Research Artifacts

Security Position Paper - Network Function Virtualization

This white paper discusses some of the potential security issues and concerns, and offers guidance for securing a Network Function Virtualization (NFV) based architecture, in which security services are provisioned in the form of Virtual Network Functions (VNFs).

Release Date: 02/29/2016

State of Cloud Security 2016

Cloud computing is an incredible innovation. While at its heart a simple concept, the packaging of compute resources as an on-demand service is having a fundamental impact on information technology with far-reaching consequences. Cloud is disrupting most industries in a rapid fashion and is becoming the back end for all other forms of computing, such as mobile, the Internet of Things and future technologies not yet conceived. As governments, businesses and consumers move to adopt cloud computing en masse, the stakes could not be higher to gain assurance that cloud is a safe, secure, transparent, and trusted platform.

This paper seeks to view the cloud computing industry through the lens of the enterprise information security practitioner. By articulating the state of cloud security from this viewpoint, we can better understand the gaps and solutions we must advocate for and help cloud providers better understand the needs of their consumers.

Release Date: 02/27/2016

Consensus Assessments Initiative Questionnaire v3.0.1 (12-5-16 Update)

Realigns the CAIQ questions to the CCM v3.0.1 control domains and the Cloud Security Alliance "Security Guidance for Critical Areas of Focus in Cloud Computing V3.0".

Release Date: 02/01/2016

The Cloud Balancing Act for IT: Between Promise and Peril

Cloud adoption does not have to mean opening up your organization to increased security risks and threats if the right policies are in place. That’s what the findings from a new Cloud Security Alliance (CSA) survey, titled The Cloud Balancing Act for IT: Between Promise and Peril, indicated when it surveyed executives and IT managers worldwide. Security professionals reported receiving, on average, 10.6 requests each month for new cloud services. Perhaps that’s why 71.2% of companies now have a formal process for users to request new cloud services.

The Cloud Balancing Act for IT Survey Report includes responses from more than 200 IT and security professionals varying in company size and industries from the Americas, EMEA and APAC regions. Sponsored by Skyhigh Networks, the survey covers several topics ranging from the need to hire CISOs to help curb the likelihood of cyber threats to just how much of the business IT is willing to hand over to cloud services from their legacy on-premises solutions.

Release Date: 01/13/2016

CloudTrust Protocol Prototype Source Code

The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.

The source code implements a CTP server that acts as a gateway between cloud customers and cloud providers:

  • A cloud provider can push security measurements to the CTP server.
  • A cloud customer can query the CTP server with the CTP API to access these measurements.

The source code is available on GitHub.

Release Date: 12/10/2015

International Standardization Council Policies & Procedures

In today’s technological environment, standards play a critical role in product development and market competitiveness. Every input, behavior, and action has both a contributory and a potential legal consequence. These procedures help protect the International Standardization Council (ISC or Council) participants and the CSA by establishing the necessary framework for a sound process.

Release Date: 10/15/2015

CloudTrust Protocol Data Model and API

The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust. This document focuses on the definition of the CTP Data Model and Application Programming Interface (API).

Release Date: 10/09/2015

What is Quantum Key Distribution?

The security of Quantum Key Distribution (QKD) relies on fundamental laws of nature, which are invulnerable to increasing computational power, new attack algorithms or quantum computers. It is secure against arbitrarily powerful eavesdroppers.

Release Date: 08/05/2015

Cloud Computing Market Maturity

This white paper reports the results of a recent study conducted by ISACA and the Cloud Security Alliance to examine cloud market maturity through four lenses: cloud use and satisfaction level, expected growth, cloud-adoption drivers, and limitations to cloud adoption.

Release Date: 07/15/2015

Security Considerations for Private vs. Public Clouds

The Cloud Security Alliance teamed up with Palo Alto Networks to produce this white paper. A public cloud deployment is one in which a cloud’s entire infrastructure is owned, operated and physically housed by an independent Cloud Service Provider. A private cloud deployment is one in which a cloud’s entire infrastructure is owned, operated and physically housed by the tenant business itself, generally managed by its own IT infrastructure organization.

Release Date: 06/15/2015

The Mandate for Meaningful Cyber Incident Sharing for the Cloud

New and increasingly significant cybersecurity breaches are reported practically every day. For most companies, it is no longer a matter of whether they will be attacked, but rather how long ago they were attacked. Enterprises and cloud providers alike need to understand the types of incidents that peers and technology partners are experiencing so that they can better protect themselves and their customers.

Release Date: 06/13/2015

Privacy Level Agreement - Version 2

PLA [V2] is intended to be used as an appendix to a Cloud Services Agreement and to describe the level of privacy protection that the CSP will provide. While Service Level Agreements (“SLAs”) are generally used to provide metrics and other information on the performance of the services, PLAs address information privacy and personal data protection practices.

Release Date: 06/02/2015

SME Cloud Security

This 2015 Hong Kong Small and Medium-sized Enterprises (SME) Cloud Adoption, Security and Privacy Readiness Survey was conducted by the Internet Society Hong Kong and the Cloud Security Alliance Hong Kong and Macau Chapter, who commissioned the Hong Kong Productivity Council (Council) to carry out telephone interviews with SMEs (fewer than 100 employees) in Hong Kong. The process was carried out over the course of three weeks and reviewed data from the Census and Statistics Bureau. The Council successfully collected 168 responses for the survey. The research covered major industry sectors in Hong Kong. The survey questionnaire was developed based on the Cloud Security Alliance Cloud Controls Matrix and international standards, with questions adapted to local conditions. The survey was sponsored by Microsoft Hong Kong.

Release Date: 06/01/2015

STAR Overview PDF

The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world.

Release Date: 04/20/2015

Cloud Adoption In The Financial Services Sector

We circulated the “How Cloud is Being Used in the Financial Sector” survey to IT and security professionals in financial services institutions. The goal was to further the discussion on these topics:

  • Describe your company’s approach to cloud computing.
  • Describe your private cloud policy.
  • What is your corporate risk assessment to cloud computing?
  • What features would you require from cloud providers?

And finally…

  • What is your primary reason for adopting cloud computing?

Beyond raising awareness around cloud service adoption, the findings of the survey provide insight into how decision makers in the financial services industry take action in their organizations – from consolidating and standardizing on the most secure cloud services, to knowing which policies to apply to mitigate risks, to understanding where to focus when educating users.

Release Date: 03/05/2015