CloudTrust Protocol Orientation | Ron Knode | CTP to CSA | 6 June 2011
CloudTrust Protocol Orientation and Status
June 2011
Ron Knode
CloudTrust Protocol Orientation Topics
• Why is it?
• What is it?
• CTP transfer to CSA
• {Strong} connection to CloudAudit
• Existing plans & strategies
• Things for the CSA/CloudAudit to “resolve”
• … other stuff …
The Value Equation in the Cloud
Security Service + Transparency Service = Compliance & Trust VALUE Captured
(delivering evidence-based confidence … with compliance-supporting data & artifacts)
Source: CSC
The CTP Transfer
• Nonexclusive, no-cost, royalty-free license to the CloudTrust Protocol (CTP Version 2.0; see reference 2 below)
• Nonexclusive, no-cost, royalty-free license to make derivative works of/for the CTP
• CSC representative as co-chair of CSA’s CTP Working Group
• CSA to include an acknowledgement that CSC is the original developer of the CTP in any published materials (including electronic publication) that mention the CTP
• Free, unrestricted use of CTP derivative works by CSC
References
1. See “Digital Trust in the Cloud”, August 2009, www.csc.com/security/insights/32270-digital_trust_in_the_cloud
2. See “Digital Trust in the Cloud: A Precis on the CloudTrust Protocol (V2.0)”, July 2010, http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Research Conclusions Summary (Initial Results – August 2009)
• The desire to benefit from the elastic promise of cloud processing is blocked for most enterprise applications because of security and privacy concerns.
• The re-introduction of transparency into the cloud is the single biggest action needed to create digital trust in a cloud and enable the capture of enterprise-scale payoffs in cloud processing.
• Even today there are ways to benefit from cloud processing while technologies and techniques to deliver digital trust in the cloud are evolving.
• CSC has created a definition and an approach to "orchestrate" a trusted cloud and restore needed transparency.
• Resist the temptation to jump into even a so-called “secure” cloud just to save money.
• Aim higher!
• Jump into the right “trusted” cloud to create and capture new enterprise value.
Available at www.csc.com/security/insights/32270-digital_trust_in_the_cloud
or at www.csc.com/lefreports
CloudTrust Protocol Revealed (Research extension detailing ‘what’ and ‘how’ – July 2010)
• Transparency in the cloud is the key to capturing digital trust payoffs for both cloud consumers and cloud providers.
• The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.
• The reliable delivery of only a few elements of transparency generates a lot of digital trust, and that digital trust liberates cloud users to bring more and more core enterprise services and data to cloud techniques.
• Transparency-as-a-Service (TaaS) using the CTP provides a flexible, uniform, and simple technique for reclaiming transparency into actual cloud architectures, configurations, services, and status … responding to both cloud user and cloud provider needs.
• Transparency protocols like the CTP must be accompanied by corresponding concepts of operation and contractual conditions to be completely effective.
http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
CTP V2.0 (next updates will be published through the Cloud Security Alliance)
• Syntax
• Semantics
• Self-defined response (no insistence on orthodoxy)
• Asset model
• Scope of response
• Implementation/deployment options
• Extension
A Complete Cloud Security Governance, Risk, and Compliance (GRC) Stack
CloudTrust Protocol (CTP) Included Within CSA GRC Stack
[Stack diagram; recovered layer descriptions, top to bottom:]
• Continuous monitoring … with a purpose: common technique and nomenclature to request and receive evidence and affirmation of controls from cloud providers (delivers the “continuous monitoring” required by A&A methodologies)
• Claims, offers, and the basis for auditing service delivery: common interface and namespace to automate the Audit, Assertion, Assessment, and Assurance (A6) of cloud environments
• Pre-audit checklists and questionnaires to inventory controls: industry-accepted ways to document what security controls exist
• The recommended foundations for controls: fundamental security principles in assessing the overall security risk of a cloud provider
Government specs and extensions: FedRAMP, DIACAP, other C&A standards
Commercial specs and extensions: NIST 800-53, HITRUST CSF, ISO 27001/27002, ISACA COBIT, PCI, HIPAA, SOX, GLBA, STIG, NIST 800-144, SAS 70, …
CloudTrust Protocol (CTP) Transparency as a Service (TaaS): Reclaiming Digital Trust Across Security, Privacy, and Compliance Needs
[Diagram: an Enterprise uses a TaaS dashboard to send CTP requests to a CSC Trusted Community Cloud and a Private Trusted Cloud; in each cloud a CloudTrust Agent and a Cloud Trust Response Manager (CRM) respond to all elements of transparency; the responses feed downstream compliance processing against SAS70, SSAE 16, HIPAA, ITAR, FRCP, HITECH, GLBA, PCI DSS, CFATS, DIACAP, NIST 800-53, ISO27001, CAG, ENISA, CSA V2.3, …]
Using reclaimed visibility into the cloud to confirm security and create digital trust
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Transparency-as-a-Service (TaaS): Turn on the lights you need … when you need them
[Diagram: Authorized TaaS Users send CTP requests through Transparency-as-a-Service (TaaS) to a Private Cloud, Other Public Clouds, and the CSC Trusted Cloud, and receive the CloudTrust Protocol (CTP) Elements of Transparency 1 … 23]
• What does my cloud computing configuration look like right now?
• Where are my data and processing being performed?
• Who has access to my data now?
• What vulnerabilities exist in my cloud configuration?
• What audit events have occurred in my cloud configuration?
• Who has had access to my data?
• …
Elements of Transparency in the CTP
Only 23 in total in the entire protocol
6 Types
• Initiation
• Policy Introduction
• Provider assertions
• Provider notifications
• Evidence requests
• Client extensions
Elements and families
• Anchoring elements: Geographic, Platform, Process
• Families: Configuration, Vulnerabilities, Anchoring, Audit log, Service Management, Service Statistics
CloudTrust Protocol Pathways: Mapping the Elements of Transparency in Deployment
[Diagram columns: Admin & Ops | Specs | Transparency Requests (Assertions, Evidence, Affirmations) | Extensions. Element numbers as read from the diagram:]
• Session start: 1; Session end: 2
• Configuration definition: 20; Security capabilities and operations: 17
• Configuration & vulnerabilities: 3, 4, 5, 6, 7
• Anchoring (geographic, platform, process): 8, 9, 10
• Alerts: 18; Users: 19; Anchors: 21; Quotas: 22; Alert conditions: 23
• Violation: 11; Audit: 12; Access: 13; Incident log: 14; Config/control: 15; Stats: 16
• Consumer/provider negotiated: 24
(The diagram also references CloudAudit.org, SCAP, and sign/sealing of responses.)
CloudTrust Protocol V2.0 Syntax
• Based on XML
• Traditional RESTful web service over HTTP
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Elastic Characteristics of the CTP
[Diagram: Transparency-as-a-Service carried by CTP between Cloud Consumers and Cloud Providers; legend: provider dimension, deployment dimension]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Multiple Styles of Implementation: The CTP is machine and human readable
• In-band
• Out-of-band
[Diagrams: in both styles the Cloud Provider's CloudTrust Protocol Service exposes a RESTful Web Service through which CTP requests return Trust Evidence (elements of transparency)]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
Scope of TaaS: Enterprise or Client-specific
• Enterprise
• Client-specific
[Diagrams: in the enterprise scope the Cloud Provider's CloudTrust Protocol Service returns Trust Evidence (elements of transparency) over a RESTful Web Service; in the client-specific scope the CloudTrust Protocol Service returns Client Trust Evidence (partial elements of transparency) for a client-deployed application]
Source: http://www.csc.com/cloud/insights/57785-into_the_cloud_with_ctp
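The Syntax slide states only that CTP V2.0 is XML-based and carried as a RESTful web service over HTTP, the Pathways slide gives the element numbering, and the Scope slide distinguishes an enterprise scope (all elements) from a client-specific scope (partial elements). The Python script below is an added illustration of that exchange and is not CSC's or the CSA's CTP implementation: the element numbers and labels are transcribed from the Pathways slide, while the XML layout, the identity store of TaaS authorizations, the sample evidence values and the HMAC seal are assumptions made for the example.

```python
"""Illustrative CTP-style transparency exchange (added example; hypothetical,
not the CSC/CSA CloudTrust Protocol specification).

Element numbers and labels are transcribed from the 'CloudTrust Protocol
Pathways' slide. The XML layout, the identity store, the sample evidence and
the HMAC seal are assumptions made for this example.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Numbered elements of transparency as read from the Pathways slide.
ELEMENTS = {
    1: "Session start", 2: "Session end",
    3: "Configuration & vulnerabilities", 4: "Configuration & vulnerabilities",
    5: "Configuration & vulnerabilities", 6: "Configuration & vulnerabilities",
    7: "Configuration & vulnerabilities",
    8: "Anchoring (geographic, platform, process)",
    9: "Anchoring (geographic, platform, process)",
    10: "Anchoring (geographic, platform, process)",
    11: "Violation", 12: "Audit", 13: "Access", 14: "Incident log",
    15: "Config/control", 16: "Stats", 17: "Security capabilities and operations",
    18: "Alerts", 19: "Users", 20: "Configuration definition", 21: "Anchors",
    22: "Quotas", 23: "Alert conditions", 24: "Consumer/provider negotiated",
}

# Assumed identity store for transparency service authorizations: an
# enterprise scope sees every element, a client-specific scope a partial set.
IDENTITY_STORE = {
    "enterprise-admin": set(ELEMENTS),
    "app-team-7": {1, 2, 12, 13, 16},
}

# Constructed evidence values the provider would return (placeholders).
SAMPLE_EVIDENCE = {
    1: "session opened",
    13: "3 principals hold read access to tenant data (constructed sample)",
    16: "99.95% availability over the last 30 days (constructed sample)",
    20: "configuration definition v7 (constructed sample)",
}

# Assumed shared secret used to seal responses; a deployment would use a
# provider-bound signature instead (see the Undecideds slide).
SEAL_KEY = b"constructed-demo-seal-key"


def build_request(user, elements):
    """Client side: an XML request naming the elements of transparency wanted."""
    root = ET.Element("ctp", version="2.0")
    root.set("user", user)
    for n in elements:
        ET.SubElement(root, "request", element=str(n))
    return ET.tostring(root, encoding="unicode")


def seal(body):
    """HMAC-SHA256 over the serialized response body."""
    return hmac.new(SEAL_KEY, body.encode("utf-8"), hashlib.sha256).hexdigest()


def handle_request(request_xml):
    """Provider side: authorize each requested element against the identity
    store, attach evidence for the ones in scope, then seal the response."""
    req = ET.fromstring(request_xml)
    user = req.get("user", "")
    allowed = IDENTITY_STORE.get(user, set())   # unknown user: nothing in scope
    resp = ET.Element("ctp", version="2.0")
    resp.set("user", user)
    for r in req.findall("request"):
        raw = r.get("element", "")
        item = ET.SubElement(resp, "response", element=raw)
        n = int(raw) if raw.isdigit() else None
        if n not in ELEMENTS:
            item.set("status", "unknown-element")
        elif n not in allowed:
            item.set("status", "not-authorized")    # outside this user's TaaS scope
        else:
            item.set("status", "ok")
            item.text = SAMPLE_EVIDENCE.get(n, ELEMENTS[n])
    body = ET.tostring(resp, encoding="unicode")   # sealed before <seal> is added
    ET.SubElement(resp, "seal", alg="hmac-sha256").text = seal(body)
    return ET.tostring(resp, encoding="unicode")


def verify_response(response_xml):
    """Client side: recompute the seal over the body with <seal> removed.
    Returns (seal_ok, {element: (status, evidence)}); an invalid seal yields no
    results at all, so tampered evidence is never consumed."""
    root = ET.fromstring(response_xml)
    seal_el = root.find("seal")
    if seal_el is None:
        return False, {}
    root.remove(seal_el)
    body = ET.tostring(root, encoding="unicode")
    if not hmac.compare_digest(seal(body), seal_el.text or ""):
        return False, {}
    results = {}
    for r in root.findall("response"):
        key = r.get("element", "")
        results[int(key) if key.isdigit() else key] = (r.get("status"), r.text or "")
    return True, results


if __name__ == "__main__":
    request = build_request("app-team-7", [1, 13, 20, 99])
    response = handle_request(request)
    print(response)
    ok, results = verify_response(response)
    print("seal valid:", ok)
    for n, (status, evidence) in results.items():
        print(f"element {n}: {status} {evidence}")
    tampered = response.replace('status="ok"', 'status="not-authorized"', 1)
    print("tampered seal valid:", verify_response(tampered)[0])
```

Running the script exercises a client-specific user requesting four elements: two return evidence, one (20, configuration definition) is refused as outside that user's scope, and one (99) is reported as unknown; altering a status in the sealed body makes verification fail. The HMAC seal only shows the mechanics of sealing a response. Because both sides hold the key it provides transmission integrity, which the Undecideds slide that follows explicitly calls insufficient, and not the legally attributable liability the deck asks for; that would require a signature bound to the provider's identity or a third-party attestation such as the one the deck cites.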
Undecideds …
• Evidence Request category “integrity and liability verification technique”
  • Attest to the content, provenance, and imputability of the response (with legal import)
  • Transmission integrity not sufficient; require legal liability of intent to provide the response as delivered
  • E.g., Surety AbsoluteProof technique
• Final namespace
• Trust package correlation with all contributing (traditional) security services
• Identity store for transparency service authorizations
Undecideds … (continued)
• EoT extension technique
• Characteristics of specification
• Degree of automation
• Business constructs and back office issues, e.g.,
  • SLA foundations
  • Concepts of operation
  • Service Terms & Conditions recommendations
  • Transparency operator training and operations monitoring