CSA Security Guidance for Critical Areas of Focus in Cloud Computing v.4

A Stable, Secure baseline for Cloud Operations

The Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing acts as a practical, actionable roadmap to individuals looking to safely and securely adopt the cloud paradigm.

Since it’s last revision in 2011, the cloud landscape, tools and technologies have changed and so we want to reflect that in an updated version of the CSA Guidance (which would be version 4). New CSA Guidance Domains are now available for review. Domains will be updated frequently, so come back to the site to see the latest domains available for review.

Experts are needed that can invest their time in providing feedback. Although we have a dedicated writing team, this is still a community project. All feedback and edits will be managed via GitHub so that all parts of the process are open and public.

We need your feedback!

The idea is to generate a cleaner and more consistent document than possible by solely relying on working groups to do their own writing, while still reflecting the collective wisdom of the community.

Feedback and edits will be managed via GitHub and Google Docs so that all parts of the process are open and public. Feedback submitted via Google Docs follows the CSA standard operating procedure for review periods.

You don't need to use any special command-line GitHub tools for this project. GitHub's web interface will allow you to read documents, provide feedback, and participate. But feel free to use git tools if you know how.

How to use GitHub to provide feedback

  • Issues are the best way to add comments. The authors can read and respond to them directly. When leaving an issue. please list the line number for the start of any specific section you are commenting on.
  • Pull requests are for edits. We can't respond to all pull requests because our only options are to ignore a pull or merge the changes. For consistency's sake, it is very hard to accept pull requests directly. All pull requests will be reviewed, some will be merged, and those we cannot directly merge will be treated as an issue/comment and closed. This is just a practical necessity, considering how many people will eventually be providing feedback.

For writing we are using the Markdown text format. If you want to edit and send pull requests you will need to learn Markdown (fortunately it's incredibly simple). GitHub renders Markdown directly, so unless you are actually editing content you won't need to learn it.

All feedback will be public. This is essential for maintaining the independence and objectivity of this project. Even if you know any of the authors or CSA staff, please don't email private feedback, which will be ignored.

We will do our absolute best to respond to all feedback (with the exception of pull requests, which we will review), but depending on volume we may need to combine feedback (and we understand some feedback will be contradictory).

Contribute Now

For questions or feedback, contact [email protected].

The project process

We will have a separate file for each domain in the Guidance.

For each domain, we will first publish a detailed outline with expected changes, and then drafts. Domains will be open for feedback the entire time, but may be closed temporarily during specific writing phases (e.g., after we collect comments on the outline, the author may close feedback as they develop the first draft).

For each domain, there will be an outline, first draft, and near-final draft.

The exception is Domain 1. We skipped the outline for that and went straight to the first draft to set a writing tone for the rest of the project.

The near-final drafts will be pulled from GitHub and converted into Word, with updated graphics, for final publication.

If you have any questions or general comments, please let us know either here or through email to [email protected], and thank you for your help.

Editing and style notes

All images should be placed in /images and named with the section they appear in, followed by a dash, followed by an enumerator. e.g. "1.1.2-1.png" for the first image in the directory. Please use standard Markdown image embedding.

Links should be referenced, not inline. Each link should be sequentially ordered. This makes things easier to read (look at Domain 1 for formatting examples -- it's easy). If links start getting out of order, feel free to use "1.1" or similar to neaten things up.

Images will be redone by a graphics team before publication, so don't worry about having them look consistent.

Peer Review Guidance v4

Initiative Details Date Opened

Guidance v4 – Domain 01: Cloud Computing Concepts and Architectures

Description: This domain provides the conceptual framework for the rest of the Cloud Security Alliance’s guidance. It describes and defines cloud computing, sets our baseline terminology, and details the overall logical and architectural frameworks used in the rest of the document.

December 09, 2016 Contribute now

Guidance v4 – Domain 02: Governance and Enterprise Risk Management

Description: Governance and risk management are incredibly large topics. This guidance will focus on how they change in cloud computing, and is not and should not be considered a primer or comprehensive exploration of those topics outside of cloud.

December 14, 2016 Contribute now

Guidance v4 – Domain 03: Legal Issues, Contracts and Electronic Discovery

This domain highlights some of the legal aspects raised by cloud computing. It provides a general background on legal issues that can be raised by moving data to the cloud, some issues for consideration in a cloud services agreement, and the special issues presented by electronic discovery in litigation.

December 08, 2016 Contribute now

Guidance v4 – Domain 04: Compliance and Audit Management

Description: Organizations face new challenges as they migrate from traditional data centers to the cloud. Delivering, measuring, and communicating compliance with a multitude of regulations across multiple jurisdictions is one of the largest challenges. Customers and providers alike need to understand and appreciate the differences and implications on existing compliance and audit standards, processes, and practices. The distributed and virtualized nature of cloud requires significant framework adjustment from approaches based on definite and physical instantiations of information and processes.

December 10, 2016 Contribute now

Guidance v4 – Domain 05: Data Governance

Description: Definition of data/information governance. Ensuring use of data and information complies with organizational requirements, including regulatory, contractual, and organizational requirements and objectives.

December 14, 2016 Contribute now

Guidance v4 – Domain 06: Management Plane and Business Continuity

Description: The importance of the management plane (metastructure).

  • The management plane is the single most significant security difference between traditional infrastructure and cloud computing.

  • We always have a management plane, but cloud abstracts and centralizes administrative management of resources. Instead of controlling a data center configuration with boxes and wires, it is now controlled with API calls and web consoles.

  • Thus gaining access to the management plane is like gaining unfettered access to your data center, unless you put the proper security controls in place.

December 11, 2016 Contribute now

Guidance v4 – Domain 07: Infrastructure Security

Description: Core cloud infrastructure security, including networking, workload security, and hybrid cloud considerations. This domain also includes security fundamentals for private clouds.

December 14, 2016 Contribute now

Guidance v4 – Domain 08: Virtualization and Containers

January 18, 2017 Contribute now

Guidance v4 – Domain 09: Incident Response

Incident Response (IR) is a critical facet of any information security program. Preventive security controls have proven unable to completely eliminate the possibility of a compromise of critical data. Most organizations have some sort of IR plan to govern how they will investigate an attack, but with the distinct differences in both access to forensic data and governance in the cloud, organizations must consider how their IR processes will change.

December 08, 2016 Contribute now

Guidance v4 – Domain 10: Application Security

Description: This section of the guidance is for software development and IT teams who want to securely build — and deploy — applications in cloud computing environments, specifically PaaS and IaaS. How application security is different in cloud. Review of secure software development basics and how those change in the cloud. Leveraging cloud capabilities for more secure cloud applications

December 14, 2016 Contribute now

Guidance v4 – Domain 11: Data Security and Encryption

Description: Data security is the enforcement of data governance.

Must take a risk-based approach, not appropriate to secure everything equally. Must account for the cloud provider’s security controls and trust. Cloud security is a shared responsibility. You lose the economic benefits if you don’t understand or trust the cloud provider. The focus is on implementing controls that are either outside the cloud provider’s domain, or when, after a risk assessment, you need additional security to manage a provider risk. For example, encrypting everything in SaaS because you don’t trust that provider at all likely means you shouldn’t be using it in the first place.

December 12, 2016 Contribute now

Guidance v4 – Domain 12: Identity, Entitlement, and Access Management

Description: This section of the guidance is for Security, Identity and IT teams who want to deploy strong identity systems for SaaS, PaaS and IaaS Cloud environments.

December 14, 2016 Contribute now

Guidance v4 – Domain 13: Security as a Service

Description: Security as a Service (SecaaS) providers offer security capabilities as a cloud service. Are typically SaaS or PaaS. Not limited to dedicated SecaaS providers, can include packaged security features from generalized cloud providers.

December 14, 2016 Contribute now

Guidance v4 – Domain 14: Related Technologies

January 18, 2017 Contribute now