Security Use Cases should cover these Core Security Areas
1 view
Skip to first unread message
drus...@ca.ibm.com
Nov 24, 2009, 1:38:22 PM11/24/09
to Open Cloud Manifesto
On Nov.19th, the first post on the topic for the Cloud Computing Use
Cases White Paper V3 was made. Unfortunately, it appears Google had
problems with the ability of individuals to post their comments from
Nov.17th to Nov. 23rd. If you have any comments related to the initial
post, please go to our discussion group at http://su.pr/7Vdthp .
Our second post is related to the Security Use Cases which should
cover the core areas for Security in the Cloud.
Staying with the "risk-based, audit and compliance perspective", cloud
providers, when creating their security framework, would have to
establish several security controls.
These controls would have to show firstly that the correct control
infrastructure was in place and secondly that manageable processes/
procedures were also in place and that together they were "effective"
in managing their customers' risks.
A cloud provider would need to consider several basic security
infrastructure areas and determine what hardware and software
components they would need for their framework (leaving out for now
the physical and operational security of the datacenter and its
hardware assets for now):
- Asset Management (track hardware, network and software assets that
comprise the cloud IT Infrastructure)
- Service/User Identity, Access Control and Roles/Attributes
(consistent representation of a person's or service's identity,
attributes and entitlements
- Security Policy (Support representation of policies and decision
making rules for access control, in accordance with licenses)
- Cryptography, Key and Certificate Mgmt. (encryption/decryption, key
stores, key/cert. generation, validation, etc.)
- Network Security (internal, switch/router level, IP stack/packet
level protection)
- Data/Storage Security (considerations for isolation/encryption)
- Endpoint Security (this could cover many types of devices and
protocols, depending on how they permit their customers to access
their cloud/services)
- Security Event/Auditing/Reporting (centralized aggregation of
security data, and normalization for analysis)
- Workload/Service Management (secure means to support configuration,
deployment and monitoring in accordance with license/policy)
- Security Service Automation (a means to manage/analyze security
control flows/processes)
Then one would build (repeatable, perhaps automated) processes and
management controls on top of these infrastructure components from
which the "effectiveness" of the security framework could be audited
and analyzed. Now that I think about it, it seems our "Security Use
Cases" should act as a neutral "test suite" for cloud providers to
use
to analyze their security framework.
Our use cases, should both attempt to "cover" or "touch upon" each of
these security areas of the security framework, but also consider both
the perspective of the provider, as well as the cloud user/consumer.
Does this approach seem reasonable? Have I missed any infrastructure
areas?
We look forward to your comments being posted in our discussion group
at http://su.pr/77hrzT .
-Matt
Cases White Paper V3 was made. Unfortunately, it appears Google had
problems with the ability of individuals to post their comments from
Nov.17th to Nov. 23rd. If you have any comments related to the initial
post, please go to our discussion group at http://su.pr/7Vdthp .
Our second post is related to the Security Use Cases which should
cover the core areas for Security in the Cloud.
Staying with the "risk-based, audit and compliance perspective", cloud
providers, when creating their security framework, would have to
establish several security controls.
These controls would have to show firstly that the correct control
infrastructure was in place and secondly that manageable processes/
procedures were also in place and that together they were "effective"
in managing their customers' risks.
A cloud provider would need to consider several basic security
infrastructure areas and determine what hardware and software
components they would need for their framework (leaving out for now
the physical and operational security of the datacenter and its
hardware assets for now):
- Asset Management (track hardware, network and software assets that
comprise the cloud IT Infrastructure)
- Service/User Identity, Access Control and Roles/Attributes
(consistent representation of a person's or service's identity,
attributes and entitlements
- Security Policy (Support representation of policies and decision
making rules for access control, in accordance with licenses)
- Cryptography, Key and Certificate Mgmt. (encryption/decryption, key
stores, key/cert. generation, validation, etc.)
- Network Security (internal, switch/router level, IP stack/packet
level protection)
- Data/Storage Security (considerations for isolation/encryption)
- Endpoint Security (this could cover many types of devices and
protocols, depending on how they permit their customers to access
their cloud/services)
- Security Event/Auditing/Reporting (centralized aggregation of
security data, and normalization for analysis)
- Workload/Service Management (secure means to support configuration,
deployment and monitoring in accordance with license/policy)
- Security Service Automation (a means to manage/analyze security
control flows/processes)
Then one would build (repeatable, perhaps automated) processes and
management controls on top of these infrastructure components from
which the "effectiveness" of the security framework could be audited
and analyzed. Now that I think about it, it seems our "Security Use
Cases" should act as a neutral "test suite" for cloud providers to
use
to analyze their security framework.
Our use cases, should both attempt to "cover" or "touch upon" each of
these security areas of the security framework, but also consider both
the perspective of the provider, as well as the cloud user/consumer.
Does this approach seem reasonable? Have I missed any infrastructure
areas?
We look forward to your comments being posted in our discussion group
at http://su.pr/77hrzT .
-Matt
Reply all
Reply to author
Forward
0 new messages