Jericho Forum 
Meeting Report

Dec 7-8, 2009
hosted by Qualys in Hotel Sofitel La Defense, Paris, France


Agenda:

Monday:
09.30: Arrival & reception
10.00: Start of Meeting: welcome, facilities, host introduction
10.10: Agenda Review & Attendee Feedback
10.20: Workshop: Self Assessment Review - Part 1
12.30: Lunch & networking
13.15: Approach to Identity and Data Access Management (IAM) in a De-perimeterised Environment
13.30: Workshop: Requirements for Device & User Identity
14.00: Workshop: Self Assessment Review - Part 2
17.45: Close

Tuesday:

08.30: Start of Meeting: welcome, facilities, host introduction
09.10: Workshop: Review of CSA Guidelines version 2 and alignment/divergencies with Jericho Forum
10.15: Workshop: Cloud Computing - Cloud Cube Model, Use Cases, Abstraction Layers, IAM requirements
12.15: Workshop: Understanding Orchestration 
13.00: Lunch & Networking
14.00: Close

Attendees:

There were 15 attendees (6 no-shows) on day-1 and 8 attendees (5 no-shows) on day-2.  The attendee list on each day is available to authorised persons on request.
Presenters were Chris Hoff (Cloud Security Alliance, & CISCO), Adrian Seccombe (Jericho Forum Board, & Eli Lilly), and Paul Simmonds (Jericho Forum Board, & Astrazeneca).
Ian Dobson (Director, Jericho Forum, The Open Group) managed the meeting and recorded the proceedings.

Discussion

1. Opening
After welcoming attendees, and acknowledging the excellent meeting facilities provided by meeting host Qualys and their representatives present, attendees introduced themselves. 

2. Agenda Review & Attendee Feedback
The agenda was approved, with the understanding that it may take divergent paths depending on the attendees' interests in progressing specific agenda items.  

3. Workshop: Self Assessment Review

Clarification on Objectives 

Opening discussion addressed the question "How is this Self-Assessment Scheme useful to me? Why would I use it?" The broad answer is that it enables both suppliers and consumers of security products and solutions to assess how well these satisfy the Jericho Commandments (design principles - available at www.jerichoforum.org/publications) for providing effective security in de-perimeterised environments, by enabling suppliers to score their product/solution against each commandment and represent the result as part of their marketing, and by providing consumers (particularly non-experts on security) with those "nasty" (i.e. difficult, testing, awkward-to-answer) questions to ask potential suppliers when deciding which products/solutions to buy.  Overall we can hope that this will influence the market to improve the security of products/solutions in the directions we believe are essential for our current and future IT operations.  This scheme is not particular to Cloud but remains just as relevant to addressing security of operations in the cloud - understanding how these security requirements evolve as one moves from one type of Cloud to another.  We can envision that our self-assessment questions will become part of a supplier's product information, and part of a customer's generic Request for Procurement/Quotation. 

Discussing the different types of Cloud brought out the critical importance of users' need to understand their business reasons for selecting a particular type of Cloud and what the security implications are that they must reconcile as acceptable risk; this includes understanding how to get out of the Cloud when you want to, and particularly how sure you can be that your information and the operations you performed in it (or even traces, i.e. breadcrumbs) are not left behind for other Cloud users/sniffers to find and use.  Users being able to retain control over whether they can move, or are prevented from moving, to different types of Cloud or to different Cloud suppliers is also an important consideration.  While a focus for the Jericho Forum is enabling secure global business collaboration, the Cloud also offers major non-collaboration facilities (i.e. non-sharing of information for business operations with other parties) which many businesses will want to use to significant advantage.

The important thing here is to show users how to architect their IT systems to be able to take secure advantage of the Cloud, including how to migrate/move/navigate to different types of Cloud so as to reap the different benefits of using different types of Cloud for different types of business operations.  This is especially important for small & medium businesses, which often do not have dedicated information security expert resources and so look for good guidance - e.g. from the Cloud Security Alliance.  A key part of guidance of this nature is to maintain a clear understanding of where you are in the Cloud (which type of Cloud you are currently operating in) and what the enablers and constraints are in being able to move to other types of Cloud or withdraw from it.

Approach to Identity and Data Access Management (IAM) 

The Jericho Forum has formed an approach whereby an authenticated Identity/Entity submits a Claim for Access to perform a specified action on a resource, and an Access Control function uses a contracts-based decision engine to correctly fulfil the contract by granting or denying the Claim.  Further, we propose a user-centric approach to Identity to enable selection of the appropriate trusted 3rd party (or use of several TTPs) to authenticate the Identity for the role in which that identity wishes to submit its Claim for Access.
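The following is an added illustration, not Jericho Forum code, of the claims-based flow just described: an authenticated identity presents a Claim for Access naming a role, the TTP that authenticated it, an action and a resource, and a deny-by-default decision engine fulfils the contract only if the TTP is trusted for that role and the contract grants the action. The TTP names, roles, resources and contracts are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed trust configuration (hypothetical names): which trusted third
# parties (TTPs) this relying party accepts as authenticators for each role.
TRUSTED_TTPS: Dict[str, Set[str]] = {
    "employee": {"corp-idp"},
    "partner": {"partner-federation", "corp-idp"},
    "hr-admin": {"corp-idp"},
}

# Constructed contracts: for each resource, which roles may perform which actions.
CONTRACTS: Dict[str, Dict[str, Set[str]]] = {
    "payroll-db": {"employee": {"read"}, "hr-admin": {"read", "write"}},
    "shared-design-docs": {"employee": {"read", "write"}, "partner": {"read"}},
}


@dataclass(frozen=True)
class Claim:
    """A Claim for Access: an authenticated identity asks to act on a resource."""
    identity: str        # e.g. "alice@example.test" (constructed)
    role: str            # role the identity asserts for this claim
    ttp: str             # trusted third party that authenticated the identity
    authenticated: bool  # whether that TTP actually vouched for the identity
    action: str
    resource: str


def decide(claim: Claim) -> Tuple[bool, str]:
    """Contracts-based decision engine: returns (granted, reason).

    Every check that fails denies the claim; only a claim that passes all of
    them is granted, so the default outcome is denial.
    """
    if not claim.authenticated:
        return False, "identity not authenticated"
    if claim.ttp not in TRUSTED_TTPS.get(claim.role, set()):
        return False, f"TTP {claim.ttp!r} not trusted to authenticate role {claim.role!r}"
    contract = CONTRACTS.get(claim.resource)
    if contract is None:
        return False, f"no contract covers resource {claim.resource!r}"
    if claim.action not in contract.get(claim.role, set()):
        return False, f"contract does not grant {claim.action!r} to role {claim.role!r}"
    return True, "claim fulfilled under contract"
```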

As an aside, it was noted how industry momentum over time has demonstrated swings in centricity on Control/Investment focus between the following limits:
- Host centric
- Application centric
- Information centric
- User centric
- Network centric
and it is interesting that the Information centricity is in the centre of this swing, according with the Jericho Forum's commandments 9-11 on Access to Data:

Self-Assessment Scheme - Commandment 8 questions

Discussion then turned to completing the final major gap in our set of Self-Assessment Scheme "nasty" questions - to assess how well a product/solution satisfies the requirements for Commandment 8:

This was recognised as one of the hardest commandments to create the searching questions for such that they target the key issues in each of the 5 features listed in this commandment.  The document lead editor steered the discussion, and both he and the attendees are to be congratulated in completing this set of questions in the time available.  The resulting Commandment 8 Self-Assessment Scheme set of questions is here, and will be incorporated into a new draft of the document.

Action:  The Self-Assessment Scheme editor will create a final draft of this document for members to formally review, resulting in a Beta-test version in January 2010 for trial by selected vendor members, with their feedback then incorporated into a final version that members can approve in March for publication.

4. Review of CSA Guidelines version 2

Chris Hoff reviewed the soon-to-be-released Cloud Security Alliance's Cloud Security Guidelines version 2.1, which was targeted for publication in October, but which will now be published before the end of December.

[Editor's note: CSA version 2.1 was published on Dec 17th, and is available from the CSA Web site at http://www.cloudsecurityalliance.org/ ]

Version 1.0 comprised 15 domains. In version 2.1 these have been revised into 9 domains, in 3 areas - architecture, operating cloud, governing cloud.  Version 1.0 was developed very quickly and as a result it lacked consistency across the 15 domain descriptions; time has been taken by the contributing authors and the document editors to make v2.1 more consistent.  Also, the published v2.1 provides an executive summary of the whole body of work that the CSA working groups have developed into 9 domains since publication of v1.0.  The supporting detailed information will be published in separate white papers over the forthcoming months. 

Through our Memorandum of Understanding established with the CSA in May 2009, several Jericho Forum members have contributed significantly to several CSA WGs in developing the CSA Guidelines v2.1 - a fact that is very evident in the architecture domain but also clearly represented in other domains. 

Discussion of these Jericho Forum contributions to CSA v2.1 highlighted that the collaboration mechanisms/facilities in the CSA WGs, through which Jericho Forum members were trying to contribute via submissions, conference calls, and review of successive updated drafts, were at best not easy to use and in many cases difficult.  Chris observed that improving the collaborative development environment for future CSA development work is high on the CSA agenda now that CSA Guidelines v2.1 is published.  Ian suggested that The Open Group is well placed to provide an effective collaborative development environment for the CSA - including email, interactive Web, and WIKI facilities - as it has demonstrated over many years, including for the Jericho Forum.

Action: Hoff will take The Open Group's potential to provide an effective collaborative development environment for the CSA - including email, interactive Web, and WIKI facilities - to the CSA Executive Management, for consideration in their review for improving their development environment.

Action: Ian will alert The Open Group Management to the potential opportunity for offering to provide to the CSA Executive Management TOG's collaborative development environment facilities to the CSA - including email, interactive Web, and WIKI facilities.

A new consideration raised reviewing the CSA Guidelines v2.1 coverage is the "Ceremony" frame - for how users should approach consuming Cloud.  This was seen as representing a new opportunity to construct the user's perspective.  Some attendees recalled a "ceremonies" presentation given by Carl Ellison in The Open Group's Security Plenary during its October 2007 Conference in Budapest. 

Action: Ian will provide access to Carl Ellison's "ceremonies" presentation delivered in The Open Group's Security Plenary during its October 2007 Conference in Budapest, as an introduction to the proposal for a Ceremonies frame for a User Perspective on Cloud. 

5. Workshop: Cloud Computing - Jericho Forum development

Adrian led a discussion using presentation slides on the development work achieved to date on

In his presentation, Adrian gave an example of the scale of cost savings that can be achieved by using Cloud resources, and explained his concepts on the evolving maturity of the abstraction layers in the Cloud.  He emphasised the business opportunity he perceives for a supplier to develop "compliance as a service" for each level of abstraction, to deliver to Cloud consumers an acceptable level of assurance that their operations in the Cloud are compliant to applicable regulatory/legal regimes.

6. Workshop: Understanding Orchestration

What is involved in "Orchestration"? - the left-hand component in the Abstraction Layers diagram in the published Cloud Cube Model paper.  Adrian characterised this as the User Interface to the Cloud.  While a Cloud user can develop this for themselves, he predicted this as another opportunity for business to develop a "cloud broker" service to provide this User Interface.

Orchestration is currently very immature.  The features needed are different at each level of abstraction.  Some Cloud providers (e.g. Amazon) provide some of the features needed to meet user expectations.  Components to be considered include:

It was noted that in this context of orchestration, we should also view Identity as having orchestration components:

7. Close

Ian thanked all attendees for their excellent contributions to this 2-day meeting, and thanked Qualys for their generous hosting of this meeting in the Hotel Sofitel La Defense, Paris.

Report by Ian Dobson
Director, Jericho Forum, The Open Group.