CloudAudit takes another stab at cloud standards
A group of industry veterans, led by inimitable security wonk Chris Hoff, has announced a working draft for a set of new capabilities for cloud provider application programming interfaces (APIs). CloudAudit 1.0, formerly A6 (or Automated Audit, Assertion, Assessment, and Assurance API), is trying to provide a standard way for cloud users to get detailed, automated stats about performance and security in the same way that they turn servers off and on.
"CloudAudit provides a common interface, naming convention, set of processes and technologies utilizing the HTTP protocol to enable cloud service providers to automate the collection and assertion of operational, security, audit, assessment, and assurance information," reads the opening of the draft, listed under the Individual Submissions section of the Internet Engineering Task Force (IETF) active documents repository.
The individuals involved come from some pretty big names in the IT world. Hoff works for Cisco, Sam Johnston now works for Google, George Reese founded cross-cloud system manager enStratus and Ben Sapiro is the security research director for TELUS. That's not an industry consortium like the one behind the Cloud Security Alliance (CSA), but guys like those (Reese excepted) don't write IETF documents without some level of company approval.
So cloud providers, read the draft; you might find some very big customers asking which parts of A6 you can provide in the not-too-distant future, along with competitors already on the move. Amazon has expressed qualified support for the idea, you know.
Amazon S3 adds policy, visibility features
In other news, Amazon Web Services has added another layer of capabilities to its Simple Storage Service (S3) that it's calling Bucket Policies. Users can control access control lists (ACLs) and short-term access URLs (the query string authentication mechanism) "using a single unified mechanism," according to the post.
Users can also now write complex security policies directly into their applications using the Bucket Policy tools, automating a once-limited and tedious task. What an original idea!