New consortium forming (in the UK) to provide "Common Assurance Metric" for Cloud Security...

Hoff

Feb 9, 2010, 11:25:28 AM
to A6 (Automated Audit, Assertion, Assessment, and Assurance API) Working Group
Check this out. Many of the same participating companies as are being
announced for A6. Be good to try and integrate these efforts with CSA
and A6 rather than reinvent yet another wheel...plus comparison is one
aspect, actionable capabilities are another...

http://news.zdnet.co.uk/itmanagement/0,1000000308,40032011,00.htm

A 24-strong consortium of service providers, vendors, government
organisations and consultants has begun work on a set of measurements
designed to make it easier for businesses to compare the security
features offered by cloud-computing providers.

The project, launched on Monday, aims to provide a Common Assurance
Metric (CAM) that will consist of objective, quantifiable
measurements, the as-yet unnamed consortium said in a statement. It
will draw from existing standards, which are often industry specific.

Overall, it will provide an international, cross-sector approach that
"allows cloud providers the opportunity to demonstrate their
information security maturity in an open and constructive manner," the
consortium said.

Participants include Amazon, Google, Microsoft, the European Network
and Information Security Agency (Enisa), the Cabinet Office, HM
Revenue & Customs, KPMG, McAfee and Oracle.

"Existing mechanisms to measure security are often subjective and in
many cases are bespoke solutions. This makes quantifiable measurement
of security profiles difficult," the consortium said. In addition,
customised services typically cost more in time and money than those
based on standards, it noted.

The consortium said the benefits of the CAM are that it will allow
businesses to compare security features via a standardised information
format, to help service providers differentiate their offerings, to
build trust among end users and to develop a standard across industry
and international borders. A key business benefit will be the ability
to link information risk management with business objectives.

Alex Hutton

Feb 9, 2010, 11:51:38 AM
to a6...@googlegroups.com
Hoff-

Got a contact there?

AH

--
Sent from my mobile device

Christofer Hoff

Feb 9, 2010, 3:13:16 PM
to a6...@googlegroups.com
No, I am desperately looking for one. I want to work on a coordinated effort here, not fragmented views on the same topics.

When I get a contact, I shall invite them to participate...perhaps they will, perhaps they won't. ;)

/Hoff

Anton Chuvakin

Feb 9, 2010, 3:19:05 PM
to a6...@googlegroups.com
> No, I am desperately looking for one. I want to work on a coordinated effort
> here, not fragmented views on the same topics.

I might be able to dig an ENISA contact... if it works, will send to Chris.

BTW, notice this:

"The consortium said the CAM project team is scheduled to deliver the
framework in late 2010, and that it expects global adoption to
follow." <- feels like 4/1/2010 already.

--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
