Transitioning to the Cloud in 2022: Recommended Resources from CSA

How can your organization improve how it approaches the cloud? In this blog we put together a list of research created by the Cloud Security Alliance’s working groups and other resources created by our community that will be helpful to you if you are considering transitioning your organization to the cloud, or are in the middle of migrating services to the cloud.

1. First make sure you understand best practices for securing data in the cloud regardless of the vendor

Cloud security best practices

CSA Cloud Security Guidance for Cloud Computing v4.0: This is the first research publication from CSA you should read as it outlines everything you need to know about cloud computing including: why it’s important, how it works, and best practices for staying secure. It will give you an overview of what you don’t yet know about cloud computing and how security changes in the cloud, as well as give you a good foundation to build on as you delve into more specific cloud security issues. This will help you understand the big picture and how all the pieces fit together.

How to securely design, deploy and operate a secure cloud service

Guideline on Effectively Managing Security: provides easy-to-understand guidance for cloud customers on how to design, deploy, and operate a secure cloud service with respect to different cloud service models. There are some standards and best practices, providing useful guidance to cloud customers from different aspects and these are helpful references. While the shared security responsibility model is well recognized, there are many cloud security standards developed for CSPs, but for the cloud customer it is still difficult, this document is meant to help fill that gap.

2. Learn best practices for IAM, data loss prevention, intrusion management and other security services

Securely implementing Identity and Access Management in the cloud

SecaaS Category 1 // Identity and Access Management: This document addresses personnel involved in the identification and implementation of the IAM solution in the cloud. It will be of particular interest to those with the responsibility of designing, implementing and integrating the consumption of services of the IAM function within any cloud application of SecaaS

Data loss prevention in the cloud

SecaaS Category 2 // Data Loss Prevention: Data loss prevention must be considered an essential element for achieving an effective information security strategy for protecting data as it moves to, resides in and departs from the cloud.

Guidelines for cloud-based intrusion management service in the cloud

SecaaS Category 6 // Intrusion Management: Because of the limited market maturity and lack of widely accepted best practices, this document provides implementation guidelines for cloud-based intrusion management service of multiple flavors—in the cloud, through the cloud, or from the cloud—focusing on the basic tenets of service and architecture rather than solutions.

You can download all of CSA’s Security as a Service Implementation Guidance documents here.

3. Know how to assess the level of security offered by a cloud service provider

After you’ve gotten the broader picture we recommend that you understand how to assess risk, since this will impact who you choose as your cloud vendor, and if you’re a cloud vendor it will help you understand the criteria enterprises are using to select a secure provider.

A framework for assessing the risk of SaaS companies

Cloud Octagon Model: The Cloud Octagon Model stems from an approach conceptualized and implemented by the Cloud Security Group within the Technology & Engineering department, Corporate Information Security Office (CISO), ABN AMRO Bank NV (Netherlands). It counts such aspects as procurement, IT governance, architecture, development and engineering, service providers, risk processes, data classification, and country. The model provides practical guidance and structure to all involved risk parties in order to keep pace with rapid changes in privacy and data protection laws and regulations, and changes in technology and its security implications.

Security assessment questionnaire for vendors

Consensus Assessment Initiative Questionnaire (CAIQ) v3.1: The CAIQ is a spreadsheet of Yes or No questions you can use to ask a cloud service provider to ascertain their compliance to the Cloud Controls Matrix (CCM).

Refer to CSA’s registry of cloud service providers when selecting a vendor

As a critical step toward securing the digital foundation of our economy, we recommend that businesses reduce their reliance on proprietary, in-house security assessment programs related to cloud computing. Instead, organizations can leverage the CSA’s Security, Trust & Assurance Registry (STAR) program and its associated assurance tools (CAIQ, CCM, GDPR Code of Conduct) as core components of vetting and procuring cloud providers and services. We believe this emphasis on consistent, uniform cloud security standards will increase the security baseline for all participants in our economy.