Introduction to the A6 Working Group - A Brief History


Hoff

Nov 16, 2009, 11:42:25 PM
to A6 (Audit, Assertion, Assessment, and Assurance API) Working Group
Hi.

The A6 API (Audit, Assertion, Assessment, and Assurance API) is an
idea that a few of us in the Cloud and Security community have been
working on for the last few months. I've spent those months
socializing the concept and getting buy-in from some notable
individuals and companies interested in supporting the initiative.

You'll hear from some of them here shortly, no doubt. I'm excited to
have their committed participation.

If you're unfamiliar with the A6 concept, initial ramblings on the
topic can be found on my blog here:

http://www.rationalsurvivability.com/blog/?p=1276 which features some
initial heady work done by Ben Sapiro on a RESTful interface for the
A6 API given a challenge I unwisely issued ;)

There's been some additional work being done in parallel recently --
albeit not directly tied to A6 -- by the folks at CSC with their
CloudTrust Protocol (http://www.csc.com/security/insights/32270-digital_trust_in_the_cloud)
and by the fine folks at NIST.

The OCCI team and Cloud Computing Use Cases folks are also working on
similar elements. It may turn out that the work that comes out of
this group finds a home with an existing group. I don't have any
problem discussing or considering those choices.

The goal of A6 is simple: to provide a common interface that allows
providers to automate the Audit, Assertion, Assessment, and Assurance
of their environments and allow authorized consumers of their services
to do likewise via an open, extensible and secure API across SaaS,
PaaS, and IaaS offerings.

The goal would be to utilize security automation capabilities with
tools/protocols/frameworks like SCAP (Security Content
Automation Protocol) interfacing with a standard set of APIs/interfaces.

The natural comments that extend from this simple description are "how
can you do that?" and "how can you trust what the provider asserts?"

Suffice it to say that we "trust" many things today without validation
or through third parties. We have protocols, technologies and even
some standards that would go a long way toward automating these
activities.

I'm sure this has created more questions than it has answered, but I
do hope you'll join this effort and help leverage our collective
experience and knowledge to move forward and make cloud computing as
secure and successful as it can be.

I'll be setting up an initial call and the working group structure
shortly.

/Hoff
ch...@packetfilter.com
+1.978.631.0302