Subject: RE: [public-sector-cloud-discuss] Certification and audit / Vendors
Neil

The latest draft Charter has the overall objective of the TC of producing a spec that can be used in the procurement and certification of Gov Clouds and I have auditing in the list of deliverables. So I agree this needs to be the prime focus of our work, we just need to get the right set of words into the draft Charter that cover this and give us some wiggle room to do other beneficial work on Gov Cloud requirements.

Getting the vendors involved in our work will be a challenge. The major suppliers of Cloud services, mentioning no names, are not regular contributors to standards work and I'm not sure there are any OASIS members in the certification and accreditation area. So we'll need a good marketing campaign to get them on board and any contacts you have will be valuable.

John

-----Original Message-----
From: public-sector-cloud-discuss@lists.oasis-open.org [mailto:public-sector-cloud-discuss@lists.oasis-open.org] On Behalf Of Neil McEvoy
Sent: 29 June 2012 10:11
To: public-sector-cloud-discuss@lists.oasis-open.org
Subject: [public-sector-cloud-discuss] Certification and audit / Vendors

Hi guys

To build on the last email thread, one key area I would highlight and suggest is audit and certification.

I.e. If public Cloud providers can be verified to be 'GovCloud Level 3 Secure', meaning they are approved to host government data up to infosec classification level 3, then this would greatly empower government procurement process.

It seems most governments have such a classification system, which while the terminology differs seem much the same, eg. I think the UK calls them IL levels 1-4, so the question is how might Cloud providers be Approved to this end? By who? How? etc.

Hosting providers currently go through this type of assessment, such as SAS70, however this stops at the Cloud layer, only dealing with data-centre facilities mainly.

So to start answering this I'd highlight:

- Kantara Trust Framework: I've proposed the inclusion of the Kantara CloudIDsec group because Kantara provides one component part of this, that could be built on. They have recently been approved by the USA Govt in this regard for identity systems: http://tinyurl.com/888epe7

  Given they are setting up an industry ecosystem for this audit and approvals mechanism, we could build on this for purposes of certifying Cloud providers to this overall end.

- Vendors: One question I have is how might vendors be involved into this process? I mainly work in this area and while they obviously have a bias, a product to push, they also tend to pioneer capabilities that pave the way for standards.

  Here's the main group I'm setting up just now: http://cloudbestpractices.net/board/

  And one of these I'd highlight is Guardtime, because they have a technology that can guarantee Cloud environments haven't been tampered with etc. see: http://www.guardtime.com/software/for-cloud/

  Clearly this could play a pivotal role in achieving these Trusted Cloud Providers, so how might this help drive associated standards development?

Regards,

--
Neil McEvoy
Founder and President
Level 5 Consulting Group
http://L5consulting.net