HPE SPACE Poster

Supporting transparent and trustworthy cloud services

SPACE: Security and Privacy Assurance Case Environment

Rationale

A preliminary design for a Cloud Accountability Assurance Service, which helps to:

- monitor security and privacy, leading to transparency and assurance, and enhancing accountability for cloud services
- understand and contextualize accountability in cloud services
- capture how services can be accountable in different ways operationally
- build accountability cases in a systematic way
- provide dynamic assurance right across cloud service provision chains, for both security and privacy
- communicate to business stakeholders accountable experience and behaviour of cloud services

Assurance Use Case

- Different security and privacy controls are deployed across a cloud supply chain
- It is challenging to provide transparency and assurance to cloud customers
- Security and privacy depend on the operational effectiveness and appropriateness of deployed controls and their dependencies
- It is necessary to provide a systemic support in order to move towards continuous monitoring-based certification
- It is challenging to support operational compliance to policies and regulations

Architecture

Storing meta-data of deployed security and privacy controls in OpenStack Swift containers

Managing operational information of security and privacy controls like the ones listed by the CSA Cloud Control Matrix

Assessing deployed controls and their operational dependencies in order to support dynamic assurance cases

Mapping security and privacy objectives (policies) to specific controls

Supporting transparency and assurance towards continuous monitoring-based certification as defined by the CSA OCF Level 3

Maintaining dynamic assurance cases that reflect operational effectiveness and appropriateness of security and privacy controls

Providing Security and Privacy Assurance of the cloud supply chain

Building and maintaining dynamic assurance cases of security and privacy controls

Software Defined Storage for meta-data of security and privacy controls

Security and Privacy controls deployed across the cloud supply chain