School of Computer & Information Sciences
ITS-532 Cloud Computing
Chapter 5 – Identity as a Service (IDaaS)
Content from:
Primary Textbook: Jamsa, K. A. (2013). Cloud computing:
SaaS, PaaS, IaaS, virtualization, business models, mobile,
security and more. Burlington, MA: Jones & Bartlett Learning.
Secondary Textbook: Erl, T., Mahmood, Z., & Puttini, R.
(2014). Cloud computing: concepts, technology, & architecture.
Upper Saddle River, NJ: Prentice Hall.
Learning Objectives
Describe challenges related to ID management.
Describe and discuss single sign-on (SSO) capabilities.
List the advantages of IDaaS solutions.
Discuss IDaaS solutions offered by various companies.
IDaaS Defined
Identity (or identification) as a service (IDaaS)—Cloud-based
approaches to managing user identities, including usernames,
passwords, and access. Also sometimes referred to as “identity
management as a service.”
Identity and Access Management (IAM)
Identity and Access Management includes the components and
policies necessary to control user identity and access
privileges.
Authentication
Username/Password, digital signatures, digital certificates,
biometrics
Authorization
Granular controls for mapping identities and rights
User Management
Creation and administration of new user identities, groups,
passwords, and policies
Credential Management
Establishes identities and access control rules for user accounts
(Erl, 2014)
Single Sign-On (SSO)
Single sign-on (SSO)—A process that allows a user to log in to
a central authority and then access other sites and services for
which he or she has credentials.
Advantages of SSO
Fewer username and password combinations for users to
remember and manage
Less password fatigue caused by the stress of managing
multiple passwords
Less user time consumed by having to log in to individual
systems
Fewer calls to help desks for forgotten passwords
A centralized location for IT staff to manage password
compliance and reporting
Disadvantages of SSO
The primary disadvantage of SSO is that the central
authentication server becomes a single point of failure. If it is
unavailable, users cannot log in to any of the services behind it.
Running the authentication service in the cloud with system
redundancy reduces that availability risk.
The same centralization also makes the SSO login a single point
of compromise: one stolen SSO credential or session token reaches
every connected service, so the central login deserves the
strongest protection available, such as multi-factor
authentication.
How Single Sign On Works
The single sign on mechanism enables one cloud service
consumer to be authenticated by a security broker. Once
established, the security context is persistent when the
consumer accesses other cloud based IT resources.
(Erl, 2014)
Figure 10.9 - A cloud consumer provides the security broker
with login credentials (1). The security broker responds with an
authentication token (message with small lock symbol) upon
successful authentication, which contains cloud service
consumer identity information (2) that is used to automatically
authenticate the cloud service consumer across Cloud Services
A, B, and C (3).
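The three steps of Figure 10.9 in working code, as an added example (not from either textbook): the broker verifies the password once and issues a signed token of identity claims; each service then checks the signature, issuer and expiry locally and never sees the password. The user, password, salt and signing key are constructed for the demo, and the token is HMAC-signed with a key shared by broker and services so the example runs offline; a real broker signs SAML or OIDC tokens with a private key and services verify with its public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the broker and the services it fronts. A real
# broker signs with a private key (SAML/OIDC) and services verify with its
# public key; a shared HMAC key keeps this example self-contained.
BROKER_KEY = b"demo-broker-signing-key-not-for-production"
SALT = b"fixed-demo-salt"  # constructed; use a per-user random salt in practice

def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user store held only by the broker; services never see passwords.
USERS = {"alice": password_hash("correct horse battery staple")}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def broker_login(username: str, password: str, now: int, ttl: int = 300):
    """Steps 1-2: verify the credentials once and issue a signed token of identity claims."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password_hash(password)):
        return None
    claims = {"iss": "broker", "sub": username, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig

def service_accept(token: str, now: int):
    """Step 3: a service checks the token locally, with no re-prompt and no broker round trip."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None  # forged or tampered token
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("iss") != "broker" or now >= claims.get("exp", 0):
        return None  # wrong issuer, or the security context has expired
    return claims["sub"]

if __name__ == "__main__":
    t = int(time.time())
    token = broker_login("alice", "correct horse battery staple", t)
    for service in ("A", "B", "C"):
        print("Cloud Service", service, "accepts user:", service_accept(token, t))
```

The short expiry is what bounds the damage from a stolen token; the three rejection paths (bad signature, wrong issuer, expired) are the checks every relying service must perform before trusting the identity in the token.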
Federated ID Management
FIDM describes the technologies and protocols that combine to
enable a user to bring security credentials across different
security domains (different servers running potentially different
operating systems).
Security Assertion Markup Language (SAML)
Behind the scenes, many FIDM systems use the Security
Assertion Markup Language (SAML) to package a user’s
security credentials.
Account Provisioning
The process of creating a user account on a system is called
account provisioning.
Because different employees may need different capabilities on
each system, the provisioning process can be complex.
When an employee leaves the company, a deprovisioning
process must occur to remove the user’s accounts.
Unfortunately, the IT staff is not always immediately informed
that an employee no longer works for the company, or the IT
staff misses a server account and the user may still have access
to one or more systems.
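The missed-account problem above is caught by reconciling every system's account list against the HR roster. The following added Python example (not from either textbook) does that with constructed HR data and account exports: accounts of known leavers are queued for deprovisioning, accounts that match no HR record at all are flagged for review, and known service accounts are excluded. The employee names, system names and the service account are made up.

```python
# Constructed HR feed and per-system account exports (stand-ins for the data an
# identity-management tool would pull from HR and from each server).
HR_ACTIVE = {"alice", "bob", "dana"}
HR_TERMINATED = {"carol"}
SERVICE_ACCOUNTS = {"svc-backup"}  # non-human accounts owned by a system, not an employee

SYSTEM_ACCOUNTS = {
    "crm": {"alice", "bob", "carol"},
    "fileserver": {"alice", "bob", "carol", "dana", "svc-backup"},
    "vpn": {"alice", "dana", "carol", "eve"},  # "eve" has no HR record at all
}

def reconcile(hr_active, hr_terminated, system_accounts, service_accounts=frozenset()):
    """Compare every system's account list against HR.

    Returns two maps, system -> sorted account names:
      terminated: accounts of people HR says have left (deprovision now)
      orphaned:   accounts matching no HR record (investigate: missed leaver, typo, or backdoor)
    """
    terminated, orphaned = {}, {}
    for system, accounts in system_accounts.items():
        humans = set(accounts) - set(service_accounts)
        leavers = humans & set(hr_terminated)
        unknown = humans - set(hr_active) - leavers
        if leavers:
            terminated[system] = sorted(leavers)
        if unknown:
            orphaned[system] = sorted(unknown)
    return terminated, orphaned

def deprovision(system_accounts, terminated):
    """Remove the leavers' accounts from every system; orphans are left for a person to review."""
    return {
        system: set(accounts) - set(terminated.get(system, []))
        for system, accounts in system_accounts.items()
    }

if __name__ == "__main__":
    term, orph = reconcile(HR_ACTIVE, HR_TERMINATED, SYSTEM_ACCOUNTS, SERVICE_ACCOUNTS)
    print("deprovision:", term)
    print("review:", orph)
    print("after:", deprovision(SYSTEM_ACCOUNTS, term))
```

Running this on a schedule, rather than waiting for HR to notify IT, is what closes the window in which a departed employee still holds access.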
4 A’s of Cloud Identity
Authentication: The process of validating a user for on-site and
cloud-based solutions.
Authorization: The process of determining and specifying what
a user is allowed to do on each server.
Account management: The process of synchronizing user
accounts by provisioning and deprovisioning access.
Audit logging: The process of tracking which applications users
access and when.
Real World: Ping Identity IDaaS
Ping Identity provides cloud-based ID management software
that supports FIDM and user account provisioning.
Real World: PasswordBank IDaaS
PasswordBank provides an IDaaS solution that supports on-site
and cloud-based system access. Its Federated ID Management
(FIDM/FIM) service supports enterprise-wide SSO (E-SSO) and
SSO for web-based applications (WebSSO).
The PasswordBank solutions perform the FIDM without the use
of SAML.
Security Assertion Markup Language (SAML) is a standard for
logging users into applications based on their sessions in
another context. This single sign-on (SSO) login standard has
significant advantages over logging in using
a username/password:
No need to type in credentials
No need to remember and renew passwords
No weak passwords
PasswordBank solutions support a myriad of devices, including
the iPhone.
PasswordBank's unique Identity-as-a-Service (IDaaS) Single
Sign-On software securely automates all logons to corporate and
cloud applications.
OpenID
OpenID allows users to use an existing account to log in to
multiple websites. At the time the textbook was written (2013),
more than 1 billion OpenID-enabled accounts existed and were
accepted by thousands of websites.
Companies that support OpenID include Google, Yahoo!, Flickr,
Myspace, WordPress.com, and more
OpenID was created in the summer of 2005 by an open source
community trying to solve a problem that was not easily solved
by other existing identity technologies. As such, OpenID is
decentralized and not owned by anyone, nor should it be.
Today, anyone can choose to use an OpenID or become an
OpenID Provider for free without having to register or be
approved by any organization.
Advantages of Using OpenID
Increased site conversion rates (rates at which customers choose
to join websites) because users do not need to register
Access to greater user profile content
Fewer problems with lost passwords
Ease of content integration into social networking sites
Mobile ID Management
Threats to mobile devices include the following:
Identity theft if a device is lost or stolen
Eavesdropping on data communications
Surveillance of confidential screen content
Phishing of content from rogue sites
Man-in-the-middle attacks through intercepted signals
Inadequate device resources to provide a strong security
implementation
Social attacks on unaware users that yield identity information
Cloud Based Security Groups
Cloud resource segmentation is a process of creating separate
physical and virtual IT environments for different users and
groups to increase security.
(Erl, 2014)
Figure 10.11 - Cloud-Based Security Group A encompasses
Virtual Servers A and D and is assigned to Cloud Consumer A.
Cloud-Based Security Group B is comprised of Virtual Servers
B, C, and E and is assigned to Cloud Consumer B. If Cloud
Service Consumer A’s credentials are compromised, the attacker
would only be able to access and damage the virtual servers in
Cloud-Based Security Group A, thereby protecting Virtual
Servers B, C, and E.
Hardened Virtual Server Images
When creating a virtual server from a template, the hardening
process removes unnecessary software and disables unneeded
services and accounts to reduce the attack surface an attacker
could exploit.
(Erl, 2014)
Figure 10.13 - A cloud provider applies its security policies to
harden its standard virtual server images.
Key Terms
References
Primary:
Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS,
virtualization, business models, mobile, security and more.
Burlington, MA: Jones & Bartlett Learning.
Secondary:
Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing:
concepts, technology, & architecture. Upper Saddle River, NJ:
Prentice Hall.
Identity Management
Identity Management as a Service (IDaaS)
A Case Example Using Microsoft Azure
Contents
Definitions
Security – A Shared Responsibility
Authentication and Authorization
Managed Identities (Azure)
Security Advantages
Organizations face many challenges with securing their
datacenters, including recruiting and keeping security experts,
using many security tools, and keeping pace with the volume
and complexity of threats.
As computing environments move from customer-controlled
datacenters to the cloud, the responsibility of security also
shifts. Security of the operational environment is now a concern
shared by both cloud providers and customers. By shifting these
responsibilities to a cloud service like Azure, organizations can
reduce focus on activities that aren't core business
competencies. Depending on the specific technology choices,
some security protections will be built into the particular
service, while addressing others will remain the customer's
responsibility. To ensure that the proper security controls are
provided, a careful evaluation of the services and technology
choices becomes necessary.
Security is a shared responsibility
The first shift you'll make is from on-premises data centers to
infrastructure as a service (IaaS). With IaaS, you are leveraging
the lowest-level service and asking Azure to create virtual
machines (VMs) and virtual networks. At this level, it's still
your responsibility to patch and secure your operating systems
and software, as well as configure your network to be secure. At
Contoso Shipping, you are taking advantage of IaaS when you
start using Azure VMs instead of your on-premises physical
servers. In addition to the operational advantages, you receive
the security advantage of having outsourced concern over
protecting the physical parts of the network.
Moving to platform as a service (PaaS) outsources several
security concerns. At this level, Azure is taking care of the
operating system and of most foundational software like
database management systems. Everything is updated with the
latest security patches and can be integrated with Azure Active
Directory for access controls. PaaS also comes with many
operational advantages. Rather than building whole
infrastructures and subnets for your environments by hand, you
can "point and click" within the Azure portal or run automated
scripts to bring complex, secured systems up and down, and
scale them as needed. Contoso Shipping uses Azure Event Hubs
for ingesting telemetry data from drones and trucks — as well
as a web app with an Azure Cosmos DB back end with its
mobile apps — which are all examples of PaaS.
With software as a service (SaaS), you outsource almost
everything. SaaS is software that runs on infrastructure the
vendor operates and is reached over the internet. The code is
controlled by the vendor but configured for use by the customer.
Like so many companies, Contoso Shipping uses Office 365, which
is a good example of SaaS.
For all cloud deployment types, you own your data and
identities. You are responsible for helping secure your data and
identities, your on-premises resources, and the cloud
components you control (which vary by service type).
Regardless of the deployment type, you always retain
responsibility for the following items:
Data
Endpoints
Accounts
Access management
A Layered Approach
Data
In almost all cases, attackers are after data:
Stored in a database
Stored on disk inside virtual machines
Stored on a SaaS application such as Office 365
Stored in cloud storage
It's the responsibility of those storing and controlling access to
data to ensure that it's properly secured. Often, there are
regulatory requirements that dictate the controls and processes
that must be in place to ensure the confidentiality, integrity, and
availability of the data.
A Layered Approach
Application
Ensure applications are secure and free of vulnerabilities.
Store sensitive application secrets in a secure storage medium.
Make security a design requirement for all application
development.
Integrating security into the application development life cycle
will help reduce the number of vulnerabilities introduced in
code. We encourage all development teams to ensure their
applications are secure by default, and that they're making
security requirements non-negotiable.
A Layered Approach
Compute
Secure access to virtual machines.
Implement endpoint protection and keep systems patched and
current.
Malware, unpatched systems, and improperly secured systems
open your environment to attacks. The focus in this layer is on
making sure your compute resources are secure, and that you
have the proper controls in place to minimize security issues.
A Layered Approach
Networking
Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound, where
appropriate.
Implement secure connectivity to on-premises networks.
At this layer, the focus is on limiting the network connectivity
across all your resources to allow only what is required. By
limiting this communication, you reduce the risk of lateral
movement throughout your network.
A Layered Approach
Perimeter
Use distributed denial of service (DDoS) protection to filter
large-scale attacks before they can cause a denial of service for
end users.
Use perimeter firewalls to identify and alert on malicious
attacks against your network.
At the network perimeter, it's about protecting from network-
based attacks against your resources. Identifying these attacks,
eliminating their impact, and alerting you when they happen are
important ways to keep your network secure.
A Layered Approach
Identity and access
Control access to infrastructure and change control.
Use single sign-on and multi-factor authentication.
Audit events and changes.
The identity and access layer is all about ensuring identities are
secure, access granted is only what is needed, and changes are
logged.
A Layered Approach
Physical security
Physical building security and controlling access to computing
hardware within the data center is the first line of defense.
With physical security, the intent is to provide physical
safeguards against access to assets. These safeguards ensure
that other layers can't be bypassed, and loss or theft is handled
appropriately.
Authentication and Authorization
Authentication & Authorization Defined
Authentication is the process of establishing the identity of a
person or service looking to access a resource. It involves the
act of challenging a party for legitimate credentials and
provides the basis for creating a security principal for identity
and access control use. It establishes if they are who they say
they are.
Authorization is the process of establishing what level of access
an authenticated person or service has. It specifies what data
they're allowed to access and what they can do with it.
Active Directory
(Microsoft Azure)
What is Azure Active Directory?
Azure AD is a cloud-based identity service. It has built in
support for synchronizing with your existing on-premises
Active Directory or can be used stand-alone.
This means that all your applications, whether on-premises, in
the cloud (including Office 365), or even mobile can share the
same credentials.
Administrators and developers can control access to internal
and external data and applications using centralized rules and
policies configured in Azure AD.
Azure Active Directory (AD)
Azure AD provides services such as:
Authentication. This includes verifying identity to access
applications and resources, and providing functionality such as
self-service password reset, multi-factor authentication (MFA),
a custom banned password list, and smart lockout services.
Single-Sign-On (SSO). SSO enables users to remember only one
ID and one password to access multiple applications. A single
identity is tied to a user, simplifying the security model. As
users change roles or leave an organization, access
modifications are tied to that identity, greatly reducing the
effort needed to change or disable accounts.
Application management. You can manage your cloud and on-
premises apps using Azure AD Application Proxy, SSO, the My
apps portal (also referred to as Access panel), and SaaS apps.
Business to business (B2B) identity services. Manage your
guest users and external partners while maintaining control over
your own corporate data
Business-to-Customer (B2C) identity services. Customize and
control how users sign up, sign in, and manage their profiles
when using your apps with services.
Device Management. Manage how your cloud or on-premises
devices access your corporate data.
Single Sign-On
SSO with Azure Active Directory
By leveraging Azure AD for SSO you'll also have the ability to
combine multiple data sources into an intelligent security graph.
This security graph enables the ability to provide threat analysis
and real-time identity protection to all accounts in Azure AD,
including accounts that are synchronized from your on-premises
AD.
By using a centralized identity provider, you'll have centralized
the security controls, reporting, alerting, and administration of
your identity infrastructure.
As Contoso Shipping integrates its existing Active Directory
instance with Azure AD, you will make controlling access
consistent across the organization.
Doing so will also greatly simplify the ability to sign into email
and Office 365 documents without having to reauthenticate.
The more identities a user must manage, the greater the risk of a
credential-related security incident. More identities mean more
passwords to remember and change. Password policies can vary
between applications and, as complexity requirements increase,
it becomes increasingly difficult for users to remember them.
Now, consider the logistics of managing all those identities.
Additional strain is placed on help desks as they deal with
account lockouts and password reset requests. If a user leaves
an organization, tracking down all those identities and ensuring
they are disabled can be challenging. If an identity is
overlooked, this could allow access when it should have been
eliminated.
With single sign-on (SSO), users need to remember only one ID
and one password. Access across applications is granted to a
single identity tied to a user, simplifying the security model. As
users change roles or leave an organization, access
modifications are tied to the single identity, greatly reducing
the effort needed to change or disable accounts. Using single
sign-on for accounts will make it easier for users to manage
their identities and will increase the security capabilities in
your environment.
Multi-factor authentication
Multi-factor authentication (MFA) provides additional security
for your identities by requiring two or more elements for full
authentication. These elements fall into three categories:
Something you know
Something you possess
Something you are
Something you know would be a password or the answer to a
security question. Something you possess could be a mobile app
that receives a notification or a token-generating
device. Something you are is typically some sort of biometric
property, such as a fingerprint or face scan used on many
mobile devices.
Using MFA increases the security of an identity by limiting the
impact of credential exposure. An attacker who has a user's
password would also need possession of the user's phone or the
user's face to fully authenticate. Because a single verified
factor is insufficient, the stolen password alone cannot be used
to sign in. The security benefit is substantial, and MFA should
be enabled wherever possible.
Azure AD has MFA capabilities built in and integrates with
third-party MFA providers. MFA must be used for accounts in the
Global Administrator role, because these are highly sensitive;
it should also be enabled for every other account.
For Contoso Shipping, you decide to enable MFA any time a
user is signing in from a non-domain-connected computer —
which includes the mobile apps your drivers use.
Providing identities to services
It's usually valuable for services to have identities. Often, and
against best practices, credential information is embedded in
configuration files. With no security around these configuration
files, anyone with access to the systems or repositories can
access these credentials and risk exposure.
Azure AD addresses this problem through two methods: service
principals and managed identities for Azure services.
Service principals
Service principals
To understand service principals, it's useful to first understand
the words identity and principal, because of how they are used
in the identity management world.
An identity is just a thing that can be authenticated. Obviously,
this includes users with a user name and password, but it can
also include applications or other servers, which might
authenticate with secret keys or certificates.
A principal is an identity acting with certain roles or claims.
Usually, it is not useful to consider identity and principal
separately, but think of using 'sudo' on a Bash prompt in Linux
or on Windows using "run as Administrator." In both those
cases, you are still logged in as the same identity as before, but
you've changed the role under which you are executing. Groups
are often also considered principals because they can have
rights assigned.
A service principal is an identity that is used by a service or
application. And like other identities, it can be assigned roles.
Managed identities for Azure services
The creation of service principals can be a tedious process, and
there are a lot of touch points that can make maintaining them
difficult. Managed identities for Azure services are much easier
and will do most of the work for you.
A managed identity can be created instantly for any Azure
service that supports it, and the list is constantly growing.
When you create a managed identity for a service, you are
creating an account in your organization's Azure AD tenant (a
tenant is one organization's dedicated instance of Azure AD).
The Azure infrastructure takes care of authenticating the
service and of creating, rotating and managing the credential,
so no secret is ever placed in a configuration file. You can then
use that account like any other Azure AD account, including
granting the authenticated service access to other Azure
resources.
Role-Based access control (RBAC)
Roles are sets of permissions, like "Reader" or "Contributor",
that users, groups and service principals can be granted on an
Azure resource or scope.
Identities are mapped to roles directly or through group
membership. Separating security principals, access permissions,
and resources provides simple access management and fine-
grained control. Administrators are able to ensure the minimum
necessary permissions are granted.
Roles can be granted at the individual service instance level, but
they also flow down the Azure Resource Manager hierarchy.
RBAC scope
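How role assignments flow down the Azure Resource Manager hierarchy, and why an assignment in one resource group cannot reach another, as an added Python example (not from the page or from Microsoft). The role definitions are modelled on the built-in Reader, Contributor and Owner roles; the subscription ID, resource groups, virtual machines, group membership and assignments are constructed. This is the same blast-radius limit the cloud-based security groups of Figure 10.11 describe: a compromised credential for Cloud Consumer A reaches only the scope A was assigned.

```python
from fnmatch import fnmatchcase

# Constructed role definitions modelled on the Azure built-in roles Reader,
# Contributor and Owner (the real ones: `az role definition list --name Contributor`).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor may change resources but may not hand out roles.
        "not_actions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
}

# Constructed Azure Resource Manager scopes; the subscription ID is made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_A = SUB + "/resourceGroups/rg-a"
RG_B = SUB + "/resourceGroups/rg-b"
VM_A = RG_A + "/providers/Microsoft.Compute/virtualMachines/vm-a"
VM_B = RG_B + "/providers/Microsoft.Compute/virtualMachines/vm-b"

GROUPS = {"ops-team": {"alice"}}  # constructed Azure AD group membership

# Constructed role assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("auditor", "Reader", SUB),         # flows down to every RG and resource in the subscription
    ("ops-team", "Contributor", RG_A),  # group assignment, inherited by vm-a but not by rg-b
    ("bob", "Owner", VM_B),             # assigned on a single resource only
]

def _principals_for(user):
    """The user plus every group the user belongs to (groups are principals too)."""
    return {user} | {g for g, members in GROUPS.items() if user in members}

def _scope_covers(assigned_scope, target_scope):
    """An assignment applies at its own scope and at every scope beneath it, never above."""
    return target_scope == assigned_scope or target_scope.startswith(assigned_scope + "/")

def _matches(action, patterns):
    # ARM action matching is case-insensitive and '*' spans '/' segments.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _role_permits(role, action):
    definition = ROLES[role]
    return _matches(action, definition["actions"]) and not _matches(action, definition["not_actions"])

def effective_roles(user, scope):
    """Every role the user holds at `scope`, directly or by inheritance or group membership."""
    principals = _principals_for(user)
    return sorted({role for p, role, s in ASSIGNMENTS if p in principals and _scope_covers(s, scope)})

def is_authorized(user, action, scope):
    """Deny by default: allowed only if some effective role permits the action."""
    return any(_role_permits(role, action) for role in effective_roles(user, scope))

if __name__ == "__main__":
    print("alice writes vm-a:", is_authorized("alice", "Microsoft.Compute/virtualMachines/write", VM_A))
    print("alice writes vm-b:", is_authorized("alice", "Microsoft.Compute/virtualMachines/write", VM_B))
```

Two details carry most of the security weight: an assignment never flows upward (bob's Owner role on vm-b says nothing about rg-b), and Contributor's NotActions keep a compromised operator account from granting itself more roles.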
Privileged Identity Management
In addition to managing Azure resource access with role-based
access control (RBAC), a comprehensive approach to
infrastructure protection should consider including the ongoing
auditing of role members as their organization changes and
evolves. Azure AD Privileged Identity Management (PIM) is an
additional, paid-for offering that provides oversight of role
assignments, self-service, and just-in-time role activation and
Azure AD and Azure resource access reviews.
Summary
Identity allows us to maintain a security perimeter, even outside
our physical control.
With single sign-on and appropriate role-based access
configuration, we can always be sure who has the ability to see
and manipulate our data and infrastructure.
School of Computer & Information Sciences
ITS-532 Cloud Computing
Chapter 5 – Identity as a Service (IDaaS)
Content from:
Primary Textbook: Jamsa, K. A. (2013). Cloud computing:
SaaS, PaaS, IaaS, virtualization, business models, mobile,
security and more. Burlington, MA: Jones & Bartlett Learning.
Secondary Textbook: Erl, T., Mahmood, Z., & Puttini, R.
(2014). Cloud computing: concepts, technology, & architecture.
Upper Saddle River, NJ: Prentice Hall.
1
Learning Objectives
Describe challenges related to ID management.
Describe and discuss single sign-on (SSO) capabilities.
List the advantages of IDaaS solutions.
Discuss IDaaS solutions offered by various companies.
IDaaS Defined
Identity (or identification) as a service (IDaaS)—Cloud-based
approaches to managing user identities, including usernames,
passwords, and access. Also sometimes referred to as “identity
management as a service.
Identity and Access Management (IAM)
Identity and Access Management includes the components and
policies necessary to control user identify and access
privileges.
Authentication
Username/Password, digital signatures, digital certificates,
biometrics
Authorization
Granular controls for mapping identities and rights
User Management
Creation and administration of new user identities, groups,
passwords, and policies
Credential Management
Establishes identities and access control rules for user accounts
4
(Erl, 2014)
Single Sign-On (SSO)
Single sign-on (SSO)—PA process that allows a user to log into
a central authority and then access other sites and services for
which he or she has credentials.
Advantages of SSO
Fewer username and password combinations for users to
remember and manage
Less password fatigue caused by the stress of managing
multiple passwords
Less user time consumed by having to log in to individual
systems
Fewer calls to help desks for forgotten passwords
A centralized location for IT staff to manage password
compliance and reporting
Disadvantages of SSO
The primary disadvantage of SSO systems is the potential for a
single source of failure. If the authentication server fails, users
will not be able to log in to other servers.
Thus, having a cloud-based authentication server with system
redundancy reduces the risk of system unavailability.
How Single Sign On Works
The single sign on mechanism enables one cloud service
consumer to be authenticated by a security broker. Once
established, the security context is persistent when the
consumer accesses other cloud based IT resources.
8
(Erl, 2014)
Figure 10.9 - A cloud consumer provides the security broker
with login credentials (1). The security broker response with an
authentication token (message with small lock symbol) upon
successful authentication, which contains cloud service
consumer identify information (2) that is used to automatically
authenticate the cloud service consumer across Cloud Services
A, B, and C (3).
Federated ID Management
FIDM describes the technologies and protocols that combine to
enable a user to bring security credentials across different
security domains (different servers running potentially different
operating systems).
Security Assertion Markup Language (SAML)
Behind the scenes, many FIDM systems use the Security
Assertion Markup Language (SAML) to package a user’s
security credentials.
Account Provisioning
The process of creating a user account on a system is called
account provisioning.
Because different employees may need different capabilities on
each system, the provisioning process can be complex.
When an employee leaves the company, a deprovisioning
process must occur to remove the user’s accounts.
Unfortunately, the IT staff is not always immediately informed
that an employee no longer works for the company, or the IT
staff misses a server account and the user may still have access
to one or more systems.
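The missed-account problem just described can be caught by reconciling the HR system of record against the local account list of every system. The following is an added example (not from the textbook) with constructed roster and account data; the prefix used to skip service accounts and the case-insensitive matching are assumptions about the systems involved.

```python
from datetime import date

# Constructed sample data: HR system of record and the accounts pulled from three systems.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "termination_date": "2024-03-01"},
    "carol": {"status": "active"},
}
SYSTEM_ACCOUNTS = {
    "crm": ["alice", "bob", "svc-backup"],
    "fileserver": ["Alice", "bob", "dave"],
    "vpn": ["carol", "bob"],
}
SERVICE_ACCOUNT_PREFIXES = ("svc-",)   # assumption: naming convention for non-human accounts


def reconcile(hr_roster, system_accounts, as_of, service_prefixes=SERVICE_ACCOUNT_PREFIXES):
    """Compare each system's accounts with HR. Returns, per system, the accounts of
    terminated staff (with days since termination) and accounts that match no HR
    record at all; an empty dict means every account is accounted for."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    active = {u.lower() for u, rec in hr_roster.items() if rec["status"] == "active"}
    terminated = {u.lower(): date.fromisoformat(rec["termination_date"])
                  for u, rec in hr_roster.items() if rec["status"] != "active"}
    findings = {}
    for system, accounts in system_accounts.items():
        stale, unknown = [], []
        for account in accounts:
            name = account.lower()            # systems differ in case handling
            if name.startswith(service_prefixes):
                continue                      # service accounts are reviewed separately
            if name in terminated:
                stale.append((account, (as_of - terminated[name]).days))
            elif name not in active:
                unknown.append(account)       # orphan: no HR record, a possible backdoor
        if stale or unknown:
            findings[system] = {"terminated": sorted(stale), "unknown": sorted(unknown)}
    return findings


def deprovisioning_actions(findings):
    """Flatten findings into a work list, longest exposure first, orphans last."""
    actions = []
    for system, f in findings.items():
        for account, days in f["terminated"]:
            actions.append((days, system, account, "disable: terminated %d days ago" % days))
        for account in f["unknown"]:
            actions.append((-1, system, account, "investigate: no HR record"))
    return [(s, a, why) for _, s, a, why in sorted(actions, key=lambda x: -x[0])]


if __name__ == "__main__":
    for item in deprovisioning_actions(reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, "2024-03-15")):
        print(item)
```

Run on a schedule, the "days since termination" figure is also the audit metric for how long the deprovisioning process is taking.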
4 A’s of Cloud Identity
Authentication: The process of validating a user for on-site and
cloud-based solutions.
Authorization: The process of determining and specifying what
a user is allowed to do on each server.
Account management: The process of synchronizing user
accounts by provisioning and deprovisioning access.
Audit logging: The process of tracking which applications users
access and when.
Real World: Ping Identity IDaaS
Ping Identity provides cloud-based ID management software
that supports FIDM and user account provisioning.
Real World: PasswordBank IDaaS
PasswordBank provides an IDaaS solution that supports on-site
and cloud-based system access. Its Federated ID Management
(FIDM/FIM) service supports enterprise-wide SSO (E-SSO) and
SSO for web-based applications (WebSSO).
The PasswordBank solutions perform the FIDM without the use
of SAML.
Security Assertion Markup Language (SAML) is a standard for
logging users into applications based on their sessions in
another context. This single sign-on (SSO) login standard has
significant advantages over logging in using
a username/password:
No need to type in credentials
No need to remember and renew passwords
No weak passwords
PasswordBank solutions support a myriad of devices, including
the iPhone.
PasswordBank's unique Identity-as-a-Service (IDaaS) Single
Sign-On software securely automates all logons to corporate and
cloud applications.
OpenID
OpenID allows users to use an existing account to log in to
multiple websites. Today, more than 1 billion OpenID accounts
exist and are accepted by thousands of websites.
Companies that support OpenID include Google, Yahoo!, Flickr,
Myspace, WordPress.com, and more
OpenID was created in the summer of 2005 by an open source community trying to solve a problem that was not easily solved by other existing identity technologies. As such, OpenID is decentralized and not owned by anyone, nor should it be. Today, anyone can choose to use an OpenID or become an OpenID Provider for free without having to register or be approved by any organization. (The adoption figures above describe the original OpenID 2.0 protocol as of the textbook's writing; it has since been superseded by OpenID Connect, an identity layer built on OAuth 2.0.)
Advantages of Using OpenID
Increased site conversion rates (rates at which customers choose
to join websites) because users do not need to register
Access to greater user profile content
Fewer problems with lost passwords
Ease of content integration into social networking sites
Mobile ID Management
Threats to mobile devices include the following:
Identity theft if a device is lost or stolen
Eavesdropping on data communications
Surveillance of confidential screen content
Phishing of content from rogue sites
Man-in-the-middle attacks through intercepted signals
Inadequate device resources to provide a strong security
implementation
Social attacks on unaware users that yield identity information
Cloud Based Security Groups
Cloud resource segmentation is the practice of creating separate physical and virtual IT environments for different users and groups, so that a compromise of one consumer's credentials does not expose the resources assigned to another.
(Erl, 2014)
Figure 10.11 - Cloud-Based Security Group A encompasses
Virtual Servers A and D and is assigned to Cloud Consumer A.
Cloud-Based Security Group B is comprised of Virtual Servers
B, C, and E and is assigned to Cloud Consumer B. If Cloud
Service Consumer A’s credentials are compromised, the attacker
would only be able to access and damage the virtual servers in
Cloud-Based Security Group A, thereby protecting Virtual
Servers B, C, and E.
Hardened Virtual Server Images
When creating a virtual server from a template, the hardening process removes unnecessary software and services from the image and closes unused ports, reducing the attack surface that could be exploited by attackers.
(Erl, 2014)
Figure 10.13 - A cloud provider applies its security policies to
harden its standard virtual server images.
References
Primary:
Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS,
virtualization, business models, mobile, security and more.
Burlington, MA: Jones & Bartlett Learning.
Secondary:
Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing:
concepts, technology, & architecture. Upper Saddle River, NJ:
Prentice Hall.
Identity Management
Identity Management as a Service (IDaaS)
A case example using MS Azure
Contents
Definitions
Security – A Shared Responsibility
Authentication and Authorization
Managed Identities (Azure)
Security Advantages
Organizations face many challenges with securing their
datacenters, including recruiting and keeping security experts,
using many security tools, and keeping pace with the volume
and complexity of threats.
As computing environments move from customer-controlled
datacenters to the cloud, the responsibility of security also
shifts. Security of the operational environment is now a concern
shared by both cloud providers and customers. By shifting these
responsibilities to a cloud service like Azure, organizations can
reduce focus on activities that aren't core business
competencies. Depending on the specific technology choices,
some security protections will be built into the particular
service, while addressing others will remain the customer's
responsibility. To ensure that the proper security controls are
provided, a careful evaluation of the services and technology
choices becomes necessary.
Security is a shared responsibility
The first shift you'll make is from on-premises data centers to
infrastructure as a service (IaaS). With IaaS, you are leveraging
the lowest-level service and asking Azure to create virtual
machines (VMs) and virtual networks. At this level, it's still
your responsibility to patch and secure your operating systems
and software, as well as configure your network to be secure. At
Contoso Shipping, you are taking advantage of IaaS when you
start using Azure VMs instead of your on-premises physical
servers. In addition to the operational advantages, you receive
the security advantage of having outsourced concern over
protecting the physical parts of the network.
Moving to platform as a service (PaaS) outsources several
security concerns. At this level, Azure is taking care of the
operating system and of most foundational software like
database management systems. Everything is updated with the
latest security patches and can be integrated with Azure Active
Directory for access controls. PaaS also comes with many
operational advantages. Rather than building whole
infrastructures and subnets for your environments by hand, you
can "point and click" within the Azure portal or run automated
scripts to bring complex, secured systems up and down, and
scale them as needed. Contoso Shipping uses Azure Event Hubs
for ingesting telemetry data from drones and trucks — as well
as a web app with an Azure Cosmos DB back end with its
mobile apps — which are all examples of PaaS.
With software as a service (SaaS), you outsource almost
everything. SaaS is software that runs with an internet
infrastructure. The code is controlled by the vendor but
configured to be used by the customer. Like so many
companies, Contoso Shipping uses Office 365, which is a great
example of SaaS!
For all cloud deployment types, you own your data and
identities. You are responsible for helping secure your data and
identities, your on-premises resources, and the cloud
components you control (which vary by service type).
Regardless of the deployment type, you always retain
responsibility for the following items:
Data
Endpoints
Accounts
Access management
A Layered Approach
Data
In almost all cases, attackers are after data:
Stored in a database
Stored on disk inside virtual machines
Stored on a SaaS application such as Office 365
Stored in cloud storage
It's the responsibility of those storing and controlling access to
data to ensure that it's properly secured. Often, there are
regulatory requirements that dictate the controls and processes
that must be in place to ensure the confidentiality, integrity, and
availability of the data.
A Layered Approach
Application
Ensure applications are secure and free of vulnerabilities.
Store sensitive application secrets in a secure storage medium.
Make security a design requirement for all application
development.
Integrating security into the application development life cycle
will help reduce the number of vulnerabilities introduced in
code. We encourage all development teams to ensure their
applications are secure by default, and that they're making
security requirements non-negotiable.
A Layered Approach
Compute
Secure access to virtual machines.
Implement endpoint protection and keep systems patched and
current.
Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure and that you have the proper controls in place to minimize security issues.
A Layered Approach
Networking
Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound, where
appropriate.
Implement secure connectivity to on-premises networks.
At this layer, the focus is on limiting the network connectivity
across all your resources to allow only what is required. By
limiting this communication, you reduce the risk of lateral
movement throughout your network.
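Both the resource segmentation of Figure 10.11 and the "deny by default" rule of this networking layer come down to how security group rules are evaluated. The following is an added example (Python, not from Erl or Microsoft): constructed address ranges for Security Groups A and B, a rule set evaluated first-match in priority order with an implicit deny, an audit for management ports open to the internet, and a blast-radius check for a host compromised inside Group A. The addresses, ports and rule set are all constructed.

```python
import ipaddress

# Constructed segmentation: Cloud Consumer A's virtual servers live in 10.0.1.0/24
# (Security Group A), Cloud Consumer B's in 10.0.2.0/24 (Security Group B).
GROUP_A = "10.0.1.0/24"
GROUP_B = "10.0.2.0/24"

# Constructed rules in the shape of a cloud security group: the lowest priority
# number is evaluated first, the first match decides, and no match means deny.
RULES = [
    {"priority": 100, "access": "allow", "protocol": "tcp",
     "src": GROUP_A, "dst": "10.0.2.10/32", "dport": 443},  # the one sanctioned cross-group flow
    {"priority": 150, "access": "allow", "protocol": "any",
     "src": GROUP_A, "dst": GROUP_A, "dport": None},        # traffic inside Group A
    {"priority": 200, "access": "deny", "protocol": "any",
     "src": GROUP_A, "dst": GROUP_B, "dport": None},        # everything else between groups
    {"priority": 300, "access": "allow", "protocol": "tcp",
     "src": "0.0.0.0/0", "dst": GROUP_B, "dport": 22},      # weak rule: SSH open to the internet
]


def evaluate(rules, src, dst, protocol, dport):
    """Return (allowed, priority of the deciding rule); (False, None) is the implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("any", protocol):
            continue
        if src_ip not in ipaddress.ip_network(rule["src"]):
            continue
        if dst_ip not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        return rule["access"] == "allow", rule["priority"]
    return False, None


def internet_exposed_management_ports(rules, management_ports=(22, 3389)):
    """Audit check: allow rules that reach management ports from any source address."""
    return [r["priority"] for r in rules
            if r["access"] == "allow" and r["dport"] in management_ports
            and ipaddress.ip_network(r["src"]).prefixlen == 0]


def blast_radius(rules, compromised_hosts, targets, protocol="tcp", dport=22):
    """Hosts an attacker holding `compromised_hosts` can reach on dport (lateral movement)."""
    return sorted({t for s in compromised_hosts for t in targets
                   if evaluate(rules, s, t, protocol, dport)[0]})


if __name__ == "__main__":
    print("exposed rules:", internet_exposed_management_ports(RULES))
    print("reachable from 10.0.1.5:",
          blast_radius(RULES, ["10.0.1.5"], ["10.0.1.6", "10.0.2.10", "10.0.2.11"]))
```

With the implicit deny in place, an attacker on a Group A server reaches only the other Group A servers and the single port that was deliberately opened; the audit function flags the rule that would let the internet reach Group B directly, which is exactly the kind of rule that defeats the segmentation in the figure.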
A Layered Approach
Perimeter
Use distributed denial of service (DDoS) protection to filter
large-scale attacks before they can cause a denial of service for
end users.
Use perimeter firewalls to identify and alert on malicious
attacks against your network.
At the network perimeter, it's about protecting from network-
based attacks against your resources. Identifying these attacks,
eliminating their impact, and alerting you when they happen are
important ways to keep your network secure.
A Layered Approach
Identity and access
Control access to infrastructure and change control.
Use single sign-on and multi-factor authentication.
Audit events and changes.
The identity and access layer is all about ensuring identities are
secure, access granted is only what is needed, and changes are
logged.
A Layered Approach
Physical security
Physical building security and controlling access to computing
hardware within the data center is the first line of defense.
With physical security, the intent is to provide physical
safeguards against access to assets. These safeguards ensure
that other layers can't be bypassed, and loss or theft is handled
appropriately.
Authentication and Authorization
Authentication & Authorization Defined
Authentication is the process of establishing the identity of a
person or service looking to access a resource. It involves the
act of challenging a party for legitimate credentials and
provides the basis for creating a security principal for identity
and access control use. It establishes if they are who they say
they are.
Authorization is the process of establishing what level of access
an authenticated person or service has. It specifies what data
they're allowed to access and what they can do with it.
Azure Active Directory (Microsoft Azure)
What is Azure Active Directory?
Azure AD (renamed Microsoft Entra ID in 2023) is a cloud-based identity service. It has built in
support for synchronizing with your existing on-premises
Active Directory or can be used stand-alone.
This means that all your applications, whether on-premises, in
the cloud (including Office 365), or even mobile can share the
same credentials.
Administrators and developers can control access to internal
and external data and applications using centralized rules and
policies configured in Azure AD.
Azure Active Directory (AD)
Azure AD provides services such as:
Authentication. This includes verifying identity to access
applications and resources, and providing functionality such as
self-service password reset, multi-factor authentication (MFA),
a custom banned password list, and smart lockout services.
Single-Sign-On (SSO). SSO enables users to remember only one
ID and one password to access multiple applications. A single
identity is tied to a user, simplifying the security model. As
users change roles or leave an organization, access
modifications are tied to that identity, greatly reducing the
effort needed to change or disable accounts.
Application management. You can manage your cloud and on-
premises apps using Azure AD Application Proxy, SSO, the My
apps portal (also referred to as Access panel), and SaaS apps.
Business to business (B2B) identity services. Manage your
guest users and external partners while maintaining control over
your own corporate data
Business-to-Customer (B2C) identity services. Customize and
control how users sign up, sign in, and manage their profiles
when using your apps with services.
Device Management. Manage how your cloud or on-premises
devices access your corporate data.
Single Sign-On
SSO with Azure Active Directory
By leveraging Azure AD for SSO you'll also have the ability to
combine multiple data sources into an intelligent security graph.
This security graph enables the ability to provide threat analysis
and real-time identity protection to all accounts in Azure AD,
including accounts that are synchronized from your on-premises
AD.
By using a centralized identity provider, you'll have centralized
the security controls, reporting, alerting, and administration of
your identity infrastructure.
As Contoso Shipping integrates its existing Active Directory
instance with Azure AD, you will make controlling access
consistent across the organization.
Doing so will also greatly simplify the ability to sign into email
and Office 365 documents without having to reauthenticate.
The more identities a user must manage, the greater the risk of a
credential-related security incident. More identities mean more
passwords to remember and change. Password policies can vary
between applications and, as complexity requirements increase,
it becomes increasingly difficult for users to remember them.
Now, consider the logistics of managing all those identities.
Additional strain is placed on help desks as they deal with
account lockouts and password reset requests. If a user leaves
an organization, tracking down all those identities and ensuring
they are disabled can be challenging. If an identity is
overlooked, this could allow access when it should have been
eliminated.
With single sign-on (SSO), users need to remember only one ID
and one password. Access across applications is granted to a
single identity tied to a user, simplifying the security model. As
users change roles or leave an organization, access
modifications are tied to the single identity, greatly reducing
the effort needed to change or disable accounts. Using single
sign-on for accounts will make it easier for users to manage
their identities and will increase the security capabilities in
your environment.
Multi-factor authentication
Multi-factor authentication (MFA) provides additional security
for your identities by requiring two or more elements for full
authentication. These elements fall into three categories:
Something you know
Something you possess
Something you are
Something you know would be a password or the answer to a
security question. Something you possess could be a mobile app
that receives a notification or a token-generating
device. Something you are is typically some sort of biometric
property, such as a fingerprint or face scan used on many
mobile devices.
Using MFA increases security of your identity by limiting the
impact of credential exposure. An attacker who has a user's
password would also need to have possession of their phone or
their face in order to fully authenticate. Authentication with
only a single factor verified is insufficient, and the attacker
would be unable to use only those credentials to authenticate.
The benefits this brings to security are huge, and we can't
emphasize enough the importance of enabling MFA wherever
possible.
Azure AD has MFA capabilities built in and will integrate with other third-party MFA providers. MFA must be enforced for users in the Global Administrator role in Azure AD, because these are highly sensitive accounts, and should be enabled for all other accounts as well.
For Contoso Shipping, you decide to enable MFA any time a
user is signing in from a non-domain-connected computer —
which includes the mobile apps your drivers use.
Providing identities to services
It's usually valuable for services to have identities. Often, and
against best practices, credential information is embedded in
configuration files. With no security around these configuration
files, anyone with access to the systems or repositories can
access these credentials and risk exposure.
Azure AD addresses this problem through two methods: service
principals and managed identities for Azure services.
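The Application layer above asks that secrets go to secure storage, and this section names the usual failure: credentials embedded in configuration files. The following is an added example (not from Microsoft) of the detection a practitioner runs over repositories and configuration files before moving a service to a managed identity. The configuration file is constructed; the AWS access key id is AWS's documented example value; the two placeholder syntaxes that are skipped (${VAR} environment references and @Microsoft.KeyVault(...) App Service references) are the forms that point at a secret store rather than containing a secret.

```python
import re

# Constructed configuration file (not from the page); line numbers are what scan() reports.
SAMPLE_CONFIG = """\
[database]
host = db.internal
user = app
password = Tr0ub4dor&3
[storage]
connection = DefaultEndpointsProtocol=https;AccountName=constructed;AccountKey=Q29uc3RydWN0ZWRLZXlWYWx1ZQ==
[api]
client_secret = ${API_CLIENT_SECRET}
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
payments_url = https://svc:hunter2pass@payments.internal/
[tls]
key = -----BEGIN RSA PRIVATE KEY-----
"""

# Each rule: (name, regex). Group 1, where present, is the captured secret value.
PATTERNS = [
    ("password-in-url", re.compile(r"://[^\s:/@]+:([^\s@/]+)@")),
    ("password-assignment", re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|client_secret|api_key)\s*[=:]\s*[\"']?([^\s\"']{6,})")),
    ("connection-string-key", re.compile(r"(?i)(?:Password|AccountKey|SharedAccessKey)=([^;\s]+)")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
PLACEHOLDER_VALUES = {"changeme", "password", "example", "<redacted>", "xxxxxxxx", "todo"}


def is_reference(value: str) -> bool:
    """True for values that point at a secret store instead of containing a secret."""
    return value.startswith("${") or value.startswith("@Microsoft.KeyVault(")


def redact(value: str) -> str:
    """Never echo the whole secret into the scanner's own output or logs."""
    return value[:2] + "***" if value else ""


def scan(text: str):
    """Return (line_number, rule_name, redacted_value) for every embedded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if pattern.groups else ""
            if value and (value.lower() in PLACEHOLDER_VALUES or is_reference(value)):
                continue
            findings.append((lineno, name, redact(value)))
    return findings


if __name__ == "__main__":
    for lineno, rule, preview in scan(SAMPLE_CONFIG):
        print("line %d: %s (%s)" % (lineno, rule, preview))
```

Pattern rules like these catch the common shapes; a production scanner adds an entropy check for opaque tokens and runs as a pre-commit hook, because a secret that has been committed must be treated as exposed and rotated even if the commit is later removed.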
Service principals
To understand service principals, it's useful to first understand
the words identity and principal, because of how they are used
in the identity management world.
An identity is just a thing that can be authenticated. Obviously,
this includes users with a user name and password, but it can
also include applications or other servers, which might
authenticate with secret keys or certificates.
A principal is an identity acting with certain roles or claims.
Usually, it is not useful to consider identity and principal
separately, but think of using 'sudo' on a Bash prompt in Linux
or on Windows using "run as Administrator." In both those
cases, you are still logged in as the same identity as before, but
you've changed the role under which you are executing. Groups
are often also considered principals because they can have
rights assigned.
A service principal is an identity that is used by a service or
application. And like other identities, it can be assigned roles.
Managed identities for Azure services
The creation of service principals can be a tedious process, and
there are a lot of touch points that can make maintaining them
difficult. Managed identities for Azure services are much easier
and will do most of the work for you.
A managed identity can be created instantly for any Azure service that supports it, and the list is constantly growing. When you create a managed identity for a service, you are creating an identity in your organization's Azure AD tenant (a tenant is a specific organization's Azure AD instance). The Azure infrastructure provisions and rotates the credential and authenticates the service automatically, so no secret ever has to be stored in the service's code or configuration. You can then use that identity like any other Azure AD identity, including assigning it roles so that the authenticated service can securely access other Azure resources. A system-assigned identity is tied to the lifetime of one resource and deleted with it; a user-assigned identity is a standalone resource that several services can share.
Role-Based access control (RBAC)
Roles are sets of permissions, like "Read-only" or
"Contributor", that users can be granted to access an Azure
service instance.
Identities are mapped to roles directly or through group
membership. Separating security principals, access permissions,
and resources provides simple access management and fine-
grained control. Administrators are able to ensure the minimum
necessary permissions are granted.
Roles can be granted at the individual service instance level, but
they also flow down the Azure Resource Manager hierarchy.
RBAC scope
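How role assignments flow down the Azure Resource Manager hierarchy, as an added example (not from Microsoft): constructed role definitions shaped like the built-in Reader, Contributor and Virtual Machine Contributor roles (a role permits an action matched by Actions and not matched by NotActions), assignments at subscription, resource group and resource scope, and an evaluator that applies group membership, scope inheritance and the additive nature of Azure RBAC. The subscription id, names, group and assignments are all constructed.

```python
from fnmatch import fnmatchcase

# Constructed role definitions shaped like Azure built-in roles.
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Virtual Machine Contributor": {"actions": ["Microsoft.Compute/virtualMachines/*",
                                                "Microsoft.Network/*/read"],
                                    "not_actions": []},
}
GROUPS = {"ops-team": {"alice", "bob"}}

# Constructed scopes, from the subscription down to a single resource.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
VM1 = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm1"

# Constructed assignments at three different scopes.
ASSIGNMENTS = [
    {"principal": "ops-team", "role": "Reader", "scope": SUB},
    {"principal": "alice", "role": "Virtual Machine Contributor", "scope": RG_PROD},
    {"principal": "carol", "role": "Contributor", "scope": VM1},
]


def role_permits(role_name: str, action: str) -> bool:
    """Actions minus NotActions; '*' in a pattern spans '/' just as in Azure."""
    action = action.lower()
    role = ROLES[role_name]
    allowed = any(fnmatchcase(action, p.lower()) for p in role["actions"])
    denied = any(fnmatchcase(action, p.lower()) for p in role["not_actions"])
    return allowed and not denied


def scope_covers(scope: str, resource_id: str) -> bool:
    """An assignment applies to its own scope and to everything beneath it."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def principals_of(user: str):
    return {user} | {g for g, members in GROUPS.items() if user in members}


def effective_assignments(user: str, resource_id: str, assignments=ASSIGNMENTS):
    """Every assignment, direct or via group, whose scope includes the resource."""
    mine = principals_of(user)
    return [a for a in assignments
            if a["principal"] in mine and scope_covers(a["scope"], resource_id)]


def is_permitted(user: str, action: str, resource_id: str, assignments=ASSIGNMENTS) -> bool:
    """Azure RBAC is additive: any effective assignment that permits the action wins."""
    return any(role_permits(a["role"], action)
               for a in effective_assignments(user, resource_id, assignments))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, [a["role"] for a in effective_assignments(user, VM1)])
```

Because permissions only accumulate, the least-privilege question to ask of every assignment is "what is the narrowest scope at which this role still does the job"; a Contributor assignment at subscription scope reaches every resource group that will ever be created under it.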
Privileged Identity Management
In addition to managing Azure resource access with role-based
access control (RBAC), a comprehensive approach to
infrastructure protection should consider including the ongoing
auditing of role members as their organization changes and
evolves. Azure AD Privileged Identity Management (PIM) is an
additional, paid-for offering that provides oversight of role
assignments, self-service, and just-in-time role activation and
Azure AD and Azure resource access reviews.
Summary
Identity allows us to maintain a security perimeter, even outside
our physical control.
With single sign-on and appropriate role-based access configuration, we can be sure who has the ability to see and manipulate our data and infrastructure.
the opposition to Jesus: the world which does not know the Father who has sent Jesus into the world (17: 25–6).
Was Judas in charge of the arresting party (18. 3)? The REB (and some other translations) leaves the question open: ‘Judas made his way there with a detachment of soldiers, and with the temple police.’ One can visualize Judas mingling with the arresting party. The NRSV (and other translations) reflect the Greek much more accurately: ‘Judas brought a detachment of soldiers.’ Judas takes the initiative, leads the way, and hence is fully culpable.
John 18: 13 records that Jesus was taken first of all ‘to Annas, who was the father-in-law of Caiaphas, the high priest that year’. Annas is then referred to twice as ‘high priest’ (18: 19, 22). Since there could only be one high priest in post at any one time, is the evangelist’s reference to both Annas and Caiaphas as ‘high priest’ hopelessly muddled? Probably not. It is likely that the title ‘high priest’ continued to be used for Annas even after his departure from office: he held a ‘patriarchal’ position in high-priestly circles (cf. Luke 3: 2; Acts 4: 6), and still enjoyed the courtesy title, ‘high priest’, as did some other respected high priests (Josephus, Antiquities §34). The comment that Caiaphas was high priest ‘that year’ does not necessarily imply that the evangelist believed (wrongly) that the office was held for only one year: most scholars accept that the sense is ‘that particularly memorable year’.
The preceding discussion of some of the issues raised by a close reading of John 18 confirms that this gospel is like a stream in which children can wade and elephants swim. My hope is that my readers will want to become elephants and wade further into other parts of this fascinating but enigmatic gospel.
Purpose and setting
In the final verse of the gospel proper, the evangelist seems to state his purpose very clearly: the signs written in this book are recorded ‘so that you may believe that Jesus is the Christ, the Son of God’ (20: 31). But does the evangelist mean that these are written ‘so that you may continue to believe’ or ‘in order that you may come to believe’? Is the gospel written to strengthen faith or is it intended to be a missionary tract? Unfortunately the Greek is ambiguous. And to make matters worse two forms of the verb are found in the early manuscripts.
116 | the four gospels
Copyright © 2002. OUP Oxford. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 3/15/2020 1:53 PM via SAINT LEO UNIV. AN: 478397 ; Stanton, Graham.; The Gospels and Jesus. Account: stleocol
Most scholars accept that the evangelist writes with his own Christian readers and listeners primarily in mind. In 6: 68–9 Peter speaks for the reader: ‘Lord . . . you have the words of eternal life. We have come to believe and know that you are the Holy One of God.’ Passages such as 8: 31 (‘If you continue in my word, you are truly my disciples’) and 15: 4 ff. (‘Abide in me . . . those who abide in me, and I in them bear much fruit’) are addressed to believers. At the climax of the Prologue in 1: 14, the faith not only of the evangelist himself, but also of Christians associated with him, is confessed in the words: ‘we have beheld his glory, glory as of the only Son from the Father’ (cf. also 1: 16).
What do we know about the recipients of this gospel? We have already noted passages which indicate that they are involved in fierce controversy with the Jewish synagogue. (See pp. 99 and 111.) This is a pervasive theme. The rejection of Jesus by ‘his own people’ is noted in the Prologue (1: 11). In the dialogue with Nicodemus there is a dramatic change at 3: 11. Up until that point Jesus and Nicodemus have been speaking as individuals. But suddenly the evangelist switches to plural pronouns: this change cannot be brought out in English translations unless we resort to ‘thee’ and ‘thou’ in the preceding verses. In 3: 11 we move to John’s day and to discussion between Christians and Jews: ‘We (Christians) speak of what we know, and testify to what we have seen; but you (Jews) do not receive our testimony.’ In chapters 5–9 there are repeated references to the theological disputes between Christians and Jews. The evangelist’s readers are undoubtedly at loggerheads with their Jewish neighbours.
At least some members of the evangelist’s communities have parted company painfully with local synagogues. Down through history minority religious groups which have parted with the ‘parent’ group have tended to become inward-looking and isolated from the world ‘outside’. This attitude is often said to be ‘sectarian’, though that term begs questions of definition. What is hardly in doubt is that the evangelist and his readers are at odds not only with Judaism but with the world in general. This is reflected clearly in the farewell discourses addressed by Jesus to the disciples—but on another level the evangelist is speaking to his own readers and listeners. In 15: 18–19 Jesus says: ‘If the world hates you, be aware that it hated me before it hated you. If you belonged to the world, the world would love you as its own. But because you do not belong to the world, but I have chosen you out of the world—therefore the world hates you.’
john’s gospel: ‘i am the way’ | 117
This isolation from the world is also expressed clearly at the climax of the farewell discourses in chapter 17. Jesus does not pray for the world, but ‘on behalf of those whom you gave me’ (v. 9). The disciples are ‘not of the world, just as I am not of the world’ (vv. 14, 16).
Not surprisingly, the ethical teaching in this gospel is directed almost entirely to Christians. The ‘new commandment’ which Jesus gives his disciples is ‘love one another’ (13: 34). This is the central ethical principle in John: it is love for one’s fellow-Christian which is being expressed, not love for one’s neighbour or enemy. This is in strong contrast to Matt. 5: 44, ‘I say to you, Love your enemies and pray for those who persecute you’, and to the parable of the good Samaritan which is the reply to the lawyer’s question, ‘Who is my neighbour?’ (Luke 10: 25–37; cf. also Mark 12: 31 ff.). The sayings of Jesus in the synoptic gospels on marriage, divorce, property, and the state are all missing in John. There is no sign of Luke’s insistence that the story of Jesus is related in any way to world history (see above, pp. 80–1).
The recipients of this gospel, then, do seem to be decidedly at odds both with their Jewish neighbours and also with the world in general. What was their relationship to other strands of early Christianity? This is an interesting but difficult question: it raises numerous issues which we cannot pursue here. In his influential commentary Rudolf Bultmann (1971) argued that some passages in John were added by an ‘ecclesiastical redactor’ after its composition in order to bring it into line with ‘mainstream’ Christianity at the end of the first century. He claimed that in genuine Johannine thought there is no room for the sacraments; the passages which seem to allude to them most clearly were later additions. Similarly, the passages which refer to future judgement ‘at the last day’ (5: 28–9; 6: 39–40, 44, 54; 12: 48) are taken as additions. Bultmann insisted that the evangelist’s primary emphasis was on the judgement which takes place in the present when people are confronted with the claims of Jesus, so there can be no room for future judgement.
If Bultmann’s analysis is correct, then this gospel does represent a form of Christianity which is very different from most of the strands we can trace in the closing decades of the first century. But even if, with most
118 | the four gospels
THE GOSPEL ACCORDING TO JOHN
The Gospel according to John is quite different in character
from the three synoptic gospels. It is highly literary and
symbolic. It does not follow the same order or reproduce the
same stories as the synoptic gospels. To a much greater degree,
it is the product of a developed theological reflection and grows
out of a different circle and tradition. It was probably written in
the 90s of the first century.
The Gospel of John begins with a magnificent prologue, which
states many of the major themes and motifs of the gospel, much
as an overture does for a musical work. The prologue proclaims
Jesus as the preexistent and incarnate Word of God who has
revealed the Father to us. The rest of the first chapter forms the
introduction to the gospel proper and consists of the Baptist’s
testimony about Jesus (there is no baptism of Jesus in this
gospel—John simply points him out as the Lamb of God),
followed by stories of the call of the first disciples, in which
various titles predicated of Jesus in the early church are
presented.
The gospel narrative contains a series of “signs”—the gospel’s
word for the wondrous deeds of Jesus. The author is primarily
interested in the significance of these deeds, and so interprets
them for the reader by various reflections, narratives, and
discourses. The first sign is the transformation of water into
wine at Cana (Jn 2:1–11); this represents the replacement of the
Jewish ceremonial washings and symbolizes the entire creative
and transforming work of Jesus. The second sign, the cure of
the royal official’s son (Jn 4:46–54) simply by the word of
Jesus at a distance, signifies the power of Jesus’ life-giving
word. The same theme is further developed by other signs,
probably for a total of seven. The third sign, the cure of the
paralytic at the pool with five porticoes in chap. 5, continues
the theme of water offering newness of life. In the preceding
chapter, to the woman at the well in Samaria Jesus had offered
living water springing up to eternal life, a symbol of the
revelation that Jesus brings; here Jesus’ life-giving word
replaces the water of the pool that failed to bring life. Jn
6 contains two signs, the multiplication of loaves and the
walking on the waters of the Sea of Galilee. These signs are
connected much as the manna and the crossing of the Red Sea
are in the Passover narrative and symbolize a new exodus. The
multiplication of the loaves is interpreted for the reader by the
discourse that follows, where the bread of life is used first as a
figure for the revelation of God in Jesus and then for the
Eucharist. After a series of dialogues reflecting Jesus’ debates
with the Jewish authorities at the Feast of Tabernacles in Jn
7; 8, the sixth sign is presented in Jn 9, the sign of the young
man born blind. This is a narrative illustration of the theme of
conflict in the preceding two chapters; it proclaims the triumph
of light over darkness, as Jesus is presented as the Light of the
world. This is interpreted by a narrative of controversy between
the Pharisees and the young man who had been given his sight
by Jesus, ending with a discussion of spiritual blindness and
spelling out the symbolic meaning of the cure. And finally, the
seventh sign, the raising of Lazarus in chap. 11, is the climax of
signs. Lazarus is presented as a token of the real life that Jesus,
the Resurrection and the Life, who will now ironically be put to
death because of his gift of life to Lazarus, will give to all who
believe in him once he has been raised from the dead.
After the account of the seven signs, the “hour” of Jesus arrives,
and the author passes from sign to reality, as he moves into the
discourses in the upper room that interpret the meaning of the
passion, death, and resurrection narratives that follow. The
whole gospel of John is a progressive revelation of the glory of
God’s only Son, who comes to reveal the Father and then
returns in glory to the Father. The author’s purpose is clearly
expressed in what must have been the original ending of the
gospel at the end of Jn 20: “Now Jesus did many other signs in
the presence of [his] disciples that are not written in this book.
But these are written that you may [come to] believe that Jesus
is the Messiah, the Son of God, and that through this belief you
may have life in his name.”
Critical analysis makes it difficult to accept the idea that the
gospel as it now stands was written by one person. Jn 21 seems
to have been added after the gospel was completed; it exhibits a
Greek style somewhat different from that of the rest of the
work. The prologue (Jn 1:1–18) apparently contains an
independent hymn, subsequently adapted to serve as a preface to
the gospel. Within the gospel itself there are also some
inconsistencies, e.g., there are two endings of Jesus’ discourse
in the upper room (Jn 14:31; 18:1). To solve these problems,
scholars have proposed various rearrangements that would
produce a smoother order. However, most have come to the
conclusion that the inconsistencies were probably produced by
subsequent editing in which homogeneous materials were added
to a shorter original.
Other difficulties for any theory of eyewitness authorship of the
gospel in its present form are presented by its highly developed
theology and by certain elements of its literary style. For
instance, some of the wondrous deeds of Jesus have been
worked into highly effective dramatic scenes (Jn 9); there has
been a careful attempt to have these followed by discourses that
explain them (Jn 5; 6); and the sayings of Jesus have been
woven into long discourses of a quasi-poetic form resembling
the speeches of personified Wisdom in the Old Testament.
The gospel contains many details about Jesus not found in the
synoptic gospels, e.g., that Jesus engaged in a baptizing
ministry (Jn 3:22) before he changed to one of preaching and
signs; that Jesus’ public ministry lasted for several years (see
note on Jn 2:13); that he traveled to Jerusalem for various
festivals and met serious opposition long before his death (Jn
2:14–25; 5; 7–8); and that he was put to death on the day before
Passover (Jn 18:28). These events are not always in
chronological order because of the development and editing that
took place. However, the accuracy of much of the detail of the
fourth gospel constitutes a strong argument that the Johannine
tradition rests upon the testimony of an eyewitness. Although
tradition identified this person as John, the son of Zebedee,
most modern scholars find that the evidence does not support
this.
The fourth gospel is not simply history; the narrative has been
organized and adapted to serve the evangelist’s theological
purposes as well. Among them are the opposition to the
synagogue of the day and to John the Baptist’s followers, who
tried to exalt their master at Jesus’ expense, the desire to show
that Jesus was the Messiah, and the desire to convince
Christians that their religious belief and practice must be rooted
in Jesus. Such theological purposes have impelled the evangelist
to emphasize motifs that were not so clear in the synoptic
account of Jesus’ ministry, e.g., the explicit emphasis on his
divinity.
The polemic between synagogue and church produced bitter and
harsh invective, especially regarding the hostility toward Jesus
of the authorities—Pharisees and Sadducees—who are combined
and referred to frequently as “the Jews” (see note on Jn 1:19).
These opponents are even described in Jn 8:44 as springing
from their father the devil, whose conduct they imitate in
opposing God by rejecting Jesus, whom God has sent. On the
other hand, the author of this gospel seems to take pains to
show that women are not inferior to men in the Christian
community: the woman at the well in Samaria (Jn 4) is
presented as a prototype of a missionary (Jn 4:4–42), and the
first witness of the resurrection is a woman (Jn 20:11–18).
The final editing of the gospel and arrangement in its present
form probably dates from between A.D. 90 and 100.
Traditionally, Ephesus has been favored as the place of
composition, though many support a location in Syria, perhaps
the city of Antioch, while some have suggested other places,
including Alexandria.
The principal divisions of the Gospel according to John are the
following:
I. Prologue (1:1–18)
II. The Book of Signs (1:19–12:50)
III. The Book of Glory (13:1–20:31)
IV. Epilogue: The Resurrection Appearance in Galilee (21:1–25)
Paper 3
Identify any historical purpose(s) behind the writing of Luke’s
Gospel, Acts of the Apostles, and John’s Gospel. Include a
reference to any historical factor mentioned in the recommended
sources that may have triggered the writing of Luke’s Gospel,
Acts of the Apostles, and John’s Gospel as well as references
to statements within those three. Include at least one historical
factor and at least one reference to each Gospel studied. A
historical factor is one a historian would recognize whether the
historian has religious faith or not. Restrict your resources to
those below as well as any information within the course
modules. Be sure to distinguish between paraphrase and direct
quotes. Type a 350-750 word paper using MLA formatting.
Resources: eBook available via SLU library: Stanton, Graham. The Gospels of Jesus. Oxford U. Press, 2nd ed., 2002 (The Gospels of Jesus), pp. 116-118. See also Won-Ha Hwang & J G van der Watt. “The Identity of the Recipients of the Fourth Gospel in the Light of the Purpose of the Gospel.” HTS : Theological Studies, v63 n2 (Jun 2007): 683-698. (http://www.usccb.org/bible/scripture.cfm?bk=John&ch= and http://saintleo.worldcat.org/title/the-identity-of-the-recipients-of-the-fourth-gospel-in-the-light-ofthe-purpse-of-the-gospel/oclc/5878507889&referer=brief_results)
eBook available via SLU library: Balentine, Samuel E. The Oxford Encyclopedia of the Bible and Theology. Oxford University Press, 2014 (The Oxford Encyclopedia of the Bible and Theology), chapter “Luke-Acts.”
eBook available via SLU library: Carroll, John and Jennifer Cox. Luke: A Commentary. Westminster John Knox Press, 2012 (Luke: A Commentary), pp. 398-404.

• 1. School of Computer & Information Sciences
ITS-532 Cloud Computing
Chapter 5 – Identity as a Service (IDaaS)
Content from:
Primary Textbook: Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.
Secondary Textbook: Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.
Learning Objectives
Describe challenges related to ID management.
Describe and discuss single sign-on (SSO) capabilities.
List the advantages of IDaaS solutions.
Discuss IDaaS solutions offered by various companies.
IDaaS Defined
Identity (or identification) as a service (IDaaS)—Cloud-based approaches to managing user identities, including usernames, passwords, and access. Also sometimes referred to as “identity management as a service.”
• 2. Identity and Access Management (IAM)
Identity and Access Management includes the components and policies necessary to control user identity and access privileges.
Authentication: Username/Password, digital signatures, digital certificates, biometrics
Authorization: Granular controls for mapping identities and rights
User Management: Creation and administration of new user identities, groups, passwords, and policies
Credential Management: Establishes identities and access control rules for user accounts
(Erl, 2014)
Single Sign-On (SSO)
Single sign-on (SSO)—A process that allows a user to log into a central authority and then access other sites and services for which he or she has credentials.
• 3. Advantages of SSO
Fewer username and password combinations for users to remember and manage
Less password fatigue caused by the stress of managing multiple passwords
Less user time consumed by having to log in to individual systems
Fewer calls to help desks for forgotten passwords
A centralized location for IT staff to manage password compliance and reporting
Disadvantages of SSO
The primary disadvantage of SSO systems is the potential for a single source of failure. If the authentication server fails, users will not be able to log in to other servers. Thus, having a cloud-based authentication server with system redundancy reduces the risk of system unavailability.
How Single Sign-On Works
The single sign-on mechanism enables one cloud service consumer to be authenticated by a security broker. Once established, the security context is persistent when the consumer accesses other cloud-based IT resources.
(Erl, 2014)
Figure 10.9 - A cloud consumer provides the security broker with login credentials (1). The security broker responds with an
• 4. authentication token (message with small lock symbol) upon successful authentication, which contains cloud service consumer identity information (2) that is used to automatically authenticate the cloud service consumer across Cloud Services A, B, and C (3).
Federated ID Management
FIDM describes the technologies and protocols that combine to enable a user to bring security credentials across different security domains (different servers running potentially different operating systems).
Security Assertion Markup Language (SAML)
Behind the scenes, many FIDM systems use the Security Assertion Markup Language (SAML) to package a user’s security credentials.
Account Provisioning
The process of creating a user account on a system is called account provisioning. Because different employees may need different capabilities on each system, the provisioning process can be complex. When an employee leaves the company, a deprovisioning process must occur to remove the user’s accounts.
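The three-step flow of Figure 10.9 (credentials to the security broker, a signed token back, the token accepted across Cloud Services A, B and C without a second password prompt), as an added Python example that is not code from the textbooks or from Erl (2014). The HMAC-signed JSON token is a constructed stand-in for the SAML assertion a real FIDM deployment would issue; the user, password, signing key and service names are assumptions.

```python
"""Security-broker single sign-on modelled on the slides' three-step flow.

Added example, not code from the textbooks or from Erl (2014). The signed JSON
token is a constructed stand-in for a SAML assertion; user names, passwords,
the signing key and the service names are made up for the example.
"""
import base64
import hashlib
import hmac
import json
import os
import time


def _hash_password(password, salt):
    """Assumption: the broker stores salted PBKDF2 hashes, never plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecurityBroker:
    """Central authority: verifies credentials once, then issues a signed token."""

    def __init__(self, signing_key, token_ttl=300):
        self._key = signing_key
        self._ttl = token_ttl          # seconds the security context stays valid
        self._users = {}               # username -> (salt, hash, services the user may reach)

    def register(self, username, password, services):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt), list(services))

    def login(self, username, password, now=None):
        """Step 1: the consumer presents login credentials. Returns a token, or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, expected, services = record
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        now = time.time() if now is None else now
        # Step 2: the token carries the consumer's identity and which services it may reach.
        claims = {"sub": username, "aud": services, "iat": now, "exp": now + self._ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._key, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()


class CloudService:
    """A relying service: trusts the broker's signature instead of asking for a password again."""

    def __init__(self, name, broker_key):
        self.name = name
        self._key = broker_key         # shared with the broker out of band (assumption)

    def authenticate(self, token, now=None):
        """Step 3: admit the consumer only if the token is genuine, unexpired and meant for us."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".")
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(base64.urlsafe_b64decode(sig), expected):
                return None            # forged or tampered token
            claims = json.loads(base64.urlsafe_b64decode(body))
            if now >= claims["exp"] or self.name not in claims["aud"]:
                return None            # context lapsed, or token never meant for this service
            return claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None                # malformed token


def sso_demo(password="correct horse", tamper=False):
    """Run the flow once; returns which of Services A, B and C accepted the consumer."""
    key = b"constructed-broker-signing-key"
    broker = SecurityBroker(key)
    broker.register("alice", "correct horse", ["Service A", "Service B", "Service C"])
    token = broker.login("alice", password, now=1_700_000_000)
    if token is None:
        return {}                      # broker refused: no token, so no service is reachable
    if tamper:
        # Rewrite the subject inside the body; the signature no longer covers it.
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
        claims["sub"] = "mallory"
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        token = body + "." + sig
    services = [CloudService(n, key) for n in ("Service A", "Service B", "Service C")]
    return {s.name: s.authenticate(token, now=1_700_000_010) for s in services}


if __name__ == "__main__":
    print(sso_demo())                  # alice admitted by all three services
    print(sso_demo(password="wrong"))  # {} : broker refused
    print(sso_demo(tamper=True))       # every service rejects the tampered token
```

The single point of failure the slides warn about is visible here too: when the broker refuses or is unavailable, no token exists and none of the services can be reached.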
• 5. Unfortunately, the IT staff is not always immediately informed that an employee no longer works for the company, or the IT staff misses a server account and the user may still have access to one or more systems.
4 A’s of Cloud Identity
Authentication: The process of validating a user for on-site and cloud-based solutions.
Authorization: The process of determining and specifying what a user is allowed to do on each server.
Account management: The process of synchronizing user accounts by provisioning and deprovisioning access.
Audit logging: The process of tracking which applications users access and when.
Real World: Ping Identity IDaaS
Ping Identity provides cloud-based ID management software that supports FIDM and user account provisioning.
Real World: PasswordBank IDaaS
PasswordBank provides an IDaaS solution that supports on-site and cloud-based system access. Its Federated ID Management (FIDM/FIM) service supports enterprise-wide SSO (E-SSO) and
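A reconciliation check for the deprovisioning gap described above, which also uses the audit-logging "A" of the 4 A's to spot a leaver who is still logging in: an added Python example, not the textbook's code. The HR roster, the per-system account inventories and the audit-log lines are all constructed sample data, and the log format and system names are assumptions.

```python
"""Find accounts that deprovisioning missed, and leavers who still log in.

Added example, not the textbook's code. Roster, account inventories, log
format and log lines are constructed for the example.
"""
from datetime import datetime

# Constructed HR roster: who is still employed, and when leavers left.
HR_ROSTER = {
    "alice": {"active": True, "left": None},
    "bob": {"active": False, "left": "2020-03-01"},     # left, but IT was never told
    "carol": {"active": False, "left": "2020-02-15"},   # deprovisioned on vpn/fileserver, missed on crm
}

# Constructed per-system account inventories (what each server still knows about).
SYSTEM_ACCOUNTS = {
    "crm": ["alice", "bob", "carol"],
    "fileserver": ["alice", "bob", "svc-backup"],
    "vpn": ["alice", "bob"],
}

# Constructed audit-log lines: which application, which user, and when.
AUDIT_LOG = """\
2020-03-02T08:12:44Z crm login user=bob
2020-03-02T08:15:01Z fileserver login user=alice
2020-03-10T22:40:19Z vpn login user=bob
2020-02-10T09:00:00Z crm login user=carol
"""


def parse_audit_log(text):
    """Return (timestamp, system, user) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, system, _action, user_field = line.split()
        user = user_field.split("=", 1)[1]
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), system, user))
    return events


def orphaned_accounts(roster, system_accounts):
    """Accounts on any system whose owner has left, or whom HR does not know at all."""
    orphans = []
    for system, accounts in system_accounts.items():
        for account in accounts:
            person = roster.get(account)
            if person is None:
                orphans.append((system, account, "not in HR roster"))
            elif not person["active"]:
                orphans.append((system, account, "left " + person["left"]))
    return orphans


def post_termination_access(roster, events):
    """Audit-log events in which a leaver accessed a system on or after their leaving date."""
    hits = []
    for ts, system, user in events:
        person = roster.get(user)
        if person and not person["active"]:
            left = datetime.strptime(person["left"], "%Y-%m-%d")
            if ts >= left:
                hits.append((system, user, ts.isoformat()))
    return hits


def deprovisioning_worklist(roster=HR_ROSTER, system_accounts=SYSTEM_ACCOUNTS, log=AUDIT_LOG):
    """Combine both checks into the list an IT team would act on."""
    return {
        "remove": orphaned_accounts(roster, system_accounts),
        "investigate": post_termination_access(roster, parse_audit_log(log)),
    }


if __name__ == "__main__":
    for action, rows in deprovisioning_worklist().items():
        print(action)
        for row in rows:
            print("  ", row)
```

Accounts with no HR owner (here the constructed "svc-backup") are listed for review rather than silently ignored, since an unmapped account is exactly what a missed deprovisioning step looks like from the outside.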
• 6. SSO for web-based applications (WebSSO). The PasswordBank solutions perform the FIDM without the use of SAML.
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. This single sign-on (SSO) login standard has significant advantages over logging in using a username/password:
No need to type in credentials
No need to remember and renew passwords
No weak passwords
PasswordBank solutions support a myriad of devices, including the iPhone. PasswordBank's unique Identity-as-a-Service (IDaaS) Single Sign-On software securely automates all logons to corporate and cloud applications.
OpenID
OpenID allows users to use an existing account to log in to multiple websites. Today, more than 1 billion OpenID accounts exist and are accepted by thousands of websites. Companies that support OpenID include Google, Yahoo!, Flickr, Myspace, WordPress.com, and more.
• 7. OpenID was created in the summer of 2005 by an open source community trying to solve a problem that was not easily solved by other existing identity technologies. As such, OpenID is decentralized and not owned by anyone, nor should it be. Today, anyone can choose to use an OpenID or become an OpenID Provider for free without having to register or be approved by any organization.
Advantages of Using OpenID
Increased site conversion rates (rates at which customers choose to join websites) because users do not need to register
Access to greater user profile content
Fewer problems with lost passwords
Ease of content integration into social networking sites
Mobile ID Management
Threats to mobile devices include the following:
Identity theft if a device is lost or stolen
Eavesdropping on data communications
Surveillance of confidential screen content
Phishing of content from rogue sites
Man-in-the-middle attacks through intercepted signals
Inadequate device resources to provide a strong security implementation
Social attacks on unaware users that yield identity information
• 8. Cloud-Based Security Groups
Cloud resource segmentation is a process of creating separate physical and virtual IT environments for different users and groups to increase security.
(Erl, 2014)
Figure 10.11 - Cloud-Based Security Group A encompasses Virtual Servers A and D and is assigned to Cloud Consumer A. Cloud-Based Security Group B comprises Virtual Servers B, C, and E and is assigned to Cloud Consumer B. If Cloud Service Consumer A’s credentials are compromised, the attacker would only be able to access and damage the virtual servers in Cloud-Based Security Group A, thereby protecting Virtual Servers B, C, and E.
Hardened Virtual Server Images
When creating a virtual server from a template, the hardening process removes unnecessary software from the system to limit vulnerabilities that could be exploited by hackers.
(Erl, 2014)
Figure 10.13 - A cloud provider applies its security policies to harden its standard virtual server images.
Key Terms
• 9. References
Primary: Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.
Secondary: Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.
Identity Management
Identity Management as a Service (IDaaS): A Case Example Using MS Azure
Contents
Definitions
Security – A Shared Responsibility
Authentication and Authorization
Managed Identities (Azure)
• 10. Security Advantages
Organizations face many challenges with securing their datacenters, including recruiting and keeping security experts, using many security tools, and keeping pace with the volume and complexity of threats.
As computing environments move from customer-controlled datacenters to the cloud, the responsibility of security also shifts. Security of the operational environment is now a concern shared by both cloud providers and customers. By shifting these responsibilities to a cloud service like Azure, organizations can reduce focus on activities that aren't core business competencies. Depending on the specific technology choices, some security protections will be built into the particular service, while addressing others will remain the customer's responsibility. To ensure that the proper security controls are provided, a careful evaluation of the services and technology choices becomes necessary.
Security is a shared responsibility
• 11. The first shift you'll make is from on-premises data centers to infrastructure as a service (IaaS). With IaaS, you are leveraging the lowest-level service and asking Azure to create virtual machines (VMs) and virtual networks. At this level, it's still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure. At Contoso Shipping, you are taking advantage of IaaS when you start using Azure VMs instead of your on-premises physical servers. In addition to the operational advantages, you receive the security advantage of having outsourced concern over protecting the physical parts of the network.
Moving to platform as a service (PaaS) outsources several security concerns. At this level, Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls. PaaS also comes with many operational advantages. Rather than building whole infrastructures and subnets for your environments by hand, you can "point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed. Contoso Shipping uses Azure Event Hubs for ingesting telemetry data from drones and trucks — as well as a web app with an Azure Cosmos DB back end with its mobile apps — which are all examples of PaaS.
With software as a service (SaaS), you outsource almost everything. SaaS is software that runs with an internet infrastructure. The code is controlled by the vendor but configured to be used by the customer. Like so many companies, Contoso Shipping uses Office 365, which is a great example of SaaS!
For all cloud deployment types, you own your data and
  • 12. identities. You are responsible for helping secure your data and identities, your on-premises resources, and the cloud components you control (which vary by service type). Regardless of the deployment type, you always retain responsibility for the following items: Data Endpoints Accounts Access management 25 A Layered Approach Data In almost all cases, attackers are after data: Stored in a database Stored on disk inside virtual machines Stored on a SaaS application such as Office 365 Stored in cloud storage It's the responsibility of those storing and controlling access to data to ensure that it's properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data. 26 A Layered Approach
Application
Ensure applications are secure and free of vulnerabilities.
Store sensitive application secrets in a secure storage medium.
Make security a design requirement for all application development.
Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. We encourage all development teams to ensure their applications are secure by default, and that they're making security requirements non-negotiable.
27
A Layered Approach
Compute
Secure access to virtual machines.
Implement endpoint protection and keep systems patched and current.
Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and that you have the proper controls in place to minimize security issues.
28
A Layered Approach
Networking
Limit communication between resources.
Deny by default.
Restrict inbound internet access and limit outbound, where appropriate.
Implement secure connectivity to on-premises networks.
At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network.
29
A Layered Approach
Perimeter
Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users.
Use perimeter firewalls to identify and alert on malicious attacks against your network.
At the network perimeter, it's about protecting from network-based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
30
A Layered Approach
Identity and access
Control access to infrastructure and change control.
Use single sign-on and multi-factor authentication.
Audit events and changes.
The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged.
31
A Layered Approach
Physical security
Physical building security and controlling access to computing hardware within the data center is the first line of defense.
With physical security, the intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can't be bypassed, and that loss or theft is handled appropriately.
32
Authentication and Authorization
Authentication & Authorization Defined
Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes whether they are who they say they are.
Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.
34
Active Directory (Microsoft Azure)
What is Azure Active Directory?
Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your existing on-premises Active Directory, or it can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile, can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.
35
Azure Active Directory (AD)
Azure AD provides services such as:
Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
Single Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My Apps portal (also referred to as Access Panel), and SaaS apps.
Business-to-business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
Business-to-customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps with services.
Device management. Manage how your cloud or on-premises devices access your corporate data.
36
Single Sign-On
SSO with Azure Active Directory
By leveraging Azure AD for SSO you'll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables threat analysis and real-time identity protection for all accounts in Azure AD, including accounts that are synchronized from your on-premises AD. By using a centralized identity provider, you'll have centralized the security controls, reporting, alerting, and administration of your identity infrastructure. As Contoso Shipping integrates its existing Active Directory instance with Azure AD, you will make controlling access consistent across the organization. Doing so will also greatly simplify the ability to sign into email and Office 365 documents without having to reauthenticate.
The more identities a user must manage, the greater the risk of a credential-related security incident. More identities mean more passwords to remember and change. Password policies can vary between applications and, as complexity requirements increase, it becomes increasingly difficult for users to remember them. Now, consider the logistics of managing all those identities. Additional strain is placed on help desks as they deal with account lockouts and password reset requests. If a user leaves an organization, tracking down all those identities and ensuring they are disabled can be challenging. If an identity is overlooked, this could allow access when it should have been eliminated.
With single sign-on (SSO), users need to remember only one ID and one password. Access across applications is granted to a single identity tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to the single identity, greatly reducing the effort needed to change or disable accounts. Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.
37
Multi-factor authentication
Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
Something you know
Something you possess
Something you are
Something you know would be a password or the answer to a security question. Something you possess could be a mobile app that receives a notification or a token-generating device. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
Using MFA increases the security of your identity by limiting the impact of credential exposure. An attacker who has a user's password would also need to have possession of their phone or their face in order to fully authenticate. Authentication with only a single factor verified is insufficient, and the attacker would be unable to use only those credentials to authenticate. The benefits this brings to security are huge, and we can't emphasize enough the importance of enabling MFA wherever possible.
Azure AD has MFA capabilities built in and will integrate with other third-party MFA providers. MFA should be used for users in the Global Administrator role in Azure AD, because these are highly sensitive accounts. All other accounts can have MFA enabled. For Contoso Shipping, you decide to enable MFA any time a user is signing in from a non-domain-connected computer — which includes the mobile apps your drivers use.
38
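The "something you know" plus "something you possess" check described on the MFA slide, as an added example that is not part of the slides and is not how Azure AD implements MFA: it pairs a salted password hash with a standard RFC 6238 time-based one-time password, the kind a token-generating device or authenticator app produces. The user record layout, the constants and the demo seed (the published RFC test-vector key, not a real credential) are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo seed: the published RFC 4226 / RFC 6238 test-vector key.
# It is a test value, not a credential; real seeds come from os.urandom(20).
DEMO_SEED = b"12345678901234567890"
TIME_STEP = 30            # seconds per TOTP counter step (RFC 6238 default)
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP over the current 30-second step."""
    return hotp(secret, unix_time // TIME_STEP, digits)


def match_totp(secret: bytes, code: str, unix_time: int, window: int = 1):
    """Return the counter step that produced `code`, tolerating +/-window steps
    of clock drift, or None. compare_digest keeps the comparison constant-time."""
    base = unix_time // TIME_STEP
    for delta in range(-window, window + 1):
        if base + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, base + delta), code):
            return base + delta
    return None


def make_user(password: str, seed: bytes) -> dict:
    """Constructed user record: salted password hash plus the enrolled TOTP seed.
    last_counter remembers the newest accepted code so a captured OTP cannot be
    replayed within the drift window."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_seed": seed,
        "last_counter": -1,
    }


def check_password(user: dict, password: str) -> bool:
    """'Something you know': recompute the hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["pw_hash"])


def authenticate(user: dict, password: str, otp, unix_time: int) -> str:
    """Two-factor login: the password AND a fresh code from the enrolled device
    must both verify. The response does not reveal which factor failed."""
    pw_ok = check_password(user, password)
    counter = match_totp(user["totp_seed"], otp, unix_time) if otp else None
    otp_ok = counter is not None and counter > user["last_counter"]
    if pw_ok and otp_ok:
        user["last_counter"] = counter       # burn the code: each OTP works once
        return "ok"
    return "denied"


if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_SEED)
    now = 1111111109                          # RFC 6238 test timestamp
    # Password alone: what a leaked or phished credential gives an attacker
    print(authenticate(user, "correct horse battery staple", None, now))
    # Password plus the code the enrolled device would show right now
    print(authenticate(user, "correct horse battery staple", totp(DEMO_SEED, now), now))
```

The slide's point shows up directly in `authenticate`: a correct password with no code returns "denied", and an accepted code is burned through `last_counter`, so a code observed in transit cannot be replayed inside the drift window.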
Providing identities to services
It's usually valuable for services to have identities. Often, and against best practices, credential information is embedded in configuration files. With no security around these configuration files, anyone with access to the systems or repositories can access these credentials and risk exposure. Azure AD addresses this problem through two methods: service principals and managed identities for Azure services.
39
Service principals
To understand service principals, it's useful to first understand the words identity and principal, because of how they are used in the identity management world.
An identity is just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates.
A principal is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and principal separately, but think of using 'sudo' on a Bash prompt in Linux or on Windows using "run as Administrator." In both those cases, you are still logged in as the same identity as before, but you've changed the role under which you are executing. Groups are often also considered principals because they can have rights assigned.
A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
40
An identity
An identity is just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates.
41
A principal
A principal is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and principal separately, but think of using 'sudo' on a Bash prompt in Linux or on Windows using "run as Administrator." In both those cases, you are still logged in as the same identity as before, but you've changed the role under which you are executing. Groups are often also considered principals because they can have rights assigned.
42
A service principal
A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
43
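The two sides of the "Providing identities to services" slide above, as an added example that is not from the slides or from any Microsoft SDK: a check that flags credentials embedded in a configuration file, beside the token request a workload with a managed identity makes instead. The IMDS URL, API version and Metadata header are Azure's documented managed identity endpoint; the config text, the credential key list, the fake transport and the token value are constructed so the example runs offline.

```python
import json
import re
from typing import Callable, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# --- Anti-pattern: constructed config file with credentials embedded in it ---
# (every value below is made up; the point is the key names, not the values)
EMBEDDED_CONFIG = """\
[storage]
account = contososhipping
connection_string = DefaultEndpointsProtocol=https;AccountName=contososhipping;AccountKey=NOT-A-REAL-KEY==
[aad]
client_id = 00000000-0000-0000-0000-000000000000
client_secret = not-a-real-secret
"""

# Key names that indicate a stored credential (assumed list; extend for your estate).
CREDENTIAL_KEY = re.compile(
    r"^\s*(?P<key>\w*(?:secret|password|accountkey|connection_string|sas_token)\w*)\s*=\s*\S",
    re.IGNORECASE,
)


def find_embedded_credentials(config_text: str) -> list:
    """Return (line number, key) for each config line that stores a credential.
    A repository or build check like this catches the 'secret in a config file'
    pattern before the file reaches a system anyone can read."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = CREDENTIAL_KEY.match(line)
        if m:
            hits.append((lineno, m.group("key")))
    return hits


# --- Preferred pattern: a managed identity, so the code holds no secret at all ---
# Azure's documented instance metadata (IMDS) token endpoint for managed identities.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_request(resource: str) -> Request:
    """Build the token request a VM with a system-assigned managed identity sends.
    Nothing secret goes on the wire: the platform already knows which VM is asking.
    The mandatory 'Metadata: true' header is there so that requests relayed by a
    proxy (for example through a server-side request forgery) are rejected."""
    query = urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return Request(f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})


def get_managed_identity_token(resource: str,
                               transport: Optional[Callable[[Request], bytes]] = None) -> dict:
    """Fetch and validate a token response. `transport` is injectable so the flow
    can be exercised offline; by default the real endpoint is called, which only
    works on an Azure VM that has a managed identity enabled."""
    req = build_imds_request(resource)
    if transport is None:
        transport = lambda r: urlopen(r, timeout=2).read()   # noqa: E731
    body = json.loads(transport(req))
    for required in ("access_token", "expires_on", "resource", "token_type"):
        if required not in body:
            raise ValueError(f"IMDS response missing '{required}'")
    if body["resource"].rstrip("/") != resource.rstrip("/"):
        raise ValueError("token was issued for a different resource")
    return body


def fake_imds_transport(req: Request) -> bytes:
    """Constructed stand-in for IMDS used to run this example offline."""
    if req.get_header("Metadata") != "true":
        raise PermissionError("IMDS rejects requests without 'Metadata: true'")
    return json.dumps({
        "access_token": "eyJ.constructed.token",   # placeholder, not a real JWT
        "expires_on": "1700000000",
        "resource": "https://management.azure.com/",
        "token_type": "Bearer",
    }).encode()


if __name__ == "__main__":
    for lineno, key in find_embedded_credentials(EMBEDDED_CONFIG):
        print(f"line {lineno}: '{key}' stores a credential in the config file")
    token = get_managed_identity_token("https://management.azure.com/", fake_imds_transport)
    print("managed identity token type:", token["token_type"])
```

On a real VM `get_managed_identity_token` is called without a transport and IMDS answers; the only thing the workload ever holds is a short-lived bearer token, which is what takes the secret out of the repository and the config file in the first place.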
Managed identities for Azure services
The creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. Managed identities for Azure services are much easier and will do most of the work for you. A managed identity can be instantly created for any Azure service that supports it—and the list is constantly growing. When you create a managed identity for a service, you are creating an account in your organization's Active Directory (a specific organization's Active Directory instance is known as an "Active Directory tenant"). The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources.
45
Role-Based Access Control (RBAC)
Roles are sets of permissions, like "Read-only" or "Contributor", that users can be granted to access an Azure service instance. Identities are mapped to roles directly or through group membership. Separating security principals, access permissions, and resources provides simple access management and fine-grained control. Administrators are able to ensure the minimum necessary permissions are granted. Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy.
46
RBAC scope
47
Privileged Identity Management
In addition to managing Azure resource access with role-based access control (RBAC), a comprehensive approach to infrastructure protection should consider including the ongoing auditing of role members as their organization changes and evolves. Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service, and just-in-time role activation, and Azure AD and Azure resource access reviews.
48
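The RBAC and PIM slides above, as an added example of the authorization logic they describe (a constructed model, not the slides' own material and not Azure's implementation): role assignments at a scope that flow down the Resource Manager hierarchy, roles reached directly or through group membership, an eligible assignment that grants nothing until it is activated just in time and then expires, and the SSO point from earlier that disabling one identity removes all of its access at once. The role definitions approximate the built-in Reader ("Read-only" on the slide), Contributor and Owner roles; the scopes, users and assignments are constructed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Role definitions modelled on Azure built-in roles (an approximation for this
# example, not the exact built-in definitions). Actions are matched case-
# insensitively with '*' wildcards; NotActions carve exceptions out of Actions.
ROLES = {
    "Reader":      {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete"]},
    "Owner":       {"actions": ["*"], "not_actions": []},
}

# Constructed scopes following the Resource Manager hierarchy:
# subscription > resource group > resource.
SUB = "/subscriptions/sub-contoso-demo"
RG = SUB + "/resourceGroups/rg-telemetry"
HUB = RG + "/providers/Microsoft.EventHub/namespaces/drone-hub"


@dataclass
class Assignment:
    principal: str                        # user or group name
    role: str
    scope: str
    eligible: bool = False                # PIM-style: grants nothing until activated
    active_until: Optional[int] = None    # unix time at which the activation expires


@dataclass
class Directory:
    users: dict = field(default_factory=dict)
    assignments: list = field(default_factory=list)

    def add_user(self, name, groups=(), enabled=True):
        self.users[name] = {"groups": set(groups), "enabled": enabled}

    def disable_user(self, name):
        """Deprovisioning: one switch on the single identity removes all access."""
        self.users[name]["enabled"] = False

    def activate(self, user, role, scope, now, minutes=60) -> bool:
        """Just-in-time activation of an eligible assignment, bounded in time."""
        for a in self.assignments:
            if a.principal == user and a.role == role and a.scope == scope and a.eligible:
                a.active_until = now + minutes * 60
                return True
        return False


def scope_covers(assigned: str, target: str) -> bool:
    """A role granted at a scope flows down to everything beneath it."""
    assigned = assigned.rstrip("/")
    return target == assigned or target.startswith(assigned + "/")


def role_permits(role: str, action: str) -> bool:
    d = ROLES[role]
    allowed = any(fnmatchcase(action.lower(), p.lower()) for p in d["actions"])
    denied = any(fnmatchcase(action.lower(), p.lower()) for p in d["not_actions"])
    return allowed and not denied


def authorize(directory: Directory, user: str, action: str, target: str, now: int) -> bool:
    """Authorization check: may this authenticated identity perform `action` on
    `target` right now? Roles arrive directly or through group membership."""
    rec = directory.users.get(user)
    if rec is None or not rec["enabled"]:
        return False
    principals = {user} | rec["groups"]
    for a in directory.assignments:
        if a.principal not in principals or not scope_covers(a.scope, target):
            continue
        if a.eligible and (a.active_until is None or now >= a.active_until):
            continue                      # eligible but not (or no longer) activated
        if role_permits(a.role, action):
            return True
    return False


def build_demo_directory() -> Directory:
    """Constructed tenant: an ops group that can read everywhere, one engineer
    who may change only the telemetry resource group, and an eligible (PIM) owner."""
    d = Directory()
    d.add_user("alice", groups=["ops-team"])
    d.add_user("bob")
    d.assignments += [
        Assignment("ops-team", "Reader", SUB),            # inherited by every resource
        Assignment("alice", "Contributor", RG),           # least privilege: one RG only
        Assignment("bob", "Owner", SUB, eligible=True),   # needs activation first
    ]
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    print(authorize(d, "alice", "Microsoft.EventHub/namespaces/write", HUB, now=0))   # True
    print(authorize(d, "bob", "Microsoft.EventHub/namespaces/write", HUB, now=0))     # False
    d.activate("bob", "Owner", SUB, now=0)
    print(authorize(d, "bob", "Microsoft.EventHub/namespaces/write", HUB, now=0))     # True
    d.disable_user("alice")
    print(authorize(d, "alice", "Microsoft.EventHub/namespaces/read", HUB, now=0))    # False
```

Two design points worth noticing: Contributor's NotActions stop a resource-level operator from handing out roles (the slide's "minimum necessary permissions"), and an activation is a time-bounded attribute of the assignment rather than a second assignment, which is what makes the PIM access reviews on the slide meaningful.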
Summary
Identity allows us to maintain a security perimeter, even outside our physical control. With single sign-on and appropriate role-based access configuration, we can always be sure who has the ability to see and manipulate our data and infrastructure.
49
  • 29. Chapter 5 – Identity as a Service (IDaaS) Content from: Primary Textbook: Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning. Secondary Textbook: Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall. 1 Learning Objectives Describe challenges related to ID management. Describe and discuss single sign-on (SSO) capabilities. List the advantages of IDaaS solutions. Discuss IDaaS solutions offered by various companies. IDaaS Defined Identity (or identification) as a service (IDaaS)—Cloud-based approaches to managing user identities, including usernames, passwords, and access. Also sometimes referred to as “identity management as a service. Identity and Access Management (IAM) Identity and Access Management includes the components and policies necessary to control user identify and access privileges.
  • 30. Authentication Username/Password, digital signatures, digital certificates, biometrics Authorization Granular controls for mapping identities and rights User Management Creation and administration of new user identities, groups, passwords, and policies Credential Management Establishes identities and access control rules for user accounts 4 (Erl, 2014) Single Sign-On (SSO) Single sign-on (SSO)—PA process that allows a user to log into a central authority and then access other sites and services for which he or she has credentials. Advantages of SSO Fewer username and password combinations for users to remember and manage Less password fatigue caused by the stress of managing multiple passwords Less user time consumed by having to log in to individual systems Fewer calls to help desks for forgotten passwords A centralized location for IT staff to manage password
  • 31. compliance and reporting Disadvantages of SSO The primary disadvantage of SSO systems is the potential for a single source of failure. If the authentication server fails, users will not be able to log in to other servers. Thus, having a cloud-based authentication server with system redundancy reduces the risk of system unavailability. How Single Sign On Works The single sign on mechanism enables one cloud service consumer to be authenticated by a security broker. Once established, the security context is persistent when the consumer accesses other cloud based IT resources. 8 (Erl, 2014) Figure 10.9 - A cloud consumer provides the security broker with login credentials (1). The security broker response with an authentication token (message with small lock symbol) upon successful authentication, which contains cloud service consumer identify information (2) that is used to automatically authenticate the cloud service consumer across Cloud Services A, B, and C (3).
  • 32. Federated ID Management FIDM describes the technologies and protocols that combine to enable a user to bring security credentials across different security domains (different servers running potentially different operating systems). Security Assertion Markup Language (SAML) Behind the scenes, many FIDM systems use the Security Assertion Markup Language (SAML) to package a user’s security credentials. Account Provisioning The process of creating a user account on a system is called account provisioning. Because different employees may need different capabilities on each system, the provisioning process can be complex. When an employee leaves the company, a deprovisioning process must occur to remove the user’s accounts. Unfortunately, the IT staff is not always immediately informed that an employee no longer works for the company, or the IT staff misses a server account and the user may still have access to one or more systems. 4 A’s of Cloud Identity
  • 33. Authentication: The process of validating a user for on-site and cloud-based solutions. Authorization: The process of determining and specifying what a user is allowed to do on each server. Account management: The process of synchronizing user accounts by provisioning and deprovisioning access. Audit logging: The process of tracking which applications users access and when. Real World: Ping Identity IDaaS Ping Identity provides cloud-based ID management software that supports FIDM and user account provisioning. Real World: PassworkBank IDaaS PasswordBank provides an IDaaS solution that supports on-site and cloud-based system access. Its Federated ID Management (FIDM/FIM) service supports enterprise-wide SSO (E-SSO) and SSO for web-based applications (WebSSO). The PasswordBank solutions perform the FIDM without the use of SAML. Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. This single sign-on (SSO) login standard has significant advantages over logging in using
  • 34. a username/password: No need to type in credentials No need to remember and renew passwords No weak passwords PasswordBank solutions support a myriad of devices, including the iPhone. PasswordBank's unique Identity-as-a-Service (IDaaS) Single Sign-On software securely automates all logons to corporate and cloud applications. OpenID OpenID allows users to use an existing account to log in to multiple websites. Today, more than 1 billion OpenID accounts exist and are accepted by thousands of websites. Companies that support OpenID include Google, Yahoo!, Flickr, Myspace, WordPress.com, and more OpenID was created in the summer of 2005 by an open source community trying to solve a problem that was not easily solved by other existing identity technologies. OpenID was created in the summer of 2005 by an open source community trying to solve a problem that was not easily solved by other existing identity technologies. As such, OpenID is decentralized and not owned by anyone, nor should it be. Today, anyone can choose to use an OpenID or become an OpenID Provider for free without having to register or be approved by any organization. 15
  • 35. Advantages of Using OpenID Increased site conversion rates (rates at which customers choose to join websites) because users do not need to register Access to greater user profile content Fewer problems with lost passwords Ease of content integration into social networking sites Mobile ID Management Threats to mobile devices include the following: Identity theft if a device is lost or stolen Eavesdropping on data communications Surveillance of confidential screen content Phishing of content from rogue sites Man-in-the-middle attacks through intercepted signals Inadequate device resources to provide a strong security implementation Social attacks on unaware users that yield identity information Cloud Based Security Groups Cloud resource segmentation is a process of creating separate physical and virtual IT environments for different users and groups to increase security. 18 (Erl, 2014) Figure 10.11 - Cloud-Based Security Group A encompasses Virtual Servers A and D and is assigned to Cloud Consumer A. Cloud-Based Security Group B is comprised of Virtual Servers
  • 36. B, C, and E and is assigned to Cloud Consumer B. If Cloud Service Consumer A’s credentials are compromised, the attacker would only be able to access and damage the virtual servers in Cloud-Based Security Group A, thereby protecting Virtual Servers B, C, and E. Hardened Virtual Server Images When creating a virtual server from a template, the hardening process removes unnecessary software from the system to limit vulnerabilities that could be exploited by hackers. 19 (Erl, 2014) Figure 10.13 - A cloud provider applies its security policies to harden its standard virtual server images. Key Terms References Primary: Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning. Secondary: Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing:
  • 37. concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall. 21 Identity management Identity Management as a service (IDAAS) A Case example using ms azure Contents Definitions Security – A Shared Responsibility Authentication and Authorization Managed Identities (Azure) Security Advantages Organizations face many challenges with securing their
  • 38. datacenters, including recruiting and keeping security experts, using many security tools, and keeping pace with the volume and complexity of threats. As computing environments move from customer-controlled datacenters to the cloud, the responsibility of security also shifts. Security of the operational environment is now a concern shared by both cloud providers and customers. By shifting these responsibilities to a cloud service like Azure, organizations can reduce focus on activities that aren't core business competencies. Depending on the specific technology choices, some security protections will be built into the particular service, while addressing others will remain the customer's responsibility. To ensure that the proper security controls are provided, a careful evaluation of the services and technology choices becomes necessary. 24 Security is a shared responsibility Look in the slide notes below for topics to consider talking about The first shift you'll make is from on-premises data centers to infrastructure as a service (IaaS). With IaaS, you are leveraging the lowest-level service and asking Azure to create virtual machines (VMs) and virtual networks. At this level, it's still your responsibility to patch and secure your operating systems and software, as well as configure your network to be secure. At
  • 39. Contoso Shipping, you are taking advantage of IaaS when you start using Azure VMs instead of your on-premises physical servers. In addition to the operational advantages, you receive the security advantage of having outsourced concern over protecting the physical parts of the network. Moving to platform as a service (PaaS) outsources several security concerns. At this level, Azure is taking care of the operating system and of most foundational software like database management systems. Everything is updated with the latest security patches and can be integrated with Azure Active Directory for access controls. PaaS also comes with many operational advantages. Rather than building whole infrastructures and subnets for your environments by hand, you can "point and click" within the Azure portal or run automated scripts to bring complex, secured systems up and down, and scale them as needed. Contoso Shipping uses Azure Event Hubs for ingesting telemetry data from drones and trucks — as well as a web app with an Azure Cosmos DB back end with its mobile apps — which are all examples of PaaS. With software as a service (SaaS), you outsource almost everything. SaaS is software that runs with an internet infrastructure. The code is controlled by the vendor but configured to be used by the customer. Like so many companies, Contoso Shipping uses Office 365, which is a great example of SaaS! For all cloud deployment types, you own your data and identities. You are responsible for helping secure your data and identities, your on-premises resources, and the cloud components you control (which vary by service type). Regardless of the deployment type, you always retain responsibility for the following items: Data Endpoints Accounts
  • 40. Access management 25 A Layered Approach Data In almost all cases, attackers are after data: Stored in a database Stored on disk inside virtual machines Stored on a SaaS application such as Office 365 Stored in cloud storage It's the responsibility of those storing and controlling access to data to ensure that it's properly secured. Often, there are regulatory requirements that dictate the controls and processes that must be in place to ensure the confidentiality, integrity, and availability of the data. 26 A Layered Approach Application Ensure applications are secure and free of vulnerabilities. Store sensitive application secrets in a secure storage medium. Make security a design requirement for all application development.
  • 41. Integrating security into the application development life cycle will help reduce the number of vulnerabilities introduced in code. We encourage all development teams to ensure their applications are secure by default, and that they're making security requirements non-negotiable. 27 A Layered Approach Compute Secure access to virtual machines. Implement endpoint protection and keep systems patched and current. Malware, unpatched systems, and improperly secured systems open your environment to attacks. The focus in this layer is on making sure your compute resources are secure, and that you have the proper controls in place to minimize security issues 28 A Layered Approach Networking Limit communication between resources.
  • 42. Deny by default. Restrict inbound internet access and limit outbound, where appropriate. Implement secure connectivity to on-premises networks. At this layer, the focus is on limiting the network connectivity across all your resources to allow only what is required. By limiting this communication, you reduce the risk of lateral movement throughout your network. 29 A Layered Approach Perimeter Use distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for end users. Use perimeter firewalls to identify and alert on malicious attacks against your network. At the network perimeter, it's about protecting from network- based attacks against your resources. Identifying these attacks, eliminating their impact, and alerting you when they happen are important ways to keep your network secure.
  • 43. 30 A Layered Approach Identity and access Control access to infrastructure and change control. Use single sign-on and multi-factor authentication. Audit events and changes. The identity and access layer is all about ensuring identities are secure, access granted is only what is needed, and changes are logged. 31 A Layered Approach Physical security Physical building security and controlling access to computing hardware within the data center is the first line of defense. With physical security, the intent is to provide physical safeguards against access to assets. These safeguards ensure that other layers can't be bypassed, and loss or theft is handled appropriately.
Authentication and Authorization
Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials and provides the basis for creating a security principal for identity and access control use. It establishes whether they are who they say they are.
Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they're allowed to access and what they can do with it.

Azure Active Directory (Microsoft Azure)
What is Azure Active Directory?
Azure AD is a cloud-based identity service. It has built-in support for synchronizing with your existing on-premises Active Directory or can be used stand-alone. This means that all your applications, whether on-premises, in the cloud (including Office 365), or even mobile, can share the same credentials. Administrators and developers can control access to internal and external data and applications using centralized rules and policies configured in Azure AD.

Azure Active Directory (AD)
Azure AD provides services such as:
Authentication. This includes verifying identity to access applications and resources, and providing functionality such as self-service password reset, multi-factor authentication (MFA), a custom banned password list, and smart lockout services.
Single Sign-On (SSO). SSO enables users to remember only one ID and one password to access multiple applications. A single identity is tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to that identity, greatly reducing the effort needed to change or disable accounts.
Application management. You can manage your cloud and on-premises apps using Azure AD Application Proxy, SSO, the My Apps portal (also referred to as the Access Panel), and SaaS apps.
Business-to-business (B2B) identity services. Manage your guest users and external partners while maintaining control over your own corporate data.
Business-to-customer (B2C) identity services. Customize and control how users sign up, sign in, and manage their profiles when using your apps.
Device management. Manage how your cloud or on-premises devices access your corporate data.

Single Sign-On
SSO with Azure Active Directory
By leveraging Azure AD for SSO you'll also have the ability to combine multiple data sources into an intelligent security graph. This security graph enables threat analysis and real-time identity protection for all accounts in Azure AD, including accounts that are synchronized from your on-premises AD. By using a centralized identity provider, you'll have centralized the security controls, reporting, alerting, and administration of your identity infrastructure. As Contoso Shipping integrates its existing Active Directory instance with Azure AD, you will make controlling access consistent across the organization. Doing so will also greatly simplify the ability to sign into email and Office 365 documents without having to reauthenticate.
The more identities a user must manage, the greater the risk of a credential-related security incident. More identities mean more passwords to remember and change. Password policies can vary between applications and, as complexity requirements increase, it becomes increasingly difficult for users to remember them. Now consider the logistics of managing all those identities. Additional strain is placed on help desks as they deal with account lockouts and password reset requests. If a user leaves an organization, tracking down all those identities and ensuring they are disabled can be challenging. If an identity is overlooked, this could allow access when it should have been eliminated.
With single sign-on (SSO), users need to remember only one ID and one password. Access across applications is granted to a single identity tied to a user, simplifying the security model. As users change roles or leave an organization, access modifications are tied to the single identity, greatly reducing the effort needed to change or disable accounts. Using single sign-on for accounts will make it easier for users to manage their identities and will increase the security capabilities in your environment.

Multi-factor authentication
Multi-factor authentication (MFA) provides additional security for your identities by requiring two or more elements for full authentication. These elements fall into three categories:
Something you know
Something you possess
Something you are
Something you know would be a password or the answer to a security question. Something you possess could be a mobile app that receives a notification or a token-generating device. Something you are is typically some sort of biometric property, such as a fingerprint or face scan used on many mobile devices.
Using MFA increases the security of your identity by limiting the impact of credential exposure. An attacker who has a user's password would also need to have possession of their phone or their face in order to fully authenticate. Authentication with only a single factor verified is insufficient, and the attacker would be unable to use only those credentials to authenticate. The benefits this brings to security are huge, and we can't emphasize enough the importance of enabling MFA wherever possible.
Azure AD has MFA capabilities built in and will integrate with other third-party MFA providers. MFA should be required for users in the Global Administrator role in Azure AD, because these are highly sensitive accounts; it can and should be enabled for all other accounts as well. For Contoso Shipping, you decide to enable MFA any time a user is signing in from a non-domain-connected computer, which includes the mobile apps your drivers use.

Providing identities to services
It's usually valuable for services to have identities. Often, and against best practices, credential information is embedded in configuration files. With no security around these configuration files, anyone with access to the systems or repositories can access these credentials and risk exposure. Azure AD addresses this problem through two methods: service principals and managed identities for Azure services.
Service principals
To understand service principals, it's useful to first understand the words identity and principal, because of how they are used in the identity management world.
An identity is just a thing that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates.
A principal is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and principal separately, but think of using 'sudo' on a Bash prompt in Linux or on Windows using "run as Administrator." In both those cases, you are still logged in as the same identity as before, but you've changed the role under which you are executing. Groups are often also considered principals because they can have rights assigned.
A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.

Managed identities for Azure services
The creation of service principals can be a tedious process, and there are a lot of touch points that can make maintaining them difficult. Managed identities for Azure services are much easier and will do most of the work for you. A managed identity can be instantly created for any Azure service that supports it, and the list is constantly growing. When you create a managed identity for a service, you are creating an account in your organization's Azure AD directory (a specific organization's Azure AD instance is known as an "Azure AD tenant"). The Azure infrastructure will automatically take care of authenticating the service and managing the account. You can then use that account like any other Azure AD account, including securely letting the authenticated service access other Azure resources.

Role-Based Access Control (RBAC)
Roles are sets of permissions, like "Read-only" or "Contributor", that users can be granted to access an Azure service instance. Identities are mapped to roles directly or through group membership. Separating security principals, access permissions, and resources provides simple access management and fine-grained control. Administrators are able to ensure the minimum necessary permissions are granted. Roles can be granted at the individual service instance level, but they also flow down the Azure Resource Manager hierarchy.
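The following is an added example, not code from the page, from Microsoft or from Azure, that models the mechanics described in the service principal and RBAC passages above: users, groups and service principals are all principals; a role is a set of action patterns; a role assignment binds a principal to a role at a scope; and assignments flow down the Resource Manager hierarchy from subscription to resource group to resource. The subscription id, resource names, principal ids, group membership and role definitions are constructed for the example. The action strings follow the Azure "Provider/resourceType/operation" naming form, and the Contributor NotActions carve-out mirrors the built-in role's intent (may change resources, may not grant access), but this evaluator is not Azure's authorization engine.

```python
"""Illustrative model of Azure RBAC scope inheritance (example written for this
page; not Azure's authorization engine). All identifiers, role definitions
and assignments are constructed sample data."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Set


def matches_any(action: str, patterns: Iterable[str]) -> bool:
    """Case-insensitive wildcard match; '*' may span '/' as in Azure action patterns."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scope_covers(scope: str, resource_id: str) -> bool:
    """An assignment at `scope` covers `resource_id` if the ids are equal or `scope` is an ancestor path."""
    scope, rid = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return rid == scope or rid.startswith(scope + "/")


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple                # permitted action patterns
    not_actions: tuple = ()       # subtracted from actions; never a grant on its own


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str             # a user, a group or a service principal
    role: str
    scope: str                    # Resource Manager id at which the role applies


@dataclass
class Directory:
    roles: Dict[str, RoleDefinition]
    group_members: Dict[str, Set[str]] = field(default_factory=dict)
    assignments: List[RoleAssignment] = field(default_factory=list)

    def principals_for(self, principal_id: str) -> Set[str]:
        """The identity plus every group it belongs to: groups are principals too."""
        groups = {g for g, members in self.group_members.items() if principal_id in members}
        return {principal_id} | groups

    def is_authorized(self, principal_id: str, action: str, resource_id: str) -> bool:
        """Allow if any assignment at the resource's scope or an ancestor scope grants the action."""
        principals = self.principals_for(principal_id)
        for a in self.assignments:
            if a.principal_id not in principals or not scope_covers(a.scope, resource_id):
                continue
            role = self.roles[a.role]
            if matches_any(action, role.actions) and not matches_any(action, role.not_actions):
                return True
        return False              # deny by default: nothing granted it


# ---- constructed sample hierarchy and directory ---------------------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_PROD = f"{SUB}/resourceGroups/rg-prod"
RG_DEV = f"{SUB}/resourceGroups/rg-dev"
VM_PROD = f"{RG_PROD}/providers/Microsoft.Compute/virtualMachines/vm-prod-01"
VM_DEV = f"{RG_DEV}/providers/Microsoft.Compute/virtualMachines/vm-dev-01"

DIRECTORY = Directory(
    roles={
        "Reader": RoleDefinition("Reader", actions=("*/read",)),
        "Contributor": RoleDefinition(
            "Contributor",
            actions=("*",),
            not_actions=("Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"),
        ),
    },
    group_members={"grp-platform-ops": {"user-alice"}},
    assignments=[
        RoleAssignment("user-bob", "Reader", SUB),                    # read-only across the subscription
        RoleAssignment("grp-platform-ops", "Contributor", RG_PROD),   # alice inherits this via the group
        RoleAssignment("sp-deploy-pipeline", "Contributor", RG_DEV),  # a service principal, dev only
    ],
)

VM_READ = "Microsoft.Compute/virtualMachines/read"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
```

Two checks worth running against such a model: the deployment service principal holding Contributor on rg-dev cannot even read vm-prod-01, and a Contributor on rg-prod cannot write role assignments there, so the principal that changes resources is not the principal that grants access.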
RBAC scope
Privileged Identity Management
In addition to managing Azure resource access with role-based access control (RBAC), a comprehensive approach to infrastructure protection should consider including the ongoing auditing of role members as their organization changes and evolves. Azure AD Privileged Identity Management (PIM) is an additional, paid-for offering that provides oversight of role assignments, self-service and just-in-time role activation, and Azure AD and Azure resource access reviews.

Summary
Identity allows us to maintain a security perimeter, even outside our physical control. With single sign-on and appropriate role-based access configuration, we can always be sure who has the ability to see and manipulate our data and infrastructure.

the opposition to Jesus: the world which does not know the Father who has sent Jesus into the world (17: 25–6). Was Judas in charge of the arresting party (18. 3)? The REB (and some other translations) leaves the question open: ‘Judas made his way there with a detachment of soldiers, and with the temple police.’ One can visualize
Judas mingling with the arresting party. The NRSV (and other translations) reflect the Greek much more accurately: ‘Judas brought a detachment of soldiers.’ Judas takes the initiative, leads the way, and hence is fully culpable. John 18: 13 records that Jesus was taken first of all ‘to Annas, who was the father-in-law of Caiaphas, the high priest that year’. Annas is then referred to twice as ‘high priest’ (18: 19, 22). Since there could only be one high priest in post at any one time, is the evangelist’s reference to both Annas and Caiaphas as ‘high priest’ hopelessly muddled? Probably not. It is likely that the title ‘high priest’ continued to be used for Annas even after his departure from office: he held a ‘patriarchal’ position in high-priestly circles (cf. Luke 3: 2; Acts 4: 6), and still enjoyed the courtesy title, ‘high priest’, as did some other respected high priests (Josephus,
Antiquities §34). The comment that Caiaphas was high priest ‘that year’ does not necessarily imply that the evangelist believed (wrongly) that the office was held for only one year: most scholars accept that the sense is ‘that particularly memorable year’. The preceding discussion of some of the issues raised by a close reading of John 18 confirms that this gospel is like a stream in which children can wade and elephants swim. My hope is that my readers will want to become elephants and wade further into other parts of this fascinating but enigmatic gospel. Purpose and setting In the final verse of the gospel proper, the evangelist seems to state his purpose very clearly: the signs written in this book are recorded ‘so that you may believe that Jesus is the Christ, the Son of God’ (20:
31). But does the evangelist mean that these are written ‘so that you may continue to believe’ or ‘in order that you may come to believe’? Is the gospel written to strengthen faith or is it intended to be a missionary tract? Unfortunately the Greek is ambiguous. And to make matters worse two forms of the verb are found in the early manuscripts.
116 | the four gospels
Copyright © 2002. OUP Oxford. All rights reserved.
EBSCO Publishing : eBook Collection (EBSCOhost) - printed on 3/15/2020 1:53 PM via SAINT LEO UNIV AN: 478397 ; Stanton, Graham.; The Gospels and Jesus Account: stleocol
Most scholars accept that the evangelist writes with his own Christian readers and listeners primarily in mind. In 6: 68–9 Peter speaks for the reader: ‘Lord . . . you have the words of eternal life. We have come to believe and know that you are the Holy One of God.’ Passages such as 8: 31 (‘If you continue in my word, you are truly my disciples’) and 15: 4 ff. (‘Abide in me . . . those who abide in me, and I in them bear much fruit’)
are addressed to believers. At the climax of the Prologue in 1: 14, the faith not only of the evangelist himself, but also of Christians associated with him, is confessed in the words: ‘we have beheld his glory, glory as of the only Son from the Father’ (cf. also 1: 16). What do we know about the recipients of this gospel? We have already noted passages which indicate that they are involved in fierce controversy with the Jewish synagogue. (See pp. 99 and 111.) This is a pervasive theme. The rejection of Jesus by ‘his own people’ is noted in the Prologue (1: 11). In the dialogue with Nicodemus there is a dramatic change at 3: 11. Up until that point Jesus and Nicodemus have been speaking as individuals. But suddenly the evangelist switches to plural pronouns: this change cannot be brought out in English translations unless we resort to ‘thee’ and ‘thou’ in the preceding verses. In 3: 11 we move to John’s day and to
discussion between Christians and Jews: ‘We (Christians) speak of what we know, and testify to what we have seen; but you (Jews) do not receive our testimony.’ In chapters 5–9 there are repeated references to the theological disputes between Christians and Jews. The evangelist’s readers are undoubtedly at loggerheads with their Jewish neighbours. At least some members of the evangelist’s communities have parted company painfully with local synagogues. Down through history minority religious groups which have parted with the ‘parent’ group have tended to become inward-looking and isolated from the world ‘outside’. This attitude is often said to be ‘sectarian’, though that term begs questions of definition. What is hardly in doubt is that the evangelist and his readers are at odds not only with Judaism but with the world in general. This is
reflected clearly in the farewell discourses addressed by Jesus to the disciples—but on another level the evangelist is speaking to his own readers and listeners. In 15: 18–19 Jesus says: ‘If the world hates you, be aware that it hated me before it hated you. If you belonged to the world, the world would love you as its own. But because you do not belong to the world, but I have chosen you out of the world—therefore the world hates you.’
john’s gospel: ‘i am the way’ | 117
This isolation from the world is also expressed clearly at the climax of the farewell discourses in chapter 17. Jesus does not pray for the world, but ‘on behalf of those whom you gave me’ (v. 9). The disciples are ‘not of the world, just as I am not of the world’ (vv. 14, 16). Not surprisingly, the ethical teaching in this gospel is directed almost
entirely to Christians. The ‘new commandment’ which Jesus gives his disciples is ‘love one another’ (13: 34). This is the central ethical principle in John: it is love for one’s fellow-Christian which is being expressed, not love for one’s neighbour or enemy. This is in strong contrast to Matt. 5: 44, ‘I say to you, Love your enemies and pray for those who persecute you’, and to the parable of the good Samaritan which is the reply to the lawyer’s question, ‘Who is my neighbour?’ (Luke 10: 25–37; cf. also Mark 12: 31 ff.). The sayings of Jesus in the synoptic gospels on marriage, divorce, property, and the state are all missing in John. There is no sign of Luke’s insistence that the story of Jesus is related in any way to world history (see above, pp. 80–1). The recipients of this gospel, then, do seem to be decidedly at odds both
with their Jewish neighbours and also with the world in general. What was their relationship to other strands of early Christianity? This is an interesting but difficult question: it raises numerous issues which we cannot pursue here. In his influential commentary Rudolf Bultmann (1971) argued that some passages in John were added by an ‘ecclesiastical redactor’ after its composition in order to bring it into line with ‘mainstream’ Christianity at the end of the first century. He claimed that in genuine Johannine thought there is no room for the sacraments; the passages which seem to allude to them most clearly were later additions. Similarly, the passages which refer to future judgement ‘at the last day’ (5: 28–9; 6: 39–40, 44, 54; 12: 48) are taken as additions. Bultmann insisted that the evangelist’s primary emphasis was on the judgement which takes place in the present
when people are confronted with the claims of Jesus, so there can be no room for future judgement. If Bultmann’s analysis is correct, then this gospel does represent a form of Christianity which is very different from most of the strands we can trace in the closing decades of the first century. But even if, with most
118 | the four gospels

THE GOSPEL ACCORDING TO JOHN
The Gospel according to John is quite different in character from the three synoptic gospels. It is highly literary and symbolic. It does not follow the same order or reproduce the same stories as the synoptic gospels. To a much greater degree, it is the product of a developed theological reflection and grows out of a different circle and tradition. It was probably written in the 90s of the first century. The Gospel of John begins with a magnificent prologue, which states many of the major themes and motifs of the gospel, much as an overture does for a musical work. The prologue proclaims Jesus as the preexistent and incarnate Word of God who has revealed the Father to us. The rest of the first chapter forms the introduction to the gospel proper and consists of the Baptist’s testimony about Jesus (there is no baptism of Jesus in this gospel—John simply points him out as the Lamb of God), followed by stories of the call of the first disciples, in which various titles predicated of Jesus in the early church are presented. The gospel narrative contains a series of “signs”—the gospel’s word for the wondrous deeds of Jesus. The author is primarily
interested in the significance of these deeds, and so interprets them for the reader by various reflections, narratives, and discourses. The first sign is the transformation of water into wine at Cana (Jn 2:1–11); this represents the replacement of the Jewish ceremonial washings and symbolizes the entire creative and transforming work of Jesus. The second sign, the cure of the royal official’s son (Jn 4:46–54) simply by the word of Jesus at a distance, signifies the power of Jesus’ life-giving word. The same theme is further developed by other signs, probably for a total of seven. The third sign, the cure of the paralytic at the pool with five porticoes in chap. 5, continues the theme of water offering newness of life. In the preceding chapter, to the woman at the well in Samaria Jesus had offered living water springing up to eternal life, a symbol of the revelation that Jesus brings; here Jesus’ life-giving word replaces the water of the pool that failed to bring life. Jn 6 contains two signs, the multiplication of loaves and the walking on the waters of the Sea of Galilee. These signs are connected much as the manna and the crossing of the Red Sea are in the Passover narrative and symbolize a new exodus. The multiplication of the loaves is interpreted for the reader by the discourse that follows, where the bread of life is used first as a figure for the revelation of God in Jesus and then for the Eucharist. After a series of dialogues reflecting Jesus’ debates with the Jewish authorities at the Feast of Tabernacles in Jn 7; 8, the sixth sign is presented in Jn 9, the sign of the young man born blind. This is a narrative illustration of the theme of conflict in the preceding two chapters; it proclaims the triumph of light over darkness, as Jesus is presented as the Light of the world.
This is interpreted by a narrative of controversy between the Pharisees and the young man who had been given his sight by Jesus, ending with a discussion of spiritual blindness and spelling out the symbolic meaning of the cure. And finally, the seventh sign, the raising of Lazarus in chap. 11, is the climax of signs. Lazarus is presented as a token of the real life that Jesus, the Resurrection and the Life, who will now ironically be put to
death because of his gift of life to Lazarus, will give to all who believe in him once he has been raised from the dead. After the account of the seven signs, the “hour” of Jesus arrives, and the author passes from sign to reality, as he moves into the discourses in the upper room that interpret the meaning of the passion, death, and resurrection narratives that follow. The whole gospel of John is a progressive revelation of the glory of God’s only Son, who comes to reveal the Father and then returns in glory to the Father. The author’s purpose is clearly expressed in what must have been the original ending of the gospel at the end of Jn 20: “Now Jesus did many other signs in the presence of [his] disciples that are not written in this book. But these are written that you may [come to] believe that Jesus is the Messiah, the Son of God, and that through this belief you may have life in his name.” Critical analysis makes it difficult to accept the idea that the gospel as it now stands was written by one person. Jn 21 seems to have been added after the gospel was completed; it exhibits a Greek style somewhat different from that of the rest of the work. The prologue (Jn 1:1–18) apparently contains an independent hymn, subsequently adapted to serve as a preface to the gospel. Within the gospel itself there are also some inconsistencies, e.g., there are two endings of Jesus’ discourse in the upper room (Jn 14:31; 18:1). To solve these problems, scholars have proposed various rearrangements that would produce a smoother order. However, most have come to the conclusion that the inconsistencies were probably produced by subsequent editing in which homogeneous materials were added to a shorter original. Other difficulties for any theory of eyewitness authorship of the gospel in its present form are presented by its highly developed theology and by certain elements of its literary style.
For instance, some of the wondrous deeds of Jesus have been worked into highly effective dramatic scenes (Jn 9); there has been a careful attempt to have these followed by discourses that explain them (Jn 5; 6); and the sayings of Jesus have been
woven into long discourses of a quasi-poetic form resembling the speeches of personified Wisdom in the Old Testament. The gospel contains many details about Jesus not found in the synoptic gospels, e.g., that Jesus engaged in a baptizing ministry (Jn 3:22) before he changed to one of preaching and signs; that Jesus’ public ministry lasted for several years (see note on Jn 2:13); that he traveled to Jerusalem for various festivals and met serious opposition long before his death (Jn 2:14–25; 5; 7–8); and that he was put to death on the day before Passover (Jn 18:28). These events are not always in chronological order because of the development and editing that took place. However, the accuracy of much of the detail of the fourth gospel constitutes a strong argument that the Johannine tradition rests upon the testimony of an eyewitness. Although tradition identified this person as John, the son of Zebedee, most modern scholars find that the evidence does not support this. The fourth gospel is not simply history; the narrative has been organized and adapted to serve the evangelist’s theological purposes as well. Among them are the opposition to the synagogue of the day and to John the Baptist’s followers, who tried to exalt their master at Jesus’ expense, the desire to show that Jesus was the Messiah, and the desire to convince Christians that their religious belief and practice must be rooted in Jesus. Such theological purposes have impelled the evangelist to emphasize motifs that were not so clear in the synoptic account of Jesus’ ministry, e.g., the explicit emphasis on his divinity. The polemic between synagogue and church produced bitter and harsh invective, especially regarding the hostility toward Jesus of the authorities—Pharisees and Sadducees—who are combined and referred to frequently as “the Jews” (see note on Jn 1:19).
These opponents are even described in Jn 8:44 as springing from their father the devil, whose conduct they imitate in opposing God by rejecting Jesus, whom God has sent. On the other hand, the author of this gospel seems to take pains to
show that women are not inferior to men in the Christian community: the woman at the well in Samaria (Jn 4) is presented as a prototype of a missionary (Jn 4:4–42), and the first witness of the resurrection is a woman (Jn 20:11–18). The final editing of the gospel and arrangement in its present form probably dates from between A.D. 90 and 100. Traditionally, Ephesus has been favored as the place of composition, though many support a location in Syria, perhaps the city of Antioch, while some have suggested other places, including Alexandria.
The principal divisions of the Gospel according to John are the following:
I. Prologue (1:1–18)
II. The Book of Signs (1:19–12:50)
III. The Book of Glory (13:1–20:31)
IV. Epilogue: The Resurrection Appearance in Galilee (21:1–25)

Paper 3
Identify any historical purpose(s) behind the writing of Luke’s Gospel, Acts of the Apostles, and John’s Gospel. Include a reference to any historical factor mentioned in the recommended sources that may have triggered the writing of Luke’s Gospel, Acts of the Apostles, and John’s Gospel, as well as references to statements within those three. Include at least one historical factor and at least one reference to each Gospel studied. A historical factor is one a historian would recognize whether the historian has religious faith or not. Restrict your resources to those below as well as any information within the course modules. Be sure to distinguish between paraphrase and direct quotes. Type a 350-750 word paper using MLA formatting.
Resources:
eBook available via SLU library: Stanton, Graham. The Gospels and Jesus. Oxford U. Press, 2nd ed., 2002, pp. 116-118. See also Won-Ha Hwang & J G van der Watt. “The Identity of the Recipients of the Fourth Gospel in the Light of the Purpose of the Gospel.” HTS : Theological Studies, v63 n2 (Jun 2007): 683-698. (http://www.usccb.org/bible/scripture.cfm?bk=John&ch= And ( http://saintleo.worldcat.org/title/the-identity-of-the-recipients-of-the-fourth-gospel-in-the-light-ofthe-purpse-of-the-gospel/oclc/5878507889&referer=brief_results)
eBook available via SLU library: Balentine, Samuel E. The Oxford Encyclopedia of the Bible and Theology. Oxford University Press, 2014, chapter “Luke-Acts.”
eBook available via SLU library: Carroll, John and Jennifer Cox. Luke: A Commentary. Westminster John Knox Press, 2012, pp. 398-404.