CloudAudit, the organization whose goal is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments, and allows authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology, recently announced that it is joining the Cloud Security Alliance (CSA). I had been expecting this move for some time now, and it has finally happened. In fact, I pinged Chris Hoff in March through Twitter to ask if he expected an alliance to happen, and he said he expected one to happen shortly.
What is Cloud Security Alliance?
Cloud Security Alliance (CSA) is an organization that has taken on the task of promoting best practices for providing security assurance within cloud computing, and of educating users on how to use cloud computing securely. They are a large group of service providers, analysts, academics, thought leaders, security practitioners, etc., who spend time researching various areas of cloud computing security. They have split themselves into working groups tackling security issues in wide-ranging areas, from Architecture to eDiscovery to Application Security to Key Management to Storage and more. Each working group consists of professionals whose expertise lies within that domain.
This has resulted in a series of publications ranging from threat identification to guidance on establishing good controls to advisories. Some of the publications are listed below:
- Security Guidance for Critical Areas of Focus in Cloud Computing
- Guidance for Identity and Access Management (Domain 12)
- Guidance for Application Security (Domain 10)
- Top threats to cloud computing
In fact, you can get more resources by visiting their website.
Gotcha, what is CloudAudit then?
As stated in their goal, the idea behind this project is to establish a framework that helps service providers offer some transparency into their service. For example, a service provider could use this framework to offer programmatic access to users, who can query the service to get information about operational policies, security posture and other regulatory compliance validations.
Right now, the biggest problem facing the cloud computing industry is the lack of transparency. Enterprises, with their high security and compliance needs, want to have a peek into the cloud service providers’ infrastructure. But it is just not possible for the service providers to agree to these demands because of the associated costs and IP issues. No service provider wants to hand out the entire blueprint of its operations to outsiders. Similarly, no service provider wants to open up its network for daily vulnerability testing by all of its customers; in fact, it is too expensive to even consider doing so for select customers. To break this stalemate, thought leaders in this space decided that there should be a way for service providers to programmatically offer this information to the right people (valid customers) without those customers having to enter the perimeter of the providers’ infrastructure.
The result is the formation of CloudAudit, which aims to define a framework that helps cloud service providers offer automated programmatic access to their customers so that the customers’ security and compliance needs are taken care of. Recently, this group submitted their first specification to the IETF, along with the CompliancePacks needed to meet mandated regulations like HIPAA, PCI-DSS, etc. In fact, one of the cloud vendors I follow, enStratus, immediately added support for CloudAudit in their offering.
CSA – CloudAudit Alliance, how does it help?
Chris Hoff, in his email to CloudAudit members, explained how this alliance can be useful for CloudAudit. I will just share it here for the readers.
The reasons for moving CloudAudit under the CSA are simple:
- The CSA enjoys a well-balanced membership of volunteers from the enterprise, service providers and industry
- Most of the CloudAudit leadership are also key team members of the CSA
- CloudAudit’s namespaces & CompliancePacks are all derived from the CSA’s Cloud Control Matrix
- A single licensing scheme and roadmap simplifies both organizations’ needs
- The CSA’s other initiatives (CAI, TCI, etc) all align with CloudAudit and will enjoy a tighter coupling
- The CSA has the infrastructure and organizational membership needed to drive CloudAudit
He further added that the working group’s objectives and structure will likely not change, and that CloudAudit will enjoy greater coverage, exposure, involvement and focus from the community.
A framework for cloud users to audit their providers is crucial for the very success of cloud computing. I have long felt that CloudAudit under the CSA will be more focussed in its efforts than it would be outside of the CSA. This was the reason I queried Hoff on Twitter about a possible alliance with the CSA. I am happy that this has finally come through, and it will prove crucial in ensuring faster adoption of cloud computing in the enterprise. Kudos to both CSA and CloudAudit for their willingness to work together.
PS: There is no relationship between this news and the picture. I found it funny and hence added it for more exposure.