The Open Data Center Alliance (ODCA) Security Monitoring Usage Model supports and depends heavily on work being done at the Cloud Security Alliance and CloudAudit. Both of these groups are made up primarily of vendors or vendor employees who supply security services and products or who have a vested interest in promoting the idea that the public cloud is safe and secure.
In the words of CloudAudit, "The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology." Security monitoring definitely takes two to tango, and it seems that the vendor organizations and the ODCA are listening to the same tune. If Bob want to rent cloud resources from Alice that are protected from a malicious man-in-the-middle, then they need a common framework that enables private communication about the security of the compute environment.
One of the main goals of the ODCA Security Monitoring usage model is the creation of standard reporting from the cloud provider to the cloud consumer that enables convenient integration with enterprise reporting systems.
Among the more interesting usage requirements is the ability of the cloud provider to supply "dedicated capabilities with specific resources and reserved for specific customers." Ouch. The ODCA acknowledges that this would likely be a premium service that would cost more and at the same time likely limit some of the key benefits of cloud computing including scalability.
The ODCA Security Monitoring usage model is worth reading in depth. Organizations that work with regulated data will likely find some very good questions to ask their cloud suitors in the pages of this slim, but densely packed document.
Table of Contents for the Series:
1. IT Users Band Together: a brief introduction to the ODCA 2. Virtual Machine Interoperability 3. Carbon Footprint 4. Security Monitoring 5. Security Provider Assurance 6. Regulatory Framework 7. Standard Units of Measure for IaaS 8. Service Catalog 9. I/O Controls