
The NIST Cloud Federation Reference Architecture


fundamental starting points such as a definition of cloud computing and a cloud computing reference architecture. NIST has also produced a “USG Cloud Computing Standards and Technology” Roadmap (NIST SP 500-293, 2014), which discusses and highlights a set of high priority requirements for the adoption of cloud computing.


Transcription of The NIST Cloud Federation Reference Architecture

NIST Special Publication 500-332
The NIST Cloud Federation Reference Architecture

Craig A. Lee, Information Systems and Cyber Division, The Aerospace Corporation
Robert B. Bohn, NIST Cloud Computing Program, Advanced Networking Technologies Division, Information Technology Laboratory, NIST
Martial Michel, Data Machines Corporation

This publication is available free of charge from:

February 2020

Department of Commerce, Wilbur L. Ross, Jr., Secretary
National Institute of Standards and Technology, Walter Copan, NIST Director and Undersecretary of Commerce for Standards and Technology

National Institute of Standards and Technology (NIST) Special Publication 500-332, 92 pages (February 2020)

Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by Federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, Federal agencies may wish to closely follow the development of these new publications by NIST. Organizations are encouraged to review all publications during public comment periods and provide feedback to NIST.

All NIST publications are available at

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Advanced Networking Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8920)
Gaithersburg, MD 20899-8920

All comments are subject to release under the Freedom of Information Act (FOIA).

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at NIST promotes the economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology (IT). ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems. This document reports on ITL's research, guidance, and outreach efforts in IT and its collaborative activities with industry, government, and academic organizations.

Abstract

This document presents the NIST Federated Cloud Reference Architecture model. This actor/role-based model uses the guiding principles of the NIST Cloud Computing Reference Architecture to develop an eleven-component model. This document describes these components individually and how they function as an ensemble. There are many possible deployment and governance options, which lend themselves to a suite of federation options ranging from simple to complex. The basics of cloud federation can be described through the interactions of the actors in a layered, three-plane representation of trust, security, and resource sharing and usage. Possible future standards and use cases are also described in great detail.

Key words: Federation; Identity; Resources; Authentication; Authorization; Cloud Computing.

Table of Contents

Executive Summary .. viii
1. Introduction .. 1
  Background .. 1
  Report Production .. 2
  Report Structure .. 2
2. The Essence of Federation .. 3
  Essential Characteristics of a Cloud Federation .. 4
  Federations as Virtual Administrative Domains .. 4
  Federation Membership and Identity Credentials .. 5
  Shared Resource Metadata and Discovery .. 5
  Federation Governance .. 6
  Further Observations .. 6
  Illustrating Federation: A Three-Plane .. 7
  Some Federation Use Case Examples .. 9
3. The Cloud Federation Reference .. 10
  Administrative Domains .. 12
  Regulatory Environments .. 12
  Identity Provider .. 12
  Cloud Service Consumer .. 13
  Cloud Service Provider .. 13
  Cloud Service Management .. 13
  Resource Abstraction and Control Layer .. 14
  Federation Operator .. 15
  Federation Manager .. 15
  Federation Membership Management .. 16
  Federation Policy Management .. 17
  Federation Resource Management .. 18
  Federation Monitoring & Reporting .. 19
  Federation Accounting & Billing .. 19
  Federation Portability & Interoperability .. 19
  Federation Auditor .. 20
  Federation Broker .. 20
  Federation Carrier .. 22
  Security .. 22
4. Federation Governance: Requirements and .. 23
  Federation Instantiation .. 23
  Federation Discovery .. 24
  Federation Membership .. 25
  Membership Criteria and Requirements .. 25
  New Member On-boarding Process .. 26
  A Member's Federation Identity .. 26
  Individual and Organizational Memberships .. 27
  Federated Resource Availability and Discovery .. 27
  Federated Resource Access .. 28
  Monitoring, Reporting, Accounting, Auditing, and Incident .. 29
  Termination .. 29
5. Deployment Models .. 30
  Basic Site and Federation Manager (FM) Deployments .. 31
  Centralized FM Deployments .. 32
  Pair-wise FM Deployments .. 32
  Larger FM Deployments .. 33
  Mixed Internal/External FM Deployments .. 34
  Federation Auditor Deployments .. 35
  Federation Broker Deployments .. 35
6. Deployment Governance: Requirements and .. 37
  Trust Federations .. 37
  Establishing Trust Federations .. 37
  On-boarding New Site Members: Establishing Site-to-FM Trust .. 38
  On-Boarding New Federation Managers: Establishing FM-to-FM Trust .. 39
  Transitivity and Delegation of Trust .. 40
  Federations and Trust Federations at Scale .. 40
7. A Catalog of Deployment Properties .. 41
8. Existing Tools and Standards Relevant to NIST's Cloud Federation Reference Architecture .. 44
9. Areas of Possible/Needed Federation-Specific Standards .. 45
  Federation Manager Protocols and API Standards .. 45
  Federation Definition Standards .. 46
  Federation Discovery and Provisioning .. 47
10. Final Observations .. 47
References .. 48
Appendix A. Cloud Federation Terms and Definitions .. 50
Appendix B. Example Use Cases .. 59
  The Conflated Road Dataset Workflow .. 59
  The WS02-OpenID Connect Use Case .. 74

List of Tables

Table 1: Deployment Models and Trust Relationships .. 37
Table 2: Cloud Federation Terms and Definitions .. 58

List of Figures

Figure 1. Ordinary authentication and authorization .. 3
Figure 2. Federated authentication and authorization .. 4
Figure 3. A Three-Plane Illustration of the .. 8
Figure 4. The NIST Cloud Federation Reference Architecture Actors .. 11
Figure 5. Centralized FM Deployments exhibiting external and internal FMs .. 32
Figure 6. Pair-wise, Hierarchical FM Deployments .. 32
Figure 7. Pair-wise, P2P FM .. 33
Figure 8. Larger Hierarchical Internal FM Deployments .. 33
Figure 9. Larger Hierarchical External FM Deployments .. 34
Figure 10. Larger P2P FM Deployments; Internal (left) and External (right) .. 34
Figure 11. Mixed Internal/External FM Deployments .. 34
Figure 12. On-boarding a new .. 39
Figure 13. A Federation of Federations .. 39
Figure 14. A Spectrum of Deployment Properties and Options .. 42
Appendix Figure 1. The Road Dataset Conflation Workflow .. 59
Appendix Figure 2. The System Components .. 61
Appendix Figure 3. Fed Admin A instantiates Federation DisasterResp in Federation Manager A .. 62
Appendix Figure 4. Federation Admin A populates Federation DisasterResp .. 63
Appendix Figure 5. Federation Admin B decides to join Federation DisasterResp .. 64
Appendix Figure 6. Fed Admin B populates Federation DisasterResp with their information .. 65
Appendix Figure 7. The Federation Managers achieve consistency .. 66
Appendix Figure 8. User A authenticates to Federation DisasterResp .. 67
Appendix Figure 9. User A Retrieves the Roads Workflow Definition .. 68
Appendix Figure 10. User A Instantiates the BPMN Workflow Engine .. 69
Appendix Figure 11. Workflow services are instantiated .. 70
Appendix Figure 12. The workflow is initiated .. 71
Appendix Figure 13. The second workflow step is executed .. 72
Appendix Figure 14. The last workflow step is executed and final results returned .. 73
Appendix Figure 1. The WS02 Architecture .. 74
Appendix Figure 2. A Federation Manager based on WS02 and OpenID .. 75
Appendix Figure 3. The WS02 API Server registers a redirection URI .. 76
Appendix Figure 4. Site Admin A does initial configuration of a Federation Foo .. 77
Appendix Figure 5. WS02 API Servers exchange Federation information .. 78
Appendix Figure 6. User A authenticates to their local WS02 .. 79
Appendix Figure 7. User A is authorized to do discovery on the Foo Service Catalog .. 80
Appendix Figure 8. User A invokes a service in Site B .. 81

Acknowledgements

This document reflects the contributions and discussions by the membership of the NIST Federated Cloud Public Working Group (FC-PWG), co-chaired by Robert Bohn (NIST ITL) and Craig A. Lee (The Aerospace Corporation). NIST would like to acknowledge the specific contributions[1] to this document made by the following FC-PWG members:

Victor Danilchenko, Schneider Electric
Craig A. Lee, The Aerospace Corporation
Martial Michel, Data Machines Corporation
Alexander Rebo, US Department of Treasury
Bryan Ward, UniSys
Steve Woodward, Cloud Perspectives
Khalil Yazdi, Yazdi Associates
Robert Bohn, NIST
John Messina, NIST

[1] Contributors are members of the NIST Federated Cloud Public Working Group who dedicated great effort to prepare and gave substantial time on a regular basis to research and development in support of this document.
