CloudAudit Working Group Update April 2011

CloudAudit Charter
- Provide a common interface and namespace that allows cloud computing providers to automate collection of Audit, Assertion, Assessment, and Assurance Artifacts (A6) of their operating environments
- Allow authorized consumers of services and concerned parties to do likewise via an open, extensible and secure interface and methodology

What CloudAudit Does
- Provide a structure for organizing assertions and supporting documentation for specific controls across different compliance frameworks in a way that simplifies discovery by humans and tools
- Define a namespace that can support diverse frameworks
- Express compliance frameworks in that namespace
- Define the mechanisms for requesting and responding to queries relating to specific controls
- Integrate with portals and AAA systems

How CloudAudit Works
- Utilize security automation capabilities with existing tools/protocols/frameworks via a standard, open and extensible set of interfaces
- Keep it simple, lightweight and easy to implement; offer primitive definitions and language structure using HTTP(S) first at a very basic level
- Allow for extension and elaboration by providers and choice of trusted assertion validation sources, checklist definitions, etc.

Context for CloudAudit
- CloudAudit is not designed to validate or attest "compliance"
- Automates collection and presentation of data supporting queries, using a common set of namespaces aligned to the CSA Cloud Controls Matrix
- Artifacts are accessible by a human operating a web browser or by a tool capable of utilizing CloudAudit over HTTP(S)
- The consumers of this information are internal and external auditors, compliance teams, risk managers, security teams, etc., and in the longer term, brokers

Aligned to CSA Control Matrix
- Officially folded CloudAudit under the Cloud Security Alliance in October 2010
- First efforts aligned to compliance frameworks as established by the CSA Control Matrix: PCI DSS, NIST, HIPAA, COBIT, ISO
- Incorporate CSA's CAI and additional CompliancePacks
- Expand alignment to "infrastructure"- and "operations"-centric views also

What Was Delivered in v1.0
- The first release of CloudAudit provides for the scoped capability for providers to store evidentiary data in well-defined namespaces aligned to the 5 CSA Control Matrix mappings (PCI, HIPAA, NIST 800-53, ISO 27002, COBIT)*
- The data in these namespaces is arbitrary and can be named and file-typed as such, so we need a way of dealing with what can be one to hundreds of supporting files, the contents of some of which are actually URIs to other locations
* Update: v1.1 packaging available to include CSA CCM updates

Current Discussions*
- Stack providers with whom we have discussed CloudAudit: VMware, Citrix, Microsoft, OpenStack
- Cloud service providers with whom we have discussed CloudAudit: AWS, Google, Microsoft, Terremark, Savvis, Rackspace
- Tool (GRC) solution providers with whom we are discussing CloudAudit implementation: Agiliance, RSA
- Audit/standards associations with whom we are discussing CloudAudit: ISACA, ODCA, BITS, ISO, Open Group, DMTF, IETF
* NOTE: Discussions do not imply commitment to proceed or intent to support

What's On The 6 Month Roadmap
- Extend Atom in manifest.xml to provide for timestamps, signatures and version control [need XML/Atom expertise]
- Version control and change notification in conjunction with…
- …Architecture for registry services [cloudaudit.net] and extensions of such (public and/or private)
- Implementation architecture for "atomic queries" (e.g. "PCI Compliant" or "SAS-70 Certified")
- Expand on specific CloudAudit use cases: CloudAudit for Federal Government; CloudAudit for Cloud Providers; CloudAudit for Auditors/Assessors

How It Works

Atom Specification (RFC4287) Atom is an XML-based document format that describes lists of related information known as "feeds". Feeds are composed of a number of items, known as "entries", each with an extensible set of attached metadata. For example, each entry has a title. The primary use case that Atom addresses is the syndication of Web content such as weblogs and news headlines to Web sites as well as directly to user agents.

Request Flow for Users & Tools

index.html/default.jsp/etc.
- index.html is for dumb browser consumption; typically the direct human user use case
- It can be omitted if directory browsing is enabled (not recommended)
- It contains JavaScript to look for the manifest.xml file, parse it, and render it as HTML
- If no manifest.xml exists, it should list the directory contents relevant to the control in question

Manifest.xml
- Structured listing of control contents
- Can be extended to provide contextual information
- Primarily aimed at tool consumption
- In Atom format

Manifest.xml Example
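The manifest example on this slide was an image, so here is an added, stand-alone illustration (not CloudAudit's own code or packaging) of what a tool consuming a control directory has to do: build or fetch an Atom (RFC 4287) manifest.xml listing the evidence files for one control, parse it, fall back to a plain directory listing when no manifest exists (the index.html behaviour described earlier), and check the per-entry timestamp and signature fields the roadmap slide proposes adding. The `urn:example:cloudaudit-ext` namespace, the `ca:signature` element, the control titles, UUIDs and file names are all constructed for this example; HMAC-SHA256 with a shared demo key stands in for a real signature scheme (such as XML-DSig with a provider key) so that the code runs with the standard library alone.

```python
"""Added example: produce, parse and verify a CloudAudit-style Atom manifest."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime
from xml.sax.saxutils import escape, quoteattr

ATOM_NS = "http://www.w3.org/2005/Atom"
# Hypothetical extension namespace for the roadmap's signature field;
# not defined by CloudAudit v1.0 or by RFC 4287.
EXT_NS = "urn:example:cloudaudit-ext"
NS = {"atom": ATOM_NS, "ca": EXT_NS}

DEMO_KEY = b"demo-key-not-for-production"  # constructed shared key for the example
DEMO_ENTRIES = [  # constructed evidence items for one control directory
    ("urn:uuid:00000000-0000-4000-8000-000000000001", "2011-03-15T09:30:00Z",
     "ruleset-review.pdf", "Firewall ruleset review"),
    ("urn:uuid:00000000-0000-4000-8000-000000000002", "2011-03-20T14:00:00Z",
     "https://evidence.example/scan-report", "External scan report (URI, not a local file)"),
]


def _canonical(entry_id, updated, href):
    # Fixed field order so producer and verifier sign exactly the same bytes.
    return f"{entry_id}\n{updated}\n{href}".encode()


def sign_entry(entry_id, updated, href, key):
    """HMAC-SHA256 over the entry's id, timestamp and link (stand-in for a real signature)."""
    return hmac.new(key, _canonical(entry_id, updated, href), hashlib.sha256).hexdigest()


def build_manifest(feed_id, control_title, entries, key):
    """Render an Atom feed listing evidence files for one control; entries are
    (entry_id, updated, href, title) tuples. Text is escaped so titles cannot
    inject markup into the feed."""
    parts = [
        '<?xml version="1.0" encoding="utf-8"?>',
        f'<feed xmlns="{ATOM_NS}" xmlns:ca="{EXT_NS}">',
        f"  <title>{escape(control_title)}</title>",
        f"  <id>{escape(feed_id)}</id>",
        f"  <updated>{max(e[1] for e in entries)}</updated>",
    ]
    for entry_id, updated, href, title in entries:
        sig = sign_entry(entry_id, updated, href, key)
        parts += [
            "  <entry>",
            f"    <title>{escape(title)}</title>",
            f"    <id>{escape(entry_id)}</id>",
            f"    <updated>{updated}</updated>",
            f'    <link rel="enclosure" href={quoteattr(href)}/>',
            f'    <ca:signature alg="hmac-sha256">{sig}</ca:signature>',
            "  </entry>",
        ]
    parts.append("</feed>")
    return "\n".join(parts)


def parse_manifest(xml_text):
    """Return one dict per Atom entry: id, title, updated (raw and as aware datetime), href, sig."""
    root = ET.fromstring(xml_text)
    entries = []
    for e in root.findall("atom:entry", NS):
        link = e.find("atom:link", NS)
        sig = e.find("ca:signature", NS)
        updated = e.findtext("atom:updated", namespaces=NS)
        entries.append({
            "id": e.findtext("atom:id", namespaces=NS),
            "title": e.findtext("atom:title", namespaces=NS),
            "updated": updated,
            # RFC 3339 "Z" suffix is not accepted by fromisoformat before Python 3.11
            "updated_at": datetime.fromisoformat(updated.replace("Z", "+00:00")),
            "href": link.get("href") if link is not None else None,
            "sig": sig.text if sig is not None else None,
        })
    return entries


def verify_entry(entry, key):
    """True only if the entry carries a signature that matches its id/timestamp/link."""
    if not entry["sig"]:
        return False
    expected = sign_entry(entry["id"], entry["updated"], entry["href"], key)
    return hmac.compare_digest(expected, entry["sig"])


def load_control(files, key):
    """Mimic index.html: use manifest.xml when present, else list the directory.
    files maps file name to content, standing in for the control's directory."""
    if "manifest.xml" in files:
        entries = parse_manifest(files["manifest.xml"])
        return {"source": "manifest",
                "entries": [(e["title"], e["href"], verify_entry(e, key)) for e in entries]}
    # No manifest: nothing can be verified, so every listed file is marked unverified.
    return {"source": "listing", "entries": [(name, name, False) for name in sorted(files)]}


def demo():
    """Run the three cases: intact manifest, tampered link, and no manifest at all."""
    xml_text = build_manifest("urn:uuid:00000000-0000-4000-8000-0000000000fe",
                              "Evidence for an example control", DEMO_ENTRIES, DEMO_KEY)
    ok = load_control({"manifest.xml": xml_text, "ruleset-review.pdf": "<pdf bytes>"}, DEMO_KEY)
    tampered = xml_text.replace("ruleset-review.pdf", "ruleset-review-edited.pdf")
    bad = load_control({"manifest.xml": tampered}, DEMO_KEY)
    bare = load_control({"ruleset-review.pdf": "<pdf bytes>", "notes.txt": "..."}, DEMO_KEY)
    return ok, bad, bare


if __name__ == "__main__":
    for result in demo():
        print(result["source"], result["entries"])
```

The signature covers the link target as well as the entry id and timestamp, so a consumer notices when a manifest has been edited to point at a different file or URI; the fallback listing is returned with every item marked unverified, which is the practical reason the slides discourage relying on directory browsing alone.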

What This Looks Like (CSA CompliancePack)

…Which Yields:

…Further

…Assuming You Are Authorized, Of Course

Project Deliverables
- Initial Release Deliverables: ution_ zip, ution_ zip (contains all CompliancePacks, documentation and scripts needed to begin implementation of CloudAudit)
- Working with Service Providers and Tool Vendors for Adoption