Slide 1: CloudTrust Protocol
Orientation and Status
July 2011 | Ron Knode CloudTrust Protocol Orientation
Slide 2: CloudTrust Protocol Orientation Topics
• Why is it?
• What is it?
• CTP transfer to CSA
• {Strong} connection to CloudAudit
• Existing plans & strategies
• Things for the CSA/CloudAudit to “resolve”
• … other stuff …
Slide 3: The Value Equation in the Cloud
[Diagram labels: Security Service; Transparency Service; Compliance & Trust; VALUE Captured]
Delivering evidence-based confidence… with compliance-supporting data & artifacts.
Slide 4: The CTP Transfer
• Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol (CTP Version 2.0 – see reference #2 below)
• Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP
• CSC representative as co-chair of CSA’s CTP Working Group
• CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP
• Free, unrestricted use of CTP derivative works by CSC
References
1. See “Digital Trust in the Cloud”, August 2009, www.csc.com/security/insights/32270-digital_trust_in_the_cloud
2. See “Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0)”, July 2010, http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
3. See “CSA + CTP = Nebula Nova”, 25 July 2011, http://www.csc.com/cloud/blog/68078-csa_ctp_nebula_nova_a_commentary_and_essay
Slide 5: Research Conclusions Summary
Initial Results – August 2009
• The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns.
• The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing.
• Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving.
• CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency.
• Resist the temptation to jump into even a so-called “secure” cloud just to save money.
Aim higher!
Jump into the right “trusted” cloud to create and capture new enterprise value.
www.csc.com/security/insights/32270-digital_trust_in_the_cloud or at www.csc.com/lefreports
Slide 6: CloudTrust Protocol Revealed
Research Extension Detailing “What” and “How” – July 2010
• Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers.
• The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.
• The reliable delivery of only a few elements of transparency generates a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques.
• Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs.
• Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective.
http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Slide 7: CTP V2.0 – Next Updates will be Published through the Cloud Security Alliance
• Syntax
• Semantics
• Self-defined response (No insistence on orthodoxy)
  – Asset model
  – Scope of response
  – Implementation/deployment options
• Extension
Slide 8: CloudTrust Protocol (CTP) Included Within CSA GRC Stack
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
[Diagram: the four layers of the stack, with Government Specs, Extensions, and Commercial columns alongside]
• CloudTrust Protocol – Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers: continuous monitoring … with a purpose
• CloudAudit – Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments: claims, offers, and the basis for auditing service delivery
• Consensus Assessments Initiative – Industry-accepted ways to document what security controls exist: pre-audit checklists and questionnaires to inventory controls
• Cloud Controls Matrix – Fundamental security principles in assessing the overall security risk of a cloud provider: the recommended foundations for controls
Government Specs: FedRAMP, DIACAP, other C&A standards – deliver “continuous monitoring” required by A&A methodologies
Commercial: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …
Slide 9: Transparency as a Service (TaaS) Authorized Users
[Diagram: the questions an authorized user puts to the cloud through TaaS]
• What vulnerabilities exist in my cloud configuration?
• What audit events have occurred in my cloud configuration?
• Who has access to my data now?
• What does my cloud computing configuration look like now?
• Where are my data and processing being performed?
Slide 10: CloudTrust Protocol Elements of Transparency (elements 1 to 23)
[Diagram labels: Private Cloud; Other Public Clouds; CSC Trusted Cloud; Transparency as a Service (TaaS)]
Transparency as a Service (TaaS): Turn on the lights you need … when you need them
Slide 11: CloudTrust Protocol (CTP) Transparency as a Service (TaaS)
Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs
[Diagram labels: Enterprise with a TaaS Dashboard, using reclaimed visibility into the cloud to confirm security and create digital trust; CSC Trusted Community Cloud and Private Trusted Cloud, each responding to all elements of transparency over CTP/TaaS; CloudTrust Agent; Cloud Trust Response Manager (CRM); downstream compliance processing against SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Slide 12: Elements of Transparency in the CTP
6 TYPES: Initiation; Policy introduction; Provider assertions; Provider notifications; Evidence requests; Client extensions
ELEMENTS: Only 23 in the entire protocol
EVIDENCE REQUEST FAMILIES: Configuration; Vulnerabilities; Anchoring (Geographic, Platform, Process); Audit log; Service Management; Service Statistics
Slide 13: CloudTrust Protocol Pathways – Mapping the Elements of Transparency in Deployment
[Diagram: the elements of transparency, numbered 1 to 23, mapped across the pathways Admin & Ops, Specs, Transparency Requests, and Extensions, and across the response kinds Assertions, Evidence, and Affirmations]
• Session start: 1; Session end: 2
• Configuration & vulnerabilities: 3, 4, 5, 6, 7
• Anchoring: 8, 9, 10 (geographic, platform, process)
• Violation: 11; Audit: 12; Access: 13; Incident log: 14; Config/control: 15; Stats: 16
• Security capabilities and operations: 17
• Alerts: 18
• Users: 19
• Configuration definition: 20
• Anchors: 21; Quotas: 22; Alert conditions: 23
• Consumer/provider negotiated: 24
Related labels: CloudAudit.org; SCAP; Sign / sealing
Slide 14: CloudTrust Protocol V2.0
Syntax
• Based on XML
• Traditional RESTful web service over HTTP
See pages 5-6 of Attachment A
Slide 15: Elastic Characteristics of the CTP
[Diagram labels: Transparency-as-a-Service; CTP; Cloud Consumers; Cloud Providers. Legend: Provider dimension; Deployment dimension]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Slide 16: Multiple Styles of Implementation – The CTP is machine and human readable
[Diagram, two panels labelled IN-BAND and OUT-OF-BAND; labels in each panel: Cloud Consumer; RESTful Web Service; CloudTrust Protocol Service; Cloud Provider; Trust Evidence (Elements of transparency)]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Slide 17: Scope of TaaS – Enterprise or Client-Specific
[Diagram, two panels labelled ENTERPRISE and CLIENT SPECIFIC; labels in each panel: Cloud Consumer; RESTful Web Service; CloudTrust Protocol Service; Cloud Provider; Trust Evidence (Elements of transparency). The CLIENT SPECIFIC panel adds: Client Deployed Application; Client Trust Evidence (Partial elements of transparency)]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Slide 18: Undecideds…
• Evidence Request category “integrity and liability verification technique”
  – Attest to the content, provenance, and imputability of the response (with legal import)
  – Transmission integrity not sufficient; require legal liability of intent to provide response as delivered
  – E.g., Surety AbsoluteProof technique
• Final namespace
• Trust package correlation with all contributing (traditional) security services
• Identity store for transparency service authorizations
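The deck states that CTP V2.0 is XML carried by a traditional RESTful web service over HTTP (slide 14), that the trust evidence it returns feeds downstream compliance processing (slide 11), and, in the undecideds above, that transmission integrity alone is not sufficient: the content, provenance and imputability of a response need to be attested. The Go program below is an added example and is not CSC's or the CSA's CTP code: the `EvidenceRequest`/`EvidenceResponse` XML shapes, the `Provider`, `Answer` and `Verify` names, the sample evidence values and the choice of an ECDSA signature over the response content are all assumptions made here. It walks one exchange: a consumer asks for element 8 (geographic anchoring, per the pathway map on slide 13), the provider signs its answer, and the consumer checks that the reply answers the element and scope that were requested and that the signature still holds over the artifact, so a reply altered after delivery, or a reply for a different element, is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Hypothetical XML shapes for one element of transparency, NOT the CTP V2.0
// syntax of Attachment A. Element numbers follow the deck's pathway map.
type EvidenceRequest struct {
	XMLName xml.Name `xml:"EvidenceRequest"`
	Element int      `xml:"element,attr"` // e.g. 8 = geographic anchoring
	Scope   string   `xml:"Scope"`        // "enterprise" or a client-specific scope
}

type EvidenceResponse struct {
	XMLName   xml.Name `xml:"EvidenceResponse"`
	Element   int      `xml:"element,attr"`
	Scope     string   `xml:"Scope"`
	Issued    string   `xml:"Issued"`
	Value     string   `xml:"Value"`
	Signature string   `xml:"Signature,omitempty"` // base64 ECDSA P-256 over signedBytes()
}

// signedBytes is the exact byte string the signature covers: the response with Signature left out.
func (r EvidenceResponse) signedBytes() []byte {
	r.Signature = ""
	b, _ := xml.Marshal(r) // ints and strings always marshal
	return b
}

// Provider plays the provider's CloudTrust Protocol service; evidence values are constructed samples.
type Provider struct {
	key      *ecdsa.PrivateKey
	evidence map[int]string
}

// NewProvider also returns the public key a consumer would be given out of band.
func NewProvider() (*Provider, *ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sample := map[int]string{8: "eu-west (Dublin)", 9: "xen-4.1 / rhel-6.1 x86_64"}
	return &Provider{key, sample}, &key.PublicKey, nil
}

// Answer is the provider side: look the element up, sign the response content, return it as XML.
func (p *Provider) Answer(er EvidenceRequest) ([]byte, error) {
	value, ok := p.evidence[er.Element]
	if !ok {
		return nil, fmt.Errorf("element %d not offered", er.Element)
	}
	resp := EvidenceResponse{Element: er.Element, Scope: er.Scope, Value: value, Issued: time.Now().UTC().Format(time.RFC3339)}
	digest := sha256.Sum256(resp.signedBytes())
	sig, err := ecdsa.SignASN1(rand.Reader, p.key, digest[:])
	if err != nil {
		return nil, err
	}
	resp.Signature = base64.StdEncoding.EncodeToString(sig)
	return xml.Marshal(resp)
}

// Verify is the consumer side: the reply must answer the element and scope asked for, and the
// provider's signature must hold over the content itself, not merely over the transport.
func Verify(pub *ecdsa.PublicKey, want EvidenceRequest, responseXML []byte) (EvidenceResponse, error) {
	var resp EvidenceResponse
	if err := xml.Unmarshal(responseXML, &resp); err != nil {
		return resp, err
	}
	if resp.Element != want.Element || resp.Scope != want.Scope {
		return resp, errors.New("response does not answer the request that was sent")
	}
	sig, err := base64.StdEncoding.DecodeString(resp.Signature)
	if err != nil {
		return resp, err
	}
	if d := sha256.Sum256(resp.signedBytes()); !ecdsa.VerifyASN1(pub, d[:], sig) {
		return resp, errors.New("provider signature does not verify over response content")
	}
	return resp, nil
}

func main() {
	p, pub, _ := NewProvider()
	req := EvidenceRequest{Element: 8, Scope: "enterprise"}
	respXML, _ := p.Answer(req)
	_, err := Verify(pub, req, respXML)
	fmt.Printf("%s\nverified: %v\n", respXML, err == nil)
}
```

Signing the content rather than the channel is what lets a reply be stored as a compliance artifact and attributed to the provider later, which TLS on its own cannot give. Whether a plain signature meets the “legal import” the slide asks for, as against a third-party sealing service of the AbsoluteProof kind it mentions, is exactly the question the deck leaves open, and how the consumer obtains and trusts the provider's public key is outside this example.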
Slide 19: Undecideds…
• EoT extension technique
  – Characteristics of specification
  – Degree of automation
• Business constructs and back office issues, e.g.,
  – SLA foundations
  – Concepts of operation
  – Service Terms & Conditions recommendations
• Transparency operator training and operations monitoring
Slide 20: THANK YOU