Event Recording

Mario Hoffmann - Dynamic Certification of Cloud Ecosystems

Cloud ecosystems are dynamic and flexible enablers for innovative business models. Some business models, especially for the European cloud market, however, still face challenges in security, privacy, and trust. A common approach among cloud providers addressing these challenges is proving one's reliability and trustworthiness by audit certificates. Basically, audit certificates are based on national and/or international as well as business and/or governmental compliance rules. The most prominent certifications in cloud computing are the "Open Certification Framework (OCF)" of the Cloud Security Alliance, EuroCloud's "Star Audit", and "Certified Cloud Service" provided by TÜV Rheinland, as well as more general certifications following ISO 27001, BSI Grundschutz, ENISA, and NIST.

This session discusses the state of the art of auditing and certifying cloud ecosystems and how current certification catalogues and schemes have to be enhanced to meet future requirements - requirements such as dynamic certification, on-demand audits, and automatic monitoring and evaluation.

Let me, let me please welcome with you Mario Hoffmann from F HofA, who will speak on dynamic certification of cloud ecosystems.
Yeah. Thank you. That's remote.
That's remote.
Okay. Good afternoon everybody. Yes, it's a scientific approach, but not a theoretical approach, so you can be sure there are some practical insights also there. I would like to share with you the first experiences with one of our latest research projects that started in October last year, and basically it's about dynamic certification of cloud ecosystems. Probably you're asking, oh, what the hell is dynamic certification? The thing is, currently we realize that certification, well, always happens, let's say, once a year or even only every two years, or you have even longer periods in which your infrastructure, your services are certified by audits.
So let's go into some details of how we can raise the trustworthiness of such cloud infrastructures, cloud ecosystems by dynamic certification. So now I try to squeeze the research project's three years into 10 minutes, I guess. Okay. Quickly. So what do we have? We have those kinds of control lists of certifications. So you have some from ISO, you have some from the Cloud Security Alliance, also from governmental bodies like the BSI and so forth. There are some other business-oriented certification authorities around there, like EuroCloud. And here's just an example of the EuroCloud Star Audit. You have the aspects and, in the first bullet point, what can be tested there. And I just give you three examples of typical controls that you find in this criteria list, but also in others. So to get a three-star certification from those people you have, for example, the provider allows the choice of the place of jurisdiction, which is just one measure.
One control that you might meet or not. And this is just part of more than 150 different example criteria. For four stars you need, in addition, for example, that direct access by admins is restricted, and before getting single access, transaction data will be anonymized. This is just another criterion. For five stars you even need, at least once a year, a pen test. So those examples are just that, yeah, examples of criteria that you need to get this certification. And now the next question is which of those can be automatically tested, because this is one of the foremost requirements that we need for dynamic certification. You can imagine that certifications typically are by hand: there's an audit team that comes to your company and tests your infrastructure across all those different criteria. If you'd like to make this more dynamic, that means on demand, then you need, of course, more automatic kinds of tests and monitoring systems in your backend, for example in your cloud infrastructure. And we are also aware that not all of those more than 150 criteria can be automatically tested and monitored, but this is just one of the research questions that we try to figure out: how many are possible. And there may be certifications that can be a hundred percent automatically monitored and tested.
So this is actually the basic problem that I'm talking about. You have those manual evaluations of a certificate's requirements, and this is once a year, maybe only every two years. And what happens in between, especially in cloud infrastructures, is not really clear. You have those dynamic changes in your infrastructure, in your services. This can be on a day-by-day basis, and this might violate requirements of a certificate. So from one day to the other, your certification maybe is not valid any longer, but how can you prove to your customers that it's still a trustworthy cloud infrastructure? I mean, that's what those certifications are good for. So what you need is some kind of dynamic update of your certificate, which might be supported, and this is our approach, by automatic measures and monitoring systems. Well, this means that you then have the chance, just on demand, to check your system: is it still green, or are there any problems, or is your certification already violated?
So this is actually then the overview, right? You have on the left side cloud computing characteristics; cloud service certifications attempt to assure a high level of security and compliance. Yes, cloud services are part of an ever-changing environment, I think everybody would agree. A challenge is security, data privacy, service level objectives, legal compliance. And on the other side, you have your certifications: multi-year validity periods, many widespread certificates already existed before cloud, so they are mostly not tailored to your cloud requirements, and important is transparency and trustworthiness. That means our overall research goal, to summarize this, is the continuous auditing of selected certification criteria to assure continuously reliable and secure cloud services and thereby, oh, I cannot read this. This is embarrassing. The trustworthiness of certification. Sorry for that.
Just to give you a little overview about what the major building blocks in our research project are. So you have those certificates, you have your catalogs of criteria. This is very high level, you can imagine. So just the examples that I gave on the first slides are just like kind of prose descriptions of what is to be controlled, monitored and checked. On the other hand, you have from your cloud ecosystem those monitoring measures, your status information and so forth, that come from the infrastructure. Well, there are already a lot of different monitoring systems that we would like to take advantage of. Okay, we have our monitoring information. How does it fit, and to which criteria does it fit? Do they fit in terms of supporting the validity of certificates according to the catalogs of criteria? And we have different approaches there. One is complex event processing, if you are familiar with those technologies; we need the data and process model, monitoring, testing tools. Maybe we have to implement additional ones if the existing ones aren't sufficient, and a little aspect on machine learning and data mining. So that means on the left side, you have aggregation and interpretation of the cloud sensor data according to your high-level goals that have to be broken down into some kind of automatically, technically monitored and analyzed measures and means.
And everything is underpinned by legal implications. So we have a specific legal partner in our consortium who's covering those aspects. I haven't got any signs yet, but I'm pretty sure that I've consumed already my 10 minutes.
I think you're
About hitting it. Okay. In this sense, I would skip this little excursion here on the legal implications. Maybe you're familiar with this monitoring obligation, which by the way includes that you actually have to go to Emerson's data center to check by yourself whether those people do it securely and trustworthily. Nobody does this. So that's what the certificates are good for. But again, here's of course this relationship again to the dynamic certification, to be sure on demand that those infrastructures are still operating in the way they promise. So,
Yeah. Well, I think in the afternoon I don't want to bother anybody with any architectural slide, so I just go to the project conclusion here. So what are the major things that we are going to implement and realize? So we have those design principles for developing this dynamic certification framework that we are heading for. We need appropriate metrics, maybe new methods for assuring requirements such as security, privacy, what have you; match those monitoring results as appropriate evidence for common compliance controls. So we are open to any kind of different certifications that come from the top. And we'd like to have a certification framework and tool chain at the end to support the continuous semi-automated auditing. So those are the goals; we are, let's say, six, seven months into a three-year project. So it's very exciting and challenging. Down here you see the different partners that are involved there. So besides Fraunhofer, it's EuroCloud, Fujitsu as a cloud provider, a KDB; we have different universities, the University of Kassel is covering the legal stuff. So pretty interesting and worth checking our website from time to time. So thank you very much.
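The talk's core idea is that a certificate issued after a yearly audit says nothing about the days in between, and that some criteria in a catalog like the Star Audit can be re-evaluated automatically from monitoring data while others still need human attestation. The following is an added illustration written for this page; it is not code from the research project or from any certification scheme. It encodes the three example controls the speaker mentions (choice of jurisdiction, restricted direct admin access with anonymized transaction data, a yearly pen test) as checks over a constructed evidence snapshot, derives the highest star level the snapshot still supports, and reports which controls regressed between two snapshots. The control identifiers, star thresholds, evidence keys and dates are all assumptions made for the example, not values from the Star Audit catalog.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List

Evidence = Dict[str, object]


@dataclass(frozen=True)
class Control:
    control_id: str                         # hypothetical id, not a catalog id
    description: str
    min_stars: int                          # star level at which the control becomes mandatory
    check: Callable[[Evidence, date], bool]
    automatable: bool = True                # False: needs a human attestation rather than a sensor


# Checks against the constructed evidence schema below (assumed field names).
def _jurisdiction_choice(ev: Evidence, today: date) -> bool:
    return bool(ev["jurisdiction_choice_offered"])


def _admins_restricted(ev: Evidence, today: date) -> bool:
    return ev["admin_direct_access"] is False


def _data_anonymized(ev: Evidence, today: date) -> bool:
    return bool(ev["transaction_data_anonymized"])


def _pentest_within_year(ev: Evidence, today: date) -> bool:
    last = ev.get("last_pentest")
    return last is not None and (today - last) <= timedelta(days=365)


CONTROLS: List[Control] = [
    Control("JUR-1", "provider allows choice of place of jurisdiction", 3,
            _jurisdiction_choice, automatable=False),   # contractual: attested, not sensed
    Control("ADM-1", "direct access by admins is restricted", 4, _admins_restricted),
    Control("ANON-1", "transaction data anonymized before single access", 4, _data_anonymized),
    Control("PEN-1", "penetration test at least once a year", 5, _pentest_within_year),
]


def evaluate(evidence: Evidence, today: date) -> Dict[str, bool]:
    """Run every control against one monitoring snapshot as of `today`."""
    return {c.control_id: c.check(evidence, today) for c in CONTROLS}


def star_level(evidence: Evidence, today: date) -> int:
    """Highest star level whose mandatory controls all pass; 0 if even 3 stars fail."""
    results = evaluate(evidence, today)
    level = 0
    for stars in (3, 4, 5):
        required = [c for c in CONTROLS if c.min_stars <= stars]
        if not all(results[c.control_id] for c in required):
            break
        level = stars
    return level


def regressions(previous: Evidence, current: Evidence, today: date) -> List[str]:
    """Controls that passed in the earlier snapshot but fail in the later one."""
    before, after = evaluate(previous, today), evaluate(current, today)
    return [cid for cid in before if before[cid] and not after[cid]]


def automatable_share() -> float:
    """Fraction of controls that can be fed from monitoring data alone."""
    return sum(c.automatable for c in CONTROLS) / len(CONTROLS)


# Constructed snapshots: what an audit team saw on audit day, and the live state later.
AUDIT_DAY = date(2014, 10, 1)
CHECK_DAY_LATER = date(2014, 11, 30)        # ~60 days after the audit
CHECK_DAY_STALE = date(2015, 11, 5)         # >365 days after the last pen test

SNAPSHOT_AT_AUDIT: Evidence = {
    "jurisdiction_choice_offered": True,
    "admin_direct_access": False,
    "transaction_data_anonymized": True,
    "last_pentest": date(2014, 9, 15),
}
# Same platform two months later: a change opened direct admin access.
SNAPSHOT_LATER: Evidence = dict(SNAPSHOT_AT_AUDIT, admin_direct_access=True)

if __name__ == "__main__":
    print("audit day level:", star_level(SNAPSHOT_AT_AUDIT, AUDIT_DAY))
    print("60 days later:  ", star_level(SNAPSHOT_LATER, CHECK_DAY_LATER),
          "regressed:", regressions(SNAPSHOT_AT_AUDIT, SNAPSHOT_LATER, CHECK_DAY_LATER))
    print("pen test stale: ", star_level(SNAPSHOT_AT_AUDIT, CHECK_DAY_STALE))
    print("automatable share:", automatable_share())
```

The point the example makes is the one the speaker raises: the paper certificate still says five stars on `CHECK_DAY_LATER`, while the on-demand evaluation already reports three and names the control that regressed, and a control can also lapse purely through the passage of time (the pen test ages out) with no infrastructure change at all. The `automatable` flag mirrors the open research question of how many catalog criteria can be monitored without an auditor.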
