Latest News


Registration Opens for Cloud Security Alliance Congress EMEA 2019

Registration has opened for the annual CSA Congress EMEA (Berlin, Nov. 18-21, 2019). This multi-day conference will offer cloud security professionals a unique mixture of compelling presentations and topical discussions on research, technical and policy development, practice, requirements and tools related to cloud security, privacy and emerging technologies.


Cloud Security Alliance Releases Cloud Operating System (OS) Security Specification Report

The first international research report to define technical requirements for cloud OS security specifications and to address their importance

SINGAPORE – May 8, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices ...


Cloud Security Alliance Releases Software-Defined Perimeter Architecture Guide

Produced by the Software-Defined Perimeter Working Group, this Software-Defined Perimeter (SDP) Architecture Guide is designed to help enterprises and practitioners learn more about SDP and the economic and technical benefits it can provide, as well as assist users in implementing SDP in their organizations successfully.


Cloud Security Alliance Announces Federal Summit 2019 Speaker Line-up

Former U.S. CIO Vivek Kundra to share his experience leading change across the U.S. government, the world’s largest consumer of information technology

Seattle, WA – April 23, 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising aw...


Cloud Security Alliance Debuts Internet of Things (IoT) Controls Framework and Accompanying Guide

Framework introduces base-level security controls required to mitigate numerous risks associated with IoT systems

SAN FRANCISCO – March 4, 2019 – RSA CONFERENCE 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practic...


Cloud Security Alliance Announces Decade of Vision Leadership Award Winners

CSA announced the recipients of its Decade of Vision Leadership award, given to the three founding CEOs, who provided the initial startup funding, plus consistent support, mentoring, and evangelism of the CSA mission on a global basis over the last 10 years. The awards were presented at the CSA Summit at RSA Conference.


Cloud Security Alliance and Internet Security Conference Sign Memorandum of Understanding

As part of the agreement—and at the invitation of the Internet Security Conference (ISC), one of the most insightful high-profile events on network security in Asia-Pacific and worldwide—the CSA will host a CSA Summit co-located with the ISC event in Beijing on Aug. 21-22, 2019. Founded in 2013, the ISC has been successfully held for six years, during which time it has been well recognized, supported and participated in by governments, think tanks, business executives, academia, industry influences and technical elites.


Cloud Security Alliance Launches STAR Continuous, a Compliance Assessment Program for Cloud Service Providers

Chance to align security validation capabilities with cloud security compliance gives enterprises a competitive edge

SAN FRANCISCO – March 4, 2019 – RSA CONFERENCE 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best pra...


Cloud Security Alliance Debuts the Knowledge Center, a Comprehensive E-Learning Platform

Offers individuals, enterprises high-quality flexible training to complement and enhance knowledge, schedules and budgets

SAN FRANCISCO – March 4, 2019 – RSA CONFERENCE 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of bes...


CSA and Whistic Unveil Streamlined Consensus Assessments Initiative Questionnaire (CAIQ)

The beta version of CAIQ-Lite released today represents every security control domain from the original questionnaire in a shorter, 73-question format. Citing the increased focus on cloud vendor security and the need for organizations worldwide to perform a significantly higher volume of assessments on a growing population of cloud vendors, Whistic and CSA worked together to develop a Lite version that focused more on accessibility and ease of use for both cloud vendors and the enterprises performing the vendor security risk assessments.

Press Coverage

ToolBox Tech | May 21, 2019

Cloud Security Alliance and AlgoSec Study Finds out New and Unique Security Challenges in Cloud

Tech Republic | May 21, 2019

How to improve cloud provider security: 4 tips

Security Boulevard | May 21, 2019

Top 4 cloud security certifications

May 14, 2019

Cloud Security Alliance DC Update: Explore The Boundary of Security & Privacy on 13 June Cruise

AS/COA | May 14, 2019

Interview: A Holistic Approach to Corporate Finance

No Jitter | May 13, 2019

Microsoft Teams’ Superpowers Get More Super

Nextgov | May 08, 2019

Former Federal CIO: Artificial Intelligence Will Change the World

FedScoop | May 07, 2019

GSA floats training program to get ‘FedRAMP way out there’

Tech Wire Asia | May 04, 2019

At ConnecTechAsia2019 Summit from the 18

Health Data Management | May 02, 2019

HIT Think How to overcome 5 significant cloud management challenges

TechTarget | May 02, 2019

The top cloud security challenges are ‘people problems’

Dark Reading | April 26, 2019

How to Build a Cloud Security Model

Security Boulevard | April 19, 2019

DevOps Chat: The Rise of the Cloud-First Architect, with Zscaler’s Chris Hines

CTOVision | April 17, 2019

The Cloud Security Alliance Federal Summit 7 May 2019

Economic Times | April 12, 2019

Bracing for a quantum leap

Business 2 Community | April 09, 2019

7 Companies Who “Get” Security, and What We Can Learn From Them

Security Boulevard | April 09, 2019

Top Cloud Security Steps Every Business Needs to Keep up with the Evolution of Security

Tech Wire Asia | April 02, 2019

Why security concerns shouldn’t halt your move to the cloud

BBN Times | April 01, 2019

How to Secure the Internet of Things

CIO | April 01, 2019

Step 1 to Managing Security: Know Thyself

Recent Blog Posts

May 22, 2019

Happy Birthday GDPR! – Defending Against Illegitimate Complaints

By John DiMaria; CSSBB, HISP, MHISP, AMBCI, CERP, Assurance Investigatory Fellow – Cloud Security Alliance

On May 25th we will celebrate the first birthday of GDPR. Yes, one year ago GDPR was sort of a four-letter word (or acronym if you will). People were in a panic of how they were going to comply and […]

May 21, 2019

New and Unique Security Challenges in Native Cloud, Hybrid and Multi-cloud Environments

By Hillary Barron, Research Analyst, Cloud Security Alliance

CSA’s latest survey, Cloud Security Complexity: Challenges in Managing Security in Hybrid and Multi-Cloud Environments, examines information security concerns in a complex cloud environment. Commissioned by AlgoSec, the survey of 700 IT and security professionals aims to analyze and better understand the state of adoption and security […]

May 20, 2019

Financial Services: Counting on CASBs

By Will Houcheime, Product Marketing Manager, Bitglass

Financial institutions handle a great deal of sensitive data and are highly conscientious of where they store and process it. Nevertheless, they are aware of the many benefits that they can gain by using cloud applications. In order to embrace the cloud’s myriad advantages without compromising the security […]

May 15, 2019

“Collection #1” Data Breach

By Paul Sullivan, Software Engineer, Bitglass

News of the 773 million email data breach that Troy Hunt announced for Have I Been Pwned certainly got a lot of coverage a few months ago. Now that the dust has settled, let’s cut through some of the hype and see what this really means for enterprise security. First, let’s clear […]

May 10, 2019

Survey Says: Almost Half of Cloud Workloads Not Controlled by Privileged Access

By Nate Yocom, Chief Technology Officer, Centrify

For the past few years, Centrify has been using a statistic from Forrester to demonstrate the importance of protecting privileged accounts, which estimates that 80 percent of data breaches involve privileged credentials. This first showed up in The Forrester Wave: Privileged Identity Management report in Q3 2016, and […]

May 2, 2019

AWS Cloud: Proactive Security and Forensic Readiness – Part 5

By Neha Thethi, Information Security Analyst, BH Consulting

Part 5: Incident Response in AWS

In the event your organization suffers a data breach or a security incident, it’s crucial to be prepared and conduct timely investigations. Preparation involves having a plan or playbook at hand, along with pre-provisioned tools to effectively respond to and mitigate the potential […]

April 26, 2019

CSA on This Millennium Alliance Podcast

By Cara Bernstein, Manager/Executive Education Partnerships, The Millennium Alliance

This podcast episode features The Millennium Alliance partner, The Cloud Security Alliance. We sat down with Vince Campitelli, Enterprise Security Specialist, and Jon-Michael C. Brook, Principal, Guide Holdings, LLC, and co-chair of CSA’s Top Threats Working Group, to discuss the work of CSA, the top threats […]

April 19, 2019

The Many Benefits of a Cloud Access Security Broker

By Will Houcheime, Product Marketing Manager, Bitglass

Today, organizations are finding that storing and processing their data in the cloud brings countless benefits. However, without the right tools (such as cloud access security brokers (CASBs)), they can put themselves at risk. Organizations’ IT departments understand how vital cybersecurity is, but must be equipped with modern tools […]

April 16, 2019

CCSK Success Stories: From a Data Privacy Consultant

By the CSA Education Team

This is the fourth part in a blog series on cloud security training, in which we will be interviewing Satishkumar Tadapalli, a certified and seasoned information security and data privacy consultant. Tadapalli has 12+ years of multi-functional IT experience in pre-sales, consulting, risk advisory and business analysis. He has rich […]

April 12, 2019

Prying Eyes Inside the Enterprise: Bitglass’ Insider Threat Report

By Jacob Serpa, Product Marketing Manager, Bitglass

When words like cyberattack are used, they typically conjure up images of malicious, external threats. While hackers, malware, and other outside entities pose a risk to enterprise security, they are not the only threats that need to be remediated. Insider threats, which involve either malicious or careless insiders, are another significant […]


CCSK: Certificate of Cloud Security Knowledge

The Certificate of Cloud Security Knowledge (CCSK) is designed to ensure that a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.


CSA Training

The Cloud Security Alliance offers training in the following three areas: CCSK training, PCI Cloud training, GRC Stack training.

Research Artifacts

Cloud Security Complexity

CSA’s latest survey examines information security concerns in a complex cloud environment. The survey of 700 IT and security professionals aims to analyze and better understand the state of adoption and security in current hybrid cloud and multi-cloud security environments, including public cloud, private cloud, or use of more than one public cloud platform. Topics covered include:

• Types of cloud platforms in use
• Proportion of workloads actively in the cloud
• New workloads expected to be moved into the cloud
• Anticipated risks and concerns about potential migrations to the cloud
• Challenges managing security after adopting cloud technologies
• Methods for addressing these security challenges
• Challenges related to network or application outages
• Methods for and results of addressing outages and security incidents

Release Date: 05/21/2019

Cloud OS Security Specification

This document builds on the foundation provided by ISO/IEC 17788, ISO/IEC 19941, ISO/IEC 27000, NIST SP 500-299, and NIST SP 800-144 in the context of cloud computing security.

Release Date: 05/07/2019

SDP Architecture Guide v2

Network security architectures, tools, and platforms are falling far short of meeting the challenges presented by today’s threat landscape. Whether you’re reading the headlines in mainstream media, working day-to-day as a network defender, or are a security vendor, it’s clear that our commercial enterprises, governmental organizations, and critical infrastructures are unable to successfully contend with the ongoing and persistent attacks from a wide variety of attackers.

Release Date: 05/07/2019

Hybrid Cloud Security Services Charter

This initiative aims to develop a security white paper specifying hybrid cloud security risks and countermeasures, helping users identify and reduce the risks. This initiative proposes to provide hybrid cloud security evaluation suggestions, guiding both users and cloud service providers to choose and provide secure hybrid cloud solutions, and promoting security planning and implementation.

Release Date: 04/25/2019

Open Certification Framework Working Group Charter

The CSA Open Certification Framework (OCF) is an industry initiative to allow global, trusted independent evaluation of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification and/or attestation according to the Cloud Security Alliance’s industry leading security guidance and control framework.

Release Date: 04/25/2019

Cloud Key Management Charter

The Cloud Key Management Working Group will facilitate the standards for seamless integration between CSPs and Key Broker vendor platforms. It will ensure that enterprise key policies are standardized and implemented in a consistent manner, and that standardization will take place across key management lifecycle operations and a common set of APIs.

Release Date: 04/09/2019

SecaaS Working Group Charter

In order to improve understanding, perception, and thus reputation, Security as a Service requires a clear definition and direction to ensure it is understood and to improve the adoption across industry sectors. This will ensure the market has a clear understanding of what SecaaS is, what it means, the services encompassed and how they can be implemented.

Release Date: 04/09/2019

Blockchain Demo

Blockchain Demo - Kurt Seifried, Chief Blockchain Officer, Cloud Security Alliance

Release Date: 03/05/2019

Lessons From the Cloud

Lessons from the Cloud - David Cass, Chief Information Security Officer Cloud and SaaS Operations & Global Partner Cloud Security Services, IBM

Release Date: 03/05/2019

Finally! Cloud Security for Unmanaged Devices…for All Apps

Finally! Cloud Security for Unmanaged Devices…for All Apps - Nico Popp, Senior Vice President Information Protection, Symantec

Release Date: 03/05/2019


CSA and Whistic identified the need for a lighter-weight assessment questionnaire in order to accommodate the shift to cloud procurement models, and to enable cybersecurity professionals to more easily engage with cloud vendors. CAIQ-Lite was developed to meet the demands of an increasingly fast-paced cybersecurity environment where adoption is becoming paramount when selecting a vendor security questionnaire. CAIQ-Lite contains 73 questions compared to the 295 found in the CAIQ, while maintaining representation of 100% of the original 16 control domains present in The Cloud Controls Matrix (CCM) 3.0.1.

Release Date: 03/01/2019

Top Threats to Cloud Computing: Deep Dive

This case study attempts to connect all the dots when it comes to security analysis by using nine anecdotes cited in the Top Threats for its foundation. Each of the nine examples is presented in the form of (1) a reference chart and (2) a detailed narrative. The reference chart’s format provides an attack-style synopsis of the actor, spanning from threats and vulnerabilities to end controls and mitigations. We encourage architects and engineers to use this information as a starting point for their own analysis and comparisons.

Release Date: 08/08/2018

Cloud Security Alliance Code of Conduct for GDPR Compliance

The CSA Code of Conduct is designed to offer both a compliance tool for GDPR compliance and transparency guidelines regarding the level of data protection offered by the Cloud Service Provider.

Release Date: 07/10/2018

Consensus Assessments Initiative Questionnaire v3.0.1 (9-1-17 Update)

Description: The CAIQ is based upon the CCM and provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix.

Release Date: 10/12/2017

Cloud Controls Matrix v3.0.1

Description: The CCM is the only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de-facto standard for cloud security assurance and compliance.

Release Date: 10/03/2017

Security Guidance for Critical Areas of Focus in Cloud Computing v4.0

The rise of cloud computing as an ever-evolving technology brings with it a number of opportunities and challenges. With this document, we aim to provide both guidance and inspiration to support business goals while managing and mitigating the risks associated with the adoption of cloud computing technology.

Release Date: 07/26/2017