Research Artifacts

Mobile Application Security Testing Initiative Charter

Mobile applications are becoming an integral part not just of modern enterprises but of daily life, and a large part of this shift is due to the emergence of cloud computing. The Mobile Application Security Testing initiative aims to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that help introduce quality control and compliance into mobile application development and management.

Release Date: 02/16/2015
Cloud Adoption Practices & Priorities

The benefits for enterprises moving to the cloud are clear: greater business agility, data availability, collaboration, and cost savings. The cloud is also changing how companies consume technology. Employees are more empowered than ever before to find and use cloud applications, often with limited or no involvement from the IT department, creating what’s called “shadow IT.” Despite the benefits of cloud computing, companies face numerous challenges including the security and compliance of corporate data, managing employee-led cloud usage, and even the development of necessary skills needed in the cloud era. By understanding the cloud adoption practices and potential risks, companies can better position themselves to be successful in their transition to the cloud.

In the 2014 Cloud Adoption Practices and Priorities (CAPP) survey, the Cloud Security Alliance sought to understand how IT organizations approach procurement and security for cloud services and how they perceive and manage employee-led cloud adoption. We asked IT and security professionals for their views on “shadow IT,” obstacles preventing cloud adoption, types of cloud services requested and blocked, security priorities, and governance practices. We uncovered stark differences between how companies in North America and Europe approach the cloud, and even how large enterprises differ from their smaller counterparts. As more IT departments look to play a greater role in enabling the safe adoption of cloud services, we hope these findings can provide some guidance.

Release Date: 01/09/2015
Big Data Taxonomy

A research document outlining the six dimensions of big data to help decision makers navigate the myriad choices in compute and storage infrastructures as well as data analytics techniques, and security and privacy frameworks.

Release Date: 09/18/2014
Cloud Usage: Risks and Opportunities

This survey was circulated to over 165 IT and security professionals in the U.S. and around the globe representing a variety of industry verticals and enterprise sizes. The goal was to understand their perception of how their enterprises are using cloud apps, what kind of data are moving to and through those apps, and what that means in terms of risks.

Beyond raising awareness around cloud service risk, the findings of this survey are intended to provide usage intelligence that helps IT, security, and business decision-makers take action in their organizations – from consolidating and standardizing on the most secure and enterprise-ready cloud services, to knowing what policies will have the most impact, to understanding where to focus when educating users.

Release Date: 09/15/2014
Data Protection Heat Index

The Cloud Security Alliance surveyed a select group of global data privacy experts with the intention to measure attitudes towards data protection areas that tie into technology solutions which enable the exchange of information across the cloud.

Release Date: 09/12/2014
Cloud Controls Matrix v3.0.1 (July 2014)

New and updated mappings, consolidation of redundant controls, rewritten controls for clarity of intent, STAR enablement, and SDO alignment.

Release Date: 07/11/2014
Big Data, Big Concerns, and What the White House Wants to Do about It

Big data tools offer astonishing and powerful opportunities to unlock previously inaccessible insights from new and existing data sets. Large amounts of data are being processed through new techniques and technologies, dissecting the digital footprints individuals leave behind, and revealing a surprising number of personal details.

Release Date: 05/29/2014
STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

Each control area of the CCM is awarded a management capability score on a scale of 1 to 15. This second version release includes alignment with CCM v1.4 and v3.X.

Release Date: 05/16/2014
Guidelines for CPAs Providing CSA STAR Attestation

This document provides guidance for CPAs in conducting a STAR Attestation.

Release Date: 05/15/2014
SDP Specification v1.0

This document outlines the protocol for the Software Defined Perimeter specification, initiated by the Cloud Security Alliance (CSA), and requests discussion and suggestions for improvements.

Release Date: 04/30/2014
SDP Hackathon Whitepaper

The CSA SDP Hackathon challenged hackers to attack a server defended by a software defined perimeter. Of the billions of packets fired at the server, not one attacker penetrated even the first layer of security. The whitepaper outlines how this is possible.
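The first layer the hackathon's attackers could not cross is, in the SDP model, a default-drop host that responds only to a cryptographically authorized packet (single packet authorization, SPA); every other packet is discarded silently, so scanners and brute-forcers get no reply to work with. The code below is an added illustration written for this page, not code from the whitepaper or from the CSA specification. Its packet layout (4-byte client id, 8-byte counter, HMAC-SHA256 tag), the client id 42 and the pre-shared keys are assumptions made for the demo; the spec's exact field sizes and key handling differ.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo keys (assumption: a real SDP controller provisions a
# per-client secret out of band; these values are made up for the example).
CLIENT_KEYS = {
    42: b"constructed-demo-secret-for-client-42",
}

# Assumed wire layout for this illustration (not the spec's exact field sizes):
#   client_id : 4 bytes, big-endian
#   counter   : 8 bytes, big-endian, strictly increasing per client
#   tag       : 32 bytes, HMAC-SHA256(key, client_id || counter)
HEADER = struct.Struct("!IQ")
TAG_LEN = hashlib.sha256().digest_size
PACKET_LEN = HEADER.size + TAG_LEN


def build_spa(client_id: int, counter: int, key: bytes) -> bytes:
    """Client side: the single authorization packet sent before any connection."""
    header = HEADER.pack(client_id, counter)
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return header + tag


class SpaGate:
    """Accepting host: default-deny. Anything that is not a fresh, correctly
    authenticated SPA packet is dropped without a reply, so a scanner sees
    no RST, no ICMP and no banner."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # per-client high-water mark for replay rejection

    def accept(self, packet: bytes) -> bool:
        if len(packet) != PACKET_LEN:
            return False  # noise, port scans, malformed data
        header, tag = packet[:HEADER.size], packet[HEADER.size:]
        client_id, counter = HEADER.unpack(header)
        key = self.keys.get(client_id)
        if key is None:
            return False  # unknown client id
        expected = hmac.new(key, header, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered packet
        if counter <= self.last_counter.get(client_id, -1):
            return False  # replayed or stale packet
        self.last_counter[client_id] = counter
        return True


def demo() -> dict:
    """Run the gate against constructed traffic and return each outcome by name."""
    gate = SpaGate(CLIENT_KEYS)
    good = build_spa(42, 1, CLIENT_KEYS[42])
    tampered = bytearray(good)
    tampered[11] ^= 0x01  # flip a bit of the counter but keep the original tag
    return {
        "random_scan_packet": gate.accept(os.urandom(PACKET_LEN)),
        "short_probe": gate.accept(b"GET / HTTP/1.0\r\n\r\n"),
        "unknown_client": gate.accept(build_spa(7, 1, b"wrong-key")),
        "tampered": gate.accept(bytes(tampered)),
        "valid": gate.accept(good),
        "replay": gate.accept(good),
        "next_valid": gate.accept(build_spa(42, 2, CLIENT_KEYS[42])),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:20s} -> {'ACCEPT' if accepted else 'DROP'}")
```

The point to take from the demo is that the gate never distinguishes its failure cases to the sender: a random packet, an HTTP probe, an unknown client, a forgery and a replay all produce the same silent drop, which is why the hackathon's traffic volume bought the attackers nothing.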

Release Date: 04/17/2014
Comment on Big Data and the Future of Privacy

Responses to questions on the relationship between big data and public policy, government, technology trends, and policy frameworks.

Release Date: 04/09/2014
Research Lifecycle

A step-by-step guide to producing and distributing research artifacts. From inspiration and conception to publication and distribution, it covers the process for research projects and their typical timeframes. The Research Lifecycle is a tool that provides a framework for the life of a research artifact.

Release Date: 03/19/2014
The Future of Security

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

Release Date: 02/25/2014
The Future of Security: Executive Summary

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

Release Date: 02/25/2014
SAFEcode/CSA: Practices for Secure Development of Cloud Applications

SAFECode and CSA partnered to determine whether additional software security guidance was needed to address threats unique to cloud computing and, if so, to identify specific security practices in the context of the identified threats.

Release Date: 12/04/2013
Software Defined Perimeter

This document explains the software defined perimeter (SDP) security framework and how it can be deployed to protect application infrastructure from network-based attacks. The SDP incorporates security standards from organizations such as the National Institute of Standards and Technology (NIST) as well as security concepts from organizations such as the U.S. Department of Defense (DoD) into an integrated framework.

Release Date: 12/01/2013
Net+ Initiative CCM v.3 Candidate Mappings

A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.

Release Date: 12/01/2013