What users of cloud services need is a way to verify that the security they expect is actually being delivered, and there is an effort underway to define an interface that would do just that.
Called A6 (Audit, Assertion, Assessment and Assurance API), the proposal is still a work in progress, driven by two people: Chris Hoff, who came up with the idea and works for Cisco, and the author of the Iron Fog blog, who identifies himself as Ben, an information security consultant in Toronto.
The value of the API would be that cloud providers could give customers visibility into certain aspects of the service without compromising the security of other customers' assets or of the provider's own network.
A draft of A6 is posted at http://www.scribd.com/doc/18515297/A6-API-Documentation-Draft-011. It is incomplete, but it offers a sound framework for what is ultimately needed.
According to the draft in progress, the broad goals of A6 are as follows:
= Provide external systems with the ability to query a utility computing provider for its security state.
= Provide sufficient information for an evaluation of the security state asserted by the provider.
= Assure that the information provided does not expose to third parties information about vulnerabilities or detailed security configurations.
= Assure that the information does not provide sufficient data to infer the security state of specific elements within the cloud.
= Reuse existing standards, tools and technologies whenever possible.
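The first two goals pull against the third and fourth: a customer needs enough detail to evaluate an assertion, yet nothing that describes a particular host or its configuration. The sketch below is an added example of one way to resolve that tension. It is not the A6 draft and not code from Hoff or Ben; the inventory is constructed, the suppression threshold, scope names and control names are hypothetical, and an HMAC stands in for the real signature (JWS, XML-DSig or similar) that the "reuse existing standards" goal would call for. Each answer is an aggregate over a population of at least MIN_GROUP_SIZE elements, carries no host identifiers or configuration detail, and is signed so the consumer can verify who asserted it.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample inventory (hypothetical). "detail" holds the kind of
# per-host information (pending patches, unencrypted volumes) that an
# assertion must never carry; it is present only to show it is not consulted.
INVENTORY: List[Dict] = [
    {"host": "web-01", "zone": "dmz",  "controls": {"disk_encryption": True,  "patch_level_current": True},  "detail": {}},
    {"host": "web-02", "zone": "dmz",  "controls": {"disk_encryption": True,  "patch_level_current": False}, "detail": {"pending_patches": 3}},
    {"host": "web-03", "zone": "dmz",  "controls": {"disk_encryption": True,  "patch_level_current": True},  "detail": {}},
    {"host": "app-01", "zone": "app",  "controls": {"disk_encryption": True,  "patch_level_current": True},  "detail": {}},
    {"host": "app-02", "zone": "app",  "controls": {"disk_encryption": False, "patch_level_current": True},  "detail": {"unencrypted_volumes": ["/data"]}},
    {"host": "app-03", "zone": "app",  "controls": {"disk_encryption": True,  "patch_level_current": True},  "detail": {}},
    {"host": "db-01",  "zone": "data", "controls": {"disk_encryption": True,  "patch_level_current": True},  "detail": {}},
]

# Smallest population an aggregate may describe (hypothetical value). Below
# this, an answer would effectively reveal the state of individual elements.
MIN_GROUP_SIZE = 3

# Scopes the provider is willing to answer on. A per-host scope is
# deliberately absent: the API offers no way to ask about one element.
ALLOWED_SCOPES = {"all", "zone"}

# Hypothetical provider key. HMAC-SHA256 is a stand-in for a real signature.
PROVIDER_KEY = b"hypothetical-provider-assertion-key"


class QueryRefused(Exception):
    """Raised when answering would violate the non-disclosure goals."""


def _canonical(payload: dict) -> bytes:
    # Deterministic serialisation so issuer and verifier sign the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def assert_control(control: str, scope: str = "all", scope_value: Optional[str] = None) -> dict:
    """Answer 'is this control in place?' for a population, never for one element."""
    if scope not in ALLOWED_SCOPES:
        raise QueryRefused(f"scope {scope!r} is not offered")
    population = INVENTORY if scope == "all" else [h for h in INVENTORY if h["zone"] == scope_value]
    if len(population) < MIN_GROUP_SIZE:
        # A zone with one host would reveal that host's state; suppress it.
        raise QueryRefused(f"population of {len(population)} is below the threshold of {MIN_GROUP_SIZE}")
    if any(control not in h["controls"] for h in population):
        raise QueryRefused(f"control {control!r} is not one the provider asserts on")
    compliant = sum(1 for h in population if h["controls"][control])
    payload = {
        "control": control,
        "scope": "all" if scope == "all" else f"{scope}={scope_value}",
        "asserted": compliant == len(population),     # the yes/no the customer evaluates
        "coverage_pct": round(100 * compliant / len(population)),  # rounded, no host list
        "population": len(population),
        "evidence": "hypothetical-audit-report-ref",  # pointer to supporting evidence, not the evidence itself
    }
    return {"assertion": payload, "signature": hmac.new(PROVIDER_KEY, _canonical(payload), hashlib.sha256).hexdigest()}


def query(control: str, scope: str = "all", scope_value: Optional[str] = None) -> Optional[dict]:
    """Convenience wrapper: returns the signed assertion, or None if the query is refused."""
    try:
        return assert_control(control, scope, scope_value)
    except QueryRefused:
        return None


def verify_assertion(doc: dict, key: bytes = PROVIDER_KEY) -> bool:
    """Consumer-side check that the assertion was issued by the key holder and not altered."""
    expected = hmac.new(key, _canonical(doc["assertion"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["signature"])


if __name__ == "__main__":
    for args in [("disk_encryption",), ("disk_encryption", "zone", "dmz"),
                 ("disk_encryption", "zone", "data"), ("disk_encryption", "host", "web-02")]:
        result = query(*args)
        print(args, "->", "refused" if result is None else result["assertion"])
```

The zone "data" holds a single host, so any question about it is refused even though the answer would be favourable; that is the fourth goal enforced mechanically rather than by policy. Note also that nothing in "detail" ever reaches the response, and that changing any field of a returned assertion makes verify_assertion return False.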
Ben has suspended work on A6 to focus on related work, but others should chime in to keep the momentum going, because it is a solid start on something badly needed to boost confidence in cloud services.