
CloudTrust Protocol

Orientation and Status

July 2011 | Ron Knode CloudTrust Protocol Orientation


CloudTrust Protocol
Orientation Topics
• Why is it?
• What is it?
• CTP transfer to CSA
• {Strong} connection to CloudAudit
• Existing plans & strategies
• Things for the CSA/CloudAudit to “resolve”
• … other stuff …



The Value Equation in the Cloud

[Figure: labels read Security, Transparency, Compliance; Service, Service & Trust; VALUE Captured]
Delivering evidence-based confidence…
with compliance-supporting data & artifacts.



The CTP Transfer
• Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol
(CTP Version 2.0 – see reference #2 below)
• Nonexclusive, no-cost, royalty-free license to make derivative works of/for
the CTP
• CSC representative as co-chair of CSA’s CTP Working Group
• CSA to include an acknowledgement that CSC is the original developer of
the CTP in any published materials (including electronic publication) that
mention the CTP
• Free, unrestricted use of CTP derivative works by CSC

References
1. See “Digital Trust in the Cloud”, August 2009, www.csc.com/security/insights/32270-digital_trust_in_the_cloud
2. See “Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0)”, July 2010, http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
3. See “CSA + CTP = Nebula Nova”, 25 July 2011, http://www.csc.com/cloud/blog/68078-csa_ctp_nebula_nova_a_commentary_and_essay
Research Conclusions Summary
Initial Results – August 2009

• The desire to benefit from the elastic promise of cloud
processing is blocked for most enterprise applications
because of security and privacy concerns.
• The re-introduction of transparency into the cloud is the
single biggest action needed to create digital trust in a
cloud and enable the capture of enterprise-scale payoffs in
cloud processing.
• Even today there are ways to benefit from cloud processing
while technologies and techniques to deliver digital trust in
the cloud are evolving.
• CSC has created a definition and an approach to
"orchestrate" a trusted cloud and restore needed
transparency.
• Resist the temptation to jump into even a so-called
“secure” cloud just to save money.
Aim higher!
Jump into the right “trusted” cloud to create and
capture new enterprise value.
www.csc.com/security/insights/32270-digital_trust_in_the_cloud
Or at www.csc.com/lefreports



CloudTrust Protocol Revealed
Research Extension Detailing “What” and “How” – July 2010

• Transparency in the cloud is the key to capturing digital
trust payoffs for both cloud consumers and cloud
providers.
• The CloudTrust Protocol (CTP) offers an uncomplicated,
natural way to request and receive fundamental
information about essential elements of transparency.
• The reliable delivery of only a few elements of
transparency generates a lot of digital trust, and that digital
trust liberates cloud users to bring more and more core
enterprise services and data to cloud techniques.
• Transparency-as-a-Service (TaaS) using the CTP provides a
flexible, uniform, and simple technique for reclaiming
transparency into actual cloud architectures,
configurations, services, and status … responding to both
cloud user and cloud provider needs.
• Transparency protocols like the CTP must be accompanied
by corresponding concepts of operation and contractual
conditions to be completely effective.
http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp



CTP V2.0
Next Updates will be Published through the Cloud Security Alliance

• Syntax

• Semantics

• Self-defined response
(No insistence on orthodoxy)
– Asset model
– Scope of response
– Implementation/deployment options

• Extension



A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
CloudTrust Protocol (CTP) Included Within CSA GRC Stack

[Figure: a four-layer stack with Government Specs, Extensions and Commercial columns; two layer names survive only as “???” in the source]

• Continuous monitoring … with a purpose (???)
– Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers
– Government Specs: deliver “continuous monitoring” required by A&A methodologies
• Claims, offers, and the basis for auditing service delivery (???)
– Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
• Industry-accepted ways to document what security controls exist
– Pre-audit checklists and questionnaires to inventory controls
– Government Specs: FedRAMP, DIACAP, other C&A standards
• The recommended foundations for controls
– Fundamental security principles in assessing the overall security risk of a cloud provider
– Government Specs: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …



Transparency as a Service (TaaS)
Authorized Users

[Figure: the questions an authorized user can put to the cloud through TaaS]
• What vulnerabilities exist in my cloud configuration?
• Where are my data and processing being performed?
• What does my cloud computing configuration look like now?
• What audit events have occurred in my cloud configuration?
• Who has access to my data now?



Transparency as a Service (TaaS)
Turn on the lights you need … when you need them

[Figure: CloudTrust Protocol Elements of Transparency 1 … 23, delivered as Transparency as a Service (TaaS) across a Private Cloud, Other Public Clouds, and the CSC Trusted Cloud]

CloudTrust Protocol (CTP) Transparency as a Service (TaaS)
Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs

[Figure: components labelled Enterprise; CSC Trusted Community Cloud; Private Trusted Cloud; Cloud Trust Response Manager (CRM); TaaS Dashboard; Cloud Trust Agent; Downstream compliance processing; each cloud is marked “Responding to all elements of transparency” over CTP. Compliance needs named: SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …]
Using reclaimed visibility into the cloud to confirm security and create digital trust
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Elements of Transparency in the CTP
Only 23 elements in the entire protocol, in 6 families:
• Initiation
• Policy introduction
• Provider assertions
• Provider notifications
• Evidence requests, by type:
– Configuration
– Vulnerabilities
– Anchoring (geographic, platform, process)
– Audit log
– Service management
– Service statistics
• Client extensions



CloudTrust Protocol Pathways
Mapping the Elements of Transparency in Deployment

[Figure: the elements of transparency laid out by column: Admin & Ops | Specs (Assertions) | Transparency Requests (Evidence) | Extensions (Affirmations); annotations on the figure read SCAP, CloudAudit.org and Sign / sealing]

Admin & Ops
• Session start: 1
• Session end: 2
• Alerts: 18

Specs (Assertions)
• Users: 19
• Configuration definition: 20
• Anchors: 21
• Quotas: 22
• Alert conditions: 23

Transparency Requests (Evidence)
• Configuration & vulnerabilities: 3, 4, 5, 6, 7
• Anchoring (geographic, platform, process): 8, 9, 10
• Violation: 11
• Audit: 12
• Access: 13
• Incident log: 14
• Config/control: 15
• Stats: 16
• Security capabilities and operations: 17

Extensions (Affirmations)
• Consumer/provider negotiated: 24



CloudTrust Protocol V2.0
Syntax (see pages 5-6 of Attachment A)
• Based on XML
• Traditional RESTful web service over HTTP



Elastic Characteristics of the CTP

[Figure: Cloud Consumers ↔ CTP ↔ Cloud Providers, with the CTP delivering Transparency-as-a-Service; legend: provider dimension, deployment dimension]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Multiple Styles of Implementation
The CTP is machine and human readable

[Figure: two deployment styles. OUT-OF-BAND: the CloudTrust Protocol Service is a RESTful web service separate from the cloud provider’s other RESTful web services, returning trust evidence (elements of transparency) to the cloud consumer. IN-BAND: the CloudTrust Protocol Service sits among the cloud provider’s RESTful web services and returns trust evidence (elements of transparency) to the cloud consumer through them.]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Scope of TaaS: Enterprise or Client-Specific

[Figure: two scopes. CLIENT SPECIFIC: the CloudTrust Protocol Service answers for a client-deployed application, returning trust evidence (elements of transparency) to the cloud consumer. ENTERPRISE: the CloudTrust Protocol Service returns client trust evidence (partial elements of transparency) to the cloud consumer.]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Undecideds…
• Evidence Request category “integrity and
liability verification technique”
– Attest to the content, provenance, and imputability of the
response (with legal import)
– Transmission integrity not sufficient; Require legal liability of
intent to provide response as delivered
• E.g., Surety AbsoluteProof technique

• Final namespace
• Trust package correlation with all
contributing (traditional) security services
• Identity store for transparency service
authorizations
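The V2.0 syntax slide states that the CTP is XML carried over a traditional RESTful web service on HTTP, and the first undecided above asks for an integrity and liability verification technique for the response itself, since transport integrity alone does not bind delivered content to the provider. The Go program below is an added example written for this orientation, not CSC’s or the CSA’s CTP code: it models a hypothetical evidence endpoint (`/evidence?element=N`), constructed XML element names (`evidenceResponse`, `signedEvidence`) and an Ed25519 signature over the serialized payload, which the consumer verifies before reading any evidence. The endpoint path, element names, numbering range and choice of signature scheme are all assumptions; the real CTP V2.0 syntax lives in Attachment A, which this deck does not reproduce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// EvidenceResponse is a hypothetical CTP-style response; names and numbering are constructed, not the CTP V2.0 schema.
type EvidenceResponse struct {
	XMLName  xml.Name `xml:"evidenceResponse"`
	Element  int      `xml:"element,attr"` // element of transparency number, assumed 1..23
	Evidence string   `xml:"evidence"`
}

// SignedEnvelope carries the serialized response plus the provider's signature over those exact bytes.
type SignedEnvelope struct {
	XMLName   xml.Name `xml:"signedEvidence"`
	Payload   string   `xml:"payload"`   // base64 of the EvidenceResponse XML
	Signature string   `xml:"signature"` // base64 Ed25519 signature over the payload bytes
}

// Demo key pair for the provider; consumers receive only the public half, out of band.
var providerPub, providerPriv, _ = ed25519.GenerateKey(rand.Reader)

// Sign serializes the response and signs the bytes the consumer will later verify.
func Sign(priv ed25519.PrivateKey, resp EvidenceResponse) (SignedEnvelope, error) {
	body, err := xml.Marshal(resp)
	if err != nil {
		return SignedEnvelope{}, err
	}
	return SignedEnvelope{Payload: base64.StdEncoding.EncodeToString(body),
		Signature: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))}, nil
}

// ServeEvidence answers GET /evidence?element=N (hypothetical endpoint) with a signed envelope.
func ServeEvidence(w http.ResponseWriter, r *http.Request) {
	n, err := strconv.Atoi(r.URL.Query().Get("element"))
	if err != nil || n < 1 || n > 23 {
		http.Error(w, "element must be 1..23", http.StatusBadRequest)
		return
	}
	// Constructed sample evidence; a real provider would draw it from its own records.
	env, err := Sign(providerPriv, EvidenceResponse{Element: n, Evidence: fmt.Sprintf("sample evidence for element %d", n)})
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	xml.NewEncoder(w).Encode(env)
}

// Verify checks the signature before anything in the payload is trusted; TLS alone would not bind the content to the provider's key.
func Verify(env SignedEnvelope, pub ed25519.PublicKey) (EvidenceResponse, error) {
	body, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return EvidenceResponse{}, err
	}
	sig, err := base64.StdEncoding.DecodeString(env.Signature)
	if err != nil {
		return EvidenceResponse{}, err
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, body, sig) {
		return EvidenceResponse{}, fmt.Errorf("evidence signature does not verify")
	}
	var resp EvidenceResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return EvidenceResponse{}, err
	}
	return resp, nil
}

// Fetch is the consumer side: request one element over HTTP, then verify before use.
func Fetch(baseURL string, element int, pub ed25519.PublicKey) (EvidenceResponse, error) {
	r, err := http.Get(fmt.Sprintf("%s/evidence?element=%d", baseURL, element))
	if err != nil {
		return EvidenceResponse{}, err
	}
	defer r.Body.Close()
	if r.StatusCode != http.StatusOK {
		return EvidenceResponse{}, fmt.Errorf("provider returned %s", r.Status)
	}
	var env SignedEnvelope
	if err := xml.NewDecoder(r.Body).Decode(&env); err != nil {
		return EvidenceResponse{}, err
	}
	return Verify(env, pub)
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(ServeEvidence)) // in-process stand-in for the provider
	defer srv.Close()
	fmt.Println(Fetch(srv.URL, 12, providerPub))
}
```

`Verify` fails closed: it rejects a wrong-size key, a signature made under another key, and any byte changed in the payload after signing, and it only unmarshals the XML once the signature holds. A signature of this kind covers content integrity and provenance; whether it also satisfies the deck’s “legal liability” requirement depends on key custody, timestamping and contract terms, which is the part the slide leaves undecided.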
Undecideds…
• EoT extension technique
– Characteristics of specification
– Degree of automation

• Business constructs and back office issues, e.g.,
– SLA foundations
– Concepts of operation
– Service Terms & Conditions recommendations

• Transparency operator training and operations monitoring

