Focus area for V3


Doug Tidwell

Nov 13, 2009, 3:20:21 PM
to Cloud Computing Use Cases
Based on your feedback, I think the consensus is that we focus on
security issues for V3, discussing SLAs as needed. Clearly any
security policies will use an SLA to spell out the responsibilities of
the cloud provider and the rights of the consumer, but I don't think
we should try to put everything SLA-related into V3.

It's also important that we figure out where we can add value to the
cloud security papers and work that has been done already. As you
probably saw in Nils Puhlmann's post here, the Cloud Security Alliance
is in the process of publishing a second version of their paper.
Obviously we don't want to repeat work that's already been done
elsewhere.

So, to get the discussion going, some questions:

* How does the cloud change your approach to security? One security
expert I know says the cloud doesn't introduce any new security
challenges, but it makes it more important than ever that you address
them appropriately.
* What are the security issues for transporting data between consumers
and the cloud? Does SSL address them? (I would say no.)
* What are the security issues for storing data in the cloud, whether
it's in a cloud storage system or a cloud database?
* What are the security issues for processing data in the cloud,
whether it's using a cloud-based application or running in a
cloud-based VM?

Looking forward to your thoughts!

Cheers,
-Doug

gary mazzaferro

Nov 13, 2009, 4:55:51 PM
to cloud-comput...@googlegroups.com
Hi Doug,

There has been some work done in this area by SLA@SOI (http://sla-at-soi.eu/) as part of the RESERVOIR project (http://www.reservoir-fp7.eu/).


cheers,
gary


--

You received this message because you are subscribed to the Google Groups "Cloud Computing Use Cases" group.
To post to this group, send email to cloud-comput...@googlegroups.com.
To unsubscribe from this group, send email to cloud-computing-us...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/cloud-computing-use-cases?hl=.



drus...@ca.ibm.com

Nov 16, 2009, 2:36:19 PM
to Cloud Computing Use Cases
Reposting a comment taken from the CCIF Google Group in response to
the start of the V3 work being initiated.
Original post was made by Craig A Lee.
___________________

All,

I would certainly like to see a new revision of both of the white
papers, but one thing I would like to mention is that the CSA paper
identifies many security issues that are, in fact, regulatory, legal,
or policy/governance issues, rather than technical issues, e.g., if
you have a legal requirement for 20-year data retention, will your
cloud storage provider sign up to that? I would like us to make a
clear distinction between the two, and identify what technical
solutions/capabilities can be/must be brought to bear to address
specific security issues. Much of this will probably revolve around
identity management and organization management, but some of it will
involve understanding any threat scenarios opened by virtualization,
multi-tenancy, etc. On a practical note, we might also want to make a
distinction between security for public vs. private clouds, and then
understand the security implications when they hybridize or federate.
For many reasons, organizations will start with their own private
cloud where many security issues can be addressed in traditional ways,
but they will ultimately want to know how to securely interact with
external resources.

--Craig

______________

drus...@ca.ibm.com

Nov 16, 2009, 10:28:22 PM
to Cloud Computing Use Cases
Sam Johnston posted in the CCIF Google Group
_______________

Another task worth considering (with all the talk about SAS 70
auditing) is a set of sensible controls that one might want to see in
their cloud provider:

- password complexity requirements
- multiple copies at geographically redundant sites
- 99.9% SLA
- availability of open formats & interfaces
- etc.

Sam

__________________


Vikas Deolaliker

Nov 22, 2009, 12:29:19 PM
to cloud-comput...@googlegroups.com
A critical missing element in cloud security is the lack of event reporting as
related to GLBA, HIPAA & SOX. 20-year storage is for audit and not as big a
headache as knowing that last week there was a non-compliant event.

Vikas

Paulo Calcada

Nov 24, 2009, 12:11:43 PM
to cloud-comput...@googlegroups.com
For those interested in this field, KuppingerCole is promoting a free webinar about it. More information can be found here:

http://www.kuppingercole.com/virtual/accessgovernance

Paulo










--
http://pcalcada.name
--              





Paulo Calcada

Nov 24, 2009, 12:07:12 PM
to cloud-comput...@googlegroups.com
First I have to congratulate everyone involved in this project. It's moving in the right direction and giving a very important contribution to the Cloud Computing community and evangelists.

Regarding the issues discussed above, I think that security is definitely the next subject to be discussed. In my opinion, and having the thoughts presented above in mind, I think that one very important subject is missing. I think that we should focus our work on subjects related to Governance and Access Control. This is something tightly related to the Identity Technologies but it is something that the Cloud Computing guys are not giving the necessary attention.

Despite this lack of attention, the work done in this field, especially the one done under the umbrella of SOA, is very important and we already have a large set of products that could easily be adapted and readjusted to the CC paradigm. We definitely should start with the XACML specification and then we should take a look at the work developed by companies such as Software AG (Webmethods product); Intel (SOA Expressway); Axiomatics (Risk Intelligent Access Control), and more recently the work introduced by Microsoft and its .Net RIA Services.

Paulo










Matt Rutkowski

Dec 1, 2009, 10:30:18 AM
to Cloud Computing Use Cases
In my post "Security Use Cases should cover these areas", I described
the common notion of a security framework for cloud (as opposed to a
single enterprise) and suggested several security infrastructure areas
that would comprise it. This approach is directly meant to create a
cloud security framework that is auditable for the purposes of
compliance certification.

Specifically for security events, logging and reports, this would be
covered under the infrastructure area:

- Security Event/Auditing/Reporting (centralized aggregation of
security data, and normalization for analysis)

Of course, we need to construct use cases that highlight the needs for
aggregating and disseminating security events for "a compliance audit"
of some type (e.g. HIPAA or CDISC for a healthcare scenario, PCI-DSS
for a retail scenario, COBIT for a SOX-based financial scenario, etc.)

My thoughts...

-Matt

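Added illustration of the two threads above (Vikas's "knowing that last week there was a non-compliant event" and Matt's "centralized aggregation of security data, and normalization for analysis"). This is editor-added example code, not code from anyone in this thread or from any product it names. It takes two constructed record formats (a syslog-style sshd line from a VM and a JSON audit record from a hypothetical cloud object-store API), normalizes both onto one event schema, keeps the last seven days, and applies a small constructed compliance policy to produce the kind of weekly findings report an auditor would ask for. The log formats, field names, rule identifiers and the policy itself are assumptions.

```python
"""Added illustration, not code from this thread or from any project it names.

Two constructed record formats (a syslog-style sshd line from a VM and a JSON
audit record from a hypothetical cloud object-store API) are normalized into
one event schema, and a weekly compliance report is built from the result.
The field names, the rule identifiers and the policy itself are assumptions.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample input. The cron line is there to show that records the
# normalizer does not understand are counted rather than silently dropped.
SAMPLE_LINES = [
    "2009-11-18T09:12:03Z vm-db01 sshd[4121]: Failed password for root from 10.0.0.7 port 51212 ssh2",
    '{"time":"2009-11-19T22:41:10Z","service":"objectstore","actor":"alice",'
    '"action":"GetObject","resource":"bucket/patient-records/2009.csv","mfa":false,"tenant":"clinic-a"}',
    '{"time":"2009-11-20T08:05:44Z","service":"objectstore","actor":"bob",'
    '"action":"GetObject","resource":"bucket/marketing/logo.png","mfa":false,"tenant":"clinic-a"}',
    "2009-11-20T10:00:00Z vm-db01 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "2009-11-21T03:00:01Z vm-db01 sshd[4200]: Accepted publickey for deploy from 10.0.0.9 port 40022 ssh2",
]

# The report covers the seven days ending at this instant (assumed).
REPORT_WEEK_END = datetime(2009, 11, 22, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    """Common schema every source is mapped onto before analysis."""
    ts: datetime
    source: str          # which system emitted the record
    actor: str           # who did it
    action: str          # what they did
    resource: str        # what it was done to
    outcome: str         # "success" or "failure"
    mfa: Optional[bool]  # None when the source does not report it


SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")


def parse_ts(text: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps both constructed formats use."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(line: str) -> Optional[Event]:
    """Map one raw record onto Event; return None for formats we do not know."""
    if line.startswith("{"):
        rec = json.loads(line)
        return Event(parse_ts(rec["time"]), rec["service"], rec["actor"],
                     rec["action"], rec["resource"], "success", rec.get("mfa"))
    m = SYSLOG_RE.match(line)
    if m and m["prog"] == "sshd":
        s = SSHD_RE.match(m["msg"])
        if s:
            outcome = "success" if s["outcome"] == "Accepted" else "failure"
            return Event(parse_ts(m["ts"]), f"{m['host']}/sshd", s["user"],
                         f"ssh-login/{s['method']}", m["host"], outcome, None)
    return None


def findings(events: list[Event]) -> list[tuple[str, Event]]:
    """Apply a constructed compliance policy; the rule ids are placeholders."""
    out = []
    for e in events:
        # Reading a protected dataset without MFA is a reportable event.
        if e.resource.startswith("bucket/patient-records/") and not e.mfa:
            out.append(("PHI-ACCESS-NO-MFA", e))
        # Any direct root login attempt, successful or not, is reportable.
        if e.action.startswith("ssh-login") and e.actor == "root":
            out.append(("ROOT-LOGIN-ATTEMPT", e))
    return out


def weekly_report(lines: list[str], week_end: datetime) -> dict:
    """Aggregate, normalize and filter to one week, then list the findings."""
    start = week_end - timedelta(days=7)
    normalized = [normalize(line) for line in lines]
    events = [e for e in normalized if e is not None and start <= e.ts < week_end]
    return {
        "window": (start.isoformat(), week_end.isoformat()),
        "events": len(events),
        "unparsed": normalized.count(None),
        "findings": [
            {"rule": rule, "ts": e.ts.isoformat(), "actor": e.actor,
             "source": e.source, "resource": e.resource}
            for rule, e in findings(events)
        ],
    }


def run_example() -> dict:
    """Build the report for the constructed sample input."""
    return weekly_report(SAMPLE_LINES, REPORT_WEEK_END)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Running it prints a report with four normalized events, one unparsed record, and two findings (the root login attempt on the VM and the MFA-less read of the patient-records object). The point of the normalization step is that the policy in `findings` is written once against the common schema and never has to know which source a record came from; the `unparsed` count is what tells an auditor how much of the raw feed the aggregator actually covered.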