csa cloud trust protocol and a4cloud: enforcing cloud accountability through security continuous...

www.cloudsecurityalliance.org Copyright © 2013 Cloud Security Alliance. CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring. November 2013, Research Council of Norway. Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director

Upload: the-research-council-of-norway-iktpluss

Post on 21-Jul-2015


TRANSCRIPT

CSA Cloud Trust Protocol and A4Cloud: Enforcing cloud accountability through security continuous monitoring

November 2013, Research Council of Norway

Daniele Catteddu, CSA Managing Director EMEA and OCF Project Director


About the Cloud Security Alliance

Global, not-for-profit organisation

Over 48,000 individual members, more than 180 corporate members, and 65 chapters

Building best practices and a trusted cloud ecosystem

Agile philosophy, rapid development of applied research

GRC: Balance compliance with risk management

Reference models: build using existing standards

Identity: a key foundation of a functioning cloud economy

Champion interoperability

Enable innovation

Advocacy of prudent public policy

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”


Security Benefits

Economy of Scale


RISKS


OPENNESS & TRANSPARENCY


NEW GOVERNANCE MODELS


ACCOUNTABILITY

This project is partly funded from the European Commission’s Seventh Framework Programme (FP7/2007-2013) under grant agreement no: 317550 (A4CLOUD).

Cloud Accountability Project

The project focuses on accountability as the most critical prerequisite for effective governance and control of corporate and private data processed by cloud-based IT services.

It aims to assist cloud service providers with:

• Techniques to make services more trustworthy

• Ways to satisfy business policies and demonstrate compliance

• Allowing differentiation


A4Cloud Members

Industry

Community

Research


Drivers for accountability

Globalisation and new technologies

• Cloud computing presents a paradigm shift in how IT is deployed and consumed

Uncertainty and lack of visibility (for consumers, clients and regulators)

• Privacy and trust come from sound stewardship of information by service providers, for which we need to hold them accountable

Regulatory complexity in global business environments, especially for cloud

• Accountability addresses global interoperability

• Clear and consistent framework of data protection rules

• Allows avoidance of a complex matrix of national laws and reduces unnecessary layers of complexity for cloud providers

• New technologies like cloud are straining traditional privacy frameworks


Context

Principles, Regulations and Societal Norms: What is the right thing?

Design: How to do the right thing (supports the principles)

Accountability: Trying to get organisations to do the right thing; holding them to account if they don’t; facilitating redress (complements design)

Accountability means control over practical aspects of compliance, and the obligation to prove that principles are put into effect.

Cloud ecosystem

Model of Accountability

Conceptual model of accountability

Accountability is described on three levels, from conceptual to concrete:

Attributes (conceptual, abstract): What?

Practices (organisational): How?

Mechanisms (operational, concrete): With what?

Defining accountability

Accountability consists of defining governance to comply in a responsible manner with internal and external criteria, ensuring implementation of appropriate actions, explaining and justifying those actions and remedying any failure to act properly.


Accountability attributes

• Observability

• Verifiability

• Attributability

• Transparency

• Responsibility

• Liability

• Remediation


Accountability practices

• Define governance

• Ensure implementation

• Explain & justify actions

• Remedy failures


Accountability mechanisms

Mechanisms contain:

• Business processes (auditing, risk assessment, etc.)

• Non-technical instruments (contracts, legal means, etc.)

• Technical tools (tracking and transparency tools, notification of policy violation, etc.)


What is needed

• Accountability framework

• Accountability metrics

• Accountability evidence mechanisms and tools

• Auditing mechanisms and tools

• Policy compliance mechanisms and tools

• Reference architecture for accountability

• Interoperable mechanisms and tools

A4Cloud project

Work areas: trustworthy architecture; privacy assurance; trust assurance; governance, security and trust economics; policies; transparent security.

• Risk and trust models for accountability

• Accountability policy language

• Enforcement mechanisms for accountability

• User-centric accountability tools


A4Cloud & CSA

A4Cloud results are relevant to a number of CSA research and educational activities, as well as in the context of the Open Certification Framework.

The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service clients can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.

An idea for a consumer/provider protocol

Commitments = Reports + Alerts

CTP sits between consumer and provider; the provider commits to security attributes (confidentiality level, uptime, …), reports on them, and alerts the consumer when a commitment is not met.

Transparency and trust

Goal: Transparency and trust

OCF level 1: Cloud self-certification

OCF level 2: Third-party cloud certification

OCF level 3: Cloud monitoring based certification

What we have today…

1. API & Data Model: what is a report, a commitment, an alert? A security attribute? A resource, a service?

2. Security attribute catalogue: “availability”, “timely incident reporting”, “confidentiality level”, …

3. A prototype: REST + XML

The API is the easy part...

Challenge 1:

Standardizing cloud security attributes

Diagram: Electricity consumption: 0.06 kWh = 0.06 kWh = 0.06 kWh. Cloud availability: 99.95% = 99.95% = 99.95%?

Challenge 2:

Finding good security attributes

Is “1 vulnerability found” better than “5 vulnerabilities found”? The bare count says little. A more useful report:

100 vulnerabilities published in 2013 (NVD)

9 relevant to our platform

8 tested

1 found exploitable (severity = 6.0)

Time between discovery and fix = 5 days
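The “Commitments = Reports + Alerts” idea and the Challenge 2 point about measurable attributes, as an added illustration that is not CTP code and does not follow the CTP data model or API: a provider commits to attributes named in the slides, publishes measured reports, and a consumer-side check raises an alert when a report breaks a commitment or when a committed attribute has no evidence at all. The attribute names, thresholds and the numeric confidentiality scale are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Commitment:
    # A provider promise about one security attribute, e.g. "uptime >= 99.95%".
    attribute: str
    holds: Callable[[float], bool]
    text: str

@dataclass(frozen=True)
class Report:
    # A measured value the provider publishes for one attribute.
    attribute: str
    value: float

@dataclass(frozen=True)
class Alert:
    attribute: str
    reason: str
    value: Optional[float] = None  # None when the alert is about missing evidence

def evaluate(commitments: List[Commitment], reports: List[Report]) -> List[Alert]:
    """Match reports to commitments. A report that breaks its commitment raises an
    alert; a commitment with no report also raises one, because a promise without
    evidence cannot be verified (the observability and verifiability attributes)."""
    latest: Dict[str, Report] = {r.attribute: r for r in reports}  # last report wins
    alerts: List[Alert] = []
    for c in commitments:
        r = latest.get(c.attribute)
        if r is None:
            alerts.append(Alert(c.attribute, f"no report for commitment '{c.text}'"))
        elif not c.holds(r.value):
            alerts.append(Alert(c.attribute, f"violates '{c.text}'", r.value))
    return alerts

# Constructed commitments using attributes named in the slides (values are made up).
COMMITMENTS = [
    Commitment("uptime_percent", lambda v: v >= 99.95, "uptime >= 99.95%"),
    Commitment("confidentiality_level", lambda v: v >= 3, "confidentiality level >= 3"),
    # Challenge 2: a bare "vulnerabilities found" count is a poor attribute; the time
    # from discovery to fix (the slide's 5-day figure) is well defined and measurable.
    Commitment("vuln_fix_days", lambda v: v <= 7, "discovery-to-fix <= 7 days"),
]

def demo() -> List[Alert]:
    # Constructed reports: uptime slipped in the second report, the fix time matches
    # the slide, and no confidentiality report was published this period.
    reports = [Report("uptime_percent", 99.99), Report("uptime_percent", 99.90),
               Report("vuln_fix_days", 5)]
    return evaluate(COMMITMENTS, reports)
```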

Challenge 3:

Fitting CTP in OCF level 3

The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.

Challenge 4:

Integrating CTP in A4Cloud


Lessons already learned

Good attributes need to be:

Well defined – consistently measured

Cheap to evaluate – automated

Correlated to consumer utility

Some interesting but tricky areas: vulnerability management, data location, staff data access, incident response….

Now it’s your turn!

The CTP working group

CSA launches the CTP working group:

Objective 1: Define CTP vision, goals, design principles.

Objective 2: Define CTP data model.

Objective 3: Specify the CTP API.

Objective 4: Specify CTP core security attributes.

Objective 5: Implement a CTP pilot.

Objective 6: Support OCF monitoring based certification.

Help Us Secure Cloud Computing: www.cloudsecurityalliance.org

www.linkedin.com/groups?gid=1864210

www.a4cloud.eu
