CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring, Daniele Catteddu, CSA

VERDIKT conference 2013


  1. CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring. November 2013, Research Council of Norway. Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director. Copyright © 2013 Cloud Security Alliance, www.cloudsecurityalliance.org
  2. About the Cloud Security Alliance
     • Global, not-for-profit organisation
     • Over 48,000 individual members, more than 180 corporate members, and 65 chapters
     • Building best practices and a trusted cloud ecosystem
     • Agile philosophy, rapid development of applied research
     • GRC: balance compliance with risk management
     • Reference models: build using existing standards
     • Identity: a key foundation of a functioning cloud economy
     • Champion interoperability, enable innovation, advocacy of prudent public policy
     Mission: “To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”
  6. Security Benefits
  7. Security Benefits: Economy of Scale
  8. Risks
  10. Openness & Transparency
  11. New Governance Models
  12. Accountability
  13. Cloud Accountability Project. The project focuses on accountability as the most critical prerequisite for effective governance and control of corporate and private data processed by cloud-based IT services. It aims to assist cloud service providers with:
     • Techniques to make services more trustworthy
     • Ways to satisfy business policies and demonstrate compliance
     • Allowing differentiation
     This project is partly funded from the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no: 317550 (A4CLOUD).
  14. A4Cloud members (industry, community and research partners)
  15. Drivers for accountability
     • Globalisation and new technologies: cloud computing presents a paradigm shift in how IT is deployed and consumed
     • Uncertainty and lack of visibility (for consumers, clients and regulators): privacy and trust come from sound stewardship of information by service providers, for which we need to hold them accountable
     • Regulatory complexity in global business environments, especially for cloud: accountability addresses global interoperability; a clear and consistent framework of data protection rules avoids the complex matrix of national laws and reduces unnecessary layers of complexity for cloud providers; new technologies like cloud are straining traditional privacy frameworks
  16. Context: principles, regulations and societal norms are trying to get organisations to do the right thing (what is the right thing?). Accountability supports this by covering how to do the right thing, holding organisations to account if they don’t, and facilitating redress; design complements it.
  17. Context (continued): doing the right thing means control over the practical aspects of compliance and an obligation to prove that the principles have been put into effect.
  18. Cloud ecosystem (diagram)
  19. Model of accountability (diagram)
  20. Conceptual model of accountability, from abstract to concrete: three levels (conceptual, organisational, operational) answered by Attributes (what?), Practices (how?) and Mechanisms (with what?).
  21. Defining accountability: accountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly.
  22. Accountability attributes: observability, verifiability, attributability, transparency, responsibility, liability, remediation.
  23. Accountability practices: define governance; ensure implementation; explain and justify actions; remedy failures.
  24–27. Accountability mechanisms: business processes contain non-technical instruments and technical tools. Examples: auditing, risk assessment, etc. (business processes); contracts, legal means, etc. (non-technical instruments); tracking and transparency tools, notification of policy violation, etc. (technical tools).
  28. A4Cloud project. What is needed: trustworthy architecture, transparent security, privacy assurance, trust assurance, policies, security and trust economics, governance. Planned outputs:
     • User-centric accountability tools
     • Accountability policy language
     • Enforcement mechanisms for accountability
     • Reference architecture for accountability
     • Interoperable mechanisms and tools
     • Risk and trust models for accountability
     • Policy compliance mechanisms and tools
     • Accountability metrics
     • Accountability evidence mechanisms and tools
     • Auditing mechanisms and tools
     • Accountability framework
  29. A4Cloud & CSA: A4Cloud results are relevant to a number of CSA research and educational activities, as well as in the context of the Open Certification Framework.
  30. The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service clients can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.
  31. An idea for a consumer/provider protocol: the consumer asks the provider about security attributes such as confidentiality level, uptime, …; CTP = Reports + Commitments + Alerts.
  32. Transparency and trust. Goal: transparency and trust, through the OCF levels: level 1, cloud self-certification; level 2, third-party cloud certification; level 3, cloud monitoring based certification.
  33. What we have today:
     1. API & data model: what is a report, a commitment, an alert? a security attribute? a resource, a service?
     2. Security attribute catalogue: “Availability”, “timely incident reporting”, “confidentiality level”, …
     3. A prototype: REST + XML
  34. The API is the easy part...
  35. Challenge 1: Standardizing cloud security attributes. The slide’s analogy: 0.06 kWh of electricity consumption means the same to every consumer and supplier; “cloud availability = 99.95%” has to be defined so that it means the same across providers too.
  36. Challenge 2: Finding good security attributes. Is “1 vulnerability found” better than “5 vulnerabilities found”? A bare count says little; the fuller chain does: 100 vulnerabilities published in 2013 (NVD), 9 relevant to our platform, 8 tested, 1 found exploitable (severity = 6.0), time between discovery and fix = 5 days.
  37. Challenge 3: Fitting CTP in OCF level 3. The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.
  38. Challenge 4: Integrating CTP in A4Cloud
  39. Lessons already learned. Good attributes need to be: well defined and consistently measured; cheap to evaluate (automated); correlated to consumer utility. Some interesting but tricky areas: vulnerability management, data location, staff data access, incident response, ….
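The “Reports + Commitments + Alerts” idea of slide 31, the vulnerability chain of slide 36 and the “well defined, automated” criteria of slide 39 can be made concrete in a few lines. The following is an added example written for this page; it is not CSA’s CTP prototype (which is REST + XML and whose data model is not shown in the deck). The Commitment/Report/Alert classes, the two measurement functions, the thresholds, the vulnerability records and their VULN-nnn identifiers are all constructed assumptions, chosen only so the numbers match those quoted on the slides.

```python
"""Toy model of the CTP idea "Reports + Commitments + Alerts".
Added example for this page, not CSA's CTP prototype; every name and number
below is an assumption, and the sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import operator

OPS = {">=": operator.ge, "<=": operator.le}


@dataclass(frozen=True)
class Commitment:
    """What the provider promises for one attribute, e.g. availability >= 99.95."""
    attribute: str
    op: str
    value: float


@dataclass
class Report:
    """What was measured, plus the evidence the figure was derived from."""
    attribute: str
    value: float
    evidence: dict


@dataclass(frozen=True)
class Alert:
    """Raised when a report violates the commitment for its attribute."""
    attribute: str
    measured: float
    committed: str


@dataclass(frozen=True)
class Vuln:
    ident: str            # hypothetical identifier, not a real CVE/NVD entry
    relevant: bool        # affects a component of our platform
    tested: bool          # we tried to exploit it on our platform
    exploitable: bool     # the test succeeded
    discovered: date
    fixed: date | None    # None while the fix is still open


def availability_percent(probes: list[bool]) -> Report:
    """Availability as the share of constructed uptime probes that succeeded."""
    if not probes:
        raise ValueError("an availability report needs at least one probe")
    ok = sum(probes)
    return Report("availability", 100.0 * ok / len(probes),
                  {"probes": len(probes), "failed": len(probes) - ok})


def days_to_fix(vulns: list[Vuln], today: date) -> Report:
    """Worst discovery-to-fix time (days) over relevant, tested, exploitable vulns.
    An exploitable vuln that is still open counts up to `today`, so the metric keeps
    growing while the fix is missing instead of quietly dropping out of the report."""
    relevant = [v for v in vulns if v.relevant]
    tested = [v for v in relevant if v.tested]
    exploitable = [v for v in tested if v.exploitable]
    worst = max(((v.fixed or today) - v.discovered).days for v in exploitable) if exploitable else 0
    return Report("days_to_fix", float(worst),
                  {"published": len(vulns), "relevant": len(relevant),
                   "tested": len(tested), "exploitable": len(exploitable),
                   "unfixed": sum(1 for v in exploitable if v.fixed is None)})


def evaluate(commitments: list[Commitment], reports: list[Report]) -> list[Alert]:
    """Alerts: one per report whose value breaks the commitment for its attribute."""
    promised = {c.attribute: c for c in commitments}
    alerts = []
    for r in reports:
        c = promised.get(r.attribute)
        if c is None:
            continue                    # reported but never promised: nothing to check
        if not OPS[c.op](r.value, c.value):
            alerts.append(Alert(r.attribute, r.value, f"{c.op} {c.value}"))
    return alerts


# Assumed commitments; the 99.95 % figure is the one quoted on slide 35.
COMMITMENTS = [Commitment("availability", ">=", 99.95),
               Commitment("days_to_fix", "<=", 7)]


def sample_vulns() -> list[Vuln]:
    """Constructed records reproducing slide 36: 100 published, 9 relevant,
    8 tested, 1 exploitable, fixed 5 days after discovery."""
    d = date(2013, 3, 1)
    vulns = [Vuln(f"VULN-{i:03d}", False, False, False, d, None) for i in range(91)]
    vulns.append(Vuln("VULN-091", True, False, False, d, None))      # relevant, not yet tested
    vulns += [Vuln(f"VULN-{i:03d}", True, True, False, d, None) for i in range(92, 99)]
    vulns.append(Vuln("VULN-099", True, True, True, d, date(2013, 3, 6)))   # the exploitable one
    return vulns


def run_sample(leave_one_open: bool = False, today: date = date(2013, 11, 1)):
    """Evaluate the constructed data; optionally add an exploitable vuln that is
    still unfixed 20 days after discovery, which must trip the days_to_fix alert."""
    vulns = sample_vulns()
    if leave_one_open:
        vulns.append(Vuln("VULN-100", True, True, True, date(2013, 10, 12), None))
    reports = [availability_percent([True] * 1999 + [False]),   # 1 failed probe in 2000 = 99.95 %
               days_to_fix(vulns, today)]
    return reports, evaluate(COMMITMENTS, reports)


if __name__ == "__main__":
    for flag in (False, True):
        reports, alerts = run_sample(leave_one_open=flag)
        for r in reports:
            print(f"{r.attribute}: {r.value} {r.evidence}")
        print("alerts:", alerts or "none")
```

The point of carrying the evidence dictionary alongside each value is slide 36’s: “1 vulnerability found” on its own is not comparable between providers, whereas the published/relevant/tested/exploitable counts and the days-to-fix figure are, and they can be produced automatically from the provider’s own records, which is what slide 39 asks of a good attribute.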
  40. Now it’s your turn!
  41. The CTP working group. CSA launches the CTP working group:
     • Objective 1: Define CTP vision, goals, design principles.
     • Objective 2: Define CTP data model.
     • Objective 3: Specify the CTP API.
     • Objective 4: Specify CTP core security attributes.
     • Objective 5: Implement a CTP pilot.
     • Objective 6: Support OCF monitoring based certification.
  42. Help Us Secure Cloud Computing: www.cloudsecurityalliance.org, info@cloudsecurityalliance.org, dcatteddu@cloudsecurityalliance.org, www.linkedin.com/groups?gid=1864210, www.a4cloud.eu
