CSA + CTP = Nebula Nova: A Commentary and Essay
There are no good two-legged stools. Try sitting on one! Three-legged stools are better, but even those can tip over unexpectedly if you are not careful about just how you arrange the load. But, four-legged stools … Now, we’re talking! This is the sturdiest, most reliable kind of platform for sitting, climbing, or just supporting a valuable package.
The same reality holds true for cloud processing. If we are to reap the benefits promised to cloud consumers through the global computing utility model offered by “the cloud”, then the “valuable packages” of enterprise workloads and important data sets also need the most sturdy and comprehensive form of cloud security. That’s one reason why the addition of the CloudTrust Protocol (CTP) to the governance, risk, and compliance (GRC) model of the Cloud Security Alliance (CSA) is so important. The CTP now becomes the fourth leg (the fourth “pillar”) of the CSA GRC stack, completing the framework for the standard specification and examination of cloud security control claims and capabilities. With the ultimate integration of these four CSA initiatives, we will at last have a standard and reliable technique for describing and investigating cloud security needs that does not depend on some difficult translation or complicated extrapolation of older, more conventional information technology schemes, and which can be conveniently used by cloud consumers and providers alike.
However, that’s not the only reason that the incorporation of the CTP by the CSA is so exciting. Having a comprehensive GRC model that is specifically shaped for the needs of the cloud lifts a stubborn obstacle to using cloud computing for important and valuable enterprise workloads. But the CTP does more than just remove friction in the enterprise regarding the worthiness of cloud processing to support ever more valuable workloads. The CTP actually liberates enterprises to once again “own” their information risk management decision process by offering a dynamic mechanism to help reclaim important bits of security information that are typically lost when workloads are moved to the cloud. This ability to reclaim transparency into cloud processing without destroying the technology or business fabric of cloud service providers brings not only “sturdier security”, but also fresh sources of digital trust in cloud processing. This restores the enterprise focus to payoffs in cloud processing rather than endless worry about security and control characteristics.
It is this dual benefit of the CTP through the CSA that leads to a Nebula Nova – a New Cloud. Through the CSA, the “new cloud” puts cloud consumers and cloud providers on the same side of the conversation about such cloud security topics as configurations, processes, operating status, and access history. As these conversations manifest themselves in CSA GRC implementations, the cloud looks less and less opaque and offers pathways for faster and more comprehensive (and more payoff oriented) adoption of the cloud processing model. In the best outcome, our clouds are empowered to operate as “glass clouds” with full transparency of both claims and actual service delivery, supporting not only the compliance community but also the enterprise service consumer community.
To be sure, there are still analyses, experiments, and decisions to be made in the integration of the CTP with the other three legs of the CSA GRC stack. Such topics as the final namespace, the safe use of an existing internet protocol to carry CTP requests and responses, the extension technique for CTP elements-of-transparency, an enriched use of the SCAP standard, and the direct and indirect links to the CSA Cloud Controls Matrix (CCM) are all on the list of actions to be pursued by the new CTP project within the CSA.
And, that’s one of the beauties of the CSA itself. Like the entire CSA GRC, the value of the CTP lies not in a single cloud. Its value is accelerated and magnified many times over with the participation of cloud consumers and cloud providers alike in the protocol details and operational accompaniments of the CTP (now within the context of the whole CSA GRC stack). Only the CSA can bring the practical, “bottoms-up” research teams and collaborations that are essential to the successful evolution of this integration to full velocity. Only the CSA has the global reach to include the widest possible thinking from the most inventive and experienced technologists and business operators around the world. And, only the CSA operates with an independence that gives fair voice and attention to all responsible points of view so that the results offer common sense and value to the widest possible audience.
The opportunity for a nebula nova is a match (with four sturdy legs) between the CTP and the CSA that is made in a heaven where clouds (and cloud security) live. Stand by for nebula nova …
Posted by Ron Knode
Ron Knode is the Director of Security and Trust architectures for the CSC Trusted Cloud and Hosting business unit, and a researcher with the CSC Leading Edge Forum. He is also the creator of the CloudTrust Protocol.