance
  o Management & Contracts
  o Management for Monitoring & Reporting
  o Management for Infrastructure
  o Architectural Implications on the Management Model

(4)

SO Ecosystem about Business Aspects of Services

Ownership: a set of claims, expressed as rights and responsibilities, that a stakeholder has in relation to a resource; it may include the right to transfer that ownership, or some subset of rights and responsibilities, to another entity.

• SO Ecosystem (OASIS RAF)
  o is a space in which people, processes and machines act together to deliver business capabilities as services in order to further both their own objectives and the objectives of the larger community
  o there may not be any single person or organization that is really "in control" or "in charge" of the whole ecosystem

• The OASIS SOA Reference Model defines:
  o Service-Oriented Architecture (SOA) (OASIS RAF) as a paradigm for organizing and utilizing distributed capabilities that may be under the control of different ownership domains. It provides a uniform means to offer, discover, interact with and use capabilities to produce desired effects consistent with measurable preconditions and expectations. The central focus of SOA is the task or business function – getting something done, and
  o Services as “the mechanism by which needs and capabilities are brought together”.

• Together, these ideas describe an environment in which business functions (realized in the form of services) address business needs. A service body utilizes capabilities, or represents a capability implementation, to produce specific (real world) effects that fulfil business needs. Both the services and the capabilities may be distributed across ownership domains, with different policies and conditions of use.

Applications do not need Trust; services do.

• Trust is the private assessment or internal perception of one actor that another actor will perform actions in accordance with an assertion regarding a desired real world effect.

• Service Contract is a derivative of Service Description:
  o An implicit or explicit documented agreement between the service consumer and service provider about the use of the service, based on the commitment by a service provider to provide service functionality and results consistent with identified real world effects and the commitment by a service consumer to interact with the service per specific means and per specified policies, where both consumer and provider actions are in the manner described in the service description.

(5)

A Cloud Service is a SOA Service

As for a regular SOA Business Service:

o A Cloud Service is provided by an independent business entity
o A Cloud consumer reaches a Cloud Service based on a Service Contract
o A Cloud consumer selects a Cloud Service based on an off-line Service Description
o A Cloud Provider engages other Cloud Services on demand
o A Cloud Provider offers different interfaces to the Cloud consumers depending on the agreement with them
o A Cloud Provider competes with other Cloud Providers for the Cloud consumers
o A Cloud Provider charges Cloud consumers for the provided Cloud Services

A Cloud Service is not your IT service; it requires a

(6)

A Power of Knowledge

SO Ecosystem mimics & models a real world Business.

Since we know how SO Ecosystem operates, we can predict with a high level of accuracy the behavioural patterns of

(7)

Back to the Problem: Competing Security Realms

• I do not want to pay You, or
• I do not want to pay You more than your competitor charges

[Diagram: Security Realm A and Security Realm B, each with its own Security Authority]

(8)

If You are not my Consumer

A propagation of an end-user identity among independent Cloud Services requires special considerations that may be commercially infeasible.

Why would I Care about your ID?

[Diagram: an end-user ID passed along a chain of independent Cloud Services, labelled ABC and MNQ]

(9)

Knight Rules of Service Ownership

• A Consumer of my Consumer is not my Consumer
• A Service of my Service is not my Service
• A Supplier of my Supplier is not my Supplier
• A Partner of my Partner is not my Partner

When working in a SO Ecosystem, do as Services do

(10)

What to Do?

We need to cross the boundaries of Cloud Security Realms: from Provider World to Consumer World.

[Diagram: a Cloud Consumer in Security Realm A (its own Security Authority, identity ID-1) and Security Realm B (its own Security Authority, identity ID-2), connected through a Security Gateway Service for the Realm A and a ‘Bridging’ 3rd party Security Authority]

(11)

Cloud Service Security: how SOA Handles Commercialisation

• Every Cloud Provider is an independent business.
• Cloud includes security services of authentication, authorisation, encryption and so forth.
• Security services are provided at a cost to Cloud consumers.
• Every Cloud Provider is free to choose a Security Authority and its protected realm.
• Providers of Security Realms are not obliged to agree on any security cooperation, collaboration or federation.
• No Cloud Provider can force a consumer to share the same Security Authority & realm.
• A Provider of the Cloud services cannot and is not obliged to deal with any identity information that belongs to a consumer of its consumer. Nonetheless, this identity may be verified if all consumers and providers are in the same Security Realm.
• A Security Gateway Service can be created in any Security Realm and, being an independent business entity, participate in another Security Realm at the same time.
• A Security Gateway Service can play the role of an intermediary across the boundaries of the Security Realms.
• Business Services establish trust regardless of Security Authorities and Security Realms.

To Take Away:
• A propagation of the end-user’s Identity in the chain of Cloud services makes sense only if both the end-user and all chained Cloud services belong to the same Cloud Security Realm.
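As an added illustration (not part of the presentation), the constructed Python model below plays out the Security Gateway arrangement of slides 10 and 11: two realms whose authorities trust only their own keys, a Realm B service that serves only consumers its authority vouches for, and a gateway created in Realm A that holds its own Realm B identity (ID-2), so the end-user's ID-1 is never propagated across the boundary. The token format, the key derivation and all names are assumptions made for the demo.

```python
import base64, hashlib, hmac, json
from typing import Optional

def _sign(key: bytes, claims: dict) -> str:
    # Minimal HMAC-signed token: a stand-in for a Security Authority's token format (constructed for the demo)
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class SecurityAuthority:
    """One authority per Security Realm; it trusts only tokens issued under its own key."""
    def __init__(self, realm: str):
        self.realm = realm
        self._key = hashlib.sha256(("demo-key-" + realm).encode()).digest()  # constructed demo key
    def issue(self, subject: str) -> str:
        return _sign(self._key, {"realm": self.realm, "sub": subject})
    def verify(self, token: str) -> Optional[dict]:
        body, _, mac = token.rpartition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # issued by another realm's authority, or tampered
        claims = json.loads(base64.urlsafe_b64decode(body))
        return claims if claims.get("realm") == self.realm else None

def realm_b_service(authority_b: SecurityAuthority, token: str) -> str:
    """A Cloud Service in Realm B: it serves only consumers its own authority vouches for."""
    claims = authority_b.verify(token)
    return "rejected: not a consumer of Realm B" if claims is None else "served consumer " + claims["sub"]

class SecurityGateway:
    """Created in Realm A; as an independent entity it also holds its own identity (ID-2) in Realm B."""
    def __init__(self, authority_a: SecurityAuthority, authority_b: SecurityAuthority, own_subject_in_b: str):
        self.authority_a = authority_a
        self.token_b = authority_b.issue(own_subject_in_b)  # ID-2: the gateway's own Realm B credential
    def call_realm_b(self, consumer_token_a: str, authority_b: SecurityAuthority) -> str:
        if self.authority_a.verify(consumer_token_a) is None:
            return "gateway refused: consumer not authenticated in Realm A"
        # ID-1 (the end user) is never propagated: Realm B sees only the gateway, its direct consumer
        return realm_b_service(authority_b, self.token_b)

def demo():
    auth_a, auth_b = SecurityAuthority("A"), SecurityAuthority("B")
    id1 = auth_a.issue("end-user")                          # ID-1, valid only in Realm A
    direct = realm_b_service(auth_b, id1)                   # Realm A token presented straight to Realm B
    gateway = SecurityGateway(auth_a, auth_b, "gateway-service")
    bridged = gateway.call_realm_b(id1, auth_b)             # the same consumer, reaching Realm B via the gateway
    stranger = gateway.call_realm_b(auth_b.issue("someone-in-B"), auth_b)  # a Realm B token at Realm A's gate
    return direct, bridged, stranger
```

Run `demo()`: the direct call is rejected because Realm B's authority cannot verify a Realm A token, the bridged call is served under the gateway's own identity, and a token from the other realm is refused at the gateway, which is exactly why identity propagation only makes sense inside one realm.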

(12)

Thank You!

