Open Data Center Alliance, Part 5--Security Provider Assurance

 
 
Cameron Sturdevant Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at cameron.sturdevant@quinstreet.com.
By Cameron Sturdevant  |  Posted 2011-06-20 Email Print this article Print
 
 
 
 
 
 
 
2011-06-20 ODCA security assurance

This ODCA diagram illustrates how the four-tier service model might work to bridge the gap between cloud providers and consumers when it comes to security assurances.

Open Data Center Alliance, Part 5--Security Provider Assurance The Open Data Center Alliance Security Provider Assurance usage model seeks to standardize cloud security definitions. The Provider Assurance (PA) publication is designed for use with the Open Data Center Alliance (ODCA) Security Monitoring usage model that I discussed in Part 4 of this series.

The ODCA Provider Assurance document has three stated purposes that are backed up with a four-category, bronze-to-platinum rating system. The PA model can be used to ensure that a cloud provider meets security standards. The publication also enables cloud consumers to compare security levels from one provider to another and between internally and externally hosted clouds. And finally, the PA should make it easier for cloud consumers to understand and select among various levels of security offered by providers.

The ODCA envisions that the bronze, silver, gold, and platinum ratings will be accredited by third-party certification.

The PA contains fairly specific examples laid out in check-off tables. One table outlines example security concerns, such as data protection, and then specifies at what service level that specific risk should be diminished. In this case, data protection would be assured at the "gold" and "platinum" levels, but not at "bronze" or "silver."

A second, larger table of 25 security requirements goes into some detail about what can be expected of cloud providers. Nearly half of the requirements flow across all four of the metal-named service levels. All but eight are covered by by a silver certification. Only mandatory strong, in-flight data encryption separates gold from platinum.

The balance of the PA then covers all the factors that should be included in a responsible security review. Basic requirements for vulnerability management, network and firewall isolation, identity management, security incident and event monitoring, data retention and deletion, confidentiality, trust and availability are covered.

The one additional point that I would call out specifically is law enforcement search and seizure. For example, a cloud provider should be able to spell out exactly what level of law enforcement action is needed for the provider to turn over your data. In a private data center, there are well understood boundaries. In externally hosted environments data protections from governmental requests are much more murky.

Table of Contents for the Series:

1. IT Users Band Together: a brief introduction to the ODCA 2. Virtual Machine Interoperability 3. Carbon Footprint 4. Security Monitoring 5. Security Provider Assurance 6. Regulatory Framework 7. Standard Units of Measure for IaaS 8. Service Catalog 9. I/O Controls

 
 
 
 
del.icio.us | digg.com
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel