OASIS Mailing List Archives

public-sector-cloud-discuss message



Subject: RE: [public-sector-cloud-discuss] Certification and audit / Vendors


Ok John perfect thanks. Yes I think we could do a great job of
coordinating this ecosystem as required.

I would highlight the distinction between Vendors, as makers of a product
e.g. Guardtime, and Cloud Providers, as implementors of managed services,
e.g. Savvis. There are also those who do both, e.g. IBM.

I agree, typically Cloud Providers are not big on standards or other
"academic" work, however they are very comfortable buying product from
Vendors to implement Services.

Vendors in turn, mostly are quite good at valuing and working with
standards, so our most effective leverage would come from targeting to
work with them, with the view they will then go sell their product, along
with our standards, to Cloud providers to implement to achieve the overall
end goals we're defining here.

Yes I'm entirely happy to manage the relationships to these vendors as a
group, as said I just need to figure out the dynamics of their inputs to a
standards effort given their product bias.

Given our topic focus some vendors in particular will be especially useful
first candidates to begin with, like Guardtime and also check out these
guys:

https://www.cloudeassurance.com/

Neil.





> Neil
>
> The latest draft Charter has the overall objective of the TC of producing
> a spec that can be used in the procurement and certification of Gov Clouds
> and I have auditing in the list of deliverables.  So I agree this needs to be
> the prime focus of our work, we just need to get the right set of words
> into the draft Charter that cover this and give us some wiggle room to do
> other beneficial work on Gov Cloud requirements.
>
> Getting the vendors involved in our work will be a challenge.  The major
> suppliers of Cloud services, mentioning no names, are not regular
> contributors to standards work and I'm not sure there are any OASIS
> members in the certification and accreditation area.  So we'll need a good
> marketing campaign to get them on board and any contacts you have will be
> valuable.
>
> John
>
> -----Original Message-----
> From: public-sector-cloud-discuss@lists.oasis-open.org
> [mailto:public-sector-cloud-discuss@lists.oasis-open.org] On Behalf Of
> Neil McEvoy
> Sent: 29 June 2012 10:11
> To: public-sector-cloud-discuss@lists.oasis-open.org
> Subject: [public-sector-cloud-discuss] Certification and audit / Vendors
>
>
> Hi guys
>
> To build on the last email thread, one key area I would highlight and
> suggest is audit and certification.
>
> I.e. If public Cloud providers can be verified to be 'GovCloud Level 3
> Secure', meaning they are approved to host government data up to infosec
> classification level 3, then this would greatly empower government
> procurement process.
>
> It seems most governments have such a classification system, which while
> the terminology differs seem much the same, e.g. I think the UK calls them
> IL levels 1-4, so the question is how might Cloud providers be Approved to
> this end? By who? How? etc.
>
> Hosting providers currently go through this type of assessment, such as
> SAS70, however this stops at the Cloud layer, only dealing with
> data-centre facilities mainly.
>
> So to start answering this I'd highlight:
>
> - Kantara Trust Framework: I've proposed the inclusion of the Kantara
> CloudIDsec group because Kantara provides one component part of this, that
> could be built on. They have recently been approved by the USA Govt in
> this regard for identity systems: http://tinyurl.com/888epe7
>
> Given they are setting up an industry ecosystem for this audit and
> approvals mechanism, we could build on this for purposes of certifying
> Cloud providers to this overall end.
>
> - Vendors: One question I have is how might vendors be involved in this
> process? I mainly work in this area and while they obviously have a bias,
> a product to push, they also tend to pioneer capabilities that pave the way
> for standards.
>
> Here's the main group I'm setting up just now:
> http://cloudbestpractices.net/board/
>
> And one of these I'd highlight is Guardtime, because they have a
> technology that can guarantee Cloud environments haven't been tampered
> with etc.
>
> see: http://www.guardtime.com/software/for-cloud/
>
> Clearly this could play a pivotal role in achieving these Trusted Cloud
> Providers, so how might this help drive associated standards development?
>
> Regards,
>
> --
> Neil McEvoy
> Founder and President
> Level 5 Consulting Group
> http://L5consulting.net
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> public-sector-cloud-discuss-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail:
> public-sector-cloud-discuss-help@lists.oasis-open.org
>
>


-- 
Neil McEvoy
Founder and President
Level 5 Consulting Group
http://L5consulting.net


