Project news

Call for Participation: Cloud Authorization (CloudAuthZ) TC

A new OASIS technical committee is being formed. The OASIS Cloud Authorization (CloudAuthZ) TC has been proposed by the members of OASIS listed in the charter below. The TC name, statement of purpose, scope, list of deliverables, audience, IPR mode and language specified in the proposal will constitute the TC’s official charter. Submissions of technology for consideration by the TC, and the beginning of technical discussions, may occur no sooner than the TC’s first meeting.

The eligibility requirements for becoming a participant in the TC at the first meeting are:

(a) you must be an employee or designee of an OASIS member organization or an individual member of OASIS, and

(b) you must join the Technical Committee, which members may do by using the Roster “join group” link on the TC’s web page at [a].

To be considered a voting member at the first meeting, you must:

(a) join the Technical Committee at least 7 days prior to the first meeting (on or before 27 November 2012); and

(b) attend the first meeting of the TC, at the time and date fixed below (4 December 2012, 11:00 am Eastern time).

Participants may also join the TC at a later time. OASIS and the TC welcome all interested parties.

Non-OASIS members who wish to participate may contact us about joining OASIS [b]. In addition, the public may access the information resources maintained for each TC: a mail list archive, document repository and public comments facility, which will be linked from the TC’s public home page at [c].

Please feel free to forward this announcement to any other appropriate lists. OASIS is an open standards organization; we encourage your participation.

----

[a] https://www.oasis-open.org/apps/org/workgroup/cloudauthz/index.php

[b] See http://www.oasis-open.org/join/

[c] http://www.oasis-open.org/committees/cloudauthz/

— Charter of the TC

(1)(a) The name of the TC
OASIS Cloud Authorization (CloudAuthZ) Technical Committee

(1)(b) Statement of Purpose

As Cloud Computing gains traction in the industry, Cloud providers face challenges from the lack of standardized profiles for authorization and entitlements. In Cloud Computing systems, resources such as bandwidth and memory are constrained. There are, for example, use cases where access policy enforcement for a cloud resource needs to be performed as close to the Consumer as possible. In addition, in most enforcement models, attributes, including contextual attributes, must be readily available to Policy Enforcement Points in order to streamline calls to the authorization engine. Since computing resources are limited, there are also use cases where the Policy Enforcement Point needs to obtain the contextual entitlements that the Consumer has in a single call, rather than performing a large number of calls to the authorization engine as in the classic enforcement model.

The CloudAuthZ Technical Committee will use existing, well-designed standards to provide mechanisms for delivering cloud contextual attributes to Policy Enforcement Points. Such mechanisms can enable cloud infrastructures that provide, in real time, a subset of contextual entitlement sets that a decision point can use to authorize or deny a Consumer’s use of a specific resource. Standard mechanisms for this reduce the need to customize interactions between customer and vendor systems, decrease the overhead needed to support authorization and entitlement, and enhance portability across multiple systems.

The CloudAuthZ Technical Committee will use existing, well-designed standards to provide mechanisms for delivering contextual entitlements to Policy Enforcement Points.

(1)(c) Scope of work

The purpose of this TC is to generate profiles for Cloud authorization and entitlements. The group’s goal is to define configurations of relevant standards that enable authorization policies to be enforced as efficiently as possible. In addition, these profiles will offer standardized mechanisms for compliance monitoring. The TC will develop techniques that allow a Consumer to receive a set of allowed entitlements, and authorization mechanisms that can use these entitlements to determine the applicable contextual policies in real time.

1. The TC will define use cases for authorization and entitlements in a Cloud Computing context. These may be new or existing use cases as the TC determines. The TC may reuse use cases identified by the OASIS Identity in the Cloud (IDCloud) TC in the context of Cloud authorization.

2. When necessary, the TC will work on defining missing specifications for Cloud authorization and entitlements. As a primary objective, the TC will reuse existing standards as well as standards being developed within the area of its scope, and will make an effort not to reinvent the wheel.

3. The TC will generate Cloud authorization and entitlements profiles for the Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS) models of Cloud Computing.

4. In all of its work, the TC should, to the extent feasible, prefer widely implementable, widely interoperable, modular standards, extensions, profiles, and methods that permit use by a variety of participants.

Out of Scope: Identity Management Provisioning.

(1)(d) List of deliverables

1. A document calling out in detail the specific use cases of authorization and entitlements in a Cloud Computing context that the TC plans to address in its Work Products. This document will be completed and approved by the TC by January 2013. This document will be a Non-Standards Track Work Product.

2. A Glossary defining key terms as the TC intends them to be used in its Work Products. The Glossary will be a Non-Standards Track Work Product.

3. A document detailing the configuration of relevant standards in order to allow enforcement of authorization policies to be carried out using the Cloud Computing Models of IaaS, PaaS, and SaaS. This document will be completed and approved by the TC by June 2013. This document will be a Standards Track Work Product.

4. A document detailing the configuration of relevant standards/specifications to define the download of contextual entitlements in a single call to a Policy Enforcement Point, using the Cloud Computing Models of IaaS, PaaS, and SaaS as examples in this document. This document will be completed and approved by the TC by December 2013. This document will be a Standards Track Work Product.

(1)(e) IPR Mode under which the TC will operate

The CloudAuthZ TC will operate under the Non-Assertion IPR mode as defined in the OASIS Intellectual Property Rights (IPR) Policy effective 15 October 2010.

(1)(f) Anticipated audience or users

The CloudAuthZ TC is intended for the following audiences: architects, designers and implementers of Cloud Computing Infrastructure and Services.

(1)(g) Language

TC business will be conducted in English. The output documents will be written in English.

(2) Non-normative information regarding the startup of the TC

(2)(a) Similar or Applicable Work

The TC will develop strong liaison relationships with other OASIS Technical Committees and with standards groups in the industry potentially including IETF, ITU-T, ISO, and W3C. The TC will be free to adopt liaison relationships with any standards organization as it sees fit.

Relevant work:

1. OASIS has an Identity in the Cloud (IDCloud) TC [1] and an Extensible Access Control Markup Language (XACML) TC [2], whose work will be reused as necessary.

2. IETF has Web Authorization (OAuth) work ongoing [3].

3. Rabobank, IBM, and Novay are participating in CEA, the Context-Enhanced Authorization SII Innovation Project [4].

(2)(b) Date, Time, and Location of First Meeting

The first meeting of the CloudAuthZ TC will be a teleconference to be held on Tuesday, 4 December 2012, 11:00 am to 12:00 pm Eastern. This teleconference will be sponsored by Red Hat.

(2)(c) Ongoing Meeting Plans and Sponsors

It is anticipated that the CloudAuthZ TC will meet via teleconference every two weeks for 60 minutes at a time determined by the TC members during the TC’s first meeting. It is anticipated that the CloudAuthZ TC will meet face-to-face every 6 months at a time and location to be determined by the TC members. TC members will determine the actual pace of face-to-face and teleconference meetings. One of the proposers, as listed below, will sponsor the teleconferences unless other TC members offer to donate their own facilities.

(2)(d) Proposers of the TC

Anil Saldhana, anil.saldhana@redhat.com, RedHat
Scott Stark, sstark@redhat.com, RedHat
Mark Little, mlittle@redhat.com, RedHat
Abbie Barbir, abbie.barbir@bankofamerica.com, Bank of America
Marian Radu, radu.marian@baml.com, Bank of America
Shahrokh Shahidzadeh, shahrokh.shahidzadeh@intel.com, Intel
Jonathan Sander, jonathan.sander@quest.com, Quest
Doron Grinstein, Doron.Grinstein@quest.com, Quest
Danny Thorpe, Danny.Thorpe@quest.com, Quest
Erik Rissanen, erik@axiomatics.com, Axiomatics
Gerry Gebel, ggebel@axiomatics.com, Axiomatics
David Brossard, david.brossard@axiomatics.com, Axiomatics
Thomas Hardjono, hardjono@mit.edu, MIT
Tomas Gustavsson, tomas@primekey.se, PrimeKey
Dawn Jutla, Dawn.Jutla@SMU.CA, St. Mary’s University
Prabath Siriwardena, prabath@wso2.com, WSO2
Paul Fremantle, paul@wso2.com, WSO2
Craig Forster, craig.forster@sailpoint.com, Sailpoint Technologies
Darran Rolls, darran.rolls@sailpoint.com, Sailpoint Technologies
Tony Rutkowski, tony@yaanatech.com, Yaana Technologies
Mary Ruddy, mary@meristic.com, Identity Commons
Gershon Janssen, gershon@qroot.com, Individual
Rakesh Radhakrishnan, rakesh2005@gmail.com, Individual

(2)(e) Statements of Support

Mark Little, mlittle@redhat.com, RedHat: As Primary Representative for Red Hat, we are pleased to support the OASIS Cloud Authorization Technical Committee in its work.

Abbie Barbir, abbie.barbir@bankofamerica.com, Bank of America: As Bank of America representative to OASIS, I approve the Cloud Authorization TC Charter, and endorse all BofA proposers listed.

Shahrokh Shahidzadeh, shahrokh.shahidzadeh@intel.com, Intel: As the primary representative of Intel Corp at OASIS, I would like to report that we do support the formation of the OASIS Cloud Authorization TC per the attached proposal.

Doron Grinstein, doron.grinstein@quest.com, Quest Software, Inc.: As Quest Software, Inc.’s representative to OASIS, I approve the Cloud Authorization TC Charter, and endorse all Quest proposers listed.

Erik Rissanen, erik@axiomatics.com, Axiomatics: As the OASIS primary contact for Axiomatics, I support the creation of the proposed OASIS Cloud Authorization Technical Committee as described in its Charter.

Thomas Hardjono, hardjono@mit.edu, MIT: As MIT’s representative to OASIS, I approve the Cloud Authorization TC Charter, and endorse all MIT proposers listed.

Paul Fremantle, paul@wso2.com, WSO2: As the OASIS Primary Representative for WSO2, I support the creation of the proposed OASIS Cloud Authorization Technical Committee as described in this Charter.

Tomas Gustavsson, tomas@primekey.se, PrimeKey: As primary representative, I hereby declare that I support the Cloud Authorization TC.

Dawn Jutla, Dawn.Jutla@SMU.CA, St. Mary’s University: As the primary OASIS representative of Saint Mary’s University, I support the OASIS Cloud Authorization TC charter.

Tony Rutkowski, tony@yaanatech.com, Yaana Technologies: Yaana Technologies LLC supports this charter and the creation of this TC.

Mary Ruddy, mary@meristic.com, Identity Commons: As the Identity Commons liaison to OASIS and primary representative, I approve the Cloud Authorization TC Charter.

Darran Rolls, darran.rolls@sailpoint.com, Sailpoint Technologies: As the Sailpoint Technologies primary representative, I support the OASIS Cloud Authorization TC charter.

(2)(f) TC Convener

Abbie Barbir, abbie.barbir@bankofamerica.com, will be the Convener of the CloudAuthZ TC.

(2)(g) Affiliation to Member Section

OASIS IDtrust Member Section

(2)(h) Initial Contribution

None

(2)(i) Draft Frequently Asked Questions (FAQ) (optional)

N/A

(2)(j) Working title and acronym for the Work Products to be developed by the TC

To Be Determined.

References

[1] OASIS Identity in the Cloud (IDCloud) TC
http://www.oasis-open.org/committees/id-cloud/

[2] OASIS Extensible Access Control Markup Language (XACML) TC
http://www.oasis-open.org/committees/xacml/

[3] IETF Web Authorization Protocol (OAuth) Working Group
http://datatracker.ietf.org/wg/oauth/charter/

[4] Novay Project CEA: Context-Enhanced Authorization
http://www.novay.nl/okb/projects/context-enhanced-authorization/12435