Re: Draft of Table of Contents for Cloud Computing Use Cases White Paper V3


tluk...@exnihilum.com

Jan 12, 2010, 11:11:05 AM
to cloud...@googlegroups.com

>> "There appears to be some amount of overlap here with the Cloud Security Alliance (CSA) work"

Unfortunately, it's broad enough to "overlap" pretty much any Cloud Security initiative out there, don't you think?

TJL


-----Original Message-----
From: "Sam Johnston" [sa...@samj.net]
Date: 01/12/2010 10:35 AM
To: cloud...@googlegroups.com
Subject: Re: Draft of Table of Contents for Cloud Computing Use Cases White
Paper V3

There appears to be some amount of overlap here with the Cloud Security Alliance (CSA) work - I trust you're aware of that?

Sam

On Mon, Jan 11, 2010 at 12:17 PM, DCR <drus...@ca.ibm.com> wrote:
This is a copy of the post that was just made today to the Cloud
Computing Use Cases White Paper (http://groups.google.com/group/cloud-computing-use-cases).

We look forward to your comments to the original post at http://su.pr/2Be9pA

or directly to this post.

__________________________

Friends, here's a proposed ToC for Version 3. As always, this is an
attempt to organize our discussions of the last couple of months.

Introduction & Motivation

 A general discussion of the importance of security

Security Controls

 A short discussion of the requirements we've discussed here:
 - Asset Management
 - Service/User Identity, Access Control and Roles/Attributes
 - Security Policy
 - Cryptography, Key and Certificate Management
 - Network Security
 - Data/Storage Security
 - Endpoint Security
 - Security Event/Auditing/Reporting
 - Workload/Service Management
 - Security Service Automation

Security Patterns & Federation

Cloud Security Roles

 I think patterns and roles are a great way to organize the
discussion as it relates to the security controls mentioned above.

Security Use Cases

 - The use cases we've discussed. Some use cases were discussed in
broad terms (supply chain and healthcare), it would be great if we
could flesh those out here.

Cross-references

- These were useful ways of summarizing the information in earlier
versions. Security Controls vs. Service Models (*aaS), Security
Controls vs. Deployment Models and Security Controls vs. Security
Patterns could be useful tables.

Let me know what you think.

As for a schedule, I plan to have a first draft posted by next Friday
(the 15th), a second draft the following Friday (the 22nd), with a
final Version 3 ready by the end of the month.

Cheers,

Doug



Paulo Calcada

Jan 12, 2010, 11:24:25 AM
to cloud...@googlegroups.com
Yes,

But as any other work developed using as its basis the Cloud Computing paradigm, the security analysis tends to be as broad as the players (specialists, evangelists, etc...) can do it.

I don't think this is a problem, on the contrary, I think that at this point this is very interesting. As a deployment or business model, Cloud Computing could only move forward if all the players are able to understand in what way the work developed until now could help and how it should be integrated and articulated with the work developed by the "neighbour" technology, paradigm, product, etc. And in order to be able to accomplish this, a broader study is needed...

Paulo





--
http://pcalcada.name
--              

tluk...@exnihilum.com

Jan 12, 2010, 11:46:59 AM
to cloud...@googlegroups.com

>> "I don't think this is a problem, on the contrary,"

I apologize if my comment seemed too negative -- I didn't mean it to be a case of "hit and run". The concern that I have is that (in an "elephant in the room" way) everyone seems to be overlooking the fact that "Security in the Cloud" is a superset of "Security on the ground", and behaving as if it's somehow possible to "solve" the Cloud Security problem when it has yet to be "solved" outside of the Cloud.

TJL



Paulo Calcada

Jan 12, 2010, 12:05:32 PM
to cloud...@googlegroups.com
I think this is happening because we are talking about security, and if something fails in this field the whole business could be compromised.

Paulo




--
http://pcalcada.name
--              

Gary Mazz

Jan 12, 2010, 12:13:37 PM
to cloud...@googlegroups.com
This sounds like we may be fitting too much in a "security" model and we
actually needed a broader cloud governance use model(s) that includes
security as a set of governance priorities.

gary

Paulo Calcada

Jan 12, 2010, 12:23:51 PM
to cloud...@googlegroups.com
I completely agree, Governance is the word. But it is very difficult to deploy governance policies if we don't have a well defined set of security policies, methodologies, technologies, etc...

2010/1/12 Gary Mazz <garymaz...@gmail.com>



--
http://pcalcada.name
--              

tluk...@exnihilum.com

Jan 12, 2010, 12:47:17 PM
to cloud...@googlegroups.com

>> "This sounds like we may be fitting too much in a "security" model.."

The "S" word is literally unbounded at any level -- from a 'macro' to a 'micro' scope.

Even when discussing something as "simple" as a single message between point 'A' and point 'B', and the requirements state that it must be "secure", does this mean 'confidentiality' (needs to be encrypted).. 'integrity' (needs a checksum).. 'privacy' (needs access control).. all of these?

So when trying to address Security for something as (arguably) ill-defined as "Cloud Computing" we can end up lost in a swamp very quickly.

TJL

gary mazzaferro

Jan 12, 2010, 2:38:14 PM
to cloud...@googlegroups.com
I think we are swimming in it, neck height right now.

I prefer to use the term governance, although it's a misnomer and not applicable to point solutions or technologies. Governance does give us a broader framework to define entities (assets and actors), relationships, activities and roles. At the least it can provide a way for us to discuss ideas & expectations, document mandates and abstract complexities to simpler terms. Specifying technologies is a practice (implementation) which, IMO, exceeds the scope of a use case.

-g

Sam Johnston

Jan 12, 2010, 8:46:15 PM
to cloud...@googlegroups.com
On Tue, Jan 12, 2010 at 12:47 PM, tluk...@exnihilum.com <tluk...@exnihilum.com> wrote:

So when trying to address Security for something as (arguably) ill-defined as "Cloud Computing" we can end up lost in a swamp very quickly.

Cloud computing is adequately defined, though to the chagrin of many its definition (while accurate) lacks precision. You don't see anyone bitching about the definition of "client-server" now do you, and yet that applies to pretty much everything we use computers for today. Let's leave definition discussions in 2007 where they belong.

Anyway it wasn't my intention to post to the peanut gallery - I inadvertently responded to the copy here rather than the original thread in the cloud-computing-use-cases group. Apologies.

Sam


