The Automated Audit, Assertion, Assessment, and Assurance API (A6) Becomes: CloudAudit
I’m happy to announce that the Automated Audit, Assertion, Assessment, and Assurance API (A6) working group is organizing under the brand of “CloudAudit.” We’re doing so to reach a broader audience, make it easier to find us in searches, and generally better reflect the mission of the group. A6 remains our byline.
We’ve refined how we describe and approach the problems of compliance, audit, and assurance in the cloud space, and part of that is reflected in our re-branding. You can find the original genesis for A6 here in this series of posts. Meanwhile, you can keep track of all things CloudAudit at our new home: http://www.CloudAudit.org.
The goal of CloudAudit is to provide a common interface that allows Cloud providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their environments and allow authorized consumers of their services to do likewise via an open, extensible and secure API. CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance, distributed application and system architecture backgrounds.
Our execution mantra is to:
- Keep it simple, lightweight and easy to implement; offer primitive definitions & language structure using HTTP(S)
- Allow for extension and elaboration by providers and choice of trusted assertion validation sources, checklist definitions, etc.
- Not require adoption of other platform-specific APIs
- Provide interfaces to Cloud naming and registry services
The benefits to the cloud provider are clear: a single reference model that allows automation of many functions that today incur large costs in both manpower and time and cost business. The base implementation is being designed to require little to no programmatic change to implement. For the consumer and interested/authorized third parties, it allows on-demand examination of the same set of functions.
Mapping to compliance, regulatory, service level, configuration, security and assurance frameworks as well as third party trust brokers is part of what A6 will also deliver. CloudAudit is working closely with other alliance and standards body organizations such as the Cloud Security Alliance and ENISA.
If you want to know who’s working on making this a reality, there are hundreds of interested parties: consumers as well as providers such as Akamai, Amazon Web Services, Microsoft, NetSuite, Rackspace, Savvis, Terremark, Sun, VMware, and many others.
Here is the slide deck from the 2/12/10 working group call (our second) and a link to the WebEx playback of the call.