Update on the Cloud (Ontology/Taxonomy) Model…
A couple of months ago I kicked off a community-enabled project to build an infrastructure-centric
ontology/taxonomy model of Cloud Computing.
You can see the original work with all the comments here. Despite the distracting haggling over the use of the words “ontology and taxonomy,” the model (as I now call it) has been well received by those for whom it was created.
Specifically, my goal was to be able to help a network or security professional do these things:
- Settle on a relevant and contextual technology-focused definition of Cloud Computing and its various foundational elements beyond the existing academic & 30,000 foot-view models
- Understand how this definition maps to the classical SPI (SaaS, PaaS, IaaS) models with which many people are aware
- Deconstruct the SPI model and present it in a layered format similar to the OSI model showing how each of the SPI components interact with and build atop one another
- Provide a further relevant mapping of infrastructure, applications, etc. at each model so as to relate well-understood solutions experiences to each
- Map a set of generally-available solutions from a catalog of compensating controls (from the security perspective) to each layer
- Ultimately map the SPI layers to the compensating controls and in turn to a set of governanance and regulatory requirements (SoX, PCI, HIPAA, etc.)
This is very much, and unapologetically so, a controls-based model. I assume that there exists no utopic state of proper architectural design, secure development lifecycle, etc. Just like the real world. So rather than assume that we’re going to have universal goodness thanks to proper architecture, design and execution, I thought it more reasonable to think about plugging the holes (sadly) and going from there.
At the end of the day, I wanted an IT/Security professional to use the model like an “Annie Oakley Secret Decoder Ring” in order to help rapidly assess offerings, map them to the specific model layers, understand what controls they or a vendor needs to have in place by mapping that, in turn, to compliance requirements. This would allow for a quick and accurate manner by which to perform a gap analysis which in turn can be used to feed into a risk assessment/analysis.
We went through 5 versions in a relatively short period of time and arrived at a solid fundamental model based upon feedback from the target audience:
The model is CLEARLY not complete. The next three steps for improving it are:
- Reference other solution taxonomies to complete the rest of the examples and expand upon the various layers with key elements and offerings from vendors/solutions providers. See here.
- Polish up the catalog of compensating controls
- Start mapping to various regulatory/compliance requirements
- Find a better way of interactively presenting this whole mess.
For my Frogs presentation, I presented the first stab at the example controls mapping and it seemed to make sense given the uptake/interest in the model. Here’s an example:
This still has a ways to go, but I’ve been able to present this to C-levels, bankers, technologists and lay people (with explanation) and it’s gone over well.
I look forward to making more progress on this shortly and would welcome the help, commentary, critique and collaboration.
I’ll start adding more definition to each of the layers so people can feedback appropriately.
P.S. A couple of days ago I discovered that Kevin Jackson had published an extrapolation of the UCSB/IBM version titled “A Tactical Cloud Computing Ontology.”
Kevin’s “ontology” is at the 20,000 foot view compared to the original 30,000 foot UCSB/IBM model but is worth looking at.