CS6320:  SW Engineering of Web Based Systems

 

IDaaS (Identity as a Service) and Authorization Security (OAuth, etc.)

  • As we move to the Cloud, there is a need to identify both Users and Applications to systems.

  • These are referred to as the problems of IDaaS and Authorization, respectively.

  • We need to identify users so they can have access to their data in the cloud (possibly through an App).

  • We need to identify apps so they can have access to 3rd-party APIs and services in the Cloud.

  • Frankly, this is no different from what you might need for traditional non-cloud web applications (though people interested in cloud might think they invented the problem and its solutions; both were defined before "cloud" took off).

[Figure: Security Issues at different Cloud Layers]

IDaaS = Identity as a Service

 

http://cloudbestpractices.net/product-roadmap/idaas/

Authorization Security

  • Implementing authorization capabilities between a "web app" and a SaaS, usually using REST-based services (older ones are SOAP-based)

  • OAuth is the most common open standard

 

 

What existing standards and protocols might you consider implementing for IDaaS?

  • OpenID (an open standard that describes how users can be authenticated in a decentralized manner)
  • infoCards (Information Cards are personal digital identities that people can use online, and the key component of Identity metasystems)
  • XACML (eXtensible Access Control Markup Language; an open standard that defines a declarative access control policy language implemented in XML)
  • OAuth (an open standard for APPLICATION authentication, NOT user authentication; protects access to APIs)
    • The OAuth 2.0 upside is the ability for applications to securely share data programmatically via REST-based Web services or SOAP-based APIs.
    • Is this important? Well, as of 2011, Google and Facebook handle five billion API calls per day. Twitter handles three billion, which is 75% of all its traffic. And more than 50% of Salesforce.com's traffic is via API.
    • Google, Salesforce.com, Facebook, and Microsoft all use OAuth 2.0.

 

 

 

© Lynne Grewe