Identity management standards needed for cloud-based use cases such as mobile banking, privacy controls, compliance, and digital signatures are under review by a group looking for gaps that need filling so enterprises can securely use online services.
The Identity in the Cloud Technical Committee (TC) at the Organization for the Advancement of Structured Information Standards (OASIS) on Thursday launched a public review period for 29 specific use cases involving identity management standards and the cloud.
The TC hopes services such as authenticating to a bank via a mobile device and a cloud service can be done securely and via established standards, which create development flexibility and lower integration headaches.
The review is something of a crowd-sourcing exercise in which the industry helps pinpoint gaps in current standards that could cause security, deployment or other issues in the future.
If those gaps exist, extending current standards or creating entirely new standards could plug them. The TC itself, however, is not focused on creating new protocols but rather on defining profiles for identity in the cloud.
The technical committee's sponsors include organizations such as Boeing and the Department of Defense and vendors such as Red Hat, Microsoft and Cisco. (Disclosure: my company - Ping Identity - also is a sponsor.)
The TC plans to collaborate with other OASIS Technical Committees and relevant standards organizations such as The Open Group, Cloud Security Alliance and the ITU-T.
The TC has set aside 15 days for the review, which ends April 20th.
The use cases examine identity management requirements as they apply to cloud-based interactions that follow common deployment and service models.
The use cases are organized by a set of primary and secondary categories, including federated identity management, multi-factor authentication, attribute management, governance and security tokens.
Each use case is linked to deployment models, including public or private clouds, and service types such as platform, infrastructure or software.
For example, mobile authentication via a cloud provider shows how a financial company uses a cloud service to authenticate its globally-based mobile clients and to connect them to the closest (cloud) physical location for fast response.
The use case includes authentication, authorization, audit and compliance features and is defined for public and private cloud deployments and platform/infrastructure/software-as-a-service.
The TC is asking reviewers to submit their comments via the group's web page using the "Send a Comment" button at the top of the page.
The list of use cases is available here as a zip file.
"This is the final public review before we publish the use case document as an OASIS Committee Note," said Anil Saldhana, chair of the TC and the lead JBoss security architect at Red Hat. The TC must wait seven days after the review period ends before voting on the document.