Thursday, June 07, 2012

CBAC to the rescue, once again

Nishant Kaushik posts today ("How Do Governance Controls Fit Into IDMaaS?"), commenting and expanding on the issue of Identity Management as a Service first raised by Kim Cameron (and extended here) and elaborated on by Craig Burton.

Nishant's main issue with the IDMaaS discussion is that it omits the governance layer:

"What I was surprised to find missing from Kim’s and Craig’s discussion about IDMaaS were the governance controls one needs in identity management (and therefore IDMaaS) – like approval workflows, access request and access recertification."
He concludes by saying:
"I’ve always felt that one of the biggest challenges facing Enterprise IDaaS was the need to compose, in real-time and at scale, a context sensitive identity that combines assertions from various authoritative sources (selected based on the usage context) with a core identity from the users chosen identity provider."
This is just context-based access control (CBAC, sometimes called ABAC for attribute-based access control) extended to the cloud environment. A cloud-based IDMaaS would need a virtual engine with connectors to the relevant sources of authority for the attributes, a policy decision point (PDP) that evaluates those attributes, together with the usage context, against the governance rules, and a policy enforcement point (PEP) that actually issues the access token when the decision justifies it. Moving to the cloud changes the platform, changes some protocols and changes some (small r) roles, but the abstracted architecture remains the same. It's just a question of extending the reach of the governance rules we already have.
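To make that abstracted architecture concrete, here is an added illustration (not code from this blog, from Nishant's post, or from any IDMaaS product) of the engine described above: connectors to two sources of authority, a policy decision point that composes a context-sensitive identity from their attributes, a policy enforcement point that issues a signed access token only on Permit, and the governance piece the discussion turns on: a recertification window, so that an attribute nobody has reattested stops satisfying policy until an approver recertifies it. The source names, subject, attributes, policy rules, 365-day window and signing key are all constructed for the example.

```python
"""Attribute/context-based access control (ABAC/CBAC) with governance checks.

Added illustration for this post; not code from The Virtual Quill, Nishant
Kaushik, or any IDMaaS product. Every source name, subject, attribute,
policy rule, window and key below is constructed for the example.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2012, 6, 7, tzinfo=timezone.utc)   # fixed clock for the example
RECERT_WINDOW = timedelta(days=365)                 # assumed recertification policy
TOKEN_KEY = b"constructed-demo-key"                 # PEP signing key (demo only)


@dataclass
class Attribute:
    name: str
    value: str
    source: str              # authoritative source that asserted it
    certified_at: datetime   # when an owner last attested it is still true
    certified_by: str = "unknown"


# Connectors to the sources of authority. Constructed data: in an IDMaaS
# deployment these would be HR, the corporate directory, an ERP system, etc.
SOURCES = {
    "hr": {"alice": [Attribute("department", "finance", "hr",
                               NOW - timedelta(days=30), "hr-feed")]},
    "directory": {"alice": [Attribute("role", "ap-approver", "directory",
                                      NOW - timedelta(days=400), "some-admin")]},
}

# Policy: which attributes (and what runtime context) justify each action.
POLICY = [
    {"resource": "ap-ledger", "action": "approve",
     "require": {"department": {"finance"}, "role": {"ap-approver"}},
     "context": lambda ctx: ctx.get("mfa") is True},
    {"resource": "ap-ledger", "action": "read",
     "require": {"department": {"finance"}},
     "context": lambda ctx: True},
]


def compose_identity(subject, now=NOW):
    """Build the context-sensitive identity from every connector.
    An attribute past its recertification window is treated as absent (and
    reported as stale), so an ungoverned assertion can never satisfy policy."""
    attrs, stale = {}, []
    for store in SOURCES.values():
        for a in store.get(subject, []):
            if now - a.certified_at > RECERT_WINDOW:
                stale.append(a)
            else:
                attrs[a.name] = a.value
    return attrs, stale


def pdp_decide(subject, resource, action, context, now=NOW):
    """Policy decision point: Permit or Deny from attributes plus context."""
    attrs, stale = compose_identity(subject, now)
    for rule in POLICY:
        if (rule["resource"], rule["action"]) != (resource, action):
            continue
        satisfied = all(attrs.get(k) in allowed
                        for k, allowed in rule["require"].items())
        if satisfied and rule["context"](context):
            return "Permit", attrs, stale
    return "Deny", attrs, stale


def pep_issue_token(subject, resource, action, context, now=NOW):
    """Policy enforcement point: mint a signed access token only on Permit."""
    decision, attrs, _ = pdp_decide(subject, resource, action, context, now)
    if decision != "Permit":
        return None
    claims = {"sub": subject, "res": resource, "act": action, "attrs": attrs,
              "exp": (now + timedelta(minutes=10)).isoformat()}
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def pep_verify_token(token):
    """Check the token signature and return its claims, or None if forged."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def recertify(subject, source, attr_name, approver, now=NOW):
    """Governance workflow step: an approver attests the attribute is still
    true, which restarts its recertification clock. Returns the attribute."""
    for a in SOURCES[source].get(subject, []):
        if a.name == attr_name:
            a.certified_at, a.certified_by = now, approver
            return a
    return None
```

With this data, alice's "ap-approver" role was set by some admin 400 days ago and never reattested, so "approve" on the ledger is denied even with MFA, while "read" (justified by the fresh HR department attribute) is permitted; once a finance manager recertifies the role, "approve" is permitted, but only when the MFA context condition also holds. The point of the stale-attribute check is that an ABAC engine is only as trustworthy as the attributes fed to it: dropping unrecertified attributes at decision time is what turns a recertification campaign from a paperwork exercise into something the PDP actually enforces.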

Most attribute or role stores are not well governed today. Usually some admin has set an attribute and has no idea if that attribute is still true. Governance of attributes is sorely needed, and that includes workflow and recertification. I think that was NK's point.

© 2003-2006 The Virtual Quill, All Rights Reserved
