IDaaS = Identity as a Service ------ AND --- Authorization Security (OAuth,etc)

• As we move to Cloud there is a need to Identify both Users and Applicaitons to systems.

• This is refered to as the problems of IDaas and Authorization respectively

• We need to identify users so they can have access to their data in the cloud (possibly though an App)

• We need to identify apps so they can have access to 3rd Party in the Cloud APIs and serivces

• Frankly this is not different than what you might need for traditional non-cloud web applications (though people interested in cloud might thing they invented the problem and solutions ---both defined prior to "cloud" taking off)

<<<Security Issues at different Cloud Layers

IDaaS = Identity as a Service

http://cloudbestpractices.net/product-roadmap/idaas/

• implementing Identity Management capabilities as a hosted service

• supported by various could platforms like Google App Engine

  • As this NASA press release explains their Identity security technologies enabled their move to Google apps, providing staff with new collaboration apps while also ensuring compliance with the USA Govt ID Management standards.

Authoroization Security

• implementing Authorization capabilities between a "web app" and a SaaS using (usually) REST based services (older SOAP based)

• OAuth is most common open standard

What existing standards and Protocols might you consider implementing for IDaaS

• OpenID (open standard that describes how users can be authenticated in a decentralized manner)
• infoCards (Information Cards are personal digital identities that people can use online, and the key component of Identity metasystems.)
• XACML (XACML stands for eXtensible Access Control Markup Language. Open Standard defines a declarative access control policy language implemented in XML )         
• OAuth (open standard for APPLICATION authentication NOT User Authentication, protecting access to APIs.)
  • The OAuth 2.0 upside is the ability for applications to securely share data programmatically via REST-based Web services or SOAP-based APIs.
  • Is this important....well: As of 2011 ---Google and Facebook handle five billion API calls per day. Twitter handles three billion, which is 75% of all its traffic. And more than 50% of SalesForce.com’s traffic is via API. 
  • Google, Salesforce.com, Facebook, Microsoft all use OAuth 2.0