Extending the Concept: A Security API for Cloud Stacks

Please See the follow-on to this post: http://www.rationalsurvivability.com/blog/?p=1276

Update: Wow, did this ever stir up an amazing set of commentary on Twitter. No hash tag, unfortunately, but comments from all angles.  Most of the SecTwits dropped into “fire in the hole” mode, but it’s understandable.  Thank you @rybolov (who was there when I presented this to the gub’mint and @shrdlu who was the voice of, gulp, reason 😉

The Audit, Assertion, Assessment, and Assurance API (A6) (Title credited to @CSOAndy)

It started innocently enough with a post I made on the crushing weight of companies executing “right to audit clauses” in their contracts.  Craig Balding followed that one up with an excellent post of his own.

This lead to Craig’s excellent idea around solving a problem related to not being able to perform network-based vulnerability scans of Cloud-hosted infrastructure due to contractual and technical concerns related to multi-tenancy.  Specifically, Craig lobbied to create an open standard for vulnerability scanning API’s (an example I’ve been using in my talks for quite some time to illustrate challenges in ToS, for example.)  It’s an excellent idea.

So I propose — as I did to a group of concerned government organizations yesterday — that we take this concept a step further, beyond just “vulnerability scanning.”

Let’s solve BOTH of the challenges above with one solution.

Specifically, let’s take the capabilities of something like SCAP and embed a standardized and open API layer into each IaaS, PaaS and SaaS offering (see the API blocks in the diagram below) to provide not only a standardized way of scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.

Further (HT to @davidoberry who reminded me about my posts on the topic) we could use TCG IF-MAP as a comms. protocol for telemetry.


This way you win two ways: automated audit and security management capability for the customer/consumer and a a streamlined, cost effective, and responsive way of automating the validation of said controls in relation to compliance, SLA and legal requirements for service providers.

Since we just saw a story today titled “Feds May Come Up With Cloud Security Standards” — why not use one they already have in SCAP to suggest we leverage it to get even better bang for the buck from a security perspective.  This concept extends well beyond the Public sector and it doesn’t have to be SCAP, but it seems like a good example.

Of course we would engineer in authentication/authorization to interface via the APIs and then you could essentially get ISV’s who already support things like SCAP, etc. to provide the capability in their offerings — physical or virtual — to enable it.

We’re not reinventing the wheel and we have lots of technology and standardized solutions we can already use to engineer into the stack.

Whaddya thunk?


Reblog this post [with Zemanta]
  1. Armorguy
    July 24th, 2009 at 12:36 | #1

    A few thoughts…

    1. I don't know if many auditors/assessors are going to buy off on a scan that scans via an API…too much of a chance for that to be gamed.

    2. As a potential cloud user where's my interest in this? Why am I making this "easier" for the cloud provider? And if I make it easier what do I get? These are the questions that make or break this kind of model.

    3. Lastly, this is going to require the different providers of cloud tech to agree on standards, etc. I don't see this happening until well after the "Cloud Wars" are over and a single tech platform dominates.

    I'll think more…

  2. July 24th, 2009 at 13:51 | #2


    1. Everything and anything can be gamed. This is why I mentioned open and standardized API across providers/platforms. The fact is that you trust someone/something to give you this information in non-Cloud environments today, and in Cloud you have sometimes ZERO visibility. This is an improvement.

    2. Reduced cost of service to the provider in the long term means lower cost to you. You also get easier audit, compliance and reporting capabilities — that you could also delegate view to the auditor.

    3. We already have these standards. They exist in many forms. One of them (as I mentioned) is SCAP. Peter Mell from NIST who is heading up Cloud for them also is one of the father's of SCAP…


  3. July 24th, 2009 at 14:12 | #3

    This is the same problem for a managed service provider. IE, how do I allow you to audit your system and the underlying infrastructure. Actually, a cloud could make this much easier as a customer by providing an API to do this with because I really want to do that in a managed services environment but I'm stuck with putting a scanner in each environment.

    So what we have in SCAP is Common Platform Enumeration (CPE) which allows you to specify the hardware and software (ie, how the infrastructure that you don't know about is built) and eXtensible Configuration Checklist Description (XCCDF) which specifies the audit/compliance checks. Package them together and you have a way of describing what the infrastructure looks like and the technical auditing standard to go along with it.

  4. Arthur
    July 25th, 2009 at 16:39 | #4

    Fucking brilliant. Wish I'd thought of it.

  5. July 26th, 2009 at 06:11 | #5

    Having just recommend this to a management vendor in the past week, I obviously like this concept very much. I have long advocated greater integration of security and IT management tools and processes, and have highlighted SCAP as a tangible example of this over the past year. This would also address one of the most significant concerns we find in talking with enterprises: if they feel they are giving up control, they would like to have as much visibility as they can afford without trampling all over the fragile and still-evolving balance they are struggling to strike between cloud computing's values and its risks. This would be one potentially highly effective way to achieve this in a standardized (though still evolving) yet detailed way.

    I will be very interested to see how concerns about this play out in this discussion.


  6. Фильм
    September 29th, 2011 at 04:38 | #6

    Хороший материал для статьи.!
    Меня Лукерья зовут а Вас ?

  7. October 20th, 2011 at 17:12 | #7

    hi vous j’aime bien cette facon de voir les chose ce commentaire mais l’ immobilier est mon hobbie.

  1. July 24th, 2009 at 16:50 | #1
  2. July 25th, 2009 at 07:48 | #2
  3. July 25th, 2009 at 10:38 | #3
  4. July 27th, 2009 at 11:00 | #4
  5. July 29th, 2009 at 00:49 | #5
  6. August 9th, 2009 at 22:44 | #6
  7. November 25th, 2009 at 09:52 | #7
  8. December 21st, 2009 at 14:36 | #8
  9. February 11th, 2010 at 15:57 | #9
  10. September 21st, 2011 at 01:30 | #10