What would the journey to cloud computing be without an effort to refresh security standards now that the physical security perimeter is completely gone? For a refresh, or maybe a relook, identity management may be the place to start, particularly since identity is the basis by which all cloud-based resources are accessed.
It appears the industry sees an opportunity, as two standardization efforts, with significant vendor backing, have emerged in the wake of the RSA 2010 conference and its focus on cloud. These intend either to fill in identity management standards gaps or develop new services that create more interoperability across existing identity standards.
CA, IBM, Microsoft, Symplified, Novell, Ping Identity, Rackspace, Red Hat, Safe-Net
The premise of the OASIS IDCloud group is that cloud computing raises many challenges that have serious security implications. Identity management in the cloud is such a challenge. Businesses involved with OASIS understand by now that virtualization and cloud computing represent the single most important re-architecting of the information infrastructure in the history of computing. So do we need to "re-architect" identity management standards?
The purpose of this new committee is to collect and harmonize the existing definitions, terminologies, and vocabulary of cloud computing and to develop profiles of open standards for identity deployment, provisioning, and management. Use cases, risk assessments, and threat analysis will identify gaps in existing identity standards and determine whether profiles are needed to achieve interoperability within current standards.
Google, PayPal, Equifax, VeriSign, Verizon, CA, and Booz Allen Hamilton
The Open Identity Exchange (OIX) is a non-profit corporation proposing to serve as an independent, “neutral provider of certification trust frameworks for open identity technologies” and positions itself as the “open market solution for online identity assurance”. Although not billed as a standards organization, if successful, OIX will drive standardization in the way digital identities are trusted and relied upon.
Trust frameworks, and the certification of these as business standards, are the center post of the OIX operating model. In identity systems, digital or not, a trust framework enables a party who accepts an identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the service provider).
This terminology and operating model has been in existence for many years, developed and commercialized by the payments industry. There:
- Banks issue checks and act as checking account service providers.
- Merchants accept checks because they rely on the services of the banks and the trust frameworks built in payment rules and regulation.
- There are clearing houses (the mouse traps) in the middle that maintain the rules and the infrastructure to settle the payments and any claims between the entity holding the checking account, the banks, and the merchants.
The same model holds true generally for the Automated Clearing House network, payment cards, and other forms of retail and wholesale payments.
Assessment for Business Value, Costs, and Risks
In light of these developments, practitioners should gauge their interest based on answers to a few initial questions focused on the business value, costs, and risks associated with the deliverables of these initiatives, including:
- What metrics can I use to determine the value to my organization of user profiles and a clearing house for identity trust frameworks?
- Are these initiatives inter-related under the surface? For example, OIX suggests that multiple trust frameworks will exist to support the needs of multiple "trust communities." Is a trust community analogous or contrary to a “profile” as envisioned by OASIS?
- What is the potential impact on my existing identity infrastructure, currently composed of things like X.509 certificates, certificate authorities and PKIs, LDAP directories, AD, physical tokens, RADIUS user IDs and passwords, internal and external database identity stores, etc.?
- What will the eventual identity service model, which clearly is under development given who is at the OIX table, look like? What will it cost to use the service from the perspective of fixed and variable expenses for the enterprise?
- What is the value to the user experience? How will the user experience be the same or different when considering the different identities that the enterprise manages today – employees, customers, partners, and prospects?
Action Item: CISOs should start now to determine the value of the planned deliverables and capabilities of these initiatives from the perspective of business value, risk, cost to implement/support, usability, and the impact on the user experience. In addition, the relevance of identity profiles and trust framework services should be considered as part of the CISO's strategy of establishing and embedding security and identity services in the organization's plan to either consume or provide cloud-based services.