The Latest in Cloud Computing Standards

DESCRIPTION
Eric A. Hibbard, CTO Security and Privacy, Hitachi, gave this presentation at our API and SOA workshop in conjunction with CSA.

TRANSCRIPT
Latest in Cloud Computing Standards
Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA, SCSE
CTO Security & Privacy
Hitachi Data Systems
Standards Alphabet Soup
• CSA = Cloud Security Alliance
• DMTF = Distributed Management Task Force
• ENISA = European Network and Information Security Agency
• ETSI = European Telecommunications Standards Institute
• IEC = International Electrotechnical Commission
• IEEE = Institute of Electrical and Electronics Engineers
• INCITS = International Committee for Information Technology Standards
• ISO = International Organization for Standardization
• ITU-T = International Telecommunication Union – Telecom
• NIST = National Institute for Standards and Technology
• OASIS = Organization for the Advancement of Structured Information Standards
• SNIA = Storage Networking Industry Association
• TCG = Trusted Computing Group
Sample Cloud SDO Relationships
[Diagram: relationships among cloud standards development organizations, labelled Formal vs. Informal; organizations shown: ISO/IEC SC27, ISO/IEC SC38, IEEE, ITU-T, SNIA, DMTF, INCITS/CS1, TCG, CSA, ENISA, NIST, INCITS/DAPS38, CT-CC.]
Standards & Glaciers… Similar Pace

Cloud Computing…
cloud computing: paradigm for enabling [ubiquitous, convenient, on-demand] network access to a shared pool of configurable cloud resources (3.2.4) accessed through services (3.1.8), that can be [rapidly] provisioned and released [with minimal management effort or service provider interaction.]
SOURCE: ISO/IEC 2nd CD 17788
ISO/IEC JTC 1/SC 38
• SC38 = Information Technology – Distributed Application Platforms & Services
• ISO/IEC 17788 (Cloud computing – Vocabulary and overview)
  • Collaborative Team (CT) with ITU-T/SG13 to develop common text
  • Defines key cloud terminology and provides an overview of cloud computing
  • Intended to be a foundation document for cloud computing
  • Stage: 2nd Committee Draft (CD)
• ISO/IEC 17789 (Reference architecture)
  • Collaborative Team (CT) with ITU-T/SG13 to develop common text
  • Covers general concepts and characteristics of cloud computing, the components/functions and roles and their capabilities and inter-relationships
  • Focused on the requirements of "what" cloud services provide, not "how" to design solutions and implementations
  • Stage: Working Draft (CD)
• Under consideration:
  • Service Delivery Principles and Service Level Agreements
ITU-T/Study Group 13 (SG13)
• Future networks including cloud computing, mobile and next-generation networks
• Y.ccdef – Cloud computing definition and vocabulary
• Y.cceco – Cloud computing: ecosystem, use cases and general requirements
• Y.Cloud-SIDE-Reqts – High level requirements and capabilities for cloud enabled service environment
• Y.ccic – Framework of inter-cloud for network and infrastructure
• Y.ccinfra – Cloud computing infrastructure requirements
• Y.ccra – Cloud computing reference architecture
• Y.e2eccrmr – End-to-end cloud computing resources management requirements
• Y.VNC – Resource control and management for virtual networks for cloud services (VNCs)
ITU-T/Study Group 17 (SG17)
• Security
• X.ccsec – High-level security framework for cloud computing
• X.goscc – Guidelines of operational security for cloud computing
• X.sfcse – Security functional requirements for Software as a Service (SaaS) application environment
• X.idmcc – Requirement of IdM in cloud computing
ISO/IEC JTC 1/SC27
• SC27 = Information Technology – Security techniques
• ISO/IEC 27017 (Code of practice for information security controls for cloud computing services based on ISO/IEC 27002)
  • Additional implementation guidance for relevant information security controls specified in ISO/IEC 27002; and
  • Additional controls and implementation guidance that specifically relate to cloud computing services.
  • Technical Report => International Standard
  • Stage: 4th Working Draft (WD)
• ISO/IEC 27018 (Code of practice for data protection controls for public cloud computing services)
  • Applies to organizations providing public cloud computing services that act as PII processors (possibly PII controllers)
  • Establishes commonly accepted control objectives, controls and guidelines for implementing controls to protect
  • Stage: 2nd Working Draft (WD)
ISO/IEC JTC 1/SC27 (cont.)
• ISO/IEC 27040 (Storage security)
  • Overview of storage security concepts and related definitions
  • Guidance on the threat, design and control aspects associated with typical storage scenarios and storage technology areas
  • Limited coverage for cloud storage (e.g., CDMI)
  • Stage: 2nd Committee Draft (CD)
• Numerous other security standards that are potentially relevant!
Standards Setting Organizations (SSO) & Industry Associations
NIST – Information Technology Laboratory
• Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
• Special Publication 800-145, The NIST Definition of Cloud Computing
• Special Publication 800-146, Cloud Computing Synopsis and Recommendations
• Special Publication 500-291, NIST Cloud Computing Standards Roadmap
• Special Publication 500-292, NIST Cloud Computing Reference Architecture
• Special Publication 500-293 (Draft), US Government Cloud Computing Technology.
• Interagency Report 7904 (Draft), Trusted Geolocation in the Cloud: Proof of Concept Implementation
Cloud Security Alliance (CSA)
• Security Guidance for Critical Areas of Focus in Cloud Computing
• Open Certification Framework
• Cloud Controls Matrix (CCM)
• Trusted Cloud Initiative (TCI) Reference Architecture Model
• Top Threats to Cloud Computing
• Security as a Service (SecaaS) Implementation Guidance
OASIS
• Cloud Application Management for Platforms (CAMP)
• Identity in the Cloud (IDCloud)
• Symptoms Automation Framework (SAF)
• Topology and Orchestration Specification for Cloud Applications (TOSCA)
• Cloud Authorization (CloudAuthZ)
• Public Administration Cloud Requirements (PACR)
Other Cloud Activities of SSOs & IAs
• IEEE Standards Association (IEEE-SA)
  • P2301 – Guide for Cloud Portability and Interoperability Profiles (CPIP)
  • P2302 – Standard for Intercloud Interoperability and Federation (SIIF)
• Internet Engineering Task Force (IETF)
  • RFC 6208 – Cloud Data Management Interface (CDMI) Media Types
  • Huge number of RFCs that enable the cloud.
• Trusted Computing Group (TCG)
  • Trusted Multi-Tenant Infrastructure (TMI) Use Cases
  • Trusted Multi-Tenant Infrastructure (TMI) Specification [Goal]
• Storage Networking Industry Association (SNIA)
  • Cloud Data Management Interface (CDMI) specification
  • ISO/IEC 17826:2012, Information technology -- Cloud Data Management Interface (CDMI) [CDMI v1.0.2]
Other Cloud Activities of SSOs & IAs (cont.)
• The Open Group
  • Service-oriented Cloud Computing Infrastructure (SOCCI) Framework
  • Cloud Computing Reference Architecture (CCRA)
• Distributed Management Task Force (DMTF)
  • DSP0243 Open Virtualization Format (OVF)
  • ISO/IEC 17203:2011, Information technology -- Open Virtualization Format (OVF) specification
  • DSP0263 Cloud Infrastructure Management Interface (CIMI) Model and REST Interface over HTTP Specification
  • DSP0264 CIMI-CIM Specification
Final Thoughts
• A significant number of the cloud computing standards and specifications are still in draft form
• There are many organizations operating in this space, but there do appear to be conscious efforts to avoid duplication and contradiction
• It is unlikely that a single, all-encompassing standard (or source for standards) will emerge for cloud

THANK YOU