This is the third post on Security in the Cloud for the Cloud Computing Use Cases White Paper V3 – http://groups.google.com/group/cloud-computing-use-cases.
In an earlier post (http://su.pr/77hrzT), the suggestion was that several security infrastructure areas would need to exist in the "cloud" security framework, together with an approach to constructing security use cases that sought to "touch" each of these areas. Hopefully, such an approach would lead to a set of use cases that reflect many of the security concerns cited as barriers to cloud adoption. These security infrastructure areas would be called "Infrastructural Security Areas".
In the same post, there is a reference to "Security Management Controls", which can now be expanded upon. These would include the processes that enforce security policy (perhaps against an SLA), assure governance of the IT infrastructure, and in turn use and connect the Infrastructural Security Areas together. These controls in turn imply needed management APIs, which would also be borne out of use cases.
It is important to view how "the cloud" is managed in terms of an internal (provider) view, to assure that the provider can maintain an "audit ready" posture for compliance assessments, as well as an external view of how a cloud customer wishes to manage the security around their specific cloud-deployed applications/workloads, data and resources. So the key feature to reflect in use cases internally would be operational audit and compliance, and externally security information transparency. There are Service and Federation patterns that already exist in some areas of enterprise security that lend themselves to cloud, and others that seem to be evolving that could help us (e.g. the DMTF Open Cloud Standards Incubator).
If we assume that we are describing use cases that can be applied to an open cloud marketplace and that assure that customer investments in cloud are preserved, we of course should suggest open standards as the means to construct data, interfaces and patterns.
So what is evolving is a "layering" process where use cases are built upon patterns, which are in turn built upon a cloud security framework that provides security management controls supported by infrastructural security:
- Cloud Security Use Cases
- Standards-based Security Services and Patterns
- Security Management Controls (based upon standard protocols, APIs
and data formats)
- Infrastructural Security Areas (based upon low level data schemas /
protocol standards)
Does this layering approach create a view that can meet your use case
requirements?
Are there any additional layers or additional parts to the suggested
layers that need to be considered?
Does anyone have any security use cases that would map onto this
layered approach?
You can either respond directly to this post or, to consolidate all responses, enter your post at http://su.pr/7EtRTa.