Latest News

06/24/2019

Cloud Security Alliance Congress EMEA 2019 Call for Papers Deadline Extended

Papers examining new frontiers accelerating change in information security are sought

Berlin, Germany – June 26, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing...

06/24/2019

Cloud Security Alliance Releases Cloud Octagon Model to Facilitate Cloud Computing Risk Assessment

Innovative model challenges enterprises to investigate risk from perspective other than that of the cloud service provider

SEATTLE – June 24, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help en...

05/21/2019

Cloud Security Alliance Study Identifies New and Unique Security Challenges in Native Cloud, Hybrid and Multi-cloud Environments

Holistic cloud visibility and control over increasingly complex environments are essential for successful deployments in various cloud scenarios

SEATTLE – May 21, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of b...

05/13/2019

Registration Opens for Cloud Security Alliance Congress EMEA 2019

Registration has opened for the annual CSA Congress EMEA (Berlin, Nov. 18-21, 2019). This multi-day conference will offer cloud security professionals a unique mixture of compelling presentations and topical discussions on research, technical and policy development, practice, requirements and tools related to cloud security, privacy and emerging technologies.

05/07/2019

Cloud Security Alliance Releases Cloud Operating System (OS) Security Specification Report

The first international research report to define technical requirements for cloud OS security specifications and to address their importance

SINGAPORE – May 8, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices ...

05/07/2019

Cloud Security Alliance Releases Software-Defined Perimeter Architecture Guide

Produced by the Software-Defined Perimeter Working Group, this Software-Defined Perimeter (SDP) Architecture Guide is designed to help enterprises and practitioners learn more about SDP and the economic and technical benefits it can provide, as well as assist users in implementing SDP in their organizations successfully.

04/23/2019

Cloud Security Alliance Announces Federal Summit 2019 Speaker Line-up

Former U.S. CIO Vivek Kundra to share his experience leading change across the U.S. government, the world’s largest consumer of information technology

Seattle, WA – April 23, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising aw...

03/05/2019

Cloud Security Alliance Debuts Internet of Things (IoT) Controls Framework and Accompanying Guide

Framework introduces base-level security controls required to mitigate numerous risks associated with IoT systems

SAN FRANCISCO – March 4, 2019 – RSA CONFERENCE 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practic...

03/04/2019

Cloud Security Alliance Announces Decade of Vision Leadership Award Winners

CSA announced the recipients of its Decade of Vision Leadership award, given to the three founding CEOs, who provided the initial startup funding, plus consistent support, mentoring, and evangelism of the CSA mission on a global basis over the last 10 years. The awards were presented at the CSA Summit at RSA Conference.

03/04/2019

Cloud Security Alliance and Internet Security Conference Sign Memorandum of Understanding

As part of the agreement—and at the invitation of the Internet Security Conference (ISC), one of the most insightful high-profile events on network security in Asia-Pacific and worldwide—the CSA will host a CSA Summit co-located with the ISC event in Beijing on Aug. 21-22, 2019. Founded in 2013, the ISC has been successfully held for six years, during which time it has been well recognized, supported and participated in by governments, think tanks, business executives, academia, industry influences and technical elites.


Press Coverage

Analytics Insight | June 22, 2019

Here is the Secret Behind Getting that Cloud Computing Job

Network World | June 21, 2019

Software Defined Perimeter (SDP): The deployment

TechTarget | June 21, 2019

As cloud complexities increase, cybersecurity skills gap worsens

Saudi Gazette | June 20, 2019

Saudi Arabia’s NIC obtains star certification in cloud computing

FedTech Magazine | June 20, 2019

How Federal Agencies Manage Their Risk in the Cloud

Security Boulevard | June 20, 2019

Who’s Responsible for a Cloud Breach? It Depends

Digital Insurance | June 19, 2019

Cloud adoptions are obscuring data visibility, says new study

IDG Connect | June 13, 2019

The Secret CSO: Nils Puhlmann, Twilio

Security Boulevard | June 12, 2019

Poor Cloud Security Practices Put Data at Risk; A Detailed Look at How Hackers Target Employees

Network World | June 12, 2019

Software Defined Perimeter (SDP): Creating a new network perimeter

CSO Online | June 11, 2019

The dirty dozen: 12 top cloud security threats

CRN | June 11, 2019

7 Must-Have Cloud Security Certifications In 2019

Health Data Management | June 06, 2019

HIT Think Security challenges in native cloud, hybrid and multi-cloud environments

CISO MAG | June 06, 2019

With cloud expanding, users need umbrella the most

MeriTalk | June 06, 2019

Study Finds Cloud Still Faces Security Concerns Amid Migrations

Enterprise Security | June 04, 2019

Tips to Improve Cloud Provider’s Security

Trojaner | May 31, 2019

Cloud Security Alliance Study Identifies New and Unique Security Problems in Native, Hybrid and Multi-Cloud Environments

APAC CIO | May 30, 2019

Security and Agility in the Cloud

GovernmentCIO Media | May 28, 2019

Closing the Cyber Workforce Gap by Improving the Pipeline

Security Boulevard | May 28, 2019

Is Third-Party Risk Assessment Getting Better?


Recent Blog Posts

June 24, 2019

How to Improve the Accuracy and Completeness of Cloud Computing Risk Assessments?

By Jim de Haas, cloud security expert, ABN AMRO Bank

This whitepaper aims to draw upon the security challenges in cloud computing environments and suggests a logical approach to dealing with the security aspects in a holistic way by introducing a Cloud Octagon model. This model makes it easier for organizations to identify, represent and […]


June 17, 2019

Will Hybrid Cryptography Protect Us from the Quantum Threat?

By Roberta Faux, Director of Advance Cryptography, BlackHorse Solutions

Our new white paper explains the pros and cons of hybrid cryptography. The CSA Quantum-Safe Security Working Group has produced a new primer on hybrid cryptography. This paper, “Mitigating the Quantum Threat with Hybrid Cryptography,” is aimed at helping non-technical corporate executives understand how to potentially […]


June 10, 2019

CSA Issues Top 20 Critical Controls for Cloud Enterprise Resource Planning Customers

By Victor Chin, Research Analyst, Cloud Security Alliance

Cloud technologies are being increasingly adopted by organizations, regardless of their size, location or industry. And it’s no different when it comes to business-critical applications, typically known as enterprise resource planning (ERP) applications. Most organizations are migrating business-critical applications to a hybrid architecture of ERP applications. To […]


June 6, 2019

Security Spotlight: G Suite User Passwords Stored in Plaintext

By Will Houcheime, Product Marketing Manager, Bitglass

Here are the top cybersecurity stories of recent weeks: G Suite User Passwords Stored in Plaintext Since 2005; Contact Data of Millions of Instagram Influencers Exposed; Rogue Iframe Phishing Used to Steal Payment Card Information; London Commuters to be Tracked Through the Use of Wi-Fi Hotspots; Thousands of […]


May 28, 2019

Roadmap to Earning Your Certificate in Cloud Security Knowledge (CCSK)

By Ryan Bergsma, Training Program Director, Cloud Security Alliance

In this blog we’ll be taking a look at how to earn your Certificate of Cloud Security Knowledge (CCSK), from study materials, to how to prepare, to the details of the exam, including a module breakdown, passing rates, format etc. If you’re considering earning your CCSK, […]


May 23, 2019

What Will Happen If Encryption Used to Protect Data in Corporations Can Be Broken?

By Edward Chiu, Emerging Cybersecurity Technologist, Chevron

While the development of quantum computers is still at a nascent stage, its potential in solving problems not feasible with classical computers draws interest from many industries. On one hand, Volkswagen is researching using quantum computers to help optimize traffic, and researchers at Roche are investigating the use […]


May 22, 2019

Happy Birthday GDPR! – Defending Against Illegitimate Complaints

By John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP, Assurance Investigatory Fellow – Cloud Security Alliance

On May 25th we will celebrate the first birthday of GDPR. Yes, one year ago GDPR was sort of a four-letter word (or acronym if you will). People were in a panic of how they were going to comply and […]


May 21, 2019

New and Unique Security Challenges in Native Cloud, Hybrid and Multi-cloud Environments

By Hillary Baron, Research Analyst, Cloud Security Alliance

CSA’s latest survey, Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multi-Cloud Environments, examines information security concerns in a complex cloud environment. Commissioned by AlgoSec, the survey of 700 IT and security professionals aims to analyze and better understand the state of adoption and security […]


May 20, 2019

Financial Services: Counting on CASBs

By Will Houcheime, Product Marketing Manager, Bitglass

Financial institutions handle a great deal of sensitive data and are highly conscientious of where they store and process it. Nevertheless, they are aware of the many benefits that they can gain by using cloud applications. In order to embrace the cloud’s myriad advantages without compromising the security […]


May 15, 2019

“Collection #1” Data Breach

By Paul Sullivan, Software Engineer, Bitglass

News of the 773 million email data breach that Troy Hunt announced for Have I Been Pwned certainly got a lot of coverage a few months ago. Now that the dust has settled, let’s cut through some of the hype and see what this really means for enterprise security. First, let’s clear […]



Certification

CCSK: Certificate of Cloud Security Knowledge

The Certificate of Cloud Security Knowledge (CCSK) is designed to ensure that a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.


Training

CSA Training

The Cloud Security Alliance offers training in the following three areas: CCSK training, PCI Cloud training, GRC Stack training.


Research Artifacts

Cloud Octagon Model

Approach to assess risk in SaaS cloud computing.

Release Date: 06/24/2019

Mitigating the Quantum Threat with Hybrid Cryptography

This document focuses on four hybrid cryptographic schemes that provide both the classical security of classical cryptography and the quantum security of a quantum-safe system. It also provides background on quantum security and an overview of hybrid schemes.

Release Date: 06/17/2019

Top 20 Critical Controls for Cloud ERP Customers

This document aims to be a guide for assessing and prioritizing the most critical controls that organizations should take into account when trying to secure their business-critical applications in the cloud. The document also contains an overview of cloud ERP security, control details and associated threats and risks.

Release Date: 06/10/2019

Cloud Security Alliance Code of Conduct for GDPR Compliance (Updated - May 2019)

The CSA Code of Conduct is designed to offer both a compliance tool for GDPR compliance and transparency guidelines regarding the level of data protection offered by the Cloud Service Provider.

Release Date: 06/03/2019

PLA Code of Practice Template Annex 1 (Updated - May 2019)

CSA PLA Code of Conduct for GDPR Compliance provides a consistent and comprehensive framework for complying with the EU’s GDPR. The CSA PLA Code of Conduct for GDPR Compliance is designed to be an appendix to a Cloud Services Agreement to describe the level of privacy protection that a Cloud Service Provider will provide.

Note: The current version of the CSA Code of Practice is 3.2 (which replaces 3.1); the updates were made to comply and align with the Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, adopted February 12, 2019.

Release Date: 06/03/2019

Preparing Enterprises for the Quantum Computing Cybersecurity Threats

Quantum computing, while expected to help make many advancements, will also break the existing asymmetric-key cryptosystems, thus endangering our security infrastructure. While it is uncertain whether such a computer will live up to the hype, the emerging cybersecurity threats it brings should be addressed now even though such a machine may not emerge for another decade or so. This document provides an overview of quantum computing, the impact on cryptography, and steps to start preparing for the quantum threat today.

Release Date: 05/23/2019

Cloud Security Complexity

CSA’s latest survey examines information security concerns in complex cloud environments. The survey of 700 IT and security professionals aims to analyze and better understand the state of adoption and security in current hybrid cloud and multi-cloud security environments, including public cloud, private cloud, or use of more than one public cloud platform. Topics covered include:

• Types of cloud platforms in use
• Proportion of workloads actively in the cloud
• New workloads expected to be moved into the cloud
• Anticipated risks and concerns about potential migrations to the cloud
• Challenges managing security after adopting cloud technologies
• Methods for addressing these security challenges
• Challenges related to network or application outages
• Methods for and results of addressing outages and security incidents

Release Date: 05/21/2019

Cloud OS Security Specification

This document builds on the foundation provided by ISO/IEC 17788, ISO/IEC 19941, ISO/IEC 27000, NIST SP 500-299, and NIST SP 800-144 in the context of cloud computing security.

Release Date: 05/07/2019

SDP Architecture Guide v2

The Software Defined Perimeter (SDP) Architecture Guide is designed to leverage proven, standards-based components to stop network attacks against application infrastructure. The architecture guide will help increase awareness and adoption of SDP, improve understanding of how SDP can be used in different environments, and help enterprises successfully deploy SDP solutions based on the architecture recommendations.

Release Date: 05/07/2019

Hybrid Cloud Security Services Charter

This initiative aims to develop a security white paper specifying hybrid cloud security risks and countermeasures, helping users identify and reduce the risks. This initiative proposes to provide hybrid cloud security evaluation suggestions, guiding both users and cloud service providers to choose and provide secure hybrid cloud solutions, and promoting security planning and implementation.

Release Date: 04/25/2019

CAIQ-Lite

CSA and Whistic identified the need for a lighter-weight assessment questionnaire in order to accommodate the shift to cloud procurement models, and to enable cybersecurity professionals to more easily engage with cloud vendors. CAIQ-Lite was developed to meet the demands of an increasingly fast-paced cybersecurity environment where adoption is becoming paramount when selecting a vendor security questionnaire. CAIQ-Lite contains 73 questions compared to the 295 found in the CAIQ, while maintaining representation of 100% of the original 16 control domains present in The Cloud Controls Matrix (CCM) 3.0.1.

Release Date: 03/01/2019

Top Threats to Cloud Computing: Deep Dive

This case study attempts to connect all the dots when it comes to security analysis by using nine anecdotes cited in the Top Threats for its foundation. Each of the nine examples is presented in the form of (1) a reference chart and (2) a detailed narrative. The reference chart’s format provides an attack-style synopsis of the actor, spanning from threats and vulnerabilities to end controls and mitigations. We encourage architects and engineers to use this information as a starting point for their own analysis and comparisons.

Release Date: 08/08/2018

Consensus Assessments Initiative Questionnaire v3.0.1 (9-1-17 Update)

The CAIQ is based upon the CCM and provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance with the Cloud Controls Matrix.

Release Date: 10/12/2017

Cloud Controls Matrix v3.0.1

The CCM is the only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de-facto standard for cloud security assurance and compliance.

Release Date: 10/03/2017

Security Guidance for Critical Areas of Focus in Cloud Computing v4.0

The rise of cloud computing as an ever-evolving technology brings with it a number of opportunities and challenges. With this document, we aim to provide both guidance and inspiration to support business goals while managing and mitigating the risks associated with the adoption of cloud computing technology.

Release Date: 07/26/2017