
****WORKING DOCUMENT****

5.1 Identity Management - User Account Provisioning

Actors: cloud-subscriber, cloud-subscriber-administrator, cloud-provider

Goals: The cloud-subscriber needs to provision (create) user accounts so that cloud-subscriber-users can access the cloud. Optimally, the cloud-subscriber synchronizes enterprise system-wide user accounts from its data center-based infrastructure to the cloud, as part of the process needed to streamline and enforce identical enterprise security (i.e., authentication and access control policies) on cloud-subscriber-users accessing the cloud.

Assumptions: The cloud-subscriber has well-defined policies and capabilities for identity and access management for its enterprise IT applications and data objects. The cloud-subscriber has enterprise infrastructure to support the export of cloud-subscriber-user account identity and credential data. The cloud-provider has identity provider (IdP) capabilities and provides an interface (a Web browser-based user interface or an API set) through which the cloud-subscriber can input and/or upload cloud-subscriber-user identity data for account provisioning. The cloud-subscriber can establish trusted connections to these cloud services.

Success Scenario 1 (IaaS): This scenario illustrates how a cloud-subscriber can provision user/administrator accounts (mainly IT administrators, e.g., billing manager, system administrator, network engineer) on the IaaS cloud.

Steps:
1. The cloud-subscriber-administrator gathers user identity and credential information (could be an extract or export from the enterprise's identity management store) and the account provisioning policies, including user privilege settings, such as user group/role assignment information.
2. Optionally, the cloud-subscriber-administrator transforms and formats the provisioning data into the format required by the cloud-provider.
3. The cloud-subscriber-administrator uses an identity management tool provided by the cloud-provider, through a Web browser-based user interface, a command line tool, or a set of identity management APIs, to input/upload the account provisioning data for the cloud-subscriber.
4. Optionally, the cloud-subscriber-administrator uses the cloud-provider's interface (Web browser-based, command line, or APIs) to configure access control policies for the newly provisioned user accounts, ensuring that enterprise-dictated access policies are in place in the cloud and can be leveraged by the authentication and access control mechanism deployed in the cloud.

Success Scenario 2 (PaaS, SaaS): This scenario illustrates how a cloud-subscriber can provision end user accounts in the cloud, often in bulk fashion. The user identity and credential data are often readily available from the enterprise's identity management store.

Steps:
1. The cloud-subscriber-administrator gathers user identity and credential information (often an extract or export from the enterprise's identity management store) and the security policies data, including user privilege settings, such as user group/role assignment information.
2. Optionally, the cloud-subscriber-administrator transforms and formats the identity data into a standard-compliant format, such as SPML.
3. The cloud-subscriber-administrator uses an identity management tool provided by the cloud-provider, through a Web browser-based user interface, a command line tool, or a set of identity management APIs, to upload the bulk account provisioning data for the cloud-subscriber-users.
4. The cloud-provider's identity management capabilities are now configured with the cloud-subscriber-user account data and the cloud-subscriber's access control policy is now in place to be enforced.

Failure Condition/Failure Handling: TBD (User identity meta-data information from the enterprise doesn't meet cloud-provider's requirements, etc.)
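The following is an added example, not part of the original use case or of any provider's tooling. It sketches the optional transform step of Success Scenario 2 together with the failure condition above: an enterprise export is checked against provider requirements before being formatted as an SPML v2 batch of addRequest elements (DSML profile). The CSV layout, attribute names, role list and sample records are assumptions constructed for illustration, and credential data is deliberately left out of the sample.

```python
import csv
import re
import xml.etree.ElementTree as ET

NS = {"spml": "urn:oasis:names:tc:SPML:2:0", "batch": "urn:oasis:names:tc:SPML:2:0:batch",
      "dsml": "urn:oasis:names:tc:DSML:2:0:core"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Hypothetical provider requirements (assumptions for this example).
REQUIRED = ("uid", "mail", "role")
ALLOWED_ROLES = {"billing-manager", "system-administrator", "network-engineer", "end-user"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

SAMPLE_EXPORT = """uid,mail,role
alice,alice@example.com,system-administrator
bob,bob-at-example.com,end-user
carol,carol@example.com,root
,dave@example.com,end-user
alice,alice2@example.com,end-user
"""  # constructed sample export from an enterprise identity store, not real data

def validate(row, seen):
    """Return the reasons a record fails the provider's requirements."""
    errors = [f"missing {k}" for k in REQUIRED if not (row.get(k) or "").strip()]
    if row.get("mail") and not EMAIL_RE.match(row["mail"]):
        errors.append("malformed mail")
    if row.get("role") and row["role"] not in ALLOWED_ROLES:
        errors.append("role not allowed")
    if row.get("uid") in seen:
        errors.append("duplicate uid")
    return errors

def build_batch(export_text):
    """Convert the export to an SPML batchRequest; return (xml, rejected)."""
    batch = ET.Element(f"{{{NS['batch']}}}batchRequest")
    seen, rejected = set(), []
    for n, row in enumerate(csv.DictReader(export_text.splitlines()), start=1):
        errors = validate(row, seen)
        if errors:  # fail closed: a bad record is reported, never "repaired"
            rejected.append((n, row.get("uid"), errors))
            continue
        seen.add(row["uid"])
        add = ET.SubElement(batch, f"{{{NS['spml']}}}addRequest", requestID=f"add-{n}")
        data = ET.SubElement(add, f"{{{NS['spml']}}}data")
        for name in REQUIRED:  # ElementTree escapes values, so no XML injection
            attr = ET.SubElement(data, f"{{{NS['dsml']}}}attr", name=name)
            ET.SubElement(attr, f"{{{NS['dsml']}}}value").text = row[name]
    return ET.tostring(batch, encoding="unicode"), rejected
```

Rejected records come back with their record number and reasons so the cloud-subscriber-administrator can correct them in the enterprise store, rather than having an out-of-policy role or a colliding account name silently provisioned in the cloud.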

Credit: Cloud Security Alliance's Guidance for Identity and Access Management, V2.1; Amazon AWS Identity and Access Management (IAM) tools and documentation.