OASIS Mailing List Archives

public-sector-cloud-discuss message


Subject: RE: [public-sector-cloud-discuss] Certification and audit / Vendors


The latest draft Charter has the overall objective of the TC of producing a
spec that can be used in the procurement and certification of Gov Clouds and
I have auditing in the list of deliverables. So I agree this needs to be
the prime focus of our work; we just need to get the right set of words into
the draft Charter that cover this and give us some wiggle room to do other
beneficial work on Gov Cloud requirements.

Getting the vendors involved in our work will be a challenge.  The major
suppliers of Cloud services, mentioning no names, are not regular
contributors to standards work and I'm not sure there are any OASIS members
in the certification and accreditation area.  So we'll need a good marketing
campaign to get them on board and any contacts you have will be valuable.


-----Original Message-----
From: public-sector-cloud-discuss@lists.oasis-open.org
[mailto:public-sector-cloud-discuss@lists.oasis-open.org] On Behalf Of Neil
Sent: 29 June 2012 10:11
To: public-sector-cloud-discuss@lists.oasis-open.org
Subject: [public-sector-cloud-discuss] Certification and audit / Vendors

Hi guys

To build on the last email thread, one key area I would highlight and
suggest is audit and certification.

I.e., if public Cloud providers can be verified to be 'GovCloud Level 3
Secure', meaning they are approved to host government data up to infosec
classification level 3, then this would greatly empower the government
procurement process.

It seems most governments have such a classification system, which, while the
terminology differs, seem much the same, e.g. I think the UK calls them IL
levels 1-4, so the question is how might Cloud providers be Approved to this
end? By who? How? etc.

Hosting providers currently go through this type of assessment, such as
SAS70, however this stops at the Cloud layer, only dealing with data-centre
facilities mainly.

So to start answering this I'd highlight:

- Kantara Trust Framework: I've proposed the inclusion of the Kantara
CloudIDsec group because Kantara provides one component part of this, that
could be built on. They have recently been approved by the USA Govt in this
regard for identity systems: http://tinyurl.com/888epe7

Given they are setting up an industry ecosystem for this audit and approvals
mechanism, we could build on this for purposes of certifying Cloud providers
to this overall end.

- Vendors: One question I have is how might vendors be involved in this
process? I mainly work in this area and while they obviously have a bias, a
product to push, they also tend to pioneer capabilities that pave the way
for standards.

Here's the main group I'm setting up just now:

And one of these I'd highlight is Guardtime, because they have a technology
that can guarantee Cloud environments haven't been tampered with etc.

see: http://www.guardtime.com/software/for-cloud/

Clearly this could play a pivotal role in achieving these Trusted Cloud
Providers, so how might this help drive associated standards development?


Neil McEvoy
Founder and President
Level 5 Consulting Group
