Downloads

AOSSL and CCM Technote

Release Date: December 18, 2014

Quantum-Safe Security Working Group Charter

Charter outlining the purpose and operations of the Quantum-Safe Security Working Group.

Release Date: December 12, 2014

Privacy Level Agreement Europe, v.2

An updated PLA for Europe.

Release Date: December 04, 2014

Big Data Taxonomy

A research document outlining the six dimensions of big data to help decision makers navigate the myriad choices in compute and storage infrastructures as well as data analytics techniques, and security and privacy frameworks.

Release Date: September 18, 2014

Data Protection Heat Index Survey Report

Release Date: September 12, 2014

STAR Overview PDF

The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world.

Release Date: July 18, 2014

Consensus Assessments Initiative Questionnaire v3.0.1

Realigns the CAIQ questions to CCM v3.0.1 control domains and the Cloud Security Alliance “Security Guidance for Critical Areas of Focus in Cloud Computing V3.0”.

Release Date: July 11, 2014

Cloud Controls Matrix v3.0.1

New and updated mappings, consolidation of redundant controls, rewritten controls for clarity of intent, STAR enablement, and SDO alignment.

Release Date: July 11, 2014

Big Data, Big Concerns, and What the White House Wants to Do about It

Big data tools offer astonishing and powerful opportunities to unlock previously inaccessible insights from new and existing data sets. Large amounts of data are being processed through new techniques and technologies, dissecting the digital footprints individuals leave behind, and revealing a surprising number of personal details.

Release Date: May 29, 2014

STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

There are a number of control areas on the CCM that will each be awarded a management capability score on a scale of 1-15. This 2nd version release includes alignment with the CCM v1.4 and v3.X.

Release Date: May 16, 2014

Guidelines for CPAs Providing CSA STAR Attestation

This document provides guidance for CPAs in conducting a STAR Attestation.

Release Date: May 15, 2014

SDP Specification v1.0

This document outlines a Cloud Security Alliance (CSA) initiated protocol for the Software Defined Perimeter specification, and requests discussion and suggestions for improvements.

Release Date: April 30, 2014

SDP Hackathon Whitepaper

The CSA SDP Hackathon challenged hackers to attack a server defended by a software defined perimeter. Of the billions of packets fired at the server, not one attacker penetrated even the first layer of security. The whitepaper outlines how this is possible.

Release Date: April 17, 2014

Comment on Big Data and the Future of Privacy

Responses to questions on the relationship between big data and public policy, government, technology trends, and policy frameworks.

Release Date: April 09, 2014

Research Lifecycle

A step-by-step guide to producing and distributing research artifacts. From inspiration and conception to publication and distribution, it covers the process for research projects and their typical timeframes. The Research Lifecycle is a tool that provides a framework for the life of a research artifact.

Release Date: March 19, 2014

The Future of Security

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

Release Date: February 25, 2014

The Future of Security: Executive Summary

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

Release Date: February 25, 2014

SAFEcode/CSA: Practices for Secure Development of Cloud Applications

SAFECode and CSA partnered to determine whether additional software security guidance was needed to address threats unique to cloud computing and, if so, to identify specific security practices in the context of the identified threats.

Release Date: December 04, 2013

Anti-Bot Working Group Charter

Release Date: December 04, 2013

Software Defined Perimeter

This document explains the software defined perimeter (SDP) security framework and how it can be deployed to protect application infrastructure from network-based attacks. The SDP incorporates security standards from organizations such as the National Institute of Standards and Technology (NIST) as well as security concepts from organizations such as the U.S. Department of Defense (DoD) into an integrated framework.

Release Date: December 01, 2013

Net+ Initiative CCM v.3 Candidate Mappings

A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.

Release Date: December 01, 2013

CCM v3.0 Info Sheet

Release Date: October 07, 2013

Cloud Controls Matrix v3.0

Cloud Controls Matrix (CCM) Version 3.0 is a comprehensive update to the industry’s gold standard for assessing cloud-centric information security risks.

Release Date: September 26, 2013

Big Data Analytics for Security Intelligence

Release Date: September 24, 2013

Publicizing Your STAR Certification

The following guidelines will help you to apply good practice in publicizing, communicating and promoting your certification to stakeholders, including staff, customers and business partners, and to the general public.

Release Date: September 03, 2013

Requirements for Bodies Providing STAR Certification

This document outlines how to conduct STAR certification assessments against the Cloud Controls Matrix (CCM) as part of an ISO 27001 assessment.

Release Date: September 03, 2013

Government Access to Information Survey Results

The survey received almost 500 responses from CSA members around the world. It found that 56% of non-US residents were now less likely to use US-based cloud providers, in light of recent revelations about government access to customer information.

Release Date: July 23, 2013

Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing

The purpose of this document is to survey the issues related to forensic investigation in cloud environments, to describe the international standards for cloud forensics, and to summarize the current integration of cloud forensic requirements into service level agreements (SLAs).

Release Date: June 26, 2013

Expanded Top Ten Big Data Security and Privacy Challenges

Big Data remains one of the most talked about technology trends in 2013. But lost among all the excitement about the potential of Big Data are the very real security and privacy challenges that threaten to slow this momentum.

Release Date: June 16, 2013

Cloud Computing Vulnerability Incidents: A Statistical Overview

In an attempt to ascertain Cloud Computing reliability, 11,491 news articles on cloud computing-related outages from 39 news sources between Jan 2008 and Feb 2012 – effectively covering the first five years of cloud computing – were reviewed.

Release Date: May 31, 2013

Planning for E-Discovery in the Cloud

Release Date: May 21, 2013

Cloud Computing: What Damages in Case of Outages

Service interruptions are inevitable regardless of whether the cloud service provider is a small company or a large company. When a cloud service goes down, users lose access to their data; they may also be deprived of the processing capabilities that are provided as part of the cloud offering.

Release Date: May 21, 2013

Small Business Working Group Charter

This working group will focus on providing tailored guidance to small business, will cooperate with other working groups where appropriate, and will help cloud providers understand small business requirements.

Release Date: April 04, 2013

Cloud Controls Matrix v1.4

Release Date: March 08, 2013

GRC Stack

Release Date: March 08, 2013

Enterprise Architecture v2.0

The Enterprise Architecture is both a methodology and a set of tools that enable security architects, enterprise architects and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.

Release Date: February 25, 2013

CSA Position Paper on AICPA Service Organization Control Reports

The Cloud Security Alliance (CSA) has drafted the CSA Position Paper on AICPA Service Organization Control Reports as a means to educate its members and provide guidance on selecting the most appropriate reporting standard.

Release Date: February 25, 2013

Privacy Level Agreement (PLA) Outline Annex

Release Date: February 24, 2013

Privacy Level Agreement (PLA) Outline for the Sale of Cloud Services in the European Union

The Outline provides a structure for Cloud Service Providers (CSPs) to disclose, in a consistent manner, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store on the CSP’s servers.

Release Date: February 24, 2013

The Notorious Nine: Cloud Computing Top Threats in 2013

Providing organizations with up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies.

Release Date: February 24, 2013

Article 29 Working Party Cloud Computing Opinion: A Blow to Safe Harbor

The Article 29 Data Protection Working Party—which includes representatives of the data protection authorities of each of the European Union member states—recently issued an opinion on cloud computing that could impact U.S. cloud providers.

Release Date: February 22, 2013

What Rules Apply to Government Access to Data Held by US Cloud Service Providers

An overview of the rules that regulate government access to data held by US cloud service providers.

Release Date: February 22, 2013

Security Guidance for Critical Areas of Mobile Computing

Mobile devices empower employees to do what they need to do — whenever and wherever. People can work and collaborate “in the field” with customers, partners, patients or students and each other. But they need to be supported with always current operational processes and information, whether from apps, the Internet, or documents from other people.

Release Date: November 08, 2012

Top Ten Big Data Security and Privacy Challenges

In this paper, we highlight the top ten big data specific security and privacy challenges. We interviewed Cloud Security Alliance members and surveyed security practitioner-oriented trade journals to draft an initial list of high-priority security and privacy problems, studied published research, and arrived at the following top ten challenges…

Release Date: November 07, 2012

CSA Congress 2012 Big Data Overview

Crystallization of best practices for security and privacy in big data.

Release Date: November 06, 2012

SecaaS Category 7 // Security Information and Event Management Implementation Guidance

This document provides guidance on how to evaluate, architect, and deploy cloud-based SIEM services to both enterprise and cloud-based networks, infrastructure and applications.

Release Date: October 29, 2012

SecaaS Category 9 // BCDR Implementation Guidance

When using the cloud for operational processes and/or production systems, an organization’s BC/DR requirements must be included in their procurement, planning, design, management, and monitoring of their cloud environments and cloud service providers.

Release Date: October 08, 2012

SecaaS Category 8 // Encryption Implementation Guidance

Encryption is a primary data (and application) protection technique. For encryption to be useful, encryption keys must be properly managed and protected. This document covers both the encryption and key management topics.

Release Date: October 08, 2012

SecaaS Category 6 // Intrusion Management Implementation Guidance

Because of the limited market maturity and lack of widely accepted best practices, this document provides implementation guidelines for cloud-based intrusion management services of multiple flavors—in the cloud, through the cloud, or from the cloud—focusing on the basic tenets of service and architecture rather than on specific solutions.

Release Date: October 08, 2012

SecaaS Category 5 // Security Assessments Implementation Guidance

There are many choices for an assessment framework standard and there is no “one size fits all” solution for security assessments. One could reasonably expect that as cloud technology and governance evolves, a much smaller subset will emerge with a cloud focus.

Release Date: October 08, 2012

SecaaS Category 4 // Email Security Implementation Guidance

Due to its ubiquitous use, electronic mail is both the prime target of, and primary vehicle for, attacks, and must be protected on both ends: sending and receiving. Email service is a well defined utility in the enterprise, and securing email in the cloud is similar to securing email in the enterprise. Email Security as a Service (SecaaS) has a few unique aspects, but most responses entail differences of degree, rather than instituting new methods of security.

Release Date: October 08, 2012

SecaaS Category 3 // Web Security Implementation Guidance

The vendor and academic community have come together to form a set of solutions called Security as a Service. This document specifically addresses one element focused on Web Security as a Service (Web SecaaS).

Release Date: October 08, 2012

SecaaS Category 2 // Data Loss Prevention Implementation Guidance

DLP must be considered an essential element for achieving an effective information security strategy for protecting data as it moves to, resides in and departs from the cloud. DLP has two facets: one as viewed from the owner’s perspective and one as viewed from the custodian’s perspective.

Release Date: October 08, 2012

SecaaS Category 10 // Network Security Implementation Guidance

In a cloud environment, a major part of network security is likely to be provided by virtual security devices and services, alongside traditional physical network devices. Tight integration with the underlying cloud software layer to ensure full visibility of all traffic on the virtual network layer is important.

Release Date: October 08, 2012

Mobile Top Threats

Release Date: October 04, 2012

CSA/ISACA Cloud Market Maturity Study Results

A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify any changes in the market.

Release Date: September 27, 2012

SecaaS Category 1 // Identity and Access Management Implementation Guidance

This document addresses personnel involved in the identification and implementation of the IAM solution in the cloud. It will be of particular interest to those with the responsibility of designing, implementing and integrating the consumption of services of the IAM function within any cloud application of SecaaS.

Release Date: September 26, 2012

Mobile Device Management: Key Components

Release Date: September 20, 2012

Cloud Controls Matrix v1.3

Release Date: September 20, 2012

OCF Vision Statement

The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.

Release Date: August 17, 2012

Big Data Working Group Charter

The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems.

Release Date: May 04, 2012

Innovation Initiative Overview Powerpoint

Release Date: February 24, 2012

Innovation Initiative Charter

Release Date: February 24, 2012

Mobile Working Group Charter

Release Date: February 21, 2012

CSA Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery

This domain highlights some of the legal aspects raised by cloud computing. It provides general background on legal issues that can be raised by moving data to the cloud, some issues for consideration in a cloud services agreement, and the special issues presented by electronic discovery under Western litigation.

Release Date: November 14, 2011

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

The CSA guidance as it enters its third edition seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.

Release Date: November 14, 2011

Enterprise Architecture Mapping V1.9

Release Date: November 09, 2011

Enterprise Architecture Model V1.1

Release Date: October 26, 2011

Defined Categories of Service 2011

Release Date: October 26, 2011

GRC Stack Courseware

Release Date: October 10, 2011

Consensus Assessments Initiative Questionnaire v1.1

The questionnaire is organized using the 13 CSA governing and operating domains, divided into “control areas” within the structure of CSA’s Cloud Controls Matrix.

Release Date: September 01, 2011

CloudTrust Protocol Information Overview Powerpoint

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: September 01, 2011

Cloud Controls Matrix v1.2

Release Date: August 26, 2011

CCAQIS Survey v1.2

The purpose of this survey is to capture the current state of data governance and data security capabilities offered by leading cloud service providers in the industry. The results of this survey will be aggregated and used for guidance and research conducted by CSA and its affiliates.

Release Date: August 01, 2011

CSA V3 Guideline: Book Excerpts

Culture‐free, one‐size‐fits‐all English is usually the most efficient way to speak to a large, heterogeneous audience of E2s. In contrast, there are times when our English materials are intended for E2s in a small number of specific countries. In these cases, it might make good business sense to produce more than one English version, sensitive to the first language of the readers.

Release Date: July 02, 2011

CloudTrust Protocol Information Overview

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: June 01, 2011

GRC Stack Training Document

Release Date: March 06, 2011

Cloud Computing for Business

This book is for all these people, and indeed for all executives whose companies are using, or thinking of using, cloud computing.

Release Date: March 02, 2011

CloudCERT Report to CSA Summit 2011

Release Date: February 14, 2011

Cloud Controls Matrix V1.1

Release Date: December 17, 2010

Cloud Controls Matrix V1.01

Release Date: October 20, 2010

A Precis for the CloudTrust Protocol (V2.0)

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: September 01, 2010

Cloud Controls Matrix V1.0

Release Date: April 27, 2010