Security as a Use Case

Thomas Lukasik

Dec 10, 2009, 11:16:06 AM
to Cloud Computing Use Cases
I'm not sure how to express *exactly* what I'm feeling, so I'm going
to just "shoot from the hip".

The "Use Cases" project is starting to feel like a car that just slid
off the road into a swamp. It's just my own personal POV, but since
Security entered the conversation it feels like we've just been
spinning our wheels, and getting further and further from being able
to create any tangible deliverables.

IMHO Security can't be shoe-horned into a Use Case -- it is too vast
and unbounded for us (as a group) to have any hope of adding to the
current body of knowledge or generating any meaningful and practical
work products within the scope of the project as presently
understood.

Of course it's entirely possible that I've underestimated the scope
(or time frame) of the project, but if not, then I think we're heading
straight into the bog.

TJL

Matt Rutkowski

Dec 10, 2009, 3:56:42 PM
to Cloud Computing Use Cases
I believe if you simply think of the term 'security' and attempt to
address it at that level it will indeed be an imposing task especially
for people who are not typically in the role of a security architect.
However, security is the preeminent concern for business/enterprise
IT architects when considering adopting cloud deployment models.
Security simply cannot be ignored when it comes to use cases; to me,
this would be akin to trying to sell a car simply by showing its
exterior features while ignoring any information or guarantees on
the chassis, engine, transmission and other critical operational parts
(where the true value lies).

What I hope, from contributing in other posts to this group, is simply
leveraging security architecture/framework principles that are well
established in similar forms across many industry and government
security compliance standards. Using such a framework along with use
cases we can highlight areas of security that the scenarios "touch"
upon and will, I believe, resonate well with security architects (as
well as have the higher level description which will demonstrate
business value for non security persons).

The indication I am getting from others' posts and responses is that
such an approach is reasonable and I am confident we can succeed and
would rather give it a chance than to give up simply because
"security" seems "swampy". In fact, I will attempt to post a tangible
use case today and fully expect to see others appear over the next few
weeks; such use cases will in turn help us better see how to
structure the use cases and group them in order to prepare them for a
deliverable.

Delivering something quickly IMHO does nothing if it does not provide
value and ignores what an open cloud marketplace needs for success/
adoption. Precisely what IT executives and analysts are requiring of
us is exactly to shine a clear light on all areas of security just as
each enterprise is expected to for their internal operations. How
would a retailer, bank, insurance company, ... , etc. ever be able to
use cloud resources without having some set of scenarios/use cases to
present to a potential provider to inquire about processes, policies
and implementation details?

What time frame and scope do you think we should be working towards
(and why)? What value would any use case document have to a business/
enterprise and their IT staff if it does not help them evaluate
security in a cloud deployment model?

-Matt

Thomas Lukasik

Dec 10, 2009, 5:16:49 PM
to cloud-comput...@googlegroups.com
Matt:

I'm not saying that Security doesn't have to be addressed in the Cloud. I stated that Security needs to be addressed in every non-trivial computing solution. There does however seem to be an underlying suggestion or implication that the Cloud introduces significant new and/or unique Security issues and challenges.

The perception that the Cloud is inherently riskier reminds me of the early days of E-commerce, when folks were reluctant to enter their credit card information into a secure Web page but never thought twice about handing it over to a stranger in a restaurant when the check had to be paid -- despite the risk of fraud presented by unscrupulous waiters and merchants.

My concern is that (based on the postings that I have seen so far) it's beginning to look as if there are no practical bounds on the gamut of individual Use Cases that could be defined and documented by us. So while I don't have any hard figures regarding the "time frame and scope .. we should be working towards", I'm pretty sure that it's not as much time as we would need to address it in all of the areas that have been mentioned thus far.

TJL




--

You received this message because you are subscribed to the Google Groups "Cloud Computing Use Cases" group.
To post to this group, send email to cloud-comput...@googlegroups.com.
To unsubscribe from this group, send email to cloud-computing-us...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/cloud-computing-use-cases?hl=en.




Matt Rutkowski

Jan 11, 2010, 11:06:27 AM
to Cloud Computing Use Cases
TJL,

Yes, the scope of use cases can get out of hand regardless of the
topic. This could have happened for v1 or v2 of the use case
documents, but in the end a reasonable/representative set was
selected.

In order to contain the scope of security use cases, I proposed that
we build a matrix (see ToC posted in another thread) of both security
infrastructure and management controls that we can reference to assure
"coverage" of as many of these security areas with the smallest set of
use cases.

Additionally, I believe that even though many security use cases
appear to be different at first glance they really are variants of some
core use case. This will hopefully get a reasonable set of "core" use
cases for the purposes of a v3 document that highlight security over a
defined set of security infra/mgmt controls.

I am hopeful that if people begin posting use cases we can select/
refine those that provide the matrix coverage we need for v3. The
timeframe selected is reasonable if people start posting use case
suggestions that we can discuss and refine.

So let's start posting use cases and begin the work in earnest to see
how we can do against the prescribed soft deadline.

Regards,
Matt

KLC...@aol.com

Jan 11, 2010, 12:33:25 PM
to cloud-comput...@googlegroups.com
Looks like Matt and I had similar thoughts... sorry for the redundancy of my post...

michael versace

Jan 11, 2010, 1:44:22 PM
to cloud-comput...@googlegroups.com
The goal of this security discussion should be to apply security thinking to a small set of directional use cases and to then capture the security thinking for the document in the form of de facto practices. Here's a use case to start with (this may have come from a previous post):

Use Case Description

A financial investment company is about to internally
announce new investment products to its agents and affiliates. This
will involve the creation of several videos to explain the
benefits and features of the new products to its staff and agents, as well as
to train/instruct them on when to recommend these products to their
customers. These videos are quite large and need to be made available
(on-demand) as secure, confidential data to appropriately certified
company agents worldwide. There are federal regulations and industry
obligations that need to be enforced (policy) to assure that this new
product announcement and the videos are kept confidential during a
restricted period. The financial company decides to utilize a Public
Storage Cloud to elastically scale to handle the secure hosting
(storage) and streaming for these new videos while using security
features in the cloud to provide auditable access control to the videos in
accordance with security policies when employees and agents access the
videos.

Is this the right place to start?  Who wants to help build the u/c out?  Actors, pre-conditions, etc?

Matt Rutkowski

Jan 11, 2010, 3:03:17 PM
to Cloud Computing Use Cases
LOL, that's one of the use cases I posted (or asked Dave to post for
me) right before disappearing over the holidays )

Thomas Lukasik

Jan 11, 2010, 3:04:45 PM
to cloud-comput...@googlegroups.com
>> "There are federal regulations and industry obligations that need to be enforced.."

Does(n't) someone need first-hand, in depth knowledge and understanding of such industry specific rules and regulations in order to effectively contribute any help -- at least within the available time frame?

TJL

michael versace

Jan 11, 2010, 3:25:09 PM
to cloud-comput...@googlegroups.com
and it's a good one!
Mike

Doug Tidwell

Jan 12, 2010, 9:24:03 AM
to Cloud Computing Use Cases
Thomas, it would be great if someone with industry-specific knowledge
could contribute a use case that included the regulations for a
specific industry (PCI-DSS, HIPAA, etc.). If that use case included
more general regulations and standards (ISO-270xx), that would be even
better.

Even if we could document all of the regulations out there, hundreds
of legislators around the world (some more clue-enabled than others)
are trying to figure out how to regulate the cloud, so new laws will
be coming at us fast and furious. The regulations will be coming fast,
and many of us will be furious.

Anybody out there with that knowledge, please jump in here. As always,
if you want to just send me some notes, talk over the phone, etc., I'm
happy to write things up if it'll help.

I think the most achievable goal is to give architects and engineers
an idea of what they need to consider as they look to the cloud. My
assumption all along has been that an architect evaluating the cloud
would start with an understanding of the rules and regulations that
apply to their industry. Anybody dealing with sensitive data without
understanding the regulations for it is a disaster waiting to happen,
whether they look at the cloud or not.

That's my 2¢; what do you think?
-Doug

Thomas Lukasik

Jan 12, 2010, 10:55:26 AM
to cloud-comput...@googlegroups.com
>> "That's my 2¢; what do you think?"

For what it's worth, my thinking is this: Firstly, given the fact that (as you suggest) there are literally countless different specific constraints and requirements that may be imposed on any specific Cloud offering, I'd suggest that we (on purpose) avoid getting too detailed and specific in our (published) Use Cases.

An analogy might be that if we were trying to explain a leaf to a child, we wouldn't inundate them with 10's, 100's or 1,000's of illustrations depicting all the different leaves in existence, nor would we use "biologically correct" illustrations showing every pore and vein in the illustrations that we did use. We would likely present a "stylized" leaf to introduce the concept of a leaf accurately, but without the myriad details that are eventually needed to explore photosynthesis.

Getting back to our current Use Case examples, when I read through them I'm literally stopped by the details and immediately have to work to get past them to discover the underlying general problems (an initial work product), which can then be reduced to general requirements (another work product) that can be transformed into a design (yet another work product) and then realized on at least a "proof-of-concept" level (still another work product).

To summarize, (IMHO) while we need to start the process based on complete (or incomplete) details surrounding one or more specific scenarios that may be highly regulated or constrained (Banking, Insurance, Healthcare, etc.) we should maintain them as internal documents (available on demand) but not (necessarily) directly expose those (potentially distracting) details in the work products that we generate and eventually publish.

Now, I'm not sure if that's 1, 2, or 3 cents -- but I'm throwing it into the collection basket.

TJL

Michael Versace

Jan 15, 2010, 10:28:41 AM
to cloud-comput...@googlegroups.com, cloud-comput...@googlegroups.com
Would someone please post a link to the use case materials.  Tnx

via iPhone

deepak mane

Jan 28, 2010, 4:09:08 AM
to Cloud Computing Use Cases
Hi Matt,

I would like to contribute some sample use cases for security in cloud
computing. Can you give me your personal email id so I can share
details with you? Also, can you share a rough draft for security use
cases in cloud computing?

Waiting for favorable reply

Thanks
Deepak

drus...@ca.ibm.com

Jan 28, 2010, 3:00:30 PM
to Cloud Computing Use Cases
Michael,

The current draft of the Security section of the White Paper, with the
security Use Cases, can be found at http://su.pr/25f8DP and version 2
of the paper can be found at http://opencloudmanifesto.org/Cloud_Computing_Use_Cases_Whitepaper-2_0.pdf.

I trust this helps.

Dave
