Abstract

In the past, identity management solutions evolved to address the challenges of username/password-based systems and to provide a seamless single sign-on (SSO) experience for the user. With the advent of large-scale cloud services, existing SSO solutions that authenticate using only a username/password need to be revisited. We propose the use of platform capabilities and integrated credentials as criteria for authenticating and authorizing cloud service requesters. A cloud service requester can be any type of device, including PCs, TVs, laptops, phones, tablets and so on. Depending on the device type, its capabilities can offer information that may be necessary, and sometimes sufficient, to provide access to a given service. More specifically, a user may not have to enroll to get certain types of cloud services, because the platform capabilities and intrinsic certificates may be sufficient without user-specific information or input. For example, if a device can provide secure geo-specific information, then services that are provided for devices in a certain geo can be qualified based on the provided geo information without any additional input. For services that are restricted to enrolled users, instead of establishing a username/password, PKI certificates can be embedded on the device, which is secured using the platform capabilities. This will allow secure yet seamless access to such cloud services. Such a model, in which a user ID is not mandatory but is available where a service requires it, allows for enhanced privacy without jeopardizing security. Additionally, the flexibility of such a model may allow identity management policies to be scaled as required for various types of cloud services.
