Presentation is loading. Please wait.

Presentation is loading. Please wait.

CloudTrust Protocol Orientation and Status July 2011 | Ron KnodeCloudTrust Protocol Orientation.

Published byGarret Goslee Modified over 10 years ago

Similar presentations

Presentation on theme: "CloudTrust Protocol Orientation and Status July 2011 | Ron KnodeCloudTrust Protocol Orientation."— Presentation transcript:

1 CloudTrust Protocol Orientation and Status July 2011 | Ron KnodeCloudTrust Protocol Orientation

2 CloudTrust Protocol Orientation Topics Why is it? What is it? CTP transfer to CSA {Strong} connection to CloudAudit Existing plans & strategies Things for the CSA/CloudAudit to resolve … other stuff … July 2011 | Ron KnodeCloudTrust Protocol Orientation

3 The Value Equation in the Cloud Security Service Transparency Service Compliance & Trust July 2011 | Ron KnodeCloudTrust Protocol Orientation VALUE Captured Delivering evidence-based confidence… with compliance-supporting data & artifacts.

4 The CTP Transfer Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol (CTP Version 2.0 – see reference #2 below) Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP CSC representative as co-chair of CSAs CTP Working Group CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP Free, unrestricted use of CTP derivative works by CSC July 2011 | Ron KnodeCloudTrust Protocol Orientation References 1.See Digital Trust in the Cloud, August 2009, www.csc.com/security/insights/32270- digital_trust_in_the_cloudwww.csc.com/security/insights/32270- digital_trust_in_the_cloud 2.See Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0), July 2010, http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp 3.See CSA + CTP = Nebula Nova, 25 July 2011, http://www.csc.com/cloud/blog/68078- csa_ctp_nebula_nova_a_commentary_and_essayhttp://www.csc.com/cloud/blog/68078- csa_ctp_nebula_nova_a_commentary_and_essay

5 Research Conclusions Summary Initial Results-August 2009 The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns. The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing. Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving. CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency. Resist the temptation to jump into even a so-called secure cloud just to save money. Aim higher! Jump into the right trusted cloud to create and capture new enterprise value. CloudTrust Protocol Orientation www.csc.com/security/insights/32270- digital_trust_in_the_cloud Or at www.csc.com/lefreports July 2011 | Ron Knode

6 CloudTrust Protocol Revealed Research Extension Detailing What and How – July 2010 Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers. The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency. The reliable delivery of only a few elements of transparency generate a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques. Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs. Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective. July 2011 | Ron KnodeCloudTrust Protocol Orientation http://www.csc.com/cloud/insights/57785- into_the_cloud_with_ctp

7 CTP V2.0 Next Updates will be Published through the Cloud Security Alliance July 2011 | Ron KnodeCloudTrust Protocol Orientation Syntax Semantics Self-defined response (No insistence on orthodoxy) – Asset model – Scope of response – Implementation/deployment options Extension Syntax Semantics Self-defined response (No insistence on orthodoxy) – Asset model – Scope of response – Implementation/deployment options Extension

8 Government SpecsExtensions Commercial ??? Continuous monitoring … with a purpose Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers ??? Claims, offers, and the basis for auditing service delivery Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments FedRAMP DIACAP Other C&A standards Pre-audit checklists and questionnaires to inventory controls Industry-accepted ways to document what security controls exist NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, … The recommended foundations for controls Fundamental security principles in assessing the overall security risk of a cloud provider A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack CloudTrust Protocol (CTP) Included Within CSA GRC Stack July 2011 | Ron KnodeCloudTrust Protocol Orientation Deliver continuous monitoring required by A&A methodologies

9 What vulnerabilities exist in my cloud configuration? Transparency as a Service (TaaS) Authorized Users July 2011 | Ron KnodeCloudTrust Protocol Orientation What audit events have occurred in my cloud configuration? Who has access to my data now? What does my cloud computing configuration look like now? Where are my data and processing being performed?

10 CloudTrust Protocol Elements of Transparency 1 23 Private Cloud Other Public Clouds CSC Trusted Cloud Transparency as a Service (TaaS) Transparency as a Service (TaaS) Turn on the lights you need … when you need them

11 CloudTrust Protocol (CTP) Transparency as a Service (TaaS) Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs CSC Trusted Community Cloud TaaS Dashboard Enterprise Using reclaimed visibility into the cloud to confirm security and create digital trust TaaS CTP Private Trusted Cloud Responding to all elements of transparency Cloud Trust Agent TaaS Cloud Trust Response Manager (CRM) SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, … Downstream compliance processing Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

12 Elements of Transparency in the CTP July 2011 | Ron KnodeCloudTrust Protocol Orientation 6 TYPES Initiation Policy introduction Provider assertions Provider notifications EVIDENCE REQUESTS Client extensions ELEMENTS Geographic Platform Process Only 23 in entire protocol FAMILIES Configuration Vulnerabilities ANCHORING Audit log Service Management Service Statistics

13 CloudTrust Protocol Pathways Mapping the Elements of Transparency in Deployment June 2011 | Ron KnodeCloudTrust Protocol Orientation 231 CloudAudit.orgSCAP Sign / sealing

14 CloudTrust Protocol V2.0 July 2011 | Ron KnodeCloudTrust Protocol Orientation Syntax Based on XML Traditional RESTful web service over HTTP See pages of 5-6 Attachment A See pages of 5-6 Attachment A

15 Elastic Characteristics of the CTP Transparency-as-a-Service CTP Cloud Consumers Cloud Providers Legend: Provider dimension Deployment dimension Source: http://www.csc.com/cloud/insights/57785- into_the_cloud_with_ctp

16 RESTful Web Service Trust Evidence (Elements of transparency) Trust Evidence (Elements of transparency) Multiple Styles of Implementation The CTP is machine and human readable RESTful Web Service Trust Evidence (Elements of transparency) Trust Evidence (Elements of transparency) RESTful Web Service Cloud Provider CloudTrust Protocol Service Cloud Consumer IN-BAND OUT-OF-BAND Source: http://www.csc.com/cloud/insights/57785- into_the_cloud_with_ctp

17 Scope of TaaS Enterprise or Client-Specific Client Deployed Application Client Trust Evidence (Partial elements of transparency) Client Trust Evidence (Partial elements of transparency) RESTful Web Service Trust Evidence (Elements of transparency) Trust Evidence (Elements of transparency) RESTful Web Service Cloud Provider CloudTrust Protocol Service Cloud Consumer ENTERPRISE CLIENT SPECIFIC Source: http://www.csc.com/cloud/insights/57785- into_the_cloud_with_ctp

18 Undecideds… Evidence Request category integrity and liability verification technique – Attest to the content, provenance, and imputability of the response (with legal import) – Transmission integrity not sufficient; Require legal liability of intent to provide response as delivered E.g, Surety AbsoluteProof technique Final namespace Trust package correlation with all contributing (traditional) security services Identity store for transparency service authorizations July 2011 | Ron KnodeCloudTrust Protocol Orientation

19 Undecideds… EoT extension technique – Characteristics of specification – Degree of automation Business constructs and back office issues, e.g., – SLA foundations – Concepts of operation – Service Terms & Conditions recommendations Transparency operator training and operations monitoring July 2011 | Ron KnodeCloudTrust Protocol Orientation

20

Download ppt "CloudTrust Protocol Orientation and Status July 2011 | Ron KnodeCloudTrust Protocol Orientation."

Similar presentations

April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Enforcing Business Rules and Information Security Policies through.

April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales Enforcing Business Rules and Information Security Policies through.
Reinventing Email using REST. Anything addressable by a URI is called a resource GET, PUT, POST, DELETE WebDAV (MOVE, LOCK)

Reinventing using REST. Anything addressable by a URI is called a resource GET, PUT, POST, DELETE WebDAV (MOVE, LOCK)
Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
Distributed Data Processing

Distributed Data Processing
Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.

Massachusetts Digital Government Summit October 19, 2009 IT Management Frameworks An Overview of ISO 27001:2005.
Improving the way we learn

Improving the way we learn
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Introducing Progress Arcade Roy Ellis

Introducing Progress Arcade Roy Ellis
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Building an Operational Enterprise Architecture and Service Oriented Architecture Best Practices Presented by: Ajay Budhraja Copyright 2006 Ajay Budhraja,

Building an Operational Enterprise Architecture and Service Oriented Architecture Best Practices Presented by: Ajay Budhraja Copyright 2006 Ajay Budhraja,
Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research

Minding Your Own Business The Platform for Privacy Preferences Project and Privacy Minder Lorrie Faith Cranor AT&T Labs-Research
Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.

Connecting People With Information DoD Net-Centric Services Strategy Frank Petroski October 31, 2006.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )
By Collin Smith http://techinitiatives.blogspot.com COBIT Introduction By Collin Smith http://techinitiatives.blogspot.com.

By Collin Smith COBIT Introduction By Collin Smith
MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.

MS DB Proposal Scott Canaan B. Thomas Golisano College of Computing & Information Sciences.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

Similar presentations

Ads by Google