Open Data Center Alliance℠ Usage: Infrastructure as a Service (IaaS) Privileged User Access rev. 1.0
Table of Contents
Legal Notice ... 3
Executive Summary ... 4
Related Usage Models ... 5
Reference Framework ... 5
Applicability ... 6
Taxonomy ... 6
Usage Scenarios ... 7
Privileged User Access ... 7
Industry Call to Action ... 10
References ... 10
© 2012 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.
Legal Notice
© 2012 Open Data Center Alliance, Inc. ALL RIGHTS RESERVED.
This “Open Data Center Alliance℠ Usage Model: Infrastructure as a Service (IaaS) Privileged User Access” is proprietary to the Open Data Center Alliance, Inc.
NOTICE TO USERS WHO ARE NOT OPEN DATA CENTER ALLIANCE PARTICIPANTS: Non-Open Data Center Alliance Participants only have the right to review, and make reference or cite, this document. Any such references or citations to this document must give the Open Data Center Alliance, Inc. full attribution and must acknowledge the Open Data Center Alliance, Inc.’s copyright in this document. Such users are not permitted to revise, alter, modify, make any derivatives of, or otherwise amend this document in any way.
NOTICE TO USERS WHO ARE OPEN DATA CENTER ALLIANCE PARTICIPANTS: Use of this document by Open Data Center Alliance Participants is subject to the Open Data Center Alliance’s bylaws and its other policies and procedures.
OPEN DATA CENTER ALLIANCE℠, ODCA℠, and the OPEN DATA CENTER ALLIANCE logo℠ are service marks owned by Open Data Center Alliance, Inc. and all rights are reserved therein. Unauthorized use is strictly prohibited.
This document and its contents are provided “AS IS” and are to be used subject to all of the limitations set forth herein.
Users of this document should not reference any initial or recommended methodology, metric, requirements, or other criteria that may be contained in this document or in any other document distributed by the Alliance (“Initial Models”) in any way that implies the user and/or its products or services are in compliance with, or have undergone any testing or certification to demonstrate compliance with, any of these Initial Models.
Any proposals or recommendations contained in this document, including, without limitation, the scope and content of any proposed methodology, metric, requirements, or other criteria, do not mean the Alliance will necessarily be required in the future to develop any certification or compliance or testing programs to verify any future implementation or compliance with such proposals or recommendations.
This document does not grant any user of this document any rights to use any of the Alliance’s trademarks.
All other service marks, trademarks and trade names referenced herein are those of their respective owners.
Published April, 2012
Executive Summary
When an administrator manages a cloud resource on behalf of multiple users, or accesses resources in the cloud, the administrator role becomes significant from a security standpoint: it carries a higher level of access than an ordinary user account, and the potential risk to the organization is correspondingly higher.
Access breaches that use administrative accounts can lead to significant problems for an enterprise. It is therefore desirable to provide enhanced security controls for these accounts.
Many organizations considering the purchase of cloud-based resources will already have solved this internally by using multi-factor authentication (MFA) techniques, and will want to reuse those existing systems to provide the initial username/password logon and the further authentication factors that enhance security.
This usage model defines a mechanism for extending existing strong authentication methods used in the enterprise to cloud-based resources.
It provides cloud providers and subscribers with clear guidelines for the development of identity management and administrative systems for cloud-based resources. Following these guidelines will promote a single, consistent approach to administrative logon for these resources.
It is assumed throughout this usage model that existing Organization for the Advancement of Structured Information Standards (OASIS) Security Assertion Markup Language (SAML) standards, using an agreed-upon profile, will be used for communication between subscriber and provider systems.
This document serves a variety of audiences. Solution providers and technology vendors will benefit from its content to better understand customer needs and tailor service and product offerings. Standards organizations will find the information helpful in defining end-user relevant and open standards.
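As an added illustration, not taken from the usage model or from ODCA, the following Python check shows what a provider-side policy enforcement point could require of a SAML 2.0 assertion before it grants an administrative logon under the mechanism described above: an OASIS authentication context class that reflects a strong (multi-factor) logon, an unexpired validity window, and the provider itself as the intended audience. The accepted class set, the entity identifiers and the sample assertion are constructed assumptions, and the assertion's XML signature is assumed to have been verified already by the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Authentication context classes an (assumed) subscriber policy accepts as
# strong enough for an administrative logon; the URIs are OASIS SAML 2.0 ones.
STRONG_CLASSES = {AC + "TimeSyncToken", AC + "SmartcardPKI",
                  AC + "MobileTwoFactorContract"}
AUDIENCE = "https://cloud.provider.example"  # constructed provider entity ID
NOW = datetime(2012, 4, 1, 10, 2, tzinfo=timezone.utc)  # fixed clock for demo


def make_assertion(authn_class, not_after="2012-04-01T10:05:00Z"):
    """Build a constructed, unsigned sample assertion for the demonstration."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
  IssueInstant="2012-04-01T10:00:00Z">
  <saml:Issuer>https://idp.subscriber.example</saml:Issuer>
  <saml:Subject><saml:NameID>admin01</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-04-01T10:00:00Z" NotOnOrAfter="{not_after}">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2012-04-01T10:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def check_privileged_assertion(xml_text, expected_audience=AUDIENCE, now=NOW):
    """Return (allowed, reason). Assumes the XML signature has already been
    verified by the SAML library (this check alone is not sufficient)."""
    root = ET.fromstring(xml_text)
    ref = root.find("saml:AuthnStatement/saml:AuthnContext/"
                    "saml:AuthnContextClassRef", NS)
    if ref is None or (ref.text or "").strip() not in STRONG_CLASSES:
        return False, "authentication context is not a strong class"
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        return False, "assertion carries no validity window"
    not_after = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= not_after:
        return False, "assertion expired"
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != expected_audience:
        return False, "assertion not intended for this provider"
    return True, "ok"
```

A password-only context such as PasswordProtectedTransport is rejected even when the assertion is otherwise valid, which is the point of extending the enterprise's second factor to the cloud logon.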
Related Usage Models
This usage model should be read in conjunction with the ODCA Identity Management Interoperability Guide [1] and the ODCA Provider Assurance Usage Model [2]. The Interoperability Guide defines the interaction between the different technical usage models in the identity management area. The Provider Assurance Usage Model defines the overall requirements for security in the cloud and defines where identity management should be used.
Reference Framework
The following diagram shows a framework of the functional areas of identity management. This framework provides a reference model for the usage models described below.
This usage model covers one of the potential cases in strong authentication.
[Figure: Identity and Access Management Framework. Labels recoverable from the diagram: Authorization and Permission Management; Access Control Services; Policy Enforcement Point (PEP); Policy Decision Point (PDP); Identity Governance; Confirm Validation; Auditing and Reporting; Monitoring; Authorization and Permission Lifecycle Management; Reporting for Audit / Compliance Checks; Role Mining and Discovery; Entitlement Externalization; Mover / Leaver Process; Entitlement Provisioning; Sign On; Single Sign On; Reduced Sign On (web, desktop); Multiple Sign On; Authentication; Policy Enforcement Point (PEP); Credential Management; Weak Authentication; Strong Authentication; Identity Federation; Directory Services / User Repositories; Identity and Authentication Management; Identity Lifecycle Management; Identity Creation/Validation; Identity Provisioning (add/modify/delete); Mover / Leaver Process.]
[1] www.opendatacenteralliance.org/docs/ODCA_IdM_InteropGuide_Rev1.0_final.pdf
[2]