Trusted Cloud Initiative Reference Architecture

Trusted Cloud Initiative Reference Architecture

Yushi Shen, Yale Li, Ling Wu, Shaofeng Liu, Qian Wen
DOI: 10.4018/978-1-5225-5481-3.ch028
(Individual Chapters)
No Current Special Offers


The Trusted Cloud Initiative helps cloud providers develop industry-recommended, secure, and interoperable identity, access, and compliance management configurations and practices. The Trusted Cloud Initiative is to develop reference models and provide education in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate. The Trusted Cloud Initiative Reference Architecture is both a methodology and a set of tools, enabling security architects, enterprise architects, and risk management professionals to leverage a common set of solutions to fulfill their common needs. It enables them to assess their internal IT service and that of their cloud providers in terms of security capabilities, and to plan a roadmap to meet the security needs of their business. The purpose of this quick guide is to take a user through the Trusted Cloud architecture much like an owner's manual walks a consumer through a product.
Chapter Preview

Overview Of The Reference Architecture

Out of the common needs, there come the common solutions. The Trusted Cloud Initiative Reference Architecture is both a methodology and a set of tools that enable security architects, enterprise architects and risk management professionals to leverage a common set of solutions. These solutions fulfill a set of common requirements, which risk managers must assess regarding the operational status of internal IT security and cloud provider controls. These controls are expressed in terms of security capabilities, and designed to create a common roadmap to meet the security needs of their business.

Architecture must be guided by business requirements. In the case of the Trusted Cloud Initiative, these requirements come from a controls matrix guided by regulations such as Sarbanes-Oxley and Gramm-Leach-Bliley, standard frameworks such as ISO-27002, the Payment Card Industry Data Security Standards, and the IT Audit Frameworks, such as COBIT, all in the context of cloud delivery models, such as Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Services (IaaS).

From these requirements, a set of security capabilities have been defined and organized according to best practice architecture frameworks. The Sherwood Business Security Architecture (SABSA) defines security capabilities from a business perspective. The Information Technology Infrastructure Library (ITIL) defines the capabilities needed to manage the IT services of the company, which includes the security capabilities necessary to securely manage those services. The Jericho Forum defines technical security capabilities, which arises from the reality of the traditional in-the-datacenter technology environments shifting to one where solutions span the internet across multiple datacenters, some owned by the business and some purely used as outsourced services. Lastly, The Open Group Architecture Framework (TOGAF) provides an enterprise architecture framework and methodology for planning, designing and governing information architectures, and thus a common framework to integrate the work of the security architect with the enterprise architecture of an organization.

You can interact with and learn more about the TCI Reference Architecture online at

Figure 1.

TCI Reference Architecture


How To Use The Tci Reference Architecture

The TCI Reference Architecture can be used in multiple enterprise security design phases, from assessing opportunities for improvement and creating road maps for technology adoption, to defining reusable security patterns and assessing various cloud providers and security technology vendors against a common set of capabilities.

Figure 2.

How to Use the TCI Reference Architecture


Security And Risk Management: Protecting Data And Managing Risk

Security and Risk Management includes the passwords, firewalls and encryption that protect computer systems and data. It is the processes that define policies, and audit systems against those policies. It uses ethical hackers and tools to test for weak spots in the systems. These services are what come up in the minds of most people, when they think of cyber security.


The Security and Risk Management domain provides the core components of an organization’s Information Security.

Programs are set in place to safeguard assets, detect, assess and monitor risks inherent in operating activities. Capabilities include Identity and Access Management, GRC (Governance, Risk Management and Compliance), Policies and Standards, Threat and Vulnerability Management, Infrastructure and Data Protection.

Complete Chapter List

Search this Book: