Open Cloud Security Framework Backed by Microsoft, Google, IBM

A New Standard for Cloud Security Notifications

Currently, each major cloud platform employs a unique method for conveying security information to logging and security systems. This necessitates that vendors develop proprietary solutions to translate this data into a compatible format for their tools.

To address this challenge, the Cloud Security Notification Framework (CSNF) has been established. This new working group, comprising Microsoft, Google, and IBM, aims to create an open and standardized approach to delivering security information.

The Driving Force Behind CSNF

Nick Lippis, co-founder and co-chairman of ONUG – an open enterprise cloud community – explains that CSNF is focused on automating cloud governance. Security was identified as a key area where immediate value could be provided to the community.

The initiative involves not only major cloud vendors but also large cloud service consumers, including FedEx, Pfizer, and Goldman Sachs.

AWS Absence and Future Prospects

Notably absent from the group is Amazon Web Services (AWS), the leading cloud infrastructure provider. However, Lippis expresses optimism that AWS will join the project as it matures.

He acknowledges that some companies prefer to assess the framework’s effectiveness before committing, but anticipates Amazon will eventually recognize the benefits and participate.

Core Objectives and Methodology

The primary goal is to establish a common format for security alerts, mirroring the systems companies utilize in their data centers for tracking cloud security events.

This will be achieved through open communication between cloud vendors and participating companies.

Governance and Collaboration

The CSNF is structured with a steering committee, chaired by CISOs from major cloud consumers and cloud providers, responsible for voting and providing direction.

A dedicated working group handles the practical implementation of the framework, fostering collaboration between consumers and providers.

A Data Management Approach

Don Duet, CEO and co-founder of Concourse Labs and a member of ONUG, emphasizes that the project is being approached as a data management problem.

The focus is on establishing a common vocabulary that all stakeholders can agree upon, providing a foundation for cloud service providers to map their data to these standards.

Organizational Challenges and Testing

Duet highlights that the primary challenge is organizational – achieving consensus among diverse stakeholders. A process for building this consensus is now in place.

The next phase involves rigorous testing by participating companies in the coming months.

Demonstration and Future Expansion

In October, the group plans to demonstrate the framework’s impact through a before-and-after scenario. This will showcase the improvements achieved with the new standardized approach.

The long-term vision is for the framework to become widely adopted, establishing a standard for sharing security alerts and potentially incorporating other types of security information over time.