IDaaS = Identity as a Service AND Authorization Security (OAuth, etc.)
- As we move to the cloud, there is a need to identify both users and applications to systems.
- These are referred to as the problems of IDaaS and authorization, respectively.
- We need to identify users so they can have access to their data in the cloud (possibly through an app).
- We need to identify apps so they can have access to 3rd-party cloud APIs and services.
- Frankly, this is no different from what you might need for traditional non-cloud web applications (though people interested in cloud might think they invented the problem and the solutions; both were defined prior to "cloud" taking off).
IDaaS = Identity as a Service
http://cloudbestpractices.net/product-roadmap/idaas/
- Implementing identity management capabilities as a hosted service
- Supported by various cloud platforms like Google App Engine
Authorization Security
- Implementing authorization capabilities between a "web app" and a SaaS using (usually) REST-based services (older: SOAP-based)
- OAuth is the most common open standard
What existing standards and protocols might you consider implementing for IDaaS?
- OpenID (open standard that describes how users can be authenticated in a decentralized manner)
- infoCards (Information Cards are personal digital identities that people can use online, and the key component of Identity metasystems.)
- XACML (XACML stands for eXtensible Access Control Markup Language, an open standard that defines a declarative access control policy language implemented in XML.)
- OAuth (open standard for APPLICATION authentication NOT User Authentication, protecting access to APIs.)
- The OAuth 2.0 upside is the ability for applications to securely share data programmatically via REST-based Web services or SOAP-based APIs.
- Is this important? Well: as of 2011, Google and Facebook handle five billion API calls per day. Twitter handles three billion, which is 75% of all its traffic. And more than 50% of SalesForce.com’s traffic is via API.
- Google, Salesforce.com, Facebook, Microsoft all use OAuth 2.0
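
An added example, not part of the original notes: the OAuth 2.0 client credentials grant (RFC 6749 section 4.4) simulated in memory, showing an application authenticating itself to obtain a scoped token that the protected API then checks. The client id `report-app`, its secret, the scope names and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode

# Constructed sample registration: the server stores only a hash of the client secret.
CLIENTS = {"report-app": {"secret_sha256": hashlib.sha256(b"s3cr3t-demo").hexdigest(),
                          "scopes": {"contacts.read"}}}
TOKENS = {}  # access token -> (client_id, granted scopes, expiry time)

def build_token_request(client_id, client_secret, scope):
    """Client side: the app authenticates itself with HTTP Basic (RFC 6749 section 2.3.1)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"grant_type": "client_credentials", "scope": scope})

def token_endpoint(headers, body, now=None):
    """Authorization server: verify the app, then issue a short-lived scoped token."""
    now = time.time() if now is None else now
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    try:
        scheme, blob = headers["Authorization"].split(" ", 1)
        client_id, secret = base64.b64decode(blob).decode().split(":", 1)
    except (KeyError, ValueError):
        return 401, {"error": "invalid_client"}
    client = CLIENTS.get(client_id)
    digest = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison avoids leaking how much of the secret matched.
    if scheme != "Basic" or client is None or not hmac.compare_digest(digest, client["secret_sha256"]):
        return 401, {"error": "invalid_client"}
    requested = set(form.get("scope", [""])[0].split())
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (client_id, requested, now + 300)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 300}

def api_call(headers, required_scope, now=None):
    """Resource server (the protected API): accept only a live token with the right scope."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = TOKENS.get(token) if scheme == "Bearer" else None
    if entry is None or now >= entry[2]:
        return 401
    return 200 if required_scope in entry[1] else 403
```

The token identifies the application and its granted scopes only; no user identity is involved in this grant.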