Presentation is loading. Please wait.

Presentation is loading. Please wait.

CloudTrust Protocol Orientation and Status July 2011 | Ron KnodeCloudTrust Protocol Orientation.

Similar presentations


Presentation on theme: "CloudTrust Protocol Orientation and Status July 2011 | Ron KnodeCloudTrust Protocol Orientation."— Presentation transcript:

1 CloudTrust Protocol Orientation and Status July 2011 | Ron KnodeCloudTrust Protocol Orientation

2 CloudTrust Protocol Orientation Topics Why is it? What is it? CTP transfer to CSA {Strong} connection to CloudAudit Existing plans & strategies Things for the CSA/CloudAudit to resolve … other stuff … July 2011 | Ron KnodeCloudTrust Protocol Orientation

3 The Value Equation in the Cloud Security Service Transparency Service Compliance & Trust July 2011 | Ron KnodeCloudTrust Protocol Orientation VALUE Captured Delivering evidence-based confidence… with compliance-supporting data & artifacts.

4 The CTP Transfer Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol (CTP Version 2.0 – see reference #2 below) Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP CSC representative as co-chair of CSAs CTP Working Group CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP Free, unrestricted use of CTP derivative works by CSC July 2011 | Ron KnodeCloudTrust Protocol Orientation References 1.See Digital Trust in the Cloud, August 2009, digital_trust_in_the_cloudwww.csc.com/security/insights/ digital_trust_in_the_cloud 2.See Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0), July 2010, 3.See CSA + CTP = Nebula Nova, 25 July 2011, csa_ctp_nebula_nova_a_commentary_and_essayhttp://www.csc.com/cloud/blog/ csa_ctp_nebula_nova_a_commentary_and_essay

5 Research Conclusions Summary Initial Results-August 2009 The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns. The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing. Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving. CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency. Resist the temptation to jump into even a so-called secure cloud just to save money. Aim higher! Jump into the right trusted cloud to create and capture new enterprise value. CloudTrust Protocol Orientation digital_trust_in_the_cloud Or at July 2011 | Ron Knode

6 CloudTrust Protocol Revealed Research Extension Detailing What and How – July 2010 Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers. The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency. The reliable delivery of only a few elements of transparency generate a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques. Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs. Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective. July 2011 | Ron KnodeCloudTrust Protocol Orientation into_the_cloud_with_ctp

7 CTP V2.0 Next Updates will be Published through the Cloud Security Alliance July 2011 | Ron KnodeCloudTrust Protocol Orientation Syntax Semantics Self-defined response (No insistence on orthodoxy) – Asset model – Scope of response – Implementation/deployment options Extension Syntax Semantics Self-defined response (No insistence on orthodoxy) – Asset model – Scope of response – Implementation/deployment options Extension

8 Government SpecsExtensions Commercial ??? Continuous monitoring … with a purpose Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers ??? Claims, offers, and the basis for auditing service delivery Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments FedRAMP DIACAP Other C&A standards Pre-audit checklists and questionnaires to inventory controls Industry-accepted ways to document what security controls exist NIST , HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST , SAS 70, … The recommended foundations for controls Fundamental security principles in assessing the overall security risk of a cloud provider A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack CloudTrust Protocol (CTP) Included Within CSA GRC Stack July 2011 | Ron KnodeCloudTrust Protocol Orientation Deliver continuous monitoring required by A&A methodologies

9 What vulnerabilities exist in my cloud configuration? Transparency as a Service (TaaS) Authorized Users July 2011 | Ron KnodeCloudTrust Protocol Orientation What audit events have occurred in my cloud configuration? Who has access to my data now? What does my cloud computing configuration look like now? Where are my data and processing being performed?

10 CloudTrust Protocol Elements of Transparency 1 23 Private Cloud Other Public Clouds CSC Trusted Cloud Transparency as a Service (TaaS) Transparency as a Service (TaaS) Turn on the lights you need … when you need them

11 CloudTrust Protocol (CTP) Transparency as a Service (TaaS) Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs CSC Trusted Community Cloud TaaS Dashboard Enterprise Using reclaimed visibility into the cloud to confirm security and create digital trust TaaS CTP Private Trusted Cloud Responding to all elements of transparency Cloud Trust Agent TaaS Cloud Trust Response Manager (CRM) SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST , ISO27001, CAG, ENISA, CSA V2.3, … Downstream compliance processing Source:

12 Elements of Transparency in the CTP July 2011 | Ron KnodeCloudTrust Protocol Orientation 6 TYPES Initiation Policy introduction Provider assertions Provider notifications EVIDENCE REQUESTS Client extensions ELEMENTS Geographic Platform Process Only 23 in entire protocol FAMILIES Configuration Vulnerabilities ANCHORING Audit log Service Management Service Statistics

13 CloudTrust Protocol Pathways Mapping the Elements of Transparency in Deployment June 2011 | Ron KnodeCloudTrust Protocol Orientation 231 CloudAudit.orgSCAP Sign / sealing

14 CloudTrust Protocol V2.0 July 2011 | Ron KnodeCloudTrust Protocol Orientation Syntax Based on XML Traditional RESTful web service over HTTP See pages of 5-6 Attachment A See pages of 5-6 Attachment A

15 Elastic Characteristics of the CTP Transparency-as-a-Service CTP Cloud Consumers Cloud Providers Legend: Provider dimension Deployment dimension Source: into_the_cloud_with_ctp

16 RESTful Web Service Trust Evidence (Elements of transparency) Trust Evidence (Elements of transparency) Multiple Styles of Implementation The CTP is machine and human readable RESTful Web Service Trust Evidence (Elements of transparency) Trust Evidence (Elements of transparency) RESTful Web Service Cloud Provider CloudTrust Protocol Service Cloud Consumer IN-BAND OUT-OF-BAND Source: into_the_cloud_with_ctp

17 Scope of TaaS Enterprise or Client-Specific Client Deployed Application Client Trust Evidence (Partial elements of transparency) Client Trust Evidence (Partial elements of transparency) RESTful Web Service Trust Evidence (Elements of transparency) Trust Evidence (Elements of transparency) RESTful Web Service Cloud Provider CloudTrust Protocol Service Cloud Consumer ENTERPRISE CLIENT SPECIFIC Source: into_the_cloud_with_ctp

18 Undecideds… Evidence Request category integrity and liability verification technique – Attest to the content, provenance, and imputability of the response (with legal import) – Transmission integrity not sufficient; Require legal liability of intent to provide response as delivered E.g, Surety AbsoluteProof technique Final namespace Trust package correlation with all contributing (traditional) security services Identity store for transparency service authorizations July 2011 | Ron KnodeCloudTrust Protocol Orientation

19 Undecideds… EoT extension technique – Characteristics of specification – Degree of automation Business constructs and back office issues, e.g., – SLA foundations – Concepts of operation – Service Terms & Conditions recommendations Transparency operator training and operations monitoring July 2011 | Ron KnodeCloudTrust Protocol Orientation

20


Download ppt "CloudTrust Protocol Orientation and Status July 2011 | Ron KnodeCloudTrust Protocol Orientation."

Similar presentations


Ads by Google