Actors: cloud-subscriber, cloud-subscriber-administrator, cloud-provider
Goals: The cloud-subscriber requires that changes to user credentials in the enterprise's identity provider system be automatically communicated to the corresponding infrastructure in the cloud-provider's system, so that the integrity of access and conformance to enterprise policies are maintained in near real time. This is an extension and optimization of the use case for User Account Provisioning.
Assumption: The cloud-subscriber has well-defined policies and capabilities for identity and access management for its enterprise IT applications and data objects. The cloud-subscriber has enterprise infrastructure to support the export of user account identity and credential data. The cloud-provider has identity provider capabilities and has provided an interface (a Web browser-based user interface or an API set) to accept the cloud-subscriber's input and/or upload of cloud-subscriber-user identity data for account synchronization. The cloud-provider's identity provider capabilities have been set up to communicate securely with the cloud-provider's identity management interface (APIs).
Success Scenario (IaaS):
Steps: The cloud-subscriber-administrator creates/schedules a repeatable job to monitor changes to the enterprise's identity provider store, and configures the policies to synchronize those changes to the cloud-provider's identity management interface (APIs). The scheduled job monitors changes in user identity and credential data and bulk-processes updates to the cloud-provider's identity management sub-system in near real time, thus keeping the identity and credential data in sync.
Failure Condition/Failure Handling: The cloud-subscriber-user accesses the cloud application/service/data between the credential change and its synchronization, which breaks the integrity of access and conformance to enterprise policy.
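The steps and the failure condition above, as an added example that is not part of the NIST use case text. Both the enterprise identity provider store and the cloud-provider's identity management API are simulated in memory (a real provider would expose a SCIM or vendor-specific bulk endpoint; the `CloudIdentityAPI` class, its `bulk_update`/`authenticate` methods and the `SyncJob` scheduler are assumptions made for this illustration). The job pushes only records whose change counter is newer than the last synchronized version, the cloud side refuses stale records, and `demo()` reproduces the failure window: a user disabled in the enterprise store is still accepted by the cloud until the next sync run. `pending_lag_seconds()` is the check a defender would alert on when the gap exceeds the policy window.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    """One user record as exported by the enterprise identity provider."""
    username: str
    salt: bytes
    credential_hash: bytes   # PBKDF2-SHA256 of the password; the clear password is never exported
    enabled: bool
    version: int             # change counter assigned by the enterprise store
    changed_at: float        # time.time() of the last change, used to measure sync lag


def hash_credential(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EnterpriseIdentityStore:
    """Simulated enterprise identity provider store (constructed for this example)."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self._version = 0

    def _next_version(self) -> int:
        self._version += 1
        return self._version

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(username, salt, hash_credential(password, salt),
                                           True, self._next_version(), time.time())

    def disable(self, username: str) -> None:
        acct = self._accounts[username]
        self._accounts[username] = replace(acct, enabled=False,
                                           version=self._next_version(), changed_at=time.time())

    def changed_since(self, version: int) -> list[Account]:
        """Records changed after `version`, oldest first; this is what the job polls."""
        return sorted((a for a in self._accounts.values() if a.version > version),
                      key=lambda a: a.version)


class CloudIdentityAPI:
    """Simulated cloud-provider identity management interface (assumed; a real
    provider would expose e.g. a SCIM or vendor-specific bulk endpoint)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def bulk_update(self, accounts: list[Account]) -> int:
        applied = 0
        for acct in accounts:
            current = self.accounts.get(acct.username)
            if current is None or current.version < acct.version:  # never apply stale data
                self.accounts[acct.username] = acct
                applied += 1
        return applied

    def authenticate(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None or not acct.enabled:
            return False
        return hmac.compare_digest(hash_credential(password, acct.salt), acct.credential_hash)


class SyncJob:
    """The repeatable job the cloud-subscriber-administrator schedules."""

    def __init__(self, store: EnterpriseIdentityStore, cloud: CloudIdentityAPI) -> None:
        self.store, self.cloud, self.last_version = store, cloud, 0

    def run_once(self) -> int:
        """Push all changes since the last run in one bulk call; returns records applied."""
        changes = self.store.changed_since(self.last_version)
        if not changes:
            return 0
        applied = self.cloud.bulk_update(changes)
        self.last_version = changes[-1].version
        return applied

    def pending_lag_seconds(self) -> float:
        """Age of the oldest change not yet pushed; alert when this exceeds the policy window."""
        pending = self.store.changed_since(self.last_version)
        return time.time() - pending[0].changed_at if pending else 0.0


def demo() -> dict[str, bool]:
    """Reproduce the failure condition: access between a change and its synchronization."""
    store, cloud = EnterpriseIdentityStore(), CloudIdentityAPI()
    job = SyncJob(store, cloud)
    store.set_password("alice", "Correct-Horse-1")      # constructed sample user
    job.run_once()
    store.disable("alice")                               # enterprise revokes access...
    before = cloud.authenticate("alice", "Correct-Horse-1")  # ...but the cloud still accepts it
    job.run_once()
    after = cloud.authenticate("alice", "Correct-Horse-1")
    return {"accepted_before_sync": before, "accepted_after_sync": after}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `{'accepted_before_sync': True, 'accepted_after_sync': False}`, which is exactly the window the failure condition describes. In a production job the cloud side's version check matters as much as the polling interval: if two sync runs overlap or a retry replays an old batch, rejecting records with a lower version prevents a revoked credential from being silently re-enabled.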