The Cloud Security Alliance is kick-starting development of a nascent protocol to standardize and automate requests for security-related data from cloud providers.
Being able to standardize across the many security attributes and properties would be a great benefit for the customer. Providers would all be speaking the same language.
Alain Pennetrat, senior researcher, Cloud Security Alliance
At the 2013 Cloud Security Alliance (CSA) Congress, the CSA announced that a working group has begun an effort to advance the Cloud Trust Protocol, a syntax through which cloud providers might provide real-time data about the security-related aspects of their operations.
The Cloud Trust Protocol was conceived in 2009 by Ron Knode, a director at Computer Sciences Corp. (CSC), as a mechanism for fostering cloud provider transparency and trust. In 2011, Knode and CSC transferred work on the program to the CSA in order to foster its evolution as a vendor-agnostic protocol. Knode passed away in 2012.
The working group's charter is to realize Knode's vision by refining and extending the Cloud Trust Protocol framework and application programming interface specification, standardizing the protocol's security attributes, and eventually implementing a pilot program and fostering its adoption.
In describing the Cloud Trust Protocol, Alain Pennetrat, CSA senior researcher and technical lead of the working group, said it would allow current and prospective cloud security customers to query cloud providers about key information security data points in a standardized manner.
The Cloud Trust Protocol's syntax is XML-based, working as a traditional RESTful Web service over HTTP. Pennetrat said that approach will give enterprises the flexibility to use a variety of systems management dashboards or automated monitoring tools to initiate and manage data queries. These queries would include data points involving configuration data for virtual assets like hypervisors, firewalls and switches, vulnerability assessments, audits, change management, service statistics and notifications to customers.
Pennetrat noted that while cloud providers often inundate customers with reams of reports detailing their security controls, they typically represent the best-case scenario, highlighting a point-in-time snapshot of a provider's security. With the Cloud Trust Protocol, however, customers would be able to validate that information with real-time data on an ongoing basis.
"It's a basic, simple protocol to query the provider and ask about its availability level today, and what it has been in the past month," Pennetrat said. "You can get information about the security performance of a cloud provider on a daily basis instead of every six months."
The intent, Pennetrat said, is for prospective customers to use the Cloud Trust Protocol to evaluate whether providers live up to the security assurances they promise, and for current customers to monitor cloud provider security to an extent not possible today.
More specifically, he indicated the protocol might be used in a variety of cloud risk management scenarios.
"You might have a scenario in which a customer has data stored with several providers, and based on information you get back from a [Cloud Trust Protocol] data request, you might offload some data from one provider to another," Pennetrat said. "So on a daily basis, you could automatically assess and document risk, and make decisions based on the data you get back."
Though the CSA's initiative could benefit cloud consumers greatly, the effort to bring the Cloud Trust Protocol to life is not without challenges. Foremost among them will be fostering adoption among cloud providers, which may prove difficult to overcome. Case in point: Amazon Web Services (AWS), the industry's biggest cloud service provider, has so far declined to undergo certification for CSA STAR, the alliance's program to standardize customer assessments of cloud provider security, and arguably its most significant standards effort to date.
More from CSA Congress 2013
Expert: Security automation can thwart attacks on cloud computing
Cloud incident response planning: Know cloud provider responsibilities
Despite cloud computing security risks, infosec pros know their role
The CSA is optimistic that it will be to providers' benefit to adopt the protocol, according to Pennetrat, who noted that the working group is co-chaired by representatives from cloud providers AWS and Dell Inc.
Another challenge will be ensuring providers offer accurate data. Pennetrat said there's no perfect answer to this problem yet, but the idea is that by combining Cloud Trust Protocol query data with security, certification and compliance documentation from providers, customers will be able to identify potential discrepancies and ultimately paint an accurate picture regarding whether providers successfully secure their environments.
"If a cloud provider cheats and provides false data, the word will get out," Pennetrat said. "There's no incentive for a provider to lie though because it'll lose credibility. If you misreport security information to cloud customers, this in the end will play against you."
An additional benefit, Pennetrat said, will hopefully be the standardization of how security controls are defined and provided to customers. He said his research has yet to uncover two cloud security providers that define key characteristics like security and availability in a uniform fashion.
"Today customers don't have a way to compare providers because every provider has its own definitions," Pennetrat said. "Being able to standardize across the many security attributes and properties would be a great benefit for the customer. Providers would all be speaking the same language."
The ultimate goal of the effort is to foster greater cloud provider security transparency and increase customer trust. The CSA sees the Cloud Trust Protocol as being one of the four pillars of its "GRC Stack," a toolkit for assessing cloud provider security against industry best practices; the other three are the CloudAudit framework, Cloud Controls Matrix and Consensus Assessments Initiative.
The Cloud Trust Protocol working group held its official kick-off meeting at the 2013 CSA Congress, but Pennetrat said the group welcomes contributions from any interested parties that want to get involved.
"This is the right time to join," Pennetrat said, "because it's still possible to have a great influence on the outcome."
The CSA has not committed to a specific timeline, but Pennetrat said it hopes to have a Cloud Trust Protocol beta program underway sometime in 2015.