CloudTrust Protocol Orientation and Status | Ron Knode | CTP to CSA | 6 June 2011

Page 1: CloudTrust Protocol Orientation and Status


CloudTrust Protocol Orientation and Status

June 2011

Ron Knode

Page 2: CloudTrust Protocol Orientation and Status

CloudTrust Protocol Orientation Topics

Why is it?

What is it?

CTP transfer to CSA

{Strong} connection to CloudAudit

Existing plans & strategies

Things for the CSA/CloudAudit to “resolve”

… other stuff …


Page 3: CloudTrust Protocol Orientation and Status

The Value Equation in the Cloud


Security Service + Transparency Service = Compliance & Trust VALUE Captured

(delivering evidence-based confidence … with compliance-supporting data & artifacts)

Source: CSC

Page 4: CloudTrust Protocol Orientation and Status

The CTP Transfer

• Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol (CTP Version 2.0 – see reference #2 below)

• Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP

• CSC representative as co-chair of CSA’s CTP Working Group

• CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP

• Free, unrestricted use of CTP derivative works by CSC


References

1. See “Digital Trust in the Cloud”, August 2009, www.csc.com/security/insights/32270-digital_trust_in_the_cloud

2. See “Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0)”, July 2010, http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 5: CloudTrust Protocol Orientation and Status


Research Conclusions Summary (Initial Results – August 2009)

• The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns.

• The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing.

• Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving.

• CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency.

• Resist the temptation to jump into even a so-called “secure” cloud just to save money.

• Aim higher!

• Jump into the right “trusted” cloud to create and capture new enterprise value.

www.csc.com/security/insights/32270-digital_trust_in_the_cloud or at www.csc.com/lefreports

Page 6: CloudTrust Protocol Orientation and Status


CloudTrust Protocol Revealed (Research extension detailing ‘what’ and ‘how’ – July 2010)

• Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers.

• The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

• The reliable delivery of only a few elements of transparency generates a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques.

• Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs.

• Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective.

http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 7: CloudTrust Protocol Orientation and Status

CTP V2.0 (next updates will be published through the Cloud Security Alliance)

Syntax

Semantics

Self-defined response (no insistence on orthodoxy)

Asset model

Scope of response

Implementation/deployment options

Extension


Page 8: CloudTrust Protocol Orientation and Status

A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack

CloudTrust Protocol (CTP) Included Within CSA GRC Stack

[Stack diagram; column headings: Government Specs | Extensions | Commercial. Layers as listed on the slide:]

Continuous monitoring … with a purpose

• Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers

Claims, offers, and the basis for auditing service delivery

• Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

Pre-audit checklists and questionnaires to inventory controls

• Industry-accepted ways to document what security controls exist

The recommended foundations for controls

• Fundamental security principles in assessing the overall security risk of a cloud provider

Government Specs: FedRAMP, DIACAP, Other C&A standards

Commercial: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …

Deliver “continuous monitoring” required by A&A methodologies

Page 9: CloudTrust Protocol Orientation and Status

CloudTrust Protocol (CTP) Transparency as a Service (TaaS): Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs

[Architecture diagram; text recovered from the figure:]

Enterprise and TaaS Dashboard: using reclaimed visibility into the cloud to confirm security and create digital trust

CSC Trusted Community Cloud and Private Trusted Cloud, each reached over CTP through TaaS: responding to all elements of transparency

CloudTrust Agent and Cloud Trust Response Manager (CRM)

Downstream compliance processing: SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …

Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 10: CloudTrust Protocol Orientation and Status

Transparency-as-a-Service (TaaS): Turn on the lights you need … when you need them

[Figure: Authorized TaaS Users request CloudTrust Protocol (CTP) Elements of Transparency 1 … 23 through Transparency-as-a-Service (TaaS) across a Private Cloud, Other Public Clouds, and the CSC Trusted Cloud.]

Questions the elements answer:

• What does my cloud computing configuration look like right now?

• Where are my data and processing being performed?

• Who has access to my data now?

• What vulnerabilities exist in my cloud configuration?

• What audit events have occurred in my cloud configuration?

• Who has had access to my data?

. . . . . .

Page 11: CloudTrust Protocol Orientation and Status


Elements of Transparency in the CTP (only 23 in total in the entire protocol)

6 Types:

Initiation

Policy Introduction

Provider assertions

Provider notifications

Evidence requests

Client extensions

Families:

• Configuration

• Vulnerabilities

• Anchoring (elements: Geographic, Platform, Process)

• Audit log

• Service Management

• Service Statistics

Page 12: CloudTrust Protocol Orientation and Status

CloudTrust Protocol Pathways: Mapping the Elements of Transparency in Deployment

[Matrix diagram; columns: Admin & Ops | Specs | Transparency Requests | Extensions; rows: Assertions | Evidence | Affirmations. Element numbers recovered from the figure:]

Session start: 1

Session end: 2

Configuration & vulnerabilities: 3, 4, 5, 6, 7

Anchoring: 8, 9, 10 (geographic, platform, process)

Violation: 11

Audit: 12

Access: 13

Incident log: 14

Config/control: 15

Stats: 16

Security capabilities and operations: 17

Alerts: 18

Users: 19

Configuration definition: 20

Anchors: 21

Quotas: 22

Alert conditions: 23

Consumer/provider negotiated: 24

Related annotations on the figure: CloudAudit.org, SCAP, Sign / sealing

Page 13: CloudTrust Protocol Orientation and Status

CloudTrust Protocol V2.0 Syntax

Based on XML

Traditional RESTful web service over HTTP


Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
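Pages 11 to 13 describe the CTP as a small XML-based, RESTful exchange: a consumer asks for one of the 23 numbered elements of transparency and the provider answers with a self-defined response whose scope is either enterprise-wide or client-specific (page 16). The Python model below is an added example written for this page; it is not CSC's or the CSA's CTP code, and the XML tag names, the request/response shapes, the provider identifier, the shared seal key and the sample evidence are all assumptions (the CTP V2.0 schema is not reproduced here). Only the element numbers and labels come from the pathways slide. The seal is an HMAC over the response body, which demonstrates content integrity between two parties that share a key; page 17's open item (attesting content, provenance and liability with legal import, e.g. through a third-party sealing service) would replace it with a signature a third party can verify.

```python
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

# Element numbers and labels as listed on the "CloudTrust Protocol Pathways"
# slide (23 in the protocol, plus 24 for consumer/provider negotiated extensions).
ELEMENTS = {
    1: "Session start", 2: "Session end",
    **{n: "Configuration & vulnerabilities" for n in (3, 4, 5, 6, 7)},
    **{n: "Anchoring (geographic, platform, process)" for n in (8, 9, 10)},
    11: "Violation", 12: "Audit", 13: "Access", 14: "Incident log",
    15: "Config/control", 16: "Stats",
    17: "Security capabilities and operations", 18: "Alerts", 19: "Users",
    20: "Configuration definition", 21: "Anchors", 22: "Quotas",
    23: "Alert conditions", 24: "Consumer/provider negotiated",
}

# Constructed sample evidence held by the provider, keyed by element number
# and then by the consumer's asset (the asset model the response is scoped to).
SAMPLE_EVIDENCE = {
    12: {"acct-A": [{"ts": "2011-06-06T09:00:00Z", "event": "login", "user": "alice"}],
         "acct-B": [{"ts": "2011-06-06T09:05:00Z", "event": "config-change", "user": "bob"}]},
    13: {"acct-A": ["alice", "ops-admin"], "acct-B": ["bob", "ops-admin"]},
}
PROVIDER_ID = "example-provider"   # hypothetical provider name
SEAL_KEY = b"demo-shared-key"      # constructed; stands in for a real signing key


def build_request(session, element, assets):
    """Consumer side: one request for one element of transparency over the
    named assets (hypothetical XML shape). Unknown element numbers are rejected."""
    if element not in ELEMENTS:
        raise ValueError(f"element {element} is not defined by the protocol")
    root = ET.Element("ctpRequest", session=session, element=str(element))
    for asset in assets:
        ET.SubElement(root, "asset").text = asset
    return ET.tostring(root, encoding="unicode")


def _seal(provider, element, body):
    """HMAC-SHA256 over provider id, element number and the response body."""
    msg = f"{provider}|{element}|{body}".encode()
    return hmac.new(SEAL_KEY, msg, hashlib.sha256).hexdigest()


def provider_respond(request_xml, evidence=SAMPLE_EVIDENCE):
    """Provider side: answer only the requested element and only the requested
    assets (a client-specific request yields a partial view); the body is the
    provider's own self-defined JSON, sealed so the consumer can check it."""
    req = ET.fromstring(request_xml)
    element = int(req.get("element"))
    assets = [a.text for a in req.findall("asset")]
    store = evidence.get(element, {})
    body = json.dumps({a: store.get(a) for a in assets}, sort_keys=True)
    resp = ET.Element("ctpResponse", session=req.get("session"),
                      element=str(element), provider=PROVIDER_ID)
    ET.SubElement(resp, "evidence").text = body
    ET.SubElement(resp, "seal").text = _seal(PROVIDER_ID, element, body)
    return ET.tostring(resp, encoding="unicode")


def consumer_verify(request_xml, response_xml):
    """Consumer side: pair the response with its request (session and element),
    check it did not exceed the requested scope, and check the seal."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    problems = []
    if resp.get("session") != req.get("session"):
        problems.append("session mismatch")
    if resp.get("element") != req.get("element"):
        problems.append("element mismatch")
    body = resp.findtext("evidence") or "{}"
    expected = _seal(resp.get("provider"), int(resp.get("element")), body)
    if not hmac.compare_digest(resp.findtext("seal") or "", expected):
        problems.append("seal mismatch")
    evidence = json.loads(body)
    extra = sorted(set(evidence) - {a.text for a in req.findall("asset")})
    if extra:
        problems.append(f"response exceeds requested scope: {extra}")
    return {"ok": not problems, "problems": problems,
            "element": ELEMENTS[int(resp.get("element"))], "evidence": evidence}


if __name__ == "__main__":
    request = build_request("s-1", 12, ["acct-A"])   # element 12: Audit
    response = provider_respond(request)
    print(consumer_verify(request, response))
```

The consumer-side check is the part worth keeping: it refuses a response that answers a different session or element than it asked for, flags a response that leaks evidence about assets outside the requested scope, and rejects a body whose seal does not match, which is what a client-specific deployment (page 16) needs before it feeds evidence into downstream compliance processing.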

Page 14: CloudTrust Protocol Orientation and Status


Elastic Characteristics of the CTP

[Figure: Transparency-as-a-Service; CTP exchanged between Cloud Consumers and Cloud Providers. Legend: Provider dimension; Deployment dimension.]

Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 15: CloudTrust Protocol Orientation and Status


Multiple Styles of Implementation: The CTP is machine and human readable

• In-band

• Out-of-band

[Figure: in both styles the Cloud Provider exposes a CloudTrust Protocol Service as a RESTful Web Service that returns Trust Evidence (elements of transparency) over CTP.]

Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 16: CloudTrust Protocol Orientation and Status


Scope of TaaS: Enterprise or Client-specific

• Enterprise

• Client-specific

[Figure: Enterprise scope: the Cloud Provider's CloudTrust Protocol Service (RESTful Web Service) returns Trust Evidence (elements of transparency). Client-specific scope: the CloudTrust Protocol Service returns Client Trust Evidence (partial elements of transparency) to a client-deployed application.]

Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Page 17: CloudTrust Protocol Orientation and Status

Undecideds …

Evidence Request category “integrity and liability verification technique”

Attest to the content, provenance, and imputability of the response (with legal import)

Transmission integrity not sufficient; require legal liability of intent to provide response as delivered

E.g., Surety AbsoluteProof technique

Final namespace

Trust package correlation with all contributing (traditional) security services

Identity store for transparency service authorizations

Page 18: CloudTrust Protocol Orientation and Status

Undecideds …

EoT extension technique

Characteristics of specification

Degree of automation

Business constructs and back office issues, e.g.:

SLA foundations

Concepts of operation

Service Terms & Conditions recommendations

Transparency operator training and operations monitoring

Page 19: CloudTrust Protocol Orientation and Status