Attempt at a tangible security use case / rough format


Matt Rutkowski

Dec 10, 2009, 9:40:56 PM
to Cloud Computing Use Cases
Here is an example of a customer-level use case that highlights
security that should resonate with many people:

Use Case:
Rapidly Scaling an Insurance Application using a Public Cloud

Description:
An insurance company’s new insurance policy claims application has
proven to be valuable in capturing customer and property damage data.
A hurricane is predicted to hit the gulf coast region of the United
States and the IT Staff wishes to elastically scale out the new
application to accommodate the additional customers and field agents
that may need it in the aftermath. The company's IT Staff selects a
Public Cloud Provider that uses open security standards to fulfill
their short-term compute needs and host additional images of their
insurance policy claims application.

View:
Customer, IT Staff

Security Patterns Featured:
- Federated Trust (certificate/key exchange b/w enterprise, cloud
provider)
- Federated Access Control (security policy applied at cloud provider)
- Federated Configuration Management (application configuration,
metadata and access policy applied at cloud provider)

Security Areas Impacted:
- Key/Cert. Mgmt. (trust, key exchange, key/cert store)
- Identity Management, Entitlement, Access Control
- Configuration Mgmt. (image configuration, app. policy)
- Storage Security (application image, metadata)

Underlying Standards:
- x509 Certificates (Trust, key exchange)
- SAML 2.0 (admin identity and entitlements)
- OVF Application Images & Metadata
- SPML (service provisioning)

One could carry the example further by having an agent of the insurance
company then use Federated SSO (authenticating through an external
Identity Provider) to establish credentials that can use Federated
Identity to access the application being hosted at the new public
cloud provider. We could break down the scenario into the steps needed
to fulfill it and feature each security pattern and management/infrastructure
control that is needed from the security framework.

What other parts to a use case template do we need for security-based
use cases?

Do we need to clarify internal/external considerations (provider vs.
customer)? Do we need a new taxonomy for these use cases?

Matt Rutkowski

Dec 14, 2009, 2:39:56 PM
to Cloud Computing Use Cases
It seems that much of this use case I posted here has been copied
without attribution (as if it were his own) here:
http://sentry-com.net/blog/?p=251&cpage=1#comment-4265

Apparently, the author has some thoughts around end-user form
encryption, and I am disappointed he did not choose to carry on the
discussion here in the open.

I have submitted a "reply" to this effect from the blog entry and
hopefully will see some result; however, I will note that he controls
which replies/responses get approved, as the blog site is hosted as part
of his company's on-line presence.

Quite disappointing for now...

On Dec 10, 8:40 pm, Matt Rutkowski <mrutkowsk...@gmail.com> wrote:
> Here is an example of a customer-level use case that highlights
>

Paulo Calcada

Dec 15, 2009, 3:05:56 AM
to cloud-comput...@googlegroups.com
I think that we should include, in the "Underlying Standards" section, governance technologies such as XACML from OASIS. I think that these kinds of technologies will play an important role in the correct deployment of a solution such as the one presented by this scenario.

Paulo

--
http://pcalcada.name

Gary Mazz

Dec 15, 2009, 10:47:10 AM
to cloud-comput...@googlegroups.com
Calling out existing methods and underlying technologies is not a use
case but solutions. There can be use case patterns including
recognition of relationships, mandates and regulations, the
identification of assets and possibly risk models. Calling out any
technologies or functional areas falls into the areas of best practices
and solutions, which is widely different than a use case document.

my 2 cents

cheers,
gary mazz

Matt Rutkowski wrote:
> Here is an example of a customer-level use case that highlights
> security that should resonate with many people:
>
> Use Case:
> Rapidly Scaling an Insurance Application using a Public Cloud
>
> Description:
> An insurance company’s new insurance policy claims application has

drus...@ca.ibm.com

Dec 15, 2009, 12:43:33 PM
to Cloud Computing Use Cases
I am happy to report that Dr. Eli Talmor of SentryCom Ltd. has updated
his post and provided the correct attribution.

To Dr. Eli Talmor, thank you.

Dave

Paulo Calcada

Dec 15, 2009, 12:48:25 PM
to cloud-comput...@googlegroups.com

;)
--
http://pcalcada.name

Matt Rutkowski

Jan 13, 2010, 10:26:27 AM
to Cloud Computing Use Cases
Paulo,

I completely agree that XACML is an important open standard to
reference for policy representation and endpoint enforcement. It
would appear on every use case (wherever there is a policy
enforcement point (PEP) to access a cloud-based resource). With this
use case I was trying to focus more on the "trust" establishment and
identity, since this was a "simple" access by a single user. If you
look at another use case I posted (showing new application test and
development), perhaps this involves more role-based access control and
should list XACML there (if I forgot, I will have to look).

Thanks for the reminder,
Matt
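The "Federated Access Control" pattern in the original use case and the XACML discussion above both hinge on the same structure: a policy enforcement point (PEP) in front of the cloud-hosted claims application asks a policy decision point (PDP) to evaluate attribute-based rules and then fails closed. The block below is an added example, not code from this thread, from OASIS, or from any XACML implementation; it models XACML's request categories (subject, resource, action, environment), rule effects and a deny-overrides combining algorithm in plain Python. The identity-provider URL, the roles, the claim record, the assurance levels and the policy itself are all constructed for illustration.

```python
"""Minimal XACML-style PEP/PDP for a cloud-hosted claims application.

Added example (not the thread's, OASIS's or any product's code). The
policy, roles, IdP entity id and assurance levels are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request is a set of attribute categories, as in XACML:
# subject, resource, action and environment, each a name -> value map.
Request = Dict[str, Dict[str, str]]

ENTERPRISE_IDP = "https://idp.insurer.example"  # constructed IdP entity id


@dataclass
class Rule:
    rule_id: str
    effect: str                        # PERMIT or DENY when the target matches
    target: Callable[[Request], bool]  # predicate over request attributes


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule]
    combining: str = "deny-overrides"  # conflict resolution between rules


def attr(req: Request, category: str, name: str, default=None):
    """Fetch one attribute value; missing attributes never raise."""
    return req.get(category, {}).get(name, default)


def evaluate(policy: Policy, req: Request) -> str:
    """PDP: evaluate each rule's target, then combine the matching effects."""
    effects = [rule.effect for rule in policy.rules if rule.target(req)]
    if not effects:
        return NOT_APPLICABLE
    if policy.combining == "deny-overrides":
        return DENY if DENY in effects else PERMIT
    if policy.combining == "permit-overrides":
        return PERMIT if PERMIT in effects else DENY
    raise ValueError(f"unknown combining algorithm: {policy.combining}")


def pep_authorize(policy: Policy, req: Request, audit: List[dict]) -> bool:
    """PEP: ask the PDP, record the decision, and fail closed.

    Only an explicit Permit grants access; Deny, NotApplicable and any
    error during evaluation (an Indeterminate result) all refuse it.
    """
    try:
        decision = evaluate(policy, req)
    except Exception as exc:           # e.g. a malformed attribute value
        decision = f"Indeterminate ({exc})"
    audit.append({
        "subject": attr(req, "subject", "id"),
        "resource": attr(req, "resource", "id"),
        "action": attr(req, "action", "id"),
        "decision": decision,
    })
    return decision == PERMIT


# Constructed policy for the claims application hosted at the cloud provider.
claims_policy = Policy("claims-app-at-cloud-provider", [
    Rule("permit-agent-read-update", PERMIT, lambda r:
         attr(r, "resource", "app") == "claims"
         and attr(r, "subject", "role") in {"field-agent", "claims-adjuster"}
         and attr(r, "action", "id") in {"read", "update"}),
    # Only identities asserted by the enterprise IdP (federated SSO) count;
    # accounts created locally at the provider are refused.
    Rule("deny-unfederated-identity", DENY, lambda r:
         attr(r, "subject", "idp") != ENTERPRISE_IDP),
    # Writes require an assertion at assurance level 2 or higher.
    Rule("deny-low-assurance-update", DENY, lambda r:
         attr(r, "action", "id") == "update"
         and int(attr(r, "environment", "assurance_level", "0")) < 2),
    # Closed claims are read-only for everyone.
    Rule("deny-closed-claim-update", DENY, lambda r:
         attr(r, "action", "id") == "update"
         and attr(r, "resource", "status") == "closed"),
])


def make_request(subject_id, role, idp, action, status="open", assurance="2") -> Request:
    """Build a request for the claims app from constructed attribute values."""
    return {
        "subject": {"id": subject_id, "role": role, "idp": idp},
        "resource": {"id": "claim-1001", "app": "claims", "status": status},
        "action": {"id": action},
        "environment": {"assurance_level": assurance},
    }


if __name__ == "__main__":
    audit_log: List[dict] = []
    for req in [
        make_request("alice", "field-agent", ENTERPRISE_IDP, "read"),
        make_request("alice", "field-agent", ENTERPRISE_IDP, "update", status="closed"),
        make_request("bob", "claims-adjuster", "https://cloud.example/local", "read"),
        make_request("alice", "field-agent", ENTERPRISE_IDP, "update", assurance="1"),
        make_request("alice", "field-agent", ENTERPRISE_IDP, "delete"),
    ]:
        pep_authorize(claims_policy, req, audit_log)
    for entry in audit_log:
        print(entry)
```

Two design points carry over to a real deployment: the PEP never interprets the rules itself, so the same policy document can be handed to the cloud provider's enforcement point as part of the federated configuration, and every decision is appended to an audit record, which is what lets the enterprise review what the provider's PEP actually allowed after the surge.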

Gary Mazz

Jan 13, 2010, 11:39:06 AM
to cloud-comput...@googlegroups.com
Hi Matt,

This looks like a significant effort, attempting to document and derive
requirements from the use cases. For example, insurance regulations as
well as privacy mandates vary widely between local and federal mandates.
Even well-funded organizations missioned with security have been long to
avoid this type of effort.

From the outcome of the scenario below, it looks like we are
reinventing the wheel. Much of the outcome work has been done by Liberty
Alliance, Kantara and ENISA. I've attached the ENISA
cloud risk assessment document.

-gary

<<snip from other email to this group >>
Here is a little-known Kantara Initiative working identity management
issues: http://www.kantarainitiative.org Here is a link to their
collaboration groups web page:
http://kantarainitiative.org/wordpress/groups This is the link to
their identity framework document:
http://kantarainitiative.org/confluence/download/attachments/655421/Kantara+IAF-1200-Levels+of+Assurance.doc
Here is the Liberty Alliance application and detailing of the levels:
http://eap.projectliberty.org/docs/Trust_Framework_010605_final.pdf


Matt Rutkowski wrote:
> Here is an example of a customer-level use case that highlights
> security that should resonate with many people:
>
> Use Case:
> Rapidly Scaling an Insurance Application using a Public Cloud
>
> Description:
> An insurance company’s new insurance policy claims application has

Cloud Computing Security Risk Assessment[1].pdf