Thursday, August 27, 2009

Identity as a Service (IDaaS)


Identity as a Service (IDaaS) is fundamentally the externalization to and management of identities in the cloud. This definition of IDaaS branches it’s meaning depending on the service being software, platform or infrastructure based for both public and private clouds. Identities can still be managed internally within an organization but externalized through a Service Oriented Architecture (SOA) creating a Platform as a Service (PaaS) layer (either public and/or private) to facilitate an I&AM cloud based solution. Identities can be externalized without having a SOA in place by having those identities managed in a cloud utilizing SaaS Machine images can also be created within an Infrastructure as a Service (IaaS)cloud environment so that pre-configured I&AM instances could be launched and used.

Cloud Security Challenges

The challenges for IDaaS are different not just from the perspective of the SPI (“SaaS, PaaS, IaaS”) but also in how security impacts specific stakeholders utilizing the cloud for an identity management solution. Corporate IT and R&D traditionally both manage users differently (internal to an organization and users within products/services respectively). The challenges of each inherently become different as a result and the challenges with IDaaS have to be applicable to each stakeholder. The challenges that consumers face having their identity serviced in a cloud environment also are very different and bring about issues of reputation that must start being considered (both from vendor & consumer).

Issues and Challenges


Corporate IT: When implementing IDaaS essentially outsourced to another provider the privacy of your internal employee information needs to be considered. This implementation is non-federated so the credentials of users and the ability for those users (if comprised) to gain access to internal systems becomes possible. How passwords are stored, personal information protected, and the Software Development Lifecycle (SDLC) of their product all need to be inline to your policy as if they were internalized. Consideration for non-physical access to authenticat now needs to be considered. Consideration also needs to be given for how administrative access is granted and if this over the Internet creating an attack vector.

Products/Services face different challenges when externalizing I&AM service to software managed by others. Depending on which of the specific parts of the solution being provided is coupled to your solution determines how what security to incorporate into your product development lifecycle.

There is of course a need to make sure that the privacy policy of the software you are using is acceptable to you on how they share your personal information but this alone is not enough. Your identity as a consumer in the cloud is becoming a commodity. Identity for consumers is more than just your personal information (i.e. social security number). For consumers identity is now about reputation across feedback for auction items, your social feed & following friends and professional recommendations all have impact to your identity in the cloud.


Transactional integrity across multiple SOA operations create audit issues. While providing interoperability an SOA is not transactional across disparate interfaces. Depending on the implementation of the interface it may not have transactions within it accross operations /methods even with a session existing.


Here the issues & challenges for Corporate IT and R&D are intrinsic to how and from whom the machine image was made. Open sourced solutions vs specific vendor products on these images also have different issues in trust and assurance (Quality & Vulnerability) to the code you are expecting to be running as service to have an I&AM instance available to launch.

Solutions and Recommendations

Identity as a Service should follow the same best practice that an I&AM implementation does along with added considerations for Privacy, Integrity and Audit ability.

Solution Options


Corporate IT has to review the options the cloud provider has to couple their network either through VPN or proprietary gateway device. The reduction of cost using the cloud needs to have the risk mitigated around the privacy considerations with having employee information stored remotely and how the cloud provider (e.g. encryption of data at rest) is managing that data.

teams need to bring into their SDLC the interactions with I&AM providers as part of their threat assessment. The specifics to this can be reviewed in the Application Security domain in regards to vulnerabilities.

need to review the privacy policies of where they have their information. This however is not sufficient security as your identity (not in your personal information i.e. social security number) is also about now about your reputation. Your use of the cloud systems tie directly back to who you are and this continue as more systems are mapping identities and providing federated interface as such. It is important that information that you have in the cloud is understood that it ties back to you. For information that would affect your reputation should have the level of protection that you feel would equate to what you give out in the real world. It is vital that cloud providers understand this being more about privacy of information (not necessarily about identifying characteristics of an identity but in fact the information related and known to an identity as a person).


Stay away from proprietary solutions in how any part of what you have broken out of your traditional I&AM enviornment. It is important to keep to standards for the components of I&AM that you are decoupling within your implementation and followed in practice by the cloud provider and used correctly. If standards are not yet adopted it is not a deterrent but should have more caution than if it has been generally available, adopted and has continued support e.g. XACML for authorization, XDAS for distributed auditing and SPML for provisioning.


Images created by others need to have some support & maintenance around it. When open sourced the integrity of an instances has to be reviewed and should have some caution as the build may not be what you expect unless coming from a reputable organization that is willing to support it.


· Use the cloud to bring and remove the redundancy in resources without sacrificing existing practices.

· Keep all existing practices to I&AM in place with additional focus when moving your data off-site and/or decoupling the pillars of the solution into an SOA.

Questions for your Provider and Assessment Checklist

· Please provide any documentation you have outlining the security architecture of this solution covering web services security, authentication, audit trails, user-id timestamps etc .

· Please describe what protocols / options are available for single sign on.

· Please provide security administration manual or security portions of the system administration manual.

· Please describe user account and password controls and options.

· Please describe security reports available from the system. Please provide sample reports.

· Please provide us a copy of your privacy policy.

· What standards do you support?

· Do we have the option to have parts of the cloud private?

Future Outlook

The cloud provides a number of benefits with IDaaS becoming a maturing part of this revolution yet this specific market is still very early in its development. Some organizations, at the time of this writing, have staked their claim to managing identities in the cloud and externalizing the identities through SOA. They often provide both options to clound and non-cloud (traditional) so a viable solution can be put in place that meets your requirements. Cloud providers need to keep offering options between traditional Identity Management and Identity as a Service while bolstering the on ramp towards maturatity and across the chasm.

For consumers the lines between clouds and the reputation of your identity will continue to blur. The time may never come where your auction
’s negative feedback affects your ability to get a loan but these are the security issues to understand and continue address.


Joe Stein

Sunday, August 23, 2009

NIST Updates Cloud Computing Definition (v15)

Computer scientists at NIST continue to develop their draft definition of cloud computing in collaboration with industry and government. They have been been posting their working definition of cloud computing that serves as a foundation for their upcoming publication on the topic. NIST’s role in cloud computing is to promote the effective and secure use of the technology within government and industry by providing technical guidance and promoting standards.

The changes between this draft and the previous are mostly terminology and language without any large structural changes. I believe that throughout the industry the base of cloud computing around the five essential characteristics, three service models, and four deployment models are beginning to hold steady.

Draft (V15) NIST Working Definition of Cloud Computing

Authors: Peter Mell and Tim Grance


National Institute of Standards and Technology, Information Technology Laboratory

Note 1: Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time.

Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.

Definition of Cloud Computing:

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Essential Characteristics:

On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.

Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.

Service Models:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models:

Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

They also have a great presentation on "Effectively and Securely Using the Cloud Computing Paradigm v25"

To learn more about NIST's cloud efforts

Joe Stein

Sunday, August 9, 2009

Amazon Web Services - Elastic Compute Cloud (EC2)

So many folks know Amazon for their books and the oodles of other online e-commerce (buy and wait for it to get delivered) retail store. They also do a nice job (at least through my Roku) with on-demand movies and such. The skinny of this post is about Amazon's "Web Services" (AWS) focused on the "Elastic Compute Cloud" (EC2) product.

The service started a few years back but it has only been a year since they added the Elastic Block Store (EBS) which (in my opinion) makes this a truly viable multi-server computing solution.

Now, I have not yet utilized this service in production so I can not yet speak to that but so far I have spent some cycles on the development side and honestly I have to say I am not sure what I ever did without it.

There is a very small learning curve to get the management console moving along but the getting started guide is well put together

Once you get the hang (as I say this is straight forward) of the console now you can go and find your machine images These images are made by Amazon, Sun, IBM, Oracle and an entire community of folks that share images they have made.

Here are just a few:

Perl Web Starter
Fedora Core 8, 32-bit architecture, Perl, Mason, Apache 2.0, and MySQL.

Java Web Starter
Fedora Core 8, 32-bit architecture, Java 5 EE, Tomcat, Apache, and MySQL.

LAMP Web Starter
Fedora Core 8, 32-bit architecture, PHP5, Apache 2.2, and MySQL.

Ruby on Rails Web Starter
Fedora Core 8, 32-bit architecture, Ruby, Rails, RubyGems, Mongrel, and MySQL.

Amazon Public Images - Windows Server 2003 R2 With Authentication Services and SQL Server Express + IIS + ASP.NET (32bit)

Amazon Public Images - Windows Server 2003 R2 and SQL Server Express + IIS + ASP.NET (64bit)

Being a developer I like to have platforms ready to go for acomplishing what I need to get done. Having these "pre-packaged" enviornments that I can utilize (put simply) reduces cycle times and allows focus for the task at hand.

Amazon is not the only provider (just the only Infrastructure as a Service (IaaS) I have used).

Here are some other services:

Some open source projects (in case you happen to have your own data center with nothing to-do):

Joe Stein

Saturday, August 8, 2009

Facebook RSS News Feed Reader

So recently I started using a RSS Reader, Google Reader as it happens to be. I like being able to pull together news, slashdot, some sports, etc but it left me still with the occasion for going to Facebook to look at my news feeds of friends. After a little digging I could not find anything that would allow me to have my Facebook News Feeds available in any RSS Feeds.

So, here now exists the Facebook RSS News Feed Reader This application allows you to view your Facebook News Feed from within your favorite RSS reader.

What is RSS you may ask? RSS stands for Really Simple Syndication and the specification is maintained here

Here is a quick overview for how it is done.
First you need to get into the Facebook API a little bit. This is both from the how to setup a Facebook app and also understanding their streams.

- Facebook Getting Started
- Facebook Streams

I developed the application in PHP so here is a little more about how that part works. Basically you have to create a type of proxy so the RSS reader is going to connect to your PHP (or other language based) application which then has to internalize (based on parameters for lets say the session) being passed in.

From here you need to:
1) Setup the session for that user to Facebook in your application
2) Read the profile stream in your application based on the HTTP request
3) Create (by parsing the news feed stream) the RSS XML (make sure you set it up correctly [i.e. having a so each item is uniquely defined]).

Now these 3 steps MUST occur AFTER you have had the user follow these steps to give you the one time authenticator so you can have the infinite session. Navigating the programming parts was pretty straight forward once I got through this with little more understanding about how "Facebook Infinite Session Keys Are NOT Dead!".

To get the infinite session key, you have to go to the following URL, replacing YOUR_API_KEY with your Facebook app’s API key: Once you click "Generate" you will get your one time code (show below as example).

With that in your PHP application you now do this:
$facebook = new Facebook($appapikey, $appsecret);//Create a new facebook object
$infinite_key_array = $facebook->api_client->auth_getSession($authtoken); //$authtoken is the value you got from the above one time step
$infinite_key_array['session_key'] has the value for the session. You can MUST store this (depending on your implementation along with the user id).

Now that you have done this this session id (and the person's user id) is all you need to continue. Now you can setup a session in your PHP app to Facebook and only require some paramaters to be passed in for the RSS feed.

$facebook->api_client->user = $_GET["u"];
$facebook->api_client->session_key = $_GET["s"];
$facebook->api_client->expires = 0;

From here, read your stream.
$feed = $facebook->api_client->stream_get();

Loops through your posts from the $feed and create the RSS XML with the proper headers e.g.
header("Content-Type: application/xml; charset=ISO-8859-1");
header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0", false); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past

Joe Stein