20
CloudTrust Protocol Orientation and Status July 2011 | Ron Knode CloudTrust Protocol Orientation

CloudTrust Protocol

  • Upload
    liona

  • View
    34

  • Download
    0

Embed Size (px)

DESCRIPTION

CloudTrust Protocol. Orientation and Status. CloudTrust Protocol Orientation Topics. Why is it? What is it? CTP transfer to CSA {Strong} connection to CloudAudit Existing plans & strategies Things for the CSA/CloudAudit to “resolve” … other stuff …. The Value Equation in the Cloud. - PowerPoint PPT Presentation

Citation preview

Page 1: CloudTrust Protocol

CloudTrust Protocol

Orientation and Status

July 2011 | Ron Knode CloudTrust Protocol Orientation

Page 2: CloudTrust Protocol

CloudTrust Protocol Orientation Topics

• Why is it?• What is it?• CTP transfer to CSA• {Strong} connection to CloudAudit• Existing plans & strategies• Things for the CSA/CloudAudit to “resolve”• … other stuff …

July 2011 | Ron Knode CloudTrust Protocol Orientation

Page 3: CloudTrust Protocol

The Value Equation in the Cloud

July 2011 | Ron Knode CloudTrust Protocol Orientation

VALUE CapturedVALUE CapturedDelivering evidence-based confidence…

with compliance-supporting data & artifacts.

Page 4: CloudTrust Protocol

The CTP Transfer

• Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol(CTP Version 2.0 – see reference #2 below)

• Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP

• CSC representative as co-chair of CSA’s CTP Working Group• CSA to include an acknowledgement that CSC is the original developer of

the CTP in any published materials (including electronic publication) that mention the CTP

• Free, unrestricted use of CTP derivative works by CSC

July 2011 | Ron Knode CloudTrust Protocol Orientation

References1. See “Digital Trust in the Cloud”, August 2009,

www.csc.com/security/insights/32270-digital_trust_in_the_cloud2. See “Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0)”, July 2010, http://

www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp3. See “CSA + CTP = Nebula Nova”, 25 July 2011,

http://www.csc.com/cloud/blog/68078-csa_ctp_nebula_nova_a_commentary_and_essay

Page 5: CloudTrust Protocol

Research Conclusions Summary

Initial Results-August 2009

•The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns.•The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing.•Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving.•CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency.•Resist the temptation to jump into even a so-called “secure” cloud just to save money.

Aim higher!

Jump into the right “trusted” cloud to create and capture new enterprise value.

CloudTrust Protocol Orientation

www.csc.com/security/insights/32270-digital_trust_in_the_cloudOr at www.csc.com/lefreports

July 2011 | Ron Knode

Page 6: CloudTrust Protocol

CloudTrust Protocol Revealed

Research Extension Detailing “What” and “How” – July 2010

•Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers.•The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.•The reliable delivery of only a few elements of transparency generate a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques.•Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs.•Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective.

July 2011 | Ron Knode CloudTrust Protocol Orientation

http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 7: CloudTrust Protocol

CTP V2.0Next Updates will be Published through the Cloud Security Alliance

July 2011 | Ron Knode CloudTrust Protocol Orientation

• Syntax

• Semantics

• Self-defined response(No insistence on orthodoxy)– Asset model– Scope of response– Implementation/deployment options

• Extension

• Syntax

• Semantics

• Self-defined response(No insistence on orthodoxy)– Asset model– Scope of response– Implementation/deployment options

• Extension

Page 8: CloudTrust Protocol

Government Specs Extensions Commercial

??? Continuous monitoring … with a purpose

• Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers

??? Claims, offers, and the basis for auditing service delivery

• Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

• FedRAMP• DIACAP• Other C&A standards

Pre-audit checklists and questionnaires to inventory

controls

• Industry-accepted ways to document what security controls exist

NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …

The recommended foundations for controls

• Fundamental security principles in assessing the overall security risk of a cloud provider

A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack

CloudTrust Protocol (CTP) Included Within CSA GRC Stack

July 2011 | Ron Knode CloudTrust Protocol Orientation

Deliver “continuous monitoring” required by A&A methodologies

Page 9: CloudTrust Protocol

What vulnerabilities

exist in my cloud configuration?

Transparency as a Service (TaaS) Authorized Users

July 2011 | Ron Knode CloudTrust Protocol Orientation

What audit events have occurred in

my cloud configuration?

Who has access to my data now?

What does my cloud

computing configuration look like now?

Where are my data and

processing being performed?

Page 10: CloudTrust Protocol

CloudTrust Protocol Elements of Transparency CloudTrust Protocol Elements of Transparency1 23

Private Cloud Other Public Clouds CSC Trusted Cloud

Transparency as a Service(TaaS)

Transparency as a Service(TaaS)

Transparency as a Service (TaaS)Turn on the lights you need … when you need them

Page 11: CloudTrust Protocol

CloudTrust Protocol (CTP) Transparency as a Service (TaaS)

Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs

CSC Trusted Community Cloud

TaaS Dashboard

Enterprise

•••Using reclaimed visibility into the cloud

to confirm security and create digital trust

TaaSTaaS

CTPCTPPrivate Trusted Cloud

Responding to all elements of transparency

Responding to all elements of transparency

CloudTrust Agent

TaaSTaaS

Cloud Trust Response

Manager (CRM)

SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …

Downstream compliance processing

Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 12: CloudTrust Protocol

Elements of Transparency in the CTP

July 2011 | Ron Knode CloudTrust Protocol Orientation

6 TYPES

Initiation

Policy introduction

Provider assertions

Provider notifications

EVIDENCE REQUESTS

Client extensions

ELEMENTS

Geographic

Platform

Process Onl

y 23

in e

ntire

pro

toco

l

FAMILIES

Configuration

Vulnerabilities

ANCHORING

Audit log

Service Management

Service Statistics

Page 13: CloudTrust Protocol

CloudTrust Protocol PathwaysMapping the Elements of Transparency in Deployment

June 2011 | Ron Knode CloudTrust Protocol Orientation

2323 11

CloudAudit.org SCAPSCAP Sign / sealing

Page 14: CloudTrust Protocol

CloudTrust Protocol V2.0

July 2011 | Ron Knode CloudTrust Protocol Orientation

Syntax• Based on XML• Traditional RESTful web

service over HTTP

See pages of See pages of 5-6 5-6

Attachment AAttachment A

See pages of See pages of 5-6 5-6

Attachment AAttachment A

Page 15: CloudTrust Protocol

Elastic Characteristics of the CTP

Transparency-as-a-ServiceTransparency-as-a-ServiceCTP

CTP

Cloud Consumers

Cloud Providers

Legend:

Provider dimension

Deployment dimension

Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 16: CloudTrust Protocol

RESTful Web ServiceRESTful Web Service

Trust Evidence (Elements of transparency)

Trust Evidence (Elements of transparency)

Multiple Styles of ImplementationThe CTP is machine and human readable

RESTful Web ServiceRESTful Web Service

Trust Evidence (Elements of transparency)

Trust Evidence (Elements of transparency)

IN-BAND

OUT-OF-BAND

Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 17: CloudTrust Protocol

Scope of TaaS Enterprise or Client-Specific

Client Deployed Application

Client Deployed Application

Client Trust Evidence (Partial elements of transparency)

Client Trust Evidence (Partial elements of transparency)

RESTful Web ServiceRESTful Web Service

Trust Evidence (Elements of transparency)

Trust Evidence (Elements of transparency)

ENTERPRISE

CLIENT SPECIFIC

Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 18: CloudTrust Protocol

Undecideds…

• Evidence Request category “integrity and liability verification technique”– Attest to the content, provenance, and imputability of the

response (with legal import)– Transmission integrity not sufficient; Require legal liability of

intent to provide response as delivered• E.g, Surety AbsoluteProof technique

• Final namespace• Trust package correlation with all

contributing (traditional) security services• Identity store for transparency service

authorizations

July 2011 | Ron Knode CloudTrust Protocol Orientation

Page 19: CloudTrust Protocol

Undecideds…

• EoT extension technique– Characteristics of specification– Degree of automation

• Business constructs and back office issues, e.g.,– SLA foundations– Concepts of operation– Service Terms & Conditions recommendations

• Transparency operator training and operations monitoring

July 2011 | Ron Knode CloudTrust Protocol Orientation

Page 20: CloudTrust Protocol