Posted 6:53 AM

CBAC to the rescue, once again

Nishant Kaushik posts today ("How Do Governance Controls Fit Into IDMaaS?"), commenting and expanding on the issue of Identity Management as a Service first raised by Kim Cameron (and extended here) and elaborated on by Craig Burton.

Nishant's main issue with the IDMaaS discussion is that it omits the governance layer:

"What I was surprised to find missing from Kim’s and Craig’s discussion about IDMaaS were the governance controls one needs in identity management (and therefore IDMaaS) – like approval workflows, access request and access recertification."

 He concludes by saying:

"I’ve always felt that one of the biggest challenges facing Enterprise IDaaS was the need to compose, in real-time and at scale, a context sensitive identity that combines assertions from various authoritative sources (selected based on the usage context) with a core identity from the users chosen identity provider."

 This is just Context-based Access Control (CBAC, sometimes called ABAC for Attribute-based Access Control) extended to the cloud environment. The cloud-based IDMaaS would need a virtual engine with connectors to the relevant sources of authority for the attributes as well as a policy enforcement point (PEP) to actually grant the access token if justified. Moving to the cloud changes the platform, changes some protocols and changes some (small r) roles, but the abstracted architecture remains the same. It's just a question of extending the reach of the governance rules we already have.