CloudTrust Protocol - Cloud Security Alliance

CloudTrust Protocol
Orientation and Status
July 2011 | Ron Knode
CloudTrust Protocol Orientation
Orientation Topics
• Why is it?
• What is it?
• CTP transfer to CSA
• {Strong} connection to CloudAudit
• Existing plans & strategies
• Things for the CSA/CloudAudit to “resolve”
• … other stuff …
The Value Equation in the Cloud
[Diagram: Security + Service + Transparency → Service + Compliance & Trust → VALUE Captured]
Delivering evidence-based confidence… with compliance-supporting data & artifacts.
The CTP Transfer
• Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol (CTP Version 2.0; see reference #2 below)
• Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP
• CSC representative as co-chair of CSA’s CTP Working Group
• CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP
• Free, unrestricted use of CTP derivative works by CSC

References
1. “Digital Trust in the Cloud”, August 2009, www.csc.com/security/insights/32270digital_trust_in_the_cloud
2. “Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0)”, July 2010, http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
3. “CSA + CTP = Nebula Nova”, 25 July 2011, http://www.csc.com/cloud/blog/68078csa_ctp_nebula_nova_a_commentary_and_essay
Research Conclusions Summary
Initial Results, August 2009
• The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns.
• The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing.
• Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving.
• CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency.
• Resist the temptation to jump into even a so-called “secure” cloud just to save money. Aim higher! Jump into the right “trusted” cloud to create and capture new enterprise value.
www.csc.com/security/insights/32270digital_trust_in_the_cloud
Or at www.csc.com/lefreports
CloudTrust Protocol Revealed
Research Extension Detailing “What” and “How”, July 2010
http://www.csc.com/cloud/insights/57785into_the_cloud_with_ctp
• Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers.
• The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.
• The reliable delivery of only a few elements of transparency generates a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques.
• Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs.
• Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective.
CTP V2.0
Next updates will be published through the Cloud Security Alliance
• Syntax
• Semantics
• Self-defined response (no insistence on orthodoxy)
  – Asset model
  – Scope of response
  – Implementation/deployment options
• Extension
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
CloudTrust Protocol (CTP) Included Within CSA GRC Stack
[Diagram: the CSA GRC stack, with the CTP layer labelled Specs and Extensions; each layer is shown with its purpose and what it provides]
• Continuous monitoring … with a purpose: common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers
• Claims, offers, and the basis for auditing service delivery: common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
• Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist
• The recommended foundations for controls: fundamental security principles in assessing the overall security risk of a cloud provider
Government: deliver “continuous monitoring” required by A&A methodologies (FedRAMP, DIACAP, other C&A standards)
Commercial: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …
Transparency as a Service (TaaS)
Turn on the lights you need … when you need them
[Diagram: questions authorized users can put to the cloud through TaaS]
• What vulnerabilities exist in my cloud configuration?
• What does my cloud computing configuration look like now?
• Where are my data and processing being performed?
• Who has access to my data now?
• What audit events have occurred in my cloud configuration?
CloudTrust Protocol: Elements of Transparency
[Diagram: Transparency as a Service (TaaS) spanning a Private Cloud, Other Public Clouds, and the CSC Trusted Cloud]

CloudTrust Protocol (CTP) Transparency as a Service (TaaS)
Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs
[Diagram: Enterprise TaaS feeding downstream compliance processing (SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …); a Cloud Trust Response Manager (CRM) and TaaS Dashboard in the CSC Trusted Community Cloud, and a Cloud Trust Agent in a Private Trusted Cloud, each responding over the CTP to all elements of transparency]
Using reclaimed visibility into the cloud to confirm security and create digital trust
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Elements of Transparency in the CTP
Only 23 elements in the entire protocol, organized as types → families → elements.
6 TYPES:
• Initiation
• Policy introduction
• Provider assertions
• Provider notifications
• Evidence requests, with the families Configuration, Vulnerabilities, Anchoring (Geographic, Platform, Process), Audit log, Service Management, and Service Statistics
• Client extensions
CloudTrust Protocol Pathways
Mapping the Elements of Transparency in Deployment
[Diagram: the 23 elements (plus extension 24) by pathway; supporting mechanisms shown are SCAP, CloudAudit.org, and sign/sealing]
• Initiation: session start (1), session end (2)
• Transparency Requests (assertions, evidence, affirmations): configuration & vulnerabilities (3, 4, 5, 6, 7); anchoring, i.e. geographic, platform, process (8, 9, 10); violation (11); audit (12); access (13); incident log (14); config/control (15); stats (16); security capabilities and operations (17)
• Admin & Ops: alerts (18); users (19); anchors (21); quotas (22); alert conditions (23)
• Specs: configuration definition (20)
• Extensions: consumer/provider negotiated (24)
CloudTrust Protocol V2.0 Syntax
(See pages 5-6 of Attachment A)
• Based on XML
• Traditional RESTful web service over HTTP
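As an added illustration (not code from the deck, CSC, or CSA) of the exchange these slides describe, the following Python models a consumer's XML request for numbered elements of transparency, the provider's check against the element catalog and an authorized-user table, and a sealed evidence response that the consumer verifies independently of the transport. The tag names, the authorization table and the shared seal key are assumptions; the element numbering and pathway grouping are read off the deck's pathway map.

```python
# Added illustration (not CSC's or CSA's code): a toy CTP-style exchange built from
# what the deck states: XML over a RESTful transport, numbered elements of
# transparency, authorized users, and a sealed response. Tag names are assumed.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Element numbers grouped as on the deck's pathway map (23 elements + extension 24).
PATHWAYS = {
    "initiation": {1, 2},               # session start / end
    "requests": set(range(3, 18)),      # assertions, evidence, affirmations
    "admin_ops": {18, 19, 21, 22, 23},  # alerts, users, anchors, quotas, alert conditions
    "specs": {20},                      # configuration definition
    "extensions": {24},                 # consumer/provider negotiated
}
ELEMENT_TO_PATHWAY = {n: p for p, ns in PATHWAYS.items() for n in ns}

# Constructed authorization table: which elements each consumer identity may request.
AUTHORIZED = {"ops@consumer.example": set(range(1, 24)),
              "auditor@consumer.example": {1, 2, 12, 14}}  # sessions, audit, incident log


def parse_request(xml_text: str) -> list[int]:
    """Extract requested element numbers, rejecting any the protocol lacks."""
    root = ET.fromstring(xml_text)
    wanted = [int(e.get("number")) for e in root.iter("element")]
    unknown = sorted(set(wanted) - set(ELEMENT_TO_PATHWAY))
    if unknown:
        raise ValueError(f"unknown elements of transparency: {unknown}")
    return wanted


def authorize(user: str, wanted: list[int]) -> list[int]:
    """Keep only the elements this user is entitled to see."""
    return [n for n in wanted if n in AUTHORIZED.get(user, set())]


def build_response(elements: list[int], evidence: dict, key: bytes) -> tuple:
    """Serialize the evidence as XML and seal the exact bytes that are sent."""
    root = ET.Element("ctp-response")
    for n in elements:
        item = ET.SubElement(root, "element", number=str(n), pathway=ELEMENT_TO_PATHWAY[n])
        item.text = evidence.get(n, "")
    body = ET.tostring(root)
    # The seal binds the content itself, independent of transport security. An HMAC is
    # verifiable only by holders of the shared key, not by a third party: that is the
    # "legal import" gap the deck lists among its undecideds.
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_response(body: bytes, seal: str, key: bytes) -> bool:
    """Consumer-side check that the body received is the one the provider sealed."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, seal)
```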
Elastic Characteristics of the CTP
[Diagram: Transparency-as-a-Service via the CTP between Cloud Providers and Cloud Consumers; legend: provider dimension, deployment dimension]
Source: http://www.csc.com/cloud/insights/57785into_the_cloud_with_ctp
Multiple Styles of Implementation
The CTP is machine and human readable
[Diagram, OUT-OF-BAND: the Cloud Consumer reaches a separate CloudTrust Protocol Service over its own RESTful web service, apart from the Cloud Provider's RESTful web service, and receives Trust Evidence (elements of transparency)]
[Diagram, IN-BAND: the CloudTrust Protocol Service is reached through the Cloud Provider's RESTful web service itself, which returns Trust Evidence (elements of transparency) to the Cloud Consumer]
Source: http://www.csc.com/cloud/insights/57785into_the_cloud_with_ctp

Scope of TaaS: Enterprise or Client-Specific
[Diagram, CLIENT SPECIFIC: the Cloud Consumer receives Trust Evidence (elements of transparency) from the CloudTrust Protocol Service at the Cloud Provider over a RESTful web service]
[Diagram, ENTERPRISE: a Client Deployed Application at the Cloud Consumer gathers Client Trust Evidence, while the CloudTrust Protocol Service at the Cloud Provider supplies partial elements of transparency]
Source: http://www.csc.com/cloud/insights/57785into_the_cloud_with_ctp
Undecideds…
• Evidence Request category “integrity and liability verification technique”
  – Attest to the content, provenance, and imputability of the response (with legal import)
  – Transmission integrity not sufficient; require legal liability of intent to provide response as delivered
  – E.g., Surety AbsoluteProof technique
• Final namespace
• Trust package correlation with all contributing (traditional) security services
• Identity store for transparency service authorizations
Undecideds…
• EoT extension technique
  – Characteristics of specification
  – Degree of automation
• Business constructs and back office issues, e.g.,
  – SLA foundations
  – Concepts of operation
  – Service Terms & Conditions recommendations
• Transparency operator training and operations monitoring