CSA Creates Open Cloud Security API Working Group

The Cloud Security Alliance (CSA) consortium today announced it has formed a working group spearheaded by CipherCloud, Deloitte, Infosys, Intel and SAP to define best practices and industry standards that ensure API interoperability across data protection and security services delivered via the cloud.

Still in the formative stages, the Cloud Security Open API Working Group will focus on defining a common set of APIs that will be used to create a set of cloud-independent description schema for phone numbers, names, email addresses, etc.; a set of classification schema to define data sensitivity levels; standard specifications of control actions for encryption, masking and data residency; and a specification of monitoring characteristics of cloud applications, says Chenxi Wang, vice president of cloud security and strategy at CipherCloud.

The goal, says Wang, is to enable vendor-neutral data security implementations to help accelerate cloud services adoption using standards-based APIs spanning encryption, tokenization and other data protection technologies across cloud environments.

Wang says the immediate challenge the working group will face is trying to determine the right level of abstraction for the API specifications it intends to foster. Once that is determined, over the next six months the working group will focus on developing a set of open source APIs that will be readily accessible via repositories such as GitHub, says Wang.

Formed in late 2008, CSA is a global nonprofit organization that has more than 40,000 members. As part of the organization's charter, CSA works with companies and government agencies to promote the adoption of open standards that enhance the security of cloud computing environments. Given that secure interoperability across multiple cloud computing environments involves implementing a common set of APIs, CSA is now spearheading the development of the APIs needed to securely access and share data across multiple hybrid cloud computing environments, Wang says.

Wang says that CSA and the members of the working group are hoping not only that more vendors will join the project, but also that individual developers will make contributions.

Beyond the de facto standards provided by individual providers of cloud services, there is no standard set of API specifications for providing data protection and security services via the cloud. And yet, backup and recovery is arguably the most widely invoked cloud service, which would suggest a standard set of APIs would expand the size of the data protection market in the cloud.

Meanwhile, enterprise IT organizations routinely cite security concerns as the primary reason they are not making greater use of cloud services. Naturally, a standard set of API specifications will not magically eliminate all those security concerns, but it’s clearly a significant step in the right direction.

Michael Vizard