Cloud Computing:
Standards Development
for Security, Privacy and
Trust
ISSA Baltimore Chapter
InfoSec Summit - September 13, 2012
John Sabo, Director Global Government Relations, CA Technologies
Chair, OASIS IDtrust Member Section Steering Committee
Abstract
— Security, privacy and trust: major issues impacting the uptake
of cloud computing, particularly in public and hybrid cloud
deployments
— Addressing these barriers will require both policy and technical
interoperability and standardization, particularly in the areas
of security and data privacy
— Work is underway in OASIS (Organization for the Advancement
of Structured Information Standards) where cloud trust issues
are being addressed in several technical committees
Clouds and Public Policy
— Cloud Computing –“transformative” technology with huge
impact on international public policy
— World Economic Forum Research Study – 2009/2010
− Benefits and Barriers
— Major cybersecurity and data privacy implications
— “National” Economic Policies
− EU Data Protection Regulation (January 2012)
− European Commission consultations on cloud computing and Internet of Things
− Related “protectionist” policies such as China’s “Indigenous Innovation,” India’s “Preferential Market Access” (PMA), Brazil
Issues from International Cloud Symposium
— ICS 1 -- October 10-13, 2011 conference in London
− Hosted by CA Technologies at Ditton Manor
— Focused on unique attributes of Cloud computing, and the
business and policy considerations
− Governance and Legal impediments
− Security and Identity
− Privacy and Trust
− Interoperability, Data Portability, and Data Management
− Importance of standards development and adoption
— ICS2 – will be held in Bethesda, October 11-12 2012
Governance and Legal Impediments
— Cloud technical challenges are of a lower order of importance than the policy issues - most cloud governance challenges are not new
— Addressing changes to business and operational processes, legal impediments and other non-technical interoperability issues is most relevant for the Cloud
— A workable governance structure necessitates
− understanding and managing effective Cloud computing contracts and Service Level Agreements (SLAs)
− having standards-based metrics and instrumentation in place to ensure compliance.
Governance and Legal Impediments -2
— Areas in which Cloud computing is impacting current legal structures and compliance practices:
− Cloud computing security and cybersecurity
− Reliable messaging and transactional patterns
− Federated identity (of humans and organizations)
− Remote data storage access
— Priorities for future guidance:
− Comparable Quality of Service measures
− Vocabularies for Service Level Agreements (SLAs) and “dashboardability”
− Data ownership and access
− Jurisdiction
− Identifier rigor
Security
— Three key aspects of security (writ large) need to be addressed - risk management, data classification and the use of open standards
− need to develop and leverage a common understanding of risk
management in Cloud based services, and adopt sound risk mitigation practices
− Granularity required in classifying data so that appropriate risk management strategies can be applied
• Clear principles must be applied to the use of public/shared infrastructure and services such that data may be protected as appropriate to their classification
− standards are NOT optional. The migration of applications to the Cloud should actually lead to the greater adoption of standards
Identity Management, etc.
— Trust in Identity - when services are offered via the Internet, how can you trust the identity of the user?
− A particular challenge is confirming a user's attributes while protecting privacy.
— Authentication - using the Cloud changes the risk profile and demands a more flexible approach to authentication. The risk may vary with the location of the user, the device they are using, and the nature and size of the transaction: in short, with context.
— Authorization - there is no common standard authorization model
adopted by Cloud service providers and yet granular access control is a key requirement
Privacy and Trust
— No common definition of privacy internationally, and many
varied perspectives of what constitutes privacy and personal
information
— Common themes:
− User interests
− Context
− “Right to be Forgotten” – user controlled deletion of personal information
− Jurisdiction and location
− Law enforcement and national security access
− Effective notice
− Availability
Critical Importance of Standards
— Standards and their adoption are essential for Cloud deployments and are beneficial for the economy as a whole
− they broaden choice, foster the emergence of new markets and provide a tool to speed up the time for innovation to reach consumers
− There is a great deal of work underway within recognized standards bodies applicable to the cloud
— Compelling need to continue the dialogue between public sector officials, industry and Standards Development Organizations (SDOs) on the
deployment of Cloud based services
— Policy and technology convergence – SDOs provide an opportunity for constructive and structured dialogue and useful outcomes
Technology and Policy Convergence: Standards for Managing
Security and Data Privacy Policies
Cloud Computing and Cloud-based infrastructures
− e-identity systems
− Smart Grid systems
− electronic health systems
− government services
Cybersecurity risk management
Data protection, privacy and data retention and law
enforcement issues for international data flows
Example: U.S. National Strategy for Trusted Identities in
Cyberspace (NSTIC)
public and private sector collaboration to raise the level of trust
associated with the identities of individuals, organizations,
networks, services, and devices involved in online transactions
an identity ecosystem that will:
− enhance privacy and support civil liberties
− be secure and resilient and part of layered security
− ensure policy and technology interoperability among identity solutions
− be built from identity solutions that are cost-effective and easy to use
NSTIC Policy and Technical Interoperability and Standards
— Technical interoperability (including semantic interoperability)
refers to the ability for different technologies to communicate
and exchange data based upon well-defined and testable
interface standards
— Policy-level interoperability is the ability for organizations to
adopt common business policies and processes (e.g., liability,
identity proofing, and vetting) related to the transmission,
receipt, and acceptance of data between systems
— The use of open and collaboratively developed security
standards and the presence of auditable security processes are
critical to an identity solution’s trustworthiness
Policy and Technology Convergence
in OASIS Standards Development
A Sample of OASIS Technical Committees Developing
Standards Supporting Trusted Cloud Computing Services
Topology and Orchestration Specification for Cloud
Applications (TOSCA)
Key Management Interoperability Protocol (KMIP)
Identity in the Cloud (IDCloud)
Privacy Management Reference Model (PMRM)
New: Cloud Authorization (CloudAuthZ)
Topology and Orchestration Specification for Cloud Applications
(TOSCA)
Formed in December 2011
Already one of the largest TCs (> 100 members)
Continues to attract new participants
Listed as one of IBM’s top 10 cloud standards at its Innovate
2012 conference
Co-Chairs:
Paul Lipton, CA Technologies
Simon Moser, IBM
Today's Cloud Services…
— How would you ensure the portability of a complex
cloud service running on complex software and
hardware infrastructure?
− Virtual images do not suffice at all
• They are “just” snapshots of the state of various components
— Another provider might not have a clue how to install,
deploy, run and manage your service
− Need detailed skills and information about the service and
the nature of its underlying hardware/software stack
TOSCA‘s Approach
— Standardizes the language to describe
− The structure of an IT Service (its topology model)
− How to orchestrate operational behavior (plans such as build, deploy, patch, shutdown, etc.)
— Declarative model that spans applications, virtual and physical infrastructure
[Figure: a Topology Model built from Node Types and Relationship Types, alongside Orchestration Services (Plans) built from Operations and Tasks]
TOSCA: Define composite, high-value services – once!
Portability between Cloud providers using the same Service Templates
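As an added illustration of what "the same Service Template" has to carry for a second provider to deploy it (this is example code written for this page, not material from the TOSCA TC or any TOSCA implementation): a small Python reader for a TOSCA-style Service Template that checks the references another provider would have to resolve and derives the order a build plan must follow from the HostedOn relationships. The XML namespace is the TOSCA v1.0 one; the element names follow the v1.0 XML schema as understood here, but the sample template itself, the node and relationship type names (VirtualMachine, ApacheWebServer, PHPApplication, HostedOn) and the plan file reference are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import deque

TOSCA_NS = "http://docs.oasis-open.org/tosca/ns/2011/12"   # TOSCA v1.0 XML namespace
HOSTED_ON = "HostedOn"   # assumed name of the hosting relationship type used in the sample

# Constructed sample Service Template (illustration only): a PHP application hosted on Apache,
# which is hosted on a VM, plus a reference to an external build plan. All names are assumptions.
SAMPLE_TEMPLATE = """<Definitions xmlns="http://docs.oasis-open.org/tosca/ns/2011/12"
             id="WebAppDefinitions" targetNamespace="http://example.org/tosca/webapp">
  <NodeType name="VirtualMachine"/>
  <NodeType name="ApacheWebServer"/>
  <NodeType name="PHPApplication"/>
  <RelationshipType name="HostedOn"/>
  <ServiceTemplate id="WebAppService">
    <TopologyTemplate>
      <NodeTemplate id="vm1" name="Web VM" type="VirtualMachine"/>
      <NodeTemplate id="apache1" name="Apache" type="ApacheWebServer"/>
      <NodeTemplate id="app1" name="Shop App" type="PHPApplication"/>
      <RelationshipTemplate id="apache_on_vm" type="HostedOn">
        <SourceElement ref="apache1"/>
        <TargetElement ref="vm1"/>
      </RelationshipTemplate>
      <RelationshipTemplate id="app_on_apache" type="HostedOn">
        <SourceElement ref="app1"/>
        <TargetElement ref="apache1"/>
      </RelationshipTemplate>
    </TopologyTemplate>
    <Plans>
      <Plan id="build" planType="http://docs.oasis-open.org/tosca/ns/2011/12/PlanTypes/BuildPlan"
            planLanguage="http://docs.oasis-open.org/wsbpel/2.0/process/executable">
        <PlanModelReference reference="plans/build.bpel"/>
      </Plan>
    </Plans>
  </ServiceTemplate>
</Definitions>
"""

def _q(local):
    """Namespace-qualify a TOSCA element name for ElementTree lookups."""
    return "{%s}%s" % (TOSCA_NS, local)

def _local(qname):
    """Strip an optional prefix from a QName attribute value ('ns:Foo' -> 'Foo')."""
    return qname.split(":")[-1]

def load_topology(xml_text):
    """Return (node type names, relationship type names, {template id: type}, [(id, type, source, target)])."""
    root = ET.fromstring(xml_text)
    node_types = {e.get("name") for e in root.iter(_q("NodeType"))}
    rel_types = {e.get("name") for e in root.iter(_q("RelationshipType"))}
    nodes = {e.get("id"): _local(e.get("type")) for e in root.iter(_q("NodeTemplate"))}
    rels = []
    for r in root.iter(_q("RelationshipTemplate")):
        src = r.find(_q("SourceElement")).get("ref")
        dst = r.find(_q("TargetElement")).get("ref")
        rels.append((r.get("id"), _local(r.get("type")), src, dst))
    return node_types, rel_types, nodes, rels

def validate(xml_text):
    """Problems a receiving provider would trip over; an empty list means the template is self-consistent."""
    node_types, rel_types, nodes, rels = load_topology(xml_text)
    problems = []
    for nid, ntype in nodes.items():
        if ntype not in node_types:
            problems.append("node template %s uses undeclared node type %s" % (nid, ntype))
    for rid, rtype, src, dst in rels:
        if rtype not in rel_types:
            problems.append("relationship %s uses undeclared relationship type %s" % (rid, rtype))
        for ref in (src, dst):
            if ref not in nodes:
                problems.append("relationship %s references unknown node template %s" % (rid, ref))
    return problems

def deployment_order(xml_text):
    """Order a build plan must follow: deploy a node only after the node it is HostedOn (Kahn's algorithm)."""
    _, _, nodes, rels = load_topology(xml_text)
    deps = {nid: set() for nid in nodes}
    for _, rtype, src, dst in rels:
        if rtype == HOSTED_ON and src in deps and dst in deps:
            deps[src].add(dst)
    order, ready = [], deque(sorted(n for n, d in deps.items() if not d))
    while ready:
        n = ready.popleft()
        order.append(n)
        for m, d in deps.items():
            if n in d:
                d.discard(n)
                if not d:          # last hosting dependency satisfied: m can be deployed now
                    ready.append(m)
    if len(order) != len(nodes):
        raise ValueError("HostedOn cycle: no valid deployment order")
    return order
```

The point of the checks is the one the slide makes about virtual images: a snapshot tells the next provider nothing about what hosts what. The declarative template does, so a dangling SourceElement/TargetElement reference or an undeclared type is something the target provider can reject before it touches infrastructure, and the HostedOn graph alone is enough to derive the build order without vendor-specific knowledge.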
TOSCA Top-Level Classes
TOSCA Will Enable
— Service/solution portability without
vendor lock-in
− Model-driven cloud services
− Cloud-to-cloud portability
− Automation with faster deploy,
test, update, etc.
− Easier migration of existing
applications to the cloud
− Cloud bursting with more
consumer choice
− Multi-cloud provider applications
− Cloud service marketplaces
TOSCA Past, Present, and Future
— Initial spec submitted to OASIS in Dec. 2011
− CA Technologies, CapGemini, Cisco, Citrix, EMC, IBM, NetApp, PwC, Red Hat, SAP, Software AG, Virtunomic, WSO2
− Many others have joined the OASIS TC such as ActiveState, CenturyLink, China Internet Network Information Center, Google, Huawei, Nokia, Primeton, Progress, Jericho Systems, Progress Software, rPath, Yaana Technologies, VCE, Zenoss, many more
— Goal is to submit a 1.0 version of the standard for ratification
by the end of 2012 (very aggressive, but possible)
− TOSCA is by design a very thin standard: only a metamodel, some top-level classes, and an XML format
− The actual lower-level classes will be defined and submitted for standardization as the industry and use cases continue to mature
Key Management Interoperability Protocol TC (KMIP)
•Chairs:
Robert Griffin, EMC/RSA
Subhash Sankuratripati, NetApp
•The OASIS KMIP TC works to define a single,
comprehensive protocol for communication between
encryption systems and a broad range of new and
legacy enterprise applications, including email,
databases, and storage devices.
•By removing redundant, incompatible key management
processes, KMIP will provide better data security while
at the same time reducing expenditures on multiple
− Prior to KMIP each application had to support each vendor protocol
− With KMIP each application only requires support for one protocol
− Prior to KMIP each application had to integrate each vendor SDK
− With KMIP each application only requires one vendor SDK integration
KMIP Request / Response Model
[Figure: an encrypting storage host sends a KMIP request (Request Header; Get; Unique Identifier) to the enterprise key manager and receives a response (Response Header; Unique Identifier; Key Value) carrying the symmetric key, which it then uses to turn plaintext records (Name, SSN, Acct No, Status) into ciphertext]
KMIP Protocol Operations, Object Attributes and Managed Objects
— Protocol Operations: Create, Create Key Pair, Register, Re-key, Derive Key, Certify, Re-certify, Locate, Check, Get, Get Attributes, Get Attribute List, Add Attribute, Modify Attribute, Delete Attribute, Obtain Lease, Get Usage Allocation, Activate, Revoke, Destroy, Archive, Recover, Validate, Query, Cancel, Poll, Notify, Put
— Object Attributes: Unique Identifier, Name, Object Type, Cryptographic Algorithm, Cryptographic Length, Cryptographic Parameters, Cryptographic Domain Parameters, Certificate Type, Certificate Identifier, Certificate Issuer, Certificate Subject, Digest, Operation Policy Name, Cryptographic Usage Mask, Lease Time, Usage Limits, State, Initial Date, Activation Date, Process Start Date, Protect Stop Date, Deactivation Date, Destroy Date, Compromise Occurrence Date, Compromise Date, Revocation Reason, Archive Date, Object Group, Link, Application Specific ID, Contact Information, Last Change Date, Custom Attribute
— Managed Objects: Certificate, Symmetric Key, Public Key, Private Key, Split Key, Template, Policy Template, Secret Data, Opaque Object; each carries a Key Block (for keys) or a Value (for certificates)
— KMIP defines a set of Operations that apply to Managed Objects, which consist of Attributes and possibly cryptographic material
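The request/response exchange on the slide, and the Operation / Attribute / Managed Object structure just listed, as an added worked example (example code written for this page, not from the KMIP TC, RSA, NetApp or any KMIP product): a Python encoder and decoder for KMIP's TTLV wire format, a client that builds the Get request (Request Header; Operation=Get; Unique Identifier) and an in-memory stand-in for the enterprise key manager that answers with the Response Header, Unique Identifier and Key Value of a symmetric key. The type codes and tag numbers are the ones in the KMIP 1.x specification's TTLV tables; the key store (MOCK_KEYS), the identifier "uid-001" and the 32-byte key are constructed for the example, and the mock is a function call rather than the mutually authenticated TLS session a real KMIP client and server would use.

```python
import struct
import time

# KMIP TTLV item types (KMIP 1.x specification, section 9.1.1.2)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING, DATE_TIME = 0x01, 0x02, 0x05, 0x07, 0x08, 0x09
# The subset of KMIP tags this example needs (KMIP 1.x tag table, section 9.1.3.1)
TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077, "ProtocolVersion": 0x420069, "BatchCount": 0x42000D,
    "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B, "BatchItem": 0x42000F,
    "Operation": 0x42005C, "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
    "ResponseMessage": 0x42007B, "ResponseHeader": 0x42007A, "TimeStamp": 0x420092,
    "ResultStatus": 0x42007F, "ResultReason": 0x42007E, "ResponsePayload": 0x42007C,
    "ObjectType": 0x420057, "SymmetricKey": 0x42008F, "KeyBlock": 0x420040, "KeyFormatType": 0x420042,
    "KeyValue": 0x420045, "KeyMaterial": 0x420043, "CryptographicAlgorithm": 0x420028, "CryptographicLength": 0x42002A,
}
NAME = {v: k for k, v in TAG.items()}
# Enumeration values used below: Operation=Get, Result Status, Result Reason, Object Type, Key Format Type, Algorithm
OP_GET, STATUS_SUCCESS, STATUS_FAILED, REASON_ITEM_NOT_FOUND = 0x0A, 0x00, 0x01, 0x01
OBJ_SYMMETRIC_KEY, FORMAT_RAW, ALG_AES = 0x02, 0x01, 0x03

_PACK = {INTEGER: lambda v: struct.pack(">i", v), ENUMERATION: lambda v: struct.pack(">I", v),
         DATE_TIME: lambda v: struct.pack(">q", v), TEXT_STRING: lambda v: v.encode("utf-8"),
         BYTE_STRING: bytes, STRUCTURE: b"".join}
_UNPACK = {INTEGER: lambda r: struct.unpack(">i", r)[0], ENUMERATION: lambda r: struct.unpack(">I", r)[0],
           DATE_TIME: lambda r: struct.unpack(">q", r)[0], TEXT_STRING: lambda r: r.decode("utf-8"),
           BYTE_STRING: bytes, STRUCTURE: lambda r: parse(r)}

def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length, value padded to 8 bytes."""
    body = _PACK[typ](value)
    return struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", len(body)) + body + b"\x00" * (-len(body) % 8)

def parse(buf):
    """Decode a TTLV buffer into a list of (tag name, value); structures decode recursively."""
    items, pos = [], 0
    while pos + 8 <= len(buf):
        tag, typ = int.from_bytes(buf[pos:pos + 3], "big"), buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        raw = buf[pos + 8:pos + 8 + length]
        if len(raw) != length or typ not in _UNPACK:
            raise ValueError("bad TTLV item at offset %d" % pos)
        items.append((NAME.get(tag, "%#x" % tag), _UNPACK[typ](raw)))
        pos += 8 + length + (-length % 8)
    return items

def _header(tag, extra=()):
    """Request/Response Header: protocol version 1.0, any extra fields (e.g. Time Stamp), batch count of one."""
    version = ttlv(TAG["ProtocolVersion"], STRUCTURE, [ttlv(TAG["ProtocolVersionMajor"], INTEGER, 1),
                                                       ttlv(TAG["ProtocolVersionMinor"], INTEGER, 0)])
    return ttlv(TAG[tag], STRUCTURE, [version, *extra, ttlv(TAG["BatchCount"], INTEGER, 1)])

def build_get_request(unique_id):
    """Client side: the Get request from the slide (Request Header; Operation=Get; Unique Identifier)."""
    payload = ttlv(TAG["RequestPayload"], STRUCTURE, [ttlv(TAG["UniqueIdentifier"], TEXT_STRING, unique_id)])
    item = ttlv(TAG["BatchItem"], STRUCTURE, [ttlv(TAG["Operation"], ENUMERATION, OP_GET), payload])
    return ttlv(TAG["RequestMessage"], STRUCTURE, [_header("RequestHeader"), item])

# Constructed stand-in for the enterprise key manager: unique identifier -> (algorithm, key material).
MOCK_KEYS = {"uid-001": (ALG_AES, bytes(range(32)))}

def mock_key_manager(request):
    """Server side: answer a Get with Response Header; Unique Identifier; Key Value, or report a failure."""
    batch = dict(dict(dict(parse(request))["RequestMessage"])["BatchItem"])
    op, uid = batch["Operation"], dict(batch["RequestPayload"]).get("UniqueIdentifier")
    fields = [ttlv(TAG["Operation"], ENUMERATION, op)]
    if op == OP_GET and uid in MOCK_KEYS:
        alg, key = MOCK_KEYS[uid]
        key_block = ttlv(TAG["KeyBlock"], STRUCTURE, [
            ttlv(TAG["KeyFormatType"], ENUMERATION, FORMAT_RAW),
            ttlv(TAG["KeyValue"], STRUCTURE, [ttlv(TAG["KeyMaterial"], BYTE_STRING, key)]),
            ttlv(TAG["CryptographicAlgorithm"], ENUMERATION, alg),
            ttlv(TAG["CryptographicLength"], INTEGER, len(key) * 8)])
        fields += [ttlv(TAG["ResultStatus"], ENUMERATION, STATUS_SUCCESS),
                   ttlv(TAG["ResponsePayload"], STRUCTURE, [
                       ttlv(TAG["ObjectType"], ENUMERATION, OBJ_SYMMETRIC_KEY),
                       ttlv(TAG["UniqueIdentifier"], TEXT_STRING, uid),
                       ttlv(TAG["SymmetricKey"], STRUCTURE, [key_block])])]
    else:
        fields += [ttlv(TAG["ResultStatus"], ENUMERATION, STATUS_FAILED),
                   ttlv(TAG["ResultReason"], ENUMERATION, REASON_ITEM_NOT_FOUND)]
    header = _header("ResponseHeader", [ttlv(TAG["TimeStamp"], DATE_TIME, int(time.time()))])
    return ttlv(TAG["ResponseMessage"], STRUCTURE, [header, ttlv(TAG["BatchItem"], STRUCTURE, fields)])

def fetch_key(unique_id, send=mock_key_manager):
    """Client side: send a Get through `send` and return (algorithm, key bytes), or None if the server refused."""
    item = dict(dict(dict(parse(send(build_get_request(unique_id))))["ResponseMessage"])["BatchItem"])
    if item["ResultStatus"] != STATUS_SUCCESS:
        return None
    payload = dict(item["ResponsePayload"])
    if payload["ObjectType"] != OBJ_SYMMETRIC_KEY or payload["UniqueIdentifier"] != unique_id:
        return None  # do not accept an object other than the one requested
    block = dict(dict(payload["SymmetricKey"])["KeyBlock"])
    material = dict(block["KeyValue"])["KeyMaterial"]
    if block["CryptographicLength"] != len(material) * 8:
        raise ValueError("Cryptographic Length attribute disagrees with the key material")
    return block["CryptographicAlgorithm"], material
```

Two things worth noting in the client. It never has the key on disk: the encrypting host holds only the Unique Identifier and pulls the Key Value on demand, which is what lets the key manager (and its HSM) remain the single place where keys are created, rotated and destroyed. And it checks the response against what it asked for (Object Type, Unique Identifier, length attribute against the material) instead of trusting the first Key Material it finds; a production client would additionally rely on the mutually authenticated TLS channel that KMIP deployments use, so that this exchange is only ever answered by the enterprise key manager and only to a registered client.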
Cloud Key Management
[Figure: Application Users, CSP Administrators and Enterprise Administrators; the Cloud Service Provider hosts the App and its Data, while keys are served from an Enterprise IT Key Server backed by an HSM (Enterprise App, Key DB, vSphere)]
Use Cases for Hybrid Cloud
[Same figure as above]
− Use cases: tenant administration, key migration, policy distribution
− Implications: tenant granularity, key export/import, policy distribution, client registration
KMIP Interop at RSA Conference 2012
[Figure: an interop network in which several vendors' KMIP servers and clients, with multiple instances of each, exchanged requests]
OASIS Identity in the Cloud (IDCloud)
Towards standardizing Cloud
Identity
Co-Chairs:
Anil Saldhana, Red Hat; Tony Nadalin, IBM
Among the Technical Committee are:
Red Hat, IBM, Microsoft, CA Technologies, Cisco Systems, SAP, EBay, Novell, Ping Identity, Safe Net, Symantec, Boeing Corp, US DOD, VeriSign, Akamai, Alfresco, Citrix, Cap Gemini, Google, Rackspace, Axciom, Huawei, Symplified, Thales, Conformity, Skyworth TTG, MIT, Jericho Systems, PrimeKey, Aveksa, Mellanox, Vanguard Integrity
Cloud Identity Management
TC works to address Identity Management challenges related to Cloud Computing
Cloud Identity Management is considered a top security concern
Identity Management is not completely solved at Enterprise level
Standards are evolving
Cloud is a new paradigm, but it brings largely the same problems in new packaging
Motivation : Example Use Case
Users have Facebook, Google, LinkedIn and similar Cloud Service accounts
A small manufacturing company requires its employees to use an online benefits system annually, to choose health care benefits for the entire year.
The employees work in workshops/units and do not use computers regularly at work; the majority of them have Facebook accounts.
In this use case, employees may be able to use Facebook Connect to sign in to the Benefits system
IDCloud Key Objectives
Identifying detailed Use Cases
Identity deployment, provisioning and management in a cloud context
Gap Analysis of existing Identity Management standards and protocols when applied in the context of Cloud
− Based on Use Cases and Interoperability Profiles
− Feed analysis back to the WG responsible for a standard
Define Interoperability Profiles for Identity in the Cloud
− Profiles will be based on use and combinations of
Additional Objectives
Glossary on Cloud Identity
Harmonized set of definitions, terminologies
and vocabulary on Identity in the context of
Cloud
Do not re-invent the wheel
Build on existing standards and specifications
Strong liaison relationships with other
international working groups
ITU-T, DMTF
Status Update
Three stages:
Formalization of Use Cases [Finished]
Oasis Identity In The Cloud Use Case Document v1.0
http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
Gap Analysis of existing IDM standards using the Use Cases. [In Progress]
Use Cases
Received 35 Cloud Identity Management Use Cases
Structure of Use Cases:
− Description / user story
− Goal / Desired outcome
− Categories covered
− Applicable Deployment Models
− Actors
− Systems
− Notable Services
− Dependencies
− Assumptions
− Process Flow
Use Case Categories
− Authentication
− Single Sign On (SSO)
− Multi factor Authentication
− Infrastructure Identity Establishment
− General Identity Management
− Infrastructure IdM
− Federated IdM
− Authorization
− Account & Attribute Management
− Account & Attribute Provisioning
− Security Tokens
Highly-Ranked Use Cases
Managing Identities at all levels in the Cloud
Need for Federated Single Sign On across
multiple environments
Enterprise to Cloud SSO
Auditing
Multi-factor Authentication for Privileged User
Access
Mobile Identity authentication using Cloud
Provider
OASIS PRIVACY MANAGEMENT REFERENCE
MODEL (PMRM)
Committee Draft Specification - Overview
— Co-Chairs:
— John Sabo, CA Technologies
— Michael Willett
— Status:
— Committee Specification
— Recently completed public review – now editing revision
9/12/2012 47
[Figure: Health Information Exchange functional and roles diagram, including a Business Intelligence role]
What is the Privacy Management Reference Model
(PMRM)?
— An analytic tool and methodology developed to:
− improve the ability to analyze use cases in which personal information is used, communicated, processed and stored
− understand and implement appropriate operational privacy management functionality and supporting mechanisms
− achieve compliance across policy and system boundaries
− support the stakeholders having an interest in the use case service or application
— See www.oasis-open.org for TC information
— Spec at: http://docs.oasis-open.org/pmrm/PMRM/v1.0/csd01/PMRM-v1.0-csd01.pdf
Why is the PMRM Important?
— Support for networked, interoperable services, applications and devices, and for the complexity of managing personal information across legal, regulatory and policy environments in interconnected domains
— Applicability to privacy management and compliance in cloud computing, health IT, smart grid, social networking, federated identity and similarly complex environments
— An organizing structure for exposing privacy requirements for specific business systems, organizing privacy management mechanisms, and improving systemic privacy management risk assessment
— Support for “privacy by design” concepts
— PMRM is not a static or a prescriptive model - implementers have flexibility in determining the level and granularity of analysis
Three Major Components
— A conceptual model of privacy management,
including definitions of terms
— A methodology
— A set of operational services together with the
inter-relationships among these three elements.
Cloud Authorization Technical Committee (CloudAuthZ)
— Issues:
− Address lack of standardized profiles for authorization and entitlements where resources such as bandwidth and memory are constrained and where the
access policy enforcement of a cloud resource needs to be performed as close to the consumer as possible
− This requires availability of attributes, including contextual attributes
— Key Objectives:
− use existing standards, to provide mechanisms for enabling the delivery of cloud contextual attributes as close as possible to Policy Enforcement Points
− enable the development of cloud infrastructures that provide in real time a subset of contextual entitlements sets that a decision point can use to authorize or deny a consumer’s use of a specific resource
− reduce the need to customize the interactions between customer and vendor systems, decrease the overhead needed to support authorization and
Public Administration Cloud Requirements Technical Committee
(PACR)
— TC should be launched in October 2012
— Primary goals:
− capture key findings of ICS2011 into a framework of non-technical requirements for public sector Clouds that can be used in the
procurement, certification and auditing processes of deploying cloud services
− leverage topologies of cloud computing service functionality and service models and integrate them into common, readily-understood rules that inform procurement, auditable assurance and conformance testing and acquisition criteria
− provide a vendor-neutral information mapping of such requirements to the rather large but loosely-organized body of existing ICT standards.
Public Administration Cloud Requirements Technical Committee
(PACR) - 2
— Among Issue areas to be addressed:
− Safety, reliability, and stability
− Legislative and regulatory compliance
− Degree of control and auditability by or on behalf of the responsible public administration
− Reliance on and vulnerability to single sources, vendors, formats, applications or computing protocols
− Usability and extensibility of data and data functions by stakeholders
− Portability of data
− Portability and composability of data functions across multiple systems and clouds operating in concert
Public Administration Cloud Requirements Technical Committee
(PACR) -3
— Deliverables:
− a set of common required functional elements, and measurable criteria or qualities that should be present in cloud computing services or
installations employed by public administration entities, whether purchased, hired or self-created and self-installed.
− "should be present" refers to aspects of a cloud service or installation that are likely to be necessary to reflect public sector risk profiles in order to satisfy
• public policy
• governmental reliability and stability requirements
• responsibility to citizens and constituent stakeholders
• and broad, platform-neutral accessibility that generally are expected and desirable from useful, long-term government ICT resources.
More on OASIS or Joining OASIS Technical Committees:
Carol Geyer
Senior Director, OASIS
[email protected] +1-941-284-0403