I’ve just joined one of the Cloud Audit working groups, focused on developing controls for cloud computing. Over 400 other keen GRC and security professionals are part of this growing group. Don’t know about Cloud Audit? Let me share a bit about what it is and why it matters. First of all, governance, risk and compliance (GRC) and security management are becoming increasingly critical in the cloud; I’ve blogged on this previously. What has been holding us back is the lack of consistent, standardized frameworks, open standards and interfaces that address not only controls but also easy-to-implement processes for providing assurance about the level of GRC and security in cloud environments. Enter Cloud Audit, designed to smash down those roadblocks and get us flying in the cloud.
Cloud Audit began in January of this year, driven by Christopher Hoff (Cisco) and others from many organizations including Telus, CSC, VMware, Microsoft, EMC, Unisys and Terremark. It is a volunteer cross-industry effort drawing on the best minds and talent from Cloud, networking, security, audit, assurance and architecture backgrounds, specifically focused on developing and providing a common interface that allows Cloud providers to automate Cloud Audits.
Central to the group’s work is something called A6, which stands for Automated Audit, Assertion, Assessment, and Assurance API. The idea is that cloud providers and consumers of their services should be able to leverage an open, extensible and secure set of interfaces for Cloud GRC and security.
The mantra of the group is to:
- Keep it simple, lightweight and easy to implement; offer primitive definitions and language structure using HTTP(S)
- Allow for extension and elaboration by providers, and choice of trusted assertion validation sources, checklist definitions, etc.
- Not require adoption of other platform-specific APIs
- Provide interfaces to Cloud naming and registry services
You can get involved in these working groups or simply follow the discussions, held every Monday at 1 pm EST. Join the Google group for Cloud Audit here.
Cloud Audit of course is not the only group looking at Cloud security and GRC. Many of you may know about the Cloud Security Alliance (focused on best practices and education in cloud computing), the Trusted Cloud Initiative (focused on certification for various cloud environments) and the European Network and Information Security Agency (ENISA)’s work on this topic; some important documents have been produced over the past 6 months that are worth diving into. We’ll have more about these organizations in future posts, but for now, two good overview documents are the Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing and ENISA’s Cloud Computing Information Assurance Framework.
If you haven't dug into cloud GRC, now is the time to do it. It's important for your career and good for your company: there aren't many organizations today that don't see their application portfolio moving more and more into the cloud.