CloudTrust Protocol Orientation and Status | July 2011 | Ron Knode


Topics
- Why is it?
- What is it?
- CTP transfer to CSA
- {Strong} connection to CloudAudit
- Existing plans & strategies
- Things for the CSA/CloudAudit to resolve
- ... other stuff ...

The Value Equation in the Cloud
- Security
- Service transparency
- Service compliance & trust
- Value captured
Delivering evidence-based confidence ... with compliance-supporting data & artifacts.

The CTP Transfer
- Nonexclusive, no-cost, royalty-free license to the CloudTrust Protocol (CTP Version 2.0; see reference 2 below)
- Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP
- CSC representative as co-chair of the CSA's CTP Working Group
- CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP
- Free, unrestricted use of CTP derivative works by CSC

References
1. Digital Trust in the Cloud, August 2009, www.csc.com/security/insights/digital_trust_in_the_cloud
2. Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0), July 2010
3. CSA + CTP = Nebula Nova, 25 July 2011, csa_ctp_nebula_nova_a_commentary_and_essay

Research Conclusions Summary: Initial Results, August 2009
- The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns.
- The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing.
- Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving.
- CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency.
- Resist the temptation to jump into even a so-called secure cloud just to save money. Aim higher! Jump into the right trusted cloud to create and capture new enterprise value.
Source: digital_trust_in_the_cloud

CloudTrust Protocol Revealed: Research Extension Detailing What and How, July 2010
- Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers.
- The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.
- The reliable delivery of only a few elements of transparency generates a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques.
- Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status, responding to both cloud user and cloud provider needs.
- Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective.
Source: into_the_cloud_with_ctp

CTP V2.0 (next updates will be published through the Cloud Security Alliance)
- Syntax
- Semantics
- Self-defined response (no insistence on orthodoxy)
  - Asset model
  - Scope of response
  - Implementation/deployment options
- Extension

CloudTrust Protocol (CTP) Included Within the CSA GRC Stack
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack (slide columns: Government specs | Extensions | Commercial ???)

- CloudTrust Protocol (CTP): continuous monitoring ... with a purpose. A common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers. Delivers the continuous monitoring required by A&A methodologies.
- CloudAudit: claims, offers, and the basis for auditing service delivery. A common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments.
- Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist.
- The recommended foundations for controls: fundamental security principles in assessing the overall security risk of a cloud provider.

Government specs: FedRAMP, DIACAP, other C&A standards.
Standards referenced: NIST (publication number not captured), HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST (publication number not captured), SAS 70, ...

Transparency as a Service (TaaS): questions authorized users can ask
- What vulnerabilities exist in my cloud configuration?
- What audit events have occurred in my cloud configuration?
- Who has access to my data now?
- What does my cloud computing configuration look like now?
- Where are my data and processing being performed?

CloudTrust Protocol Elements of Transparency (figure: Transparency as a Service (TaaS) spanning a private cloud, other public clouds, and the CSC Trusted Cloud)
Turn on the lights you need ... when you need them.

CloudTrust Protocol (CTP): Transparency as a Service (TaaS)
Reclaiming digital trust across security, privacy, and compliance needs (figure components):
- Enterprise: TaaS Dashboard, using reclaimed visibility into the cloud to confirm security and create digital trust
- CSC Trusted Community Cloud / Private Trusted Cloud: Cloud Trust Agent and Cloud Trust Response Manager (CRM), responding to all elements of transparency over TaaS/CTP
- Downstream compliance processing: SAS 70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST, ISO 27001, CAG, ENISA, CSA V2.3, ...

Elements of Transparency in the CTP (only 23 in the entire protocol)
- 6 types: initiation, policy introduction, provider assertions, provider notifications, evidence requests, client extensions
- Families: configuration, vulnerabilities, anchoring (audit log, service management, service statistics)
- Elements: geographic, platform, process

CloudTrust Protocol Pathways: Mapping the Elements of Transparency in Deployment (June 2011)
(figure: pathways 1, 2, 3; CloudAudit.org; SCAP; sign/sealing)

CloudTrust Protocol V2.0
- Syntax: based on XML
- Traditional RESTful web service over HTTP
- See pages 5-6 of Attachment A

Elastic Characteristics of the CTP (figure: Transparency-as-a-Service via the CTP between cloud consumers and cloud providers; legend: provider dimension, deployment dimension)
Source: into_the_cloud_with_ctp

Multiple Styles of Implementation
The CTP is machine and human readable. Trust evidence (elements of transparency) flows from the cloud provider's CloudTrust Protocol service to the cloud consumer over a RESTful web service, either in-band (alongside the cloud service itself) or out-of-band (over a separate channel).
Source: into_the_cloud_with_ctp

Scope of TaaS: Enterprise or Client-Specific
- Enterprise: trust evidence (elements of transparency) delivered from the cloud provider's CloudTrust Protocol service to the cloud consumer over a RESTful web service
- Client specific: a client-deployed application receives client trust evidence (partial elements of transparency) over the same RESTful web service
Source: into_the_cloud_with_ctp

Undecideds ...
- Evidence request category integrity and liability verification technique
  - Attest to the content, provenance, and imputability of the response (with legal import)
  - Transmission integrity is not sufficient; require legal liability of intent to provide the response as delivered (e.g., Surety AbsoluteProof technique)
- Final namespace
- Trust package correlation with all contributing (traditional) security services
- Identity store for transparency service authorizations

Undecideds ... (continued)
- EoT extension technique
  - Characteristics of specification
  - Degree of automation
- Business constructs and back office issues, e.g.
  - SLA foundations
  - Concepts of operation
  - Service terms & conditions recommendations
- Transparency operator training and operations monitoring
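Three of the preceding slides describe mechanics that fit together in a single exchange: XML syntax carried over a RESTful HTTP service (CTP V2.0), an in-band consumer/provider exchange of trust evidence (Multiple Styles of Implementation), and the open item of attesting the content and provenance of a response rather than only its transmission integrity (first Undecideds slide). The Go program below is an added example written for this page; it is not CSC's or the CSA's CTP code. The tag names ctp-request and ctp-response, the element name "geographic", the X-CTP-Signature header, and the sample evidence string are all assumptions, and a plain Ed25519 signature over the delivered bytes stands in for a liability-bearing attestation technique such as the Surety AbsoluteProof one named on the slide, which it does not implement.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Hypothetical XML shapes: the real CTP V2.0 schema (Attachment A) is not on
// the slides, so every tag, element and header name here is an assumption.
type EvidenceRequest struct {
	XMLName xml.Name `xml:"ctp-request"`
	Element string   `xml:"element"` // e.g. "geographic", one element family
	Scope   string   `xml:"scope"`   // "enterprise" or a client-specific scope
}

type EvidenceResponse struct {
	XMLName  xml.Name `xml:"ctp-response"`
	Element  string   `xml:"element"`
	Scope    string   `xml:"scope"`
	Evidence string   `xml:"evidence"`
}

const SigHeader = "X-CTP-Signature" // assumed: detached signature over the body

// Provider is the cloud-provider side. It signs the exact bytes it returns, so the
// consumer keeps evidence of who asserted what; TLS alone protects bytes in transit.
type Provider struct {
	priv     ed25519.PrivateKey
	evidence map[string]string // constructed sample evidence, keyed by element
}

func NewProvider(priv ed25519.PrivateKey) *Provider {
	return &Provider{priv: priv, evidence: map[string]string{
		"geographic": "data-at-rest=eu-west processing=eu-west", // constructed
	}}
}

func (p *Provider) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	var req EvidenceRequest // reject anything but a well-formed, size-bounded POST
	if r.Method != http.MethodPost || xml.NewDecoder(io.LimitReader(r.Body, 1<<16)).Decode(&req) != nil {
		http.Error(w, "malformed request", http.StatusBadRequest)
		return
	}
	ev, ok := p.evidence[req.Element]
	if !ok {
		http.Error(w, "unknown element of transparency", http.StatusNotFound)
		return
	}
	body, _ := xml.Marshal(EvidenceResponse{Element: req.Element, Scope: req.Scope, Evidence: ev})
	w.Header().Set("Content-Type", "application/xml")
	w.Header().Set(SigHeader, base64.StdEncoding.EncodeToString(ed25519.Sign(p.priv, body)))
	w.Write(body)
}

// VerifyEvidence is the consumer-side check: the signature must cover the delivered
// bytes under the provider's published key before the XML is parsed or trusted.
func VerifyEvidence(pub ed25519.PublicKey, body []byte, sigB64 string) (*EvidenceResponse, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("provider signature missing or invalid")
	}
	var resp EvidenceResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	return &resp, nil
}

// RequestEvidence performs one in-band exchange: POST, read, verify, then parse.
func RequestEvidence(url string, pub ed25519.PublicKey, element, scope string) (*EvidenceResponse, error) {
	reqBody, _ := xml.Marshal(EvidenceRequest{Element: element, Scope: scope})
	httpResp, err := http.Post(url, "application/xml", bytes.NewReader(reqBody))
	if err != nil {
		return nil, err
	}
	defer httpResp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(httpResp.Body, 1<<20))
	if httpResp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("provider returned %s: %s", httpResp.Status, bytes.TrimSpace(body))
	}
	return VerifyEvidence(pub, body, httpResp.Header.Get(SigHeader))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := httptest.NewServer(NewProvider(priv)) // stands in for the provider's CTP endpoint
	defer srv.Close()
	resp, err := RequestEvidence(srv.URL, pub, "geographic", "enterprise")
	fmt.Printf("resp=%+v err=%v\n", resp, err)
}
```

The check worth noticing is the order of operations on the consumer side: the signature is verified over the raw bytes before any XML parsing, the body is size-bounded, and a response signed under any key other than the one the consumer has on file for that provider is discarded. What the slide calls the "identity store for transparency service authorizations" is exactly where that provider key would have to be pinned; the example takes the key as an argument instead. A signature also says nothing about freshness, so a real evidence response would additionally carry an issuance time or nonce bound into the signed bytes.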