
Update on the Cloud (Ontology/Taxonomy) Model…

A couple of months ago I kicked off a community-enabled project to build an infrastructure-centric ontology/taxonomy model of Cloud Computing.

You can see the original work with all the comments here. Despite the distracting haggling over the use of the words “ontology and taxonomy,” the model (as I now call it) has been well received by those for whom it was created.

Specifically, my goal was to be able to help a network or security professional do these things:

  1. Settle on a relevant and contextual technology-focused definition of Cloud Computing and its various foundational elements beyond the existing academic & 30,000 foot-view models
  2. Understand how this definition maps to the classical SPI (SaaS, PaaS, IaaS) models with which many people are familiar
  3. Deconstruct the SPI model and present it in a layered format similar to the OSI model showing how each of the SPI components interact with and build atop one another
  4. Provide a further relevant mapping of infrastructure, applications, etc. at each layer so as to relate well-understood solution experiences to each
  5. Map a set of generally-available solutions from a catalog of compensating controls (from the security perspective) to each layer
  6. Ultimately map the SPI layers to the compensating controls and in turn to a set of governance and regulatory requirements (SoX, PCI, HIPAA, etc.)

This is very much, and unapologetically so, a controls-based model. I assume that there exists no utopian state of proper architectural design, secure development lifecycle, etc., just like the real world. So rather than assume that we’re going to have universal goodness thanks to proper architecture, design and execution, I thought it more reasonable to think about plugging the holes (sadly) and going from there.

At the end of the day, I wanted an IT/Security professional to use the model like an “Annie Oakley Secret Decoder Ring” in order to rapidly assess offerings, map them to the specific model layers, understand what controls they or a vendor need to have in place, and map those, in turn, to compliance requirements. This allows a quick and accurate gap analysis, which in turn can be used to feed a risk assessment/analysis.
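To make the decoder-ring workflow concrete, here is a toy gap analysis written for this post as an added example (it is not the model's catalog or any real compliance mapping). The SPI layer names come from the post; the control names and the control-to-regulation dependencies are constructed placeholders that a reader would replace with the real catalog.

```python
# Added illustration of the controls-based gap analysis described in the post.
# Layer names follow the SPI model; every control name and every
# regulation-to-control dependency below is CONSTRUCTED for illustration only.

# Compensating controls an offering must provide at each SPI layer (constructed).
REQUIRED_CONTROLS = {
    "IaaS": {"network-segmentation", "host-hardening", "log-retention"},
    "PaaS": {"runtime-isolation", "secrets-management", "log-retention"},
    "SaaS": {"identity-federation", "data-encryption-at-rest", "log-retention"},
}

# Regulatory/compliance requirements expressed as the controls they rely on (constructed).
REGULATIONS = {
    "PCI": {"network-segmentation", "data-encryption-at-rest", "log-retention"},
    "HIPAA": {"data-encryption-at-rest", "identity-federation"},
    "SoX": {"log-retention", "identity-federation"},
}


def gap_analysis(offering_layers, vendor_controls):
    """Map an offering to its SPI layers, derive the controls that must exist there,
    and report which are missing and which regulations are therefore unmet.

    offering_layers: the SPI layers the offering occupies (e.g. ["IaaS", "PaaS"]).
    vendor_controls: the controls the vendor attests to providing.
    Returns (missing_controls, {regulation: controls it needs that are missing}).
    Controls outside the offering's layers are treated as out of scope, i.e. the
    customer's responsibility, so they never count against the offering.
    """
    required = set().union(*(REQUIRED_CONTROLS[layer] for layer in offering_layers))
    missing = required - set(vendor_controls)
    unmet = {reg: deps & missing for reg, deps in REGULATIONS.items() if deps & missing}
    return missing, unmet


if __name__ == "__main__":
    # Constructed sample: an IaaS+PaaS offering whose vendor attests to three controls.
    missing, unmet = gap_analysis(
        ["IaaS", "PaaS"],
        ["network-segmentation", "host-hardening", "runtime-isolation"],
    )
    print("missing controls:", sorted(missing))
    for reg, ctrls in sorted(unmet.items()):
        print(f"{reg} unmet because of: {sorted(ctrls)}")
```

The output of the gap analysis (missing controls plus the regulations they block) is exactly the input a risk assessment needs, which is the hand-off the post describes.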

We went through 5 versions in a relatively short period of time and arrived at a solid fundamental model based upon feedback from the target audience:

[Figure: cloudtaxonomyontology_v15]

The model is CLEARLY not complete. The next steps for improving it are:

  1. Reference other solution taxonomies to complete the rest of the examples and expand upon the various layers with key elements and offerings from vendors/solutions providers.  See here.
  2. Polish up the catalog of compensating controls
  3. Start mapping to various regulatory/compliance requirements
  4. Find a better way of interactively presenting this whole mess.

For my Frogs presentation, I presented the first stab at the example controls mapping, and it seemed to make sense given the uptake/interest in the model. Here’s an example:

[Figure: frogs-cc_sc0621]

Frogs: Cloud Model Aligned to Security Controls Model

This still has a ways to go, but I’ve been able to present this to C-levels, bankers, technologists and lay people (with explanation) and it’s gone over well.

I look forward to making more progress on this shortly and would welcome the help, commentary, critique and collaboration.

I’ll start adding more definition to each of the layers so people can give feedback appropriately.

Thanks,

/Hoff

P.S. A couple of days ago I discovered that Kevin Jackson had published an extrapolation of the UCSB/IBM version titled “A Tactical Cloud Computing Ontology.”

Kevin’s “ontology” is at the 20,000 foot view compared to the original 30,000 foot UCSB/IBM model but is worth looking at.

  1. March 28th, 2009 at 16:12 | #1

    I also did a merge of an old model I did some time ago w/ the UCSB model. Link here: http://www.productionscale.com/home/2009/2/5/clou

    This was an update on other versions from some time back. The diagram has been extremely helpful for me. I've actually taken to calling it a map. I use it quite often when explaining how things fit together, where any given offering falls, why something may or may not be cloud, etc. I have a newer version also that I will publish soon with some new info/thoughts. I consider it a work in progress and will try using yours as well. Thanks! Nice work.

    Can you make a link to a bigger version of the image please?

    Kent Langley

  2. June 26th, 2009 at 03:35 | #2

    I really appreciate the work you are doing on this. I am working on a position paper with some colleagues at work. We were caught with our pants down when our R&D group came to us for security guidance. They are planning on moving some of their compute intensive bioinformatics work to the cloud.

    May I have your permission to use your taxonomy and graphics in my documentation (with attribution of course)?

  3. June 26th, 2009 at 10:21 | #3

    Khürt Williams :

    I really appreciate the work you are doing on this. I am working on a position paper with some colleagues at work. We were caught with our pants down when our R&D group came to us for security guidance. They are planning on moving some of their compute intensive bioinformatics work to the cloud.

    May I have your permission to use your taxonomy and graphics in my documentation (with attribution of course)?

    Absolutely. Please feel free to use anything that is of help to you.

    /Hoff
