Security Guidance Working Group

Current Initiatives

No open initiatives at this time.

Introduction to the Security Guidance Working Group

The CSA guidance, currently in its third edition, seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.

CSA Security Guidance Version 3

Document Version | Release Date | Download
Security Guidance 3 | 11/14/2011 | Download (pdf)

CSA Guidance v3 is the third version of the Cloud Security Alliance document, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which was originally released in April 2009.

In a departure from the second version of our guidance, each domain was assigned its own editor and peer reviewed by industry experts. The structure and numbering of the domains align with industry standards and best practices. We encourage the adoption of this guidance as a good operating practice in strategic management of cloud services.

These white papers and their release schedule are located at:

https://cloudsecurityalliance.org/guidance/

In another change from the second version, some domain names have been updated: Domain 3: Legal Issues: Contracts and Electronic Discovery, and Domain 5: Information Management and Data Security. A new domain has also been added, Domain 14: Security as a Service.

Version 3 Acknowledgments

Editors

  • Archie Reed
  • Chris Rezek
  • Paul Simmonds

Domain Authors/Contributors

  • Domain 1: Chris Hoff, Paul Simmonds
  • Domain 2: Marlin Pohlman, Becky Swain, Laura Posey, Bhavesh Bhagat
  • Domain 3: Francoise Gilbert, Pamela Jones Harbour, David Kessler, Sue Ross, Thomas Trappler
  • Domain 4: Marlin Pohlman, Said Tabet
  • Domain 5: Rich Mogull, Jesus Luna
  • Domain 6: Aradhna Chetal, Balaji Ramamoorthy, Jim Peterson, Joe Wallace, Michele Drgon, Tushar Bhavsar
  • Domain 7: Randolph Barr, Ram Kumar, Michael Machado, Marlin Pohlman
  • Domain 8: Liam Lynch
  • Domain 9: Michael Panico, Bernd Grobauer, Carlo Espiritu, Kathleen Moriarty, Lee Newcombe, Dominik Birk, Jeff Reed
  • Domain 10: Aradhna Chetal, Balaji Ramamoorthy, John Kinsella, Josey V. George, Sundararajan N., Devesh Bhatt, Tushar Bhavsar
  • Domain 11: Liam Lynch
  • Domain 12: Paul Simmonds, Andrew Yeomans, Ian Dobson, John Arnold, Adrian Seccombe, Peter Johnson, Shane Tully
  • Domain 13: Dave Asprey, Richard Zhao, Kanchanna Ramasamy Balraj, Abhik Chaudhuri, Melvin M. Rodriguez
  • Domain 14: Jens Laundrup, Marlin Pohlman, Kevin Fielder

Peer Reviewers

Valmiki Mukherjee, Bernd Jaeger, Ulrich Lang, Hassan Takabi, Pw Carey, Xavier Guerin, Troy D. Casey, James Beadel, Anton Chuvakin, Tushar Jain, M S Prasad, Damir Savanovic, Eiji Sasahara, Chad Woolf, Stefan Pettersson, M S Prasad, Nrupak Shah, Kimberley Laris, Henry St. Andre, Jim Peterson, Ariel Litvin, Tatsuya Kamimura, George Ferguson, Andrew Hay, Danielito Vizcayno, K.S. Abhiraj, Liam Lynch, Michael Marks, JP Morgenthal, Amol Godbole, Damu Kuttikrishnan, Rajiv Mishra, Dennis F. Poindexter, Neil Fryer, Andrea Bilobrk, Balaji Ramamoorthy, Damir Savanovic

CSA Staff

  • Executive Director: Jim Reavis
  • Technical Writer/Editor: Amy L. Van Antwerp
  • Graphic Designer: Kendall Scoboria
  • Research Director: J.R. Santos

CSA Security Guidance Version 2

Document Version | Release Date | Download
Security Guidance 2.1 | 12/01/2009 | Download (pdf)

Guidance v2 is the second version of the Cloud Security Alliance document, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which was originally released in April 2009. In a departure from the first version of our guidance, a decision was made to separate the key guidance from the core domain research. Each domain’s core research is being released as its own white paper.

These white papers and their release schedule are located at:

https://cloudsecurityalliance.org/guidance/

In another change from the first version, Domain 3: Legal and Domain 4: Electronic Discovery were combined into a single domain. Additionally, Domain 6: Information Lifecycle Management and Domain 14: Storage were combined into a single domain, renamed Data Lifecycle Management. This has caused a renumbering of our (now 13) domains.

Version 2 Acknowledgments

Editors

  • Glenn Brunette
  • Rich Mogull

Contributors

  • Adrian Seccombe
  • Alex Hutton
  • Alexander Meisel
  • Alexander Windel
  • Anish Mohammed
  • Anthony Licciardi
  • Anton Chuvakin
  • Aradhna Chetal
  • Arthur J. Hedge III
  • Beau Monday
  • Beth Cohen
  • Bikram Barman
  • Brian O’Higgins
  • Carlo Espiritu
  • Christofer Hoff
  • Colin Watson
  • David Jackson
  • David Lingenfelter
  • David Mortman
  • David Sherry
  • David Tyson
  • Dennis Hurst
  • Don Blumenthal
  • Dov Yoran
  • Erick Dahan
  • Erik Peterson
  • Ernie Hayden
  • Francoise Gilbert
  • Geir Arild Engh-Hellesvik
  • Georg Hess
  • Gerhard Eschelbeck
  • Girish Bhat
  • Glenn Brunette
  • Greg Kane
  • Greg Tipps
  • Hadass Harel
  • James Tiller
  • Jean Pawluk
  • Jeff Reich
  • Jeff Spivey
  • Jeffrey Ritter
  • Jens Laundrup
  • Jesus Luna Garcia
  • Jim Arlen
  • Jim Hietala
  • Joe Cupano
  • Joe McDonald
  • Joe Stein
  • Joe Wallace
  • Joel Weise
  • John Arnold
  • Jon Callas
  • Joseph Stein
  • Justin Foster
  • Kathleen Lossau
  • Karen Worstell
  • Lee Newcombe
  • Luis Morales
  • M S Prasad
  • Michael Johnson
  • Michael Reiter
  • Michael Sutton
  • Mike Kavis
  • Nadeem Bukhari
  • Pam Fusco
  • Patrick Sullivan
  • Peter Gregory
  • Peter McLaughlin
  • Philip Cox
  • Ralph Broom
  • Randolph Barr
  • Rich Mogull
  • Richard Austin
  • Richard Zhao
  • Sarabjeet Chugh
  • Scott Giordano
  • Scott Matsumoto
  • Scott Morrison
  • Sean Catlett
  • Sergio Loureiro
  • Shail Khiyara
  • Shawn Chaput
  • Sitaraman Lakshminarayanan
  • Srijith K. Nair
  • Subra Kumaraswamy
  • Tajeshwar Singh
  • Tanya Forsheit
  • Vern Williams
  • Warren Axelrod
  • Wayne Pauley
  • Werner Streitberger
  • Wing Ko
  • Yvonne Wilson

Security Guidance Working Group News

November 16, 2011

Cloud Security Alliance Releases Guidance Version 3

The Cloud Security Alliance (CSA) today unveiled the third version of its Security Guidance for Critical Areas of Focus in Cloud Computing. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.

September 29, 2011

Open Review Period for Guidance V.3: Domains 7 and 14 (Has Begun)

The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 7: Traditional Security, Business Continuity and Disaster Recovery, and Domain 14: Security as a Service.

September 26, 2011

Cloud Security Alliance Issues First Security as a Service White Paper

CSA today announced that the Security as a Service working group has published its first white paper, “Defined Categories of Service 2011”. The purpose of this group’s research is to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices.

September 22, 2011

Open Review Period for Guidance V.3: Domains 4, 8, 9 and 11 (Has Begun)

The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 4: Compliance and Audit, Domain 8: Data Center Operations, Domain 9: Incident Response, Notification, and Remediation, Domain 11: Encryption and Key Management.

September 20, 2011

Open Review Period for Guidance V.3: Domains 2, 3, 5 and 12 (Has Begun)

The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 2: Governance and Enterprise Risk Management, Domain 3: Legal and Electronic Discovery, Domain 5: Information Lifecycle Management, Domain 12: Identity and Access Management.

July 26, 2011

Call for Volunteers for V.3 Guidance Group 2: GRC, Audit, Physical, BCM, DR

The Cloud Security Alliance and Group 2 GRC, Audit, Physical, BCM, DR Leadership team are looking for volunteers to assist with drafting Domain 2, 4 and 7 of version 3 of CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing.

July 21, 2011

Call for volunteers for V.3 Guidance Group 8: Virtualization and Technology Compartmentalization

The Cloud Security Alliance and Group 8 Virtualization and Technology Compartmentalization Leadership are looking for volunteers to assist with drafting Domain 13 of version 3 of CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing.

April 22, 2009

Cloud Security Alliance issues Guidance for Critical Areas of Focus in Cloud Computing

The information security industry is taking on the task of providing guidance to enable secure Cloud Computing with today’s formal launch of the Cloud Security Alliance.

Security Guidance Working Group Videos

No videos currently available.

Security Guidance Working Group Downloads

Cloud Computing for Business

This book is for all these people, and indeed for all executives whose companies are using, or thinking of using, cloud computing.

Release Date: March 02, 2011

Security Guidance Working Group Co-chairs

Rich Mogull

Analyst & CEO, Securosis

Rich has twenty years of experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management.