A month ago we wrote about the OpenStack announcement as a potential game changer for cloud security. This week the CloudAudit effort released their first set of deliverables, which did not generate nearly as much fanfare, but has significant potential for impacting cloud security.
The objective of the CloudAudit effort is to give cloud providers a way to assert their compliance through a standards-based interface and namespace. CloudAudit employs an elegant model in that it maintains a common namespace for a fairly wide range of regulations and standards, including PCI DSS, COBIT, ISO 27002, HIPAA and others. It also provides a mapping to controls developed by the Cloud Security Alliance.
In plain English this means that a customer using a product that supports CloudAudit could assess the compliance of multiple providers automatically, without having to spend months torturing each cloud provider's staff with redundant questions. Industry-wide adoption of CloudAudit would eliminate the need for "right to audit" clauses in service agreements and allow service providers of all types to achieve and maintain an efficiency edge over traditional IT providers through automation and programmable interfaces.
If any of this sounds entirely too futuristic and detached from reality, it’s worth your time to read through the example of how enStratus became the first provider to assert their compliance through CloudAudit. While security products that support CloudAudit assessments are not yet available, enStratus immediately gains the advantage of responding to customer audit requests by publishing their compliance assertions in a standard format that can be easily consumed in any manual audit.
The first public release of CloudAudit deliverables this week is a real milestone for showing the potential for cloud computing and open standards to change the way we assess and assert compliance. Read more about it here, here and here.