Wednesday, October 28, 2009

Initial Thoughts on Cloud A6

I'm a little late to this issue, but let me begin by saying I read Craig Balding's RSA Conference 2009 presentation this evening. In it he mentioned something called the A6 Working Group. I learned this is related to several blog posts and a Twitter discussion. In brief:
  • In May, Chris Hoff posted Incomplete Thought: The Crushing Costs of Complying With Cloud Customer “Right To Audit” Clauses, where Chris wrote: Cloud providers I have spoken to are being absolutely hammered by customers acting on their “right to audit” clauses in contracts.
  • In June, Craig posted Stop the Madness! Cloud Onboarding Audits - An Open Question... where he wondered: Is there an existing system/application/protocol whereby I can send my contract requirements to a provider, they can respond in real-time with compliance level and any added costs, with less structured/known requirements responded to by a human (but transmitted the same way)?
  • Later in June, Craig posted Vulnerability Scanning and Clouds: An Attempt to Move the Dialog On... where he spoke of the need for customers to conduct vulnerability assessments of cloud providers: A “ScanAuth” API call empowers the customer (or their nominated 3rd party) to scan their hosted Cloud infrastructure confident in the knowledge they won’t fall foul of the provider's Terms of Service.
  • In July, Chris extended Craig's idea with Extending the Concept: A Security API for Cloud Stacks, building on the same Twitter discussions. Chris mentioned The Audit, Assertion, Assessment, and Assurance API (A6) (Title credited to @CSOAndy)... Specifically, let’s take the capabilities of something like SCAP and embed a standard and open API layer into each IaaS, PaaS and SaaS offering (see the API blocks in the diagram below) to provide not only a standard way of scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc.
Still with me? In August Network World posted A6 promises a way to check up on public cloud security, which said:

What cloud services users need is a way to verify that the security they expect is being delivered, and there is an effort underway for an interface that would do just that. Called A6 (Audit, Assertion, Assessment and Assurance API) the proposal is still in the works, driven by two people: Chris Hoff - who came up with the idea and works for Cisco - and the author of the Iron Fog blog who identifies himself as Ben, an information security consultant in Toronto. The usefulness of the API would be that cloud providers could offer customers a look into certain aspects of the service without compromising the security of other customers’ assets or the security of the cloud provider’s network itself. Work on a draft of A6 is posted here http://www.scribd.com/doc/18515297/A6-API-Documentation-Draft-011. It’s incomplete, but offers a good foundation for what is ultimately needed.

So let's see what that says:

The A6 API was designed with the following concepts in mind:
  • The security interface MUST provide external systems with the ability to query a utility computing provider for their security state. Ok, that's pretty generic. We don't know what is meant by "security state," but we're just starting.
  • The interface MUST provide sufficient information for an assessment of security state asserted by the provider. Same issue as #1.
  • The information exposed via public interfaces MUST NOT provide specific information about vulnerabilities or result in detailed security configurations being exposed to third parties or trusted customers. Hmm, I'm lost. I'm supposed to determine "security state" but without "specific information about vulnerabilities"?
  • The information exposed via public interfaces SHOULD NOT provide third parties or trusted customers with sufficient data as to infer the security state of a specific environment within the provider's environment. Same issue as #3.
  • The interface SHOULD reuse existing standards, tools and technologies wherever possible. Neutral, throwaway concern.
  • That's about it, with the following remarks below:

In classic outsourcing deals these security policies and controls would be incorporated into the procurement contract; with cloud computing providers, the ability to enter into specific contractual obligations for security or allow for third party audits is either limited or non-existent. However, this limitation does not reduce the need for consuming organizations to protect their data. The A6 API is intended to close this gap by providing consuming organizations with near real-time views into the security of their cloud computing provider. While this does not allow consuming organizations to enforce their security policies and controls upon the provider, they will have information to allow them to assess their risk exposure.

Before I pose the question you're all waiting for, let me say that I think it is great that people are thinking about these problems. Much better to have a discussion than to assume cloud = secure.

However, my question is this: how does this provide "consuming organizations with near real-time views into the security of their cloud computing provider"?

Here is what I think is happening. Craig started this thread because he wanted a way to conduct audit and compliance (remember I highlighted those terms) activities against cloud providers without violating their terms of service. I am sure Craig would agree that compliance != security. The danger is that someone will think that compliance = security, thinking one could conceivably determine security state by scanning for network vulnerabilities, but also configuration management, asset management, patch remediation, compliance, etc. This is like network access control all over again. A good "security state" means you're allowed on the network because your system is configured "properly," the system is "patched," and so on. Never mind that the system is 0wned.

Never mind that there is no API for querying 0wnage. Don't get me wrong, this is a really difficult problem. It is exceptionally difficult to assess true system state by asking the system, since you are at the mercy of the intruder. It could be worse with cloud and virtual infrastructure if the intruder owns the system and the virtual infrastructure. The customer queries the A6 API and the cloud returns a healthy response, despite the reality. Shoot, the cloud could say it IS healthy by the definition of patches or configuration and still be 0wned.

I think there's more thought required here, but that doesn't mean A6 is a waste of time -- if we are clear that it's more about compliance and really nothing about security, or especially trustworthiness of the assets.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)