Additionally, cloud providers can't spend all of their time fielding questions about how they manage their infrastructure. And, regrettably, not many public cloud providers offer much transparency into their controls. And no, SAS 70 audits don't really account for much of anything when it comes to security.
To help clear the fog, an organization that just formed this year and is moving fast in the area of cloud management, CloudAudit.org, has emerged with what it hopes will be part of the solution. The group is developing a common way for cloud computing providers to automate how their services can be audited and assessed and assertions provided on their environment for Infrastructure-, Platform-, and Software-as-a-Service providers. Consumers of these services would also have an open, secure, and extensible way to use CloudAudit with their service providers.
The group currently boasts about 250 involved in the effort, from end users, auditors, system integrators, and cloud providers representing companies such as Akamai, Amazon Web Services, enStratus, Google, Microsoft, Rackspace, VMware, and many others.
Last week the group released its first specification to the IETF as a draft, as well as CompliancePacks that map control objectives to common regulatory mandates, such as HIPAA, PCI DSS, and ISO27002 and COBIT compliance frameworks.
As (if) CloudAudit is embraced by cloud providers, businesses should be able to shop and compare services much more intelligently. Also, it could help some cloud business users feel more comfortable moving regulated data (where it's permitted) to a public provider. For cloud service providers, CloudAudit can help them to more cost-effectively handle the number of audit requests each year. And, who knows, such transparency may even be a boost to business.
Building a standard is one thing, getting it adopted, working, and embraced by industry is quite another. Next post I'll will bring you a discussion with a cloud management provider who has already begun putting CloudAudit to use.
For my security and technology observations throughout the day, find me on Twitter.