The goal of CloudAudit is to provide cloud service providers with a way to make their performance and security data readily available for potential customers. The specification provides a standard way to present and share detailed, automated statistics about performance and security.
Standardized information makes comparisons among providers easier, reducing the resources required to assemble documentation and analyze the data. CloudAudit is intended to benefit cloud computing providers as well. For example, the cost of responding to a potential customer's compliance controls may be minuscule for a large vendor. However, a small vendor may find it burdensome to provide that information to multiple prospective customers. With CloudAudit, vendors can provide information once and only update when there are changes.
CloudAudit’s development codename was A6 (Automated Audit, Assertion, Assessment, and Assurance API). According to the Internet Engineering Task Force (IETF) draft document, CloudAudit provides “a common interface, naming convention, set of processes and technologies utilizing the HTTP protocol to enable cloud service providers to automate the collection and assertion of operational, security, audit, assessment, and assurance information.”
Christofer Hoff, director of cloud and virtualization systems at Cisco Systems Inc., developed the CloudAudit initiative. Others involved in the project include cloud providers, virtualization platform and cloud platform providers, end users, auditors and system integrators. The volunteer, cross-industry effort became an official project of the nonprofit Cloud Security Alliance (CSA) in October 2010.
CSA released CloudAudit as part of a free tool suite for cloud-based Governance, Risk and Compliance (GRC) in November 2010. The tool consists of a directory or common namespace that serves as an organized repository. Cloud computing providers can put whatever they want within the directories (PDF files, text documents, links to websites, etc.) to indicate how they are addressing requirements within various control frameworks. The first set of namespaces is compliance-driven with a focus on PCI-DSS, HIPAA, COBIT, ISO 27002 and NIST 800-53.
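The following is an added illustration, not code from the CloudAudit project: it models the namespace described above as a directory tree of `<framework>/<control>/<artifact>` paths (an assumed layout, since the page does not give the draft's exact URI scheme) and shows how a prospective customer could compare control coverage across providers from their published listings. The provider listings and required-control sets are constructed sample data.

```python
"""Added example: compare control coverage across CloudAudit-style namespaces.

Assumed layout (not the draft's actual scheme): <base>/<framework>/<control>/
holds zero or more artifacts (PDF, text, link file). The listings below are
constructed sample data, not real provider data.
"""
from collections import defaultdict

# Constructed sample: relative paths a crawler would see when walking each
# provider's namespace. A control directory with no artifact is an empty claim.
SAMPLE_LISTINGS = {
    "provider-a": [
        "pci-dss/req-1/firewall-policy.pdf",
        "pci-dss/req-3/encryption-at-rest.txt",
        "nist-800-53/AC-2/account-mgmt.pdf",
        "nist-800-53/AU-2/",               # directory present, no evidence
    ],
    "provider-b": [
        "pci-dss/req-1/network-diagram.pdf",
    ],
}

# Constructed: the controls the customer's own assessment requires evidence for.
REQUIRED = {"pci-dss": ["req-1", "req-3"], "nist-800-53": ["AC-2", "AU-2"]}


def parse_listing(paths):
    """Turn flat paths into {framework: {control: {artifacts}}}.
    A two-segment path is a control directory with no evidence."""
    tree = defaultdict(lambda: defaultdict(set))
    for p in paths:
        parts = [s for s in p.strip("/").split("/") if s]
        if len(parts) < 2:
            continue  # too shallow to name a control; ignore
        artifacts = tree[parts[0]][parts[1]]
        if len(parts) > 2:
            artifacts.add("/".join(parts[2:]))
    return tree


def coverage(tree, required):
    """Per framework, return (controls with evidence, controls without).
    Only a control with at least one artifact counts as covered; the artifact
    itself is still a provider assertion the reviewer must read."""
    report = {}
    for framework, controls in required.items():
        have = tree.get(framework, {})
        report[framework] = (sorted(c for c in controls if have.get(c)),
                             sorted(c for c in controls if not have.get(c)))
    return report


def compare_providers(listings=SAMPLE_LISTINGS, required=REQUIRED):
    return {n: coverage(parse_listing(p), required) for n, p in listings.items()}


if __name__ == "__main__":
    for name, rep in compare_providers().items():
        for fw, (ok, gap) in rep.items():
            print(f"{name:11} {fw:12} covered={ok} missing={gap}")
```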