Re: [WG-CloudIDSec] Thank you for signing the GPA for the Cloud Identity and Security Best Practices WG


Neil McEvoy

Feb 6, 2015, 6:36:17 AM
to Oliver Maerz, wg-clo...@kantarainitiative.org, Salvatore D'Agostino

Hi guys

Actually I was just discussing with Sal that the group has been dormant for a while, but now may be time to re-start our efforts with a fresh agenda and schedule.

Polling the group to see appetite for this....??

Neil.


- IDaaS group agenda: Update

For refreshed agenda ideas I'd like to suggest incorporating some IDaaS specific materials into a 'G-Cloud for Europe' content campaign I am working on right now, as there are specific Identity requirements outlined in recent RFPs published by the EU for their pan-European Cloud plans and requirements.

Here is the start of this paper:


Specifically in the EU RFPs they ask for a number of requirements that are Identity related:

1. Secure Interoperable Authentication:

"All lots need some way of authentication. This can be by the public administration during service provision, or by the end user. Where authentication is involved, standard protocols need to be provided. In particular, the European cross-border interoperability framework provided by STORK and STORK 2.0 needs to be supported, the upcoming interoperability framework defined by the eIDAS Regulation, respectively."

"Where authentication is needed, standard protocols must be provided. The European eID interoperability framework provided by STORK and the eIDAS Regulation shall be supported. I.e., the provided service must allow holders of an European eID supported by STORK (a notified eID under the eIDAS Regulation, respectively) to use this eID to authenticate."

"The eIDAS Regulation (Regulation of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC) is to be considered. On the authentication process, the interoperability framework under article 12 of eIDAS is not yet defined. The bidders can take the STORK protocol (SAML 2.0, WebSSO) as working assumption."

2. Legislation-aware Cloud storage

Their ultimate goal is "legislation-aware" cloud services, incorporating digital archiving through identity, including to more cutting edge Personal Cloud areas that would suggest an opportunity for UMA. I.e., they want very granular controls over data access, including reporting alerts for unauthorized access, that are built into the Cloud services.


On Wed, Jan 14, 2015 at 10:03 PM, Oliver Maerz <oli...@kantarainitiative.org> wrote:
Hello Jim,

Thank you for your email. And yes, the group is active and the work group conference call is on the first Tuesday of the month (Time: 07:00 PT | 10:00 ET | 14:00 UTC). So the next call will be on February 3, 2015.  I am cc'ing Neil for confirmation. 

Thanks,
Oliver

---------- Forwarded message ----------
From: Meck, Jim <jm...@mitre.org>
Date: Wed, Jan 14, 2015 at 6:48 PM
Subject: RE: Thank you for signing the GPA for the Cloud Identity and Security Best Practices WG
To: Oliver Maerz <oli...@kantarainitiative.org>


Oliver, Thank you.  Glad to be aboard.  I will check the site for a meeting schedule.  I understand and respect the drill as a voting member.  Question please – I couldn’t immediately find a scheduled entry for the Cloud Identity and Security Best Practices WG.  Is the WG active and I simply didn’t look hard enough for a meeting schedule, or is the WG more event/demand driven?

 

Will check a bit harder.  Thank you for the welcome.

Jim 

 

From: Oliver Maerz [mailto:oli...@kantarainitiative.org]
Sent: Wednesday, January 14, 2015 4:37 PM
To: Meck, Jim
Cc: Neil McEvoy
Subject: Thank you for signing the GPA for the Cloud Identity and Security Best Practices WG

 

Thank you for signing the GPA for the Cloud Identity and Security Best Practices WG.  You are also subscribed to the list serve.

 

To manage your password, log in (jim.meck) at http://idp.kantarainitiative.org/ and change it there, then your update will be reflected on the Kantara Initiative Confluence Wiki site.  Note that all of the passwords are managed at the respective IdPs and not with Kantara Initiative.

 

You have signed the agreement as a "voting" member.  Just to note, as a voting participant, should you fail to attend two consecutive meetings of the group, you may at the discretion of the Chair be re-classified as a non-voting member. Voting status may be reacquired by attending a meeting of the group.  Because your participation status is "voting", you now contribute to our quorum requirements (noting over 50% voting participants needed for quorum).

 

Please let me know if you have questions, we look forward to your participation with the group.

 

Regards,

Oliver

 

--

Oliver Maerz

External Consultant

 

Kantara Initiative  

 

 

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. No representation is made on its accuracy or completeness of the information contained in this electronic message. Certain assumptions may have been made in the preparation of this material as at this date, and are subject to change without notice. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this e-mail and any attachment(s) is strictly prohibited. Please reply to Oliver Maerz and destroy all copies of this message and any attachments from your system.

 

 




--
Oliver Maerz
External Consultant

Kantara Initiative  







--

Colin Wallis

Feb 25, 2015, 9:50:28 PM
to wg-clo...@kantarainitiative.org, Sal
Hi Neil
CloudID Sec came up on the Leadership Council call today which prompted me to respond to this.
Certainly there is lots of activity going on in Europe, what with eIDAS, G-Cloud and so on.
There also is a lot of competition for mind share as well.
And there are many more groups, listservs, and forums than there are active participants to fill them.
I guess it comes down to the degree of motivation folks have to put their time in, relative to all the other activities competing for that share of time.   
The scope and scale of the effort is huge, and IMHO the effort involved to get significant attention will be considerable.
And the space is maturing quite well.
Cloud Service Providers are embracing standards on security, privacy, interoperability, portability and putting in connectors and APIs to make Identity in the cloud a reality.
I'm not sure I can add anything significant to the discussion and potential work items, given my own competing priorities, but that may change! 
Given things have been quiet here, maybe the best course of action is to drop back to a Discussion Group for 2015, and re-evaluate if there is sufficient interest/work items to move back up to a Working Group in a year? 
Cheers
Colin   

Date: Fri, 6 Feb 2015 11:36:14 +0000
From: neil....@cloudbestpractices.net
To: oli...@kantarainitiative.org; wg-clo...@kantarainitiative.org
CC: s...@idmachines.com
Subject: Re: [WG-CloudIDSec] Thank you for signing the GPA for the Cloud Identity and Security Best Practices WG




<snip>
