Comments on: Follow-On: The Audit, Assertion, Assessment, and Assurance API (A6)

By: The Automated Audit, Assertion, Assessment, and Assurance API (A6) Becomes: CloudAudit | JK Technologies

Sat, 13 Feb 2010 19:26:28 +0000

[...] Follow-On: The Audit, Assertion, Assessment, and Assurance API (A6) (rationalsurvivability.com) [...]

Like or Dislike: 0 0

By: Extending the Concept: A Security API for Cloud Stacks | Rational Survivability

Fri, 12 Feb 2010 22:27:18 +0000

[...] Follow-On: The Audit, Assertion, Assessment, and Assurance API (A6) (rationalsurvivability.com) [...]

Like or Dislike: 0 0

By: Transparency: I Do Not Think That Means What You Think That Means... | Rational Survivability

Tue, 13 Oct 2009 13:06:15 +0000

[...] opportunity to quietly remind folks about the Audit, Assertion, Assessment and Assurance API (A6) API that is being brought to life; there will hopefully be some exciting news here shortly about [...]

Like or Dislike: 0 0

By: Chris

Chris — Fri, 28 Aug 2009 00:27:36 +0000

I guess I am still fuzzy on how can we trust the provider to implement the API correctly. Maybe I am being pessimistic, but what would keep vendors from crafting fake responses? I wouldn’t want a certification process, but would an SLA that says “Yeah, we’re good for it” be enough?

Because they are essentially self-certifying, and the current many compliance frameworks have an independent validation requirement. Many authorizing officials aren’t going to accept output from A6 as a certification artifact.

Just thinking out loud, is there a consideration for providing the control reference as part of the response? You may have already considered that, but it wasn’t discussed and it may conflict with one or more of the design philosophy item 3.

Like or Dislike: 0 0

By: Erik

Erik — Wed, 26 Aug 2009 03:19:10 +0000

I’m a fan of this idea and fully support it but only as a part of the solution, A6 alone won’t solve the problem. In much the same way TV viewers are not the actual customers (the advertisers are) the cloud computing consumers are not going to be the actual users of A6, an intermediary that aggregates information on cloud providers (using A6 and other means) will be the true customer of ideas like A6. The more pressing issue that needs to be addressed is the lack of trusted intermediaries for cloud computing that give consumers the ability to keep watch over their providers and find new services according to terms they define specifically for their business. I coined the term “cloud computing security referee” and talk a little bit about it here: http://silvexis.com/blog/2009/08/24/referee-for-cloud-computing/ I would be interested in what your take is.

Like or Dislike: 0 0

By: A6 Workgroup On The Way Soon | CloudAve

A6 Workgroup On The Way Soon | CloudAve — Wed, 19 Aug 2009 17:58:39 +0000

[...] a security guru with interests in Clouds and want to contribute to A6 Working Group, please contact Christofer Hoff. If you are a Cloud Vendor interested in playing a role in working out the details, you should be [...]

Like or Dislike: 0 0

By: Sam Johnston

Sam Johnston — Wed, 19 Aug 2009 06:31:28 +0000

Sounds interesting. I’m all full up right now but I like to watch…

Sam

Like or Dislike: 0 0

By: I’m really surprised you don’t see mor… « /SAbackchan

I’m really surprised you don’t see mor… « /SAbackchan — Tue, 18 Aug 2009 20:19:34 +0000

[...] http://www.rationalsurvivability.com/blog/?p=1276 [...]

Like or Dislike: 0 0

By: beaker

beaker — Tue, 18 Aug 2009 18:21:08 +0000

@Srijith

That’s what the working group with various provider participants aims to address.

/Hoff

Like or Dislike: 0 0

By: Srijith

Srijith — Tue, 18 Aug 2009 14:42:36 +0000

This question rose out of a discussion which started in a (private) mailing list. While this previous posts explain the need for A6, how to query for one etc., what is left out is the actual way in which the results are produced within the beast.

Without some form of verifiable, non-doctorable mechanism to produce these results, wouldn’t they be only as useful (or useless) as a white paper from the cloud provider?

If the underlying layer within the beast uses the latest and greatest tamper-proof technology like processor powered (like skinit(AMD)/senter (Intel)) guarantee of externally-verifiable code execution that actually performs the audit/compliance tests, then we are talking something.

Like or Dislike: 0 0

By: Doug Neal

Doug Neal — Tue, 18 Aug 2009 14:34:25 +0000

Very cool and very timely. Congrats to you and Ben.

It seems to me that vendors at every layer in the stack will be looking to add new pay per use, on demand services. Why not add various aspects of security to the list? Bring the costs of security monitoring out in the open rather than extort it out of the vendor during contract negotiation.

I really like the idea of a XSRL, a security version of XBRL.

You have commented before about “Right to Audit”. That too, should be available as an extra cost option. It seems to me that requiring companies to pay for the amount of assurance they feel they need is the right way to go.

Like or Dislike: 0 0