Extending the Concept: A Security API for Cloud Stacks
Please See the follow-on to this post: http://www.rationalsurvivability.com/blog/?p=1276
Update: Wow, did this ever stir up an amazing set of commentary on Twitter. No hash tag, unfortunately, but comments from all angles. Most of the SecTwits dropped into “fire in the hole” mode, but it’s understandable. Thank you @rybolov (who was there when I presented this to the gub’mint and @shrdlu who was the voice of, gulp, reason
The Audit, Assertion, Assessment, and Assurance API (A6) (Title credited to @CSOAndy)
It started innocently enough with a post I made on the crushing weight of companies executing “right to audit clauses” in their contracts. Craig Balding followed that one up with an excellent post of his own.
This lead to Craig’s excellent idea around solving a problem related to not being able to perform network-based vulnerability scans of Cloud-hosted infrastructure due to contractual and technical concerns related to multi-tenancy. Specifically, Craig lobbied to create an open standard for vulnerability scanning API’s (an example I’ve been using in my talks for quite some time to illustrate challenges in ToS, for example.) It’s an excellent idea.
So I propose — as I did to a group of concerned government organizations yesterday — that we take this concept a step further, beyond just “vulnerability scanning.”
Let’s solve BOTH of the challenges above with one solution.
Specifically, let’s take the capabilities of something like SCAP and embed a standardized and open API layer into each IaaS, PaaS and SaaS offering (see the API blocks in the diagram below) to provide not only a standardized way of scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.
Further (HT to @davidoberry who reminded me about my posts on the topic) we could use TCG IF-MAP as a comms. protocol for telemetry.
This way you win two ways: automated audit and security management capability for the customer/consumer and a a streamlined, cost effective, and responsive way of automating the validation of said controls in relation to compliance, SLA and legal requirements for service providers.
Since we just saw a story today titled “Feds May Come Up With Cloud Security Standards” — why not use one they already have in SCAP to suggest we leverage it to get even better bang for the buck from a security perspective. This concept extends well beyond the Public sector and it doesn’t have to be SCAP, but it seems like a good example.
Of course we would engineer in authentication/authorization to interface via the APIs and then you could essentially get ISV’s who already support things like SCAP, etc. to provide the capability in their offerings — physical or virtual — to enable it.
We’re not reinventing the wheel and we have lots of technology and standardized solutions we can already use to engineer into the stack.
Related articles by Zemanta
- Extending the Concept: A Security API for Cloud Stacks (rationalsurvivability.com)
- Follow-On: The Audit, Assertion, Assessment, and Assurance API (A6) (rationalsurvivability.com)
- A6 Workgroup On The Way Soon (cloudave.com)
- Cloud Security (slideshare.net)