There's a new standard aimed at the cloud and this one is focused squarely on a significant gap - authorization.
The Cloud Authorization (CloudAuthZ) technical committee (TC) spun up Dec. 4 at the Organization for the Advancement of Structured Information Standards (OASIS) to tackle standards for determining the optimal way to enforce policies on who can do what within a cloud environment.
The idea is those standards become part of a cloud infrastructure and support entitlement data and authorization policies used to control a user's access to resources.
"This TC is looking at what happens after authentication and user provisioning has occurred," said Gerry Gebel, a member of the TC and president of Axiomatics Americas. "After that, now what can you do and how is that authorization process facilitated and standardized." (Listen here to Gebel answer my five questions about CloudAuthZ - social login required).
The approach is to deliver a subset of entitlements and attributes in a single batch so that authorization decisions can be made locally, a design that cuts the number of round trips to the authorization server.
"This is all about standard delivery of contextual attributes and entitlements to a decision-making point," said Anil Saldhana, co-chair of the TC and a security architect at RedHat. "In cloud computing, the resources are limited and rather than making a hundred authorization calls it makes sense to make one call to an authorization server, get entitlements or permissions, and make decisions locally."
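An added illustration of that single-call model, not code from the TC or any vendor: a stub policy enforcement point fetches one constructed entitlement batch per subject and then answers requests locally until the batch's TTL lapses, at which point it refetches rather than keep deciding on stale data. The batch format, the field names, the sample entitlements and the expiry rule are all assumptions of the example.

```python
from dataclasses import dataclass

@dataclass
class EntitlementBatch:
    """One batch of attributes and entitlements delivered to a PEP (constructed format)."""
    subject: str
    issued_at: float
    ttl_seconds: int
    attributes: dict      # contextual attributes asserted by the authorization server
    entitlements: list    # dicts: {"resource", "action", "conditions"}

    def expired(self, now: float) -> bool:
        return now >= self.issued_at + self.ttl_seconds

class AuthzServerStub:
    """Stands in for the remote authorization server and counts round trips."""
    def __init__(self):
        self.calls = 0

    def fetch_batch(self, subject: str, now: float) -> EntitlementBatch:
        self.calls += 1
        # Constructed sample response; a real server would evaluate its XACML policies.
        return EntitlementBatch(
            subject=subject, issued_at=now, ttl_seconds=300,
            attributes={"department": "finance", "device": "managed"},
            entitlements=[
                {"resource": "ledger", "action": "read", "conditions": {}},
                {"resource": "ledger", "action": "write", "conditions": {"location": "office"}},
                {"resource": "hr_records", "action": "read", "conditions": {"department": "hr"}},
            ])

class LocalPEP:
    """PEP that makes one call per subject, then decides locally until the batch expires."""
    def __init__(self, server: AuthzServerStub):
        self.server = server
        self.cache = {}   # subject -> EntitlementBatch

    def decide(self, subject: str, resource: str, action: str, context: dict, now: float) -> bool:
        batch = self.cache.get(subject)
        if batch is None or batch.expired(now):
            batch = self.server.fetch_batch(subject, now)   # the single remote call
            self.cache[subject] = batch
        # Server-asserted attributes win over request-supplied context, so a caller
        # cannot claim a department or device the server did not deliver.
        attrs = {**context, **batch.attributes}
        for ent in batch.entitlements:
            if ent["resource"] == resource and ent["action"] == action and all(
                    attrs.get(k) == v for k, v in ent["conditions"].items()):
                return True
        return False   # default deny when no entitlement matches
```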
The group plans to develop profiles and use cases so authorization decisions can be made using end-user attributes such as location, device, age, and department. The profiles will offer standardized mechanisms for compliance monitoring.
The TC, which includes end-user companies such as Bank of America, Boeing, and JP Morgan Chase Bank, intends to leverage existing protocols such as OAuth and the Extensible Access Control Markup Language (XACML), which also was developed at OASIS, to enable delivery of attribute data to policy enforcement points (PEPs).
The TC will generate cloud authorization and entitlement profiles for Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), and Software-as-a-Service (SaaS) models.
The TC plans to produce a document detailing the specific authorization and entitlement use cases for cloud computing that the group intends to tackle. It also will develop a glossary of terms, a document detailing the relevant standards for enforcing authorization policies in different cloud models, and a document defining methods of downloading data to a policy enforcement point with a single call.
That work should be completed in the next 12 months, according to the group's charter, which says its work is aimed at architects, designers and implementers of cloud computing infrastructure and services.