OASIS Mailing List Archives

 



public-sector-cloud-discuss message



Subject: Certification and audit / Vendors


Hi guys

To build on the last email thread, one key area I would highlight and
suggest is audit and certification.

I.e., if public Cloud providers can be verified to be 'GovCloud Level 3
Secure', meaning they are approved to host government data up to infosec
classification level 3, then this would greatly empower the government
procurement process.

It seems most governments have such a classification system, which, while
the terminology differs, seem much the same, e.g. I think the UK calls them
IL levels 1-4, so the question is how might Cloud providers be Approved to
this end? By who? How? etc.

Hosting providers currently go through this type of assessment, such as
SAS70, however this stops at the Cloud layer, only dealing with
data-centre facilities mainly.

So to start answering this I'd highlight:

- Kantara Trust Framework: I've proposed the inclusion of the Kantara
CloudIDsec group because Kantara provides one component part of this, that
could be built on. They have recently been approved by the USA Govt in
this regard for identity systems: http://tinyurl.com/888epe7

Given they are setting up an industry ecosystem for this audit and
approvals mechanism, we could build on this for purposes of certifying
Cloud providers to this overall end.

- Vendors: One question I have is how might vendors be involved in this
process? I mainly work in this area and while they obviously have a bias,
a product to push, they also tend to pioneer capabilities that pave the
way for standards.

Here's the main group I'm setting up just now:
http://cloudbestpractices.net/board/

And one of these I'd highlight is Guardtime, because they have a
technology that can guarantee Cloud environments haven't been tampered
with etc.

see: http://www.guardtime.com/software/for-cloud/

Clearly this could play a pivotal role in achieving these Trusted Cloud
Providers, so how might this help drive associated standards development?

Regards,

-- 
Neil McEvoy
Founder and President
Level 5 Consulting Group
http://L5consulting.net


