Comments on: Extending the Concept: A Security API for Cloud Stacks

By: Follow-On: The Audit, Assertion, Assessment, and Assurance API (A6) | Rational Survivability

Thu, 11 Feb 2010 22:57:32 +0000

[...] few weeks ago I penned a blog discussing an idea I presented at a recent Public Sector Cloud gathering that later inherited the [...]

Like or Dislike: 0 0

By: » Blog Archive » LegalCloud and the NIST Cloud Computing Definition

» Blog Archive » LegalCloud and the NIST Cloud Computing Definition — Mon, 21 Dec 2009 21:36:04 +0000

[...] the security aspects. I have seen what is likely to be important and solid work going on around an initiative called A6. It discusses Audit, Assertion, Assessment, and Assurance API. This is also now known as A6. There [...]

Like or Dislike: 0 0

By: NIST Cloud Computing Definitions Final | The Virtualization Practice

NIST Cloud Computing Definitions Final | The Virtualization Practice — Wed, 25 Nov 2009 16:52:30 +0000

[...] within any contract worked with a cloud provider. The answer to these questions is found in the A6 Initiative which is the development of an API to allow for audit and assessment scans within the cloud in an [...]

Like or Dislike: 0 0

By: System Advancements at the Monastery » Blog Archive » Standardization and Interoperability in Security

Mon, 10 Aug 2009 05:44:29 +0000

[...] should also read Christofer Hoff’s rational Survivability blog. In Hoff’s post, “Extending the Concept: A Security API for Cloud Stacks“, he considers building on the capabilities of SCAP to embed a “standardized and open [...]

Like or Dislike: 0 0

By: Inter-Cloud Rock, Paper, Scissors: Service Brokers, Semantic Web or APIs? | Digital Asset Management

Wed, 29 Jul 2009 07:49:38 +0000

[...] In the broadest sense, Cloud is being positioned in the long term to allow for true utility. This means that at a 30,000 foot view, consumers should be able to declare their business and technology requirements for workloads or application needs and TAMO! (then a miracle occurs,) that workload or application presents itself operating somewhere that meets those needs backed up by some form of attestation by the provider. Ultimately, I’d like to see a common way of auditing and validating those attestations. Apropos for this discussion, I bring up the notion of an API [...]

Like or Dislike: 0 0

By: Rational Survivability » Inter-Cloud Rock, Paper, Scissors: Service Brokers, Semantic Web or APIs?

Mon, 27 Jul 2009 18:00:43 +0000

Like or Dislike: 0 0

By: s_crawford

s_crawford — Sun, 26 Jul 2009 17:11:20 +0000

Having just recommend this to a management vendor in the past week, I obviously like this concept very much. I have long advocated greater integration of security and IT management tools and processes, and have highlighted SCAP as a tangible example of this over the past year. This would also address one of the most significant concerns we find in talking with enterprises: if they feel they are giving up control, they would like to have as much visibility as they can afford without trampling all over the fragile and still-evolving balance they are struggling to strike between cloud computing’s values and its risks. This would be one potentially highly effective way to achieve this in a standardized (though still evolving) yet detailed way.

I will be very interested to see how concerns about this play out in this discussion.

-Scott

Like or Dislike: 0 0

By: Arthur

Arthur — Sun, 26 Jul 2009 03:39:41 +0000

Fucking brilliant. Wish I’d thought of it.

Like or Dislike: 0 0

By: Telematique, water and fire.

Telematique, water and fire. — Sat, 25 Jul 2009 17:38:47 +0000

Hoff Kicks Up Dust with a Security API for Cloud…

The sense I get (from Hoff, the comments, and from speaking directly to cloud service providers) is that the RTA clauses have been just that… clauses in a contract, with very little actual planning and preparation by the individual service provider….

Like or Dislike: 0 0

By: Network Security Blog » Saturday morning reading, 07/25/09

Network Security Blog » Saturday morning reading, 07/25/09 — Sat, 25 Jul 2009 14:48:53 +0000

[...] Extending the concept: A security API for Cloud Stacks – Chris Hoff posted this concept last night and caused quite a bruhaha. The basic idea is that the commonality of the various compliance structures should be built into a security control model that’s used to build Cloud infrastructure in a testable, open archetecture. Very interesting concept, I want to see how Chris develops it going forward. [...]

Like or Dislike: 0 0

By: rybolov

rybolov — Sat, 25 Jul 2009 01:12:04 +0000

This is the same problem for a managed service provider. IE, how do I allow you to audit your system and the underlying infrastructure. Actually, a cloud could make this much easier as a customer by providing an API to do this with because I really want to do that in a managed services environment but I’m stuck with putting a scanner in each environment.

So what we have in SCAP is Common Platform Enumeration (CPE) which allows you to specify the hardware and software (ie, how the infrastructure that you don’t know about is built) and eXtensible Configuration Checklist Description (XCCDF) which specifies the audit/compliance checks. Package them together and you have a way of describing what the infrastructure looks like and the technical auditing standard to go along with it.

Like or Dislike: 0 0

By: Christofer Hoff

Christofer Hoff — Sat, 25 Jul 2009 00:51:26 +0000

@Armorguy

1. Everything and anything can be gamed. This is why I mentioned open and standardized API across providers/platforms. The fact is that you trust someone/something to give you this information in non-Cloud environments today, and in Cloud you have sometimes ZERO visibility. This is an improvement.

2. Reduced cost of service to the provider in the long term means lower cost to you. You also get easier audit, compliance and reporting capabilities — that you could also delegate view to the auditor.

3. We already have these standards. They exist in many forms. One of them (as I mentioned) is SCAP. Peter Mell from NIST who is heading up Cloud for them also is one of the father’s of SCAP…

/Hoff

Like or Dislike: 0 0

By: Online Storage Optimization » Blog Archive » It’s Getting Cloudy up There

Fri, 24 Jul 2009 23:50:17 +0000

[...] as “Beaker”) says such a standard is already available, as he sketches out in a recent post on his Rational Survivability [...]

Like or Dislike: 0 0

By: Armorguy

Armorguy — Fri, 24 Jul 2009 23:36:30 +0000

A few thoughts…

1. I don’t know if many auditors/assessors are going to buy off on a scan that scans via an API…too much of a chance for that to be gamed.

2. As a potential cloud user where’s my interest in this? Why am I making this “easier” for the cloud provider? And if I make it easier what do I get? These are the questions that make or break this kind of model.

3. Lastly, this is going to require the different providers of cloud tech to agree on standards, etc. I don’t see this happening until well after the “Cloud Wars” are over and a single tech platform dominates.

I’ll think more…

Like or Dislike: 0 0