cloudtrust protocol orientation and status

CloudTrust Protocol Orientation | Ron Knode | CTP to CSA 6 June 2011

CloudTrust Protocol Orientation and Status

June 2011

Ron Knode

CloudTrust Protocol Orientation Topics

Why is it?

What is it?

CTP transfer to CSA

{Strong} connection to CloudAudit

Existing plans & strategies

Things for the CSA/CloudAudit to “resolve”

… other stuff …


The Value Equation in the Cloud


Security Service + Transparency Service =

Compliance & Trust VALUE Captured

(delivering evidence-based confidence …with compliance-supporting data & artifacts)

Source: CSC

The CTP Transfer

• Nonexclusive, no-cost, royalty-free license to CloudTrust Protocol(CTP Version 2.0 – see reference #2 below)

• Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP

• CSC representative as co-chair of CSA’s CTP Working Group

• CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP

• Free, unrestricted use of CTP derivative works by CSC


References1. See “Digital Trust in the Cloud”, August 2009, www.csc.com/security/insights/32270-

digital_trust_in_the_cloud2. See “Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0)”, July 2010,

http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

http://www.csc.com/security/insights/32270-digital_trust_in_the_cloud







Research Conclusions SummaryInitial Results – August 2009

• The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns.

• The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing.

• Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving.

• CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency.

• Resist the temptation to jump into even a so-called “secure” cloud just to save money.

• Aim higher!

• Jump into the right “trusted” cloud to create and capture new enterprise value.

www.csc.com/security/insights/32270-digital_trust_in_the_cloud

Or at

www.csc.com/lefreports


CloudTrust Protocol Revealed(Research extension detailing ‘what’ and ‘how’ – July 2010)

• Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers.

• The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

• The reliable delivery of only a few elements of transparency generate a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques.

• Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs.

• Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective. http://www.csc.com/cloud/insights/57785-

into_the_cloud_with_ctp

CTP V2.0(next updates will be published through the Cloud Security Alliance)

Syntax

Semantics

Self-defined response(no insistence on orthodoxy)

Asset model

Scope of response

Implementation/deployment options

Extension


A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack

CloudTrust Protocol (CTP) Included Within CSA GRC Stack

Government Specs Extensions Commercial

???Continuous monitoring … with

a purpose

• Common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers

???Claims, offers, and the basis for auditing service delivery

• Common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments

• FedRAMP

• DIACAP

• Other C&A standards

Pre-audit checklists and questionnaires to inventory

controls

• Industry-accepted ways to document what security controls exist

NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …

The recommended foundations for controls

• Fundamental security principles in assessing the overall security risk of a cloud provider

Deliver “continuous

monitoring” required by

A&A methodologies

6 June 2011 CloudTrust Protocol Orientation | Ron Knode | CTP to CSA

http://www.google.com/imgres?imgurl=http://images.unurthed.com/Campbell-Great-Seal-of-the-United-States-129.jpg&imgrefurl=http://unurthed.com/2007/06/03/interlaced-tetractyses-and-the-great-seal-of-the-united-states/&h=405&w=400&sz=41&tbnid=oe7RuTwnB-dKlM:&tbnh=226&tbnw=223&prev=/images?q=seal+of+the+united+states&zoom=1&q=seal+of+the+united+states&hl=en&usg=__b8zQi-HCULwm3jm9Umx07OZTHyc=&sa=X&ei=uE8mTYv-OYP7lwfAk_D5AQ&ved=0CBkQ9QEwAQ

CloudTrust Protocol (CTP) Transparency as a Service (TaaS)Reclaiming Digital Trust Across Security, Privacy, and Compliance

Needs

CSC Trusted Community Cloud

TaaSDashboard

Enterprise

•••

Using reclaimed visibility into the cloud to confirm security and create digital

trust

TaaS

CTP

CTP

CTP

CTP

CTP

CTP

CTPPrivate Trusted Cloud

Responding to all elements of transparency

Responding to all elements of transparency

CloudTrust Agent

TaaS

Cloud Trust Response Manager (CRM)

SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS,

CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …

Downstream compliance processing


Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp

Transparency-as-a-Service (TaaS)Turn on the lights you need … when you need them


Authorized

TaaS Users

CloudTrust Protocol (CTP) Elements of Transparency1 23

• Private Cloud• Other Public Clouds• CSC Trusted Cloud

Transparency-as-a-Service

(TaaS)

CTP

CTPCTP

CTP

CTP

• What does my cloud

computing configuration

look like right now?

• Where are my data and

processing being performed?

• Who has access to my

data now?

• What vulnerabilities exist in

my cloud configuration?

• What audit events have

occurred in my cloud

configuration?• Who has had access

to my data?

. . . . . .


Only 23 in total in

the entire protocol

Elements of Transparency in the CTP

6 Types

Initiation

Policy Introduction

Provider assertions

Provider notifications

Evidence requests

Client extensions

• Elements

• Geographic

• Platform

• Process

• Families

• Configuration

• Vulnerabilities

• Anchoring

• Audit log

• Service Management

• Service Statistics

Anchoring

CloudTrust Protocol PathwaysMapping the Elements of Transparency in Deployment


Admin

& OpsSpecs Transparency Requests Extensions

Assertions Evidence Affirmations

Configuration

definition: 20

Security capabilities

and operations:17

Configuration &

vulnerabilities:

3,4,5,6,7

Anchoring: 8, 9,

10

(geographic,

platform,

process)

Session

start: 1

Session

end: 2

Alerts: 18

Users: 19

Anchors: 21

Quotas: 22

Alert

conditions: 23

Violation: 11

Audit: 12

Access: 13

Incident log: 14

Config/control: 15

Stats: 16

Consumer/provid

er negotiated: 24

CloudAudit.org SCAPSCAP Sign / sealing

23 1

CloudTrust Protocol V2.0 Syntax

Based on XML

Traditional RESTful web service over HTTP




Elastic Characteristics of the CTP

Transparency-as-a-Service

CT

P

CT

P

Cloud

Consumers

Cloud

Providers

Legend:

Provider dimension

Deployment

dimension Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp


Multiple Styles of ImplementationThe CTP is machine and human readable

• In-band

• Out-of-band

Cloud

Provider

CloudTrustProtocol Service

RESTful

Web

Service

RESTful

Web

Service

Trust Evidence

(elements of transparency)

CTP CTP

CTP

CTP

Cloud

Provider


RESTful

Web

Service

RESTful

Web

Service

Trust Evidence


CTP

CTP

CTP

CTP



Scope of TaaSEnterprise or Client-specific

• Enterprise

• Client-specific

Cloud

Provider

CloudTrustPrtocolService

RESTful

Web

Service

RESTful

Web

Service

Trust Evidence


CTP CTP

CTP

CTP

Cloud Provider


RESTful

Web

Service

Client Trust Evidence

(partial elements of transparency)

CTP CTP

CTP

CTP

Client-

deployed

application


Undecided’s …

Evidence Request category “integrity and liability verification technique”

Attest to the content, provenance, and imputability of the response (with legal import)

Transmission integrity not sufficient; Require legal liability of intent to provide response as delivered

E.g, Surety AbsoluteProof technique

Final namespace

Trust package correlation with all contributing (traditional) security services

Identity store for transparency service authorizations


Undecided’s …

EoT extension technique

Characteristics of specification

Degree of automation

Business constructs and back office issues, e.g.,

SLA foundations

Concepts of operation

Service Terms & Conditions recommendations

Transparency operator training and operations monitoring


cloudtrust protocol orientation and status

Documents