The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.
The CTP document focuses on the definition of the CTP Data Model and Application Programming Interface (API), including:
- The format of CTP messages exchanged between cloud service customers and providers.
- The modelling of concepts such as “security attributes”, “objectives”, “measurement results” and “triggers” in machine readable format.
- The means to define the scope of the service to which CTP monitoring queries apply.
However, the document does not provide a specification of the “security attributes” (and associated metrics) that are queried by CTP. Such a specification will be provided by the Cloud Security Alliance in a separate document, and will likely be influenced by upcoming standards such as [ISO_19086]. CTP also offers implementers the choice to define and adopt their own set of security attributes and related metrics. This document is organised as follows.
Section 2 provides some key terms and definitions that are used throughout this document, borrowing from relevant key standards.
Section 3 offers a general introductory overview of CTP.
Section 4 describes the CTP data model, defining the main concepts that are used to represent security information related to cloud services in CTP.
Section 5 specifies the RESTful CTP API that implements the model described in section 4. It also specifies the CTPScript language used in “triggers” and “objectives” and describes when they should be evaluated.
Section 6 provides requirements and recommendations for securing the CTP API.