Security Guidance Working Group
Introduction to the Security Guidance Working Group
CSA Security Guidance for Critical Areas of Focus in Cloud Computing seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable roadmap to managers wanting to adopt the cloud paradigm safely and securely. Domains are reviewed to emphasize security, stability, and privacy in a multi-tenant environment.
Make a Difference and Contribute to CSA Guidance V.4
CSA Security Guidance Version 3
Security Guidance Version 3.0 incorporates the highly dynamic nature of IT and new developments within other CSA research projects, tying various CSA activities into one comprehensive C-level best practice. Security Guidance v3.0 will serve as the gateway to emerging standards being developed in the world’s standards organizations and is designed to serve as an executive-level primer to any organization seeking a secure, stable transition to hosting their business operations in the cloud.
| Security Guidance | 3 | 11/14/2011 | Download (pdf) |
CSA Guidance v3 is the third version of the Cloud Security Alliance document, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which was originally released in April 2009.
In a departure from the second version of our guidance, each domain was assigned its own editor and peer reviewed by industry experts. The structure and numbering of the domains align with industry standards and best practices. We encourage the adoption of this guidance as a good operating practice in strategic management of cloud services.
These white papers and their release schedule are located at:
In another change from the second version, some domain names have been updated: Domain 3: Legal Issues: Contracts and Electronic Discovery, and Domain 5: Information Management and Data Security. We have also added another domain, Domain 14: Security as a Service.
Version 3 Acknowledgments
- Archie Reed
- Chris Rezek
- Paul Simmonds
- Domain 1: Chris Hoff, Paul Simmonds
- Domain 2: Marlin Pohlman, Becky Swain, Laura Posey, Bhavesh Bhagat
- Domain 3: Francoise Gilbert, Pamela Jones Harbour, David Kessler, Sue Ross, Thomas Trappler
- Domain 4: Marlin Pohlman, Said Tabet
- Domain 5: Rich Mogull, Jesus Luna
- Domain 6: Aradhna Chetal, Balaji Ramamoorthy, Jim Peterson, Joe Wallace, Michele Drgon, Tushar Bhavsar
- Domain 7: Randolph Barr, Ram Kumar, Michael Machado, Marlin Pohlman
- Domain 8: Liam Lynch
- Domain 9: Michael Panico, Bernd Grobauer, Carlo Espiritu, Kathleen Moriarty, Lee Newcombe, Dominik Birk, Jeff Reed
- Domain 10: Aradhna Chetal, Balaji Ramamoorthy, John Kinsella, Josey V. George, Sundararajan N., Devesh Bhatt, Tushar Bhavsar
- Domain 11: Liam Lynch
- Domain 12: Paul Simmonds, Andrew Yeomans, Ian Dobson, John Arnold, Adrian Secombe, Peter Johnson, Shane Tully
- Domain 13: Dave Asprey, Richard Zhao, Kanchanna Ramasamy Balraj, Abhik Chaudhuri, Melvin M. Rodriguez
- Domain 14: Jens Laundrup, Marlin Pohlman, Kevin Fielder
Valmiki Mukherjee, Bernd Jaeger, Ulrich Lang, Hassan Takabi, Pw Carey, Xavier Guerin, Troy D. Casey, James Beadel, Anton Chuvakin, Tushar Jain, M S Prasad, Damir Savanovic, Eiji Sasahara, Chad Woolf, Stefan Pettersson, M S Prasad, Nrupak Shah, Kimberley Laris, Henry St. Andre, Jim Peterson, Ariel Litvin, Tatsuya Kamimura, George Ferguson, Andrew Hay, Danielito Vizcayno, K.S. Abhiraj, Liam Lynch, Michael Marks, JP Morgenthal, Amol Godbole, Damu Kuttikrishnan, Rajiv Mishra, Dennis F. Poindexter, Neil Fryer, Andrea Bilobrk, Balaji Ramamoorthy, Damir Savanovic
- Executive Director: Jim Reavis
- Technical Writer/Editor: Amy L. Van Antwerp
- Graphic Designer: Kendall Scoboria
- Research Director: J.R. Santos
Security Guidance Working Group Leadership
Security Guidance Co-chairs
Rich has twenty years of experience in information security, physical security, and risk management. He specializes in data security, application security, emerging security technologies, and security management.
Security Guidance Working Group Initiatives
Open Peer Reviews
| Initiative Details | Date Opened |
|---|---|
| Description: Definition of data/information governance. Ensuring use of data and information complies with organizational requirements, including regulatory, contractual, and organizational requirements and objectives. | December 14, 2016 |
| Description: Organizations face new challenges as they migrate from traditional data centers to the cloud. Delivering, measuring, and communicating compliance with a multitude of regulations across multiple jurisdictions is one of the largest challenges. Customers and providers alike need to understand and appreciate the differences and implications on existing compliance and audit standards, processes, and practices. The distributed and virtualized nature of cloud requires significant framework adjustment from approaches based on definite and physical instantiations of information and processes. | December 10, 2016 |
| Description: This domain provides the conceptual framework for the rest of the Cloud Security Alliance’s guidance. It describes and defines cloud computing, sets our baseline terminology, and details the overall logical and architectural frameworks used in the rest of the document. | December 09, 2016 |
There are no working drafts at this time.
Security Guidance Working Group News
December 21, 2016
Closing Date: Jan 13th, 2017. The Cloud Security Alliance would like to invite you to review and comment on 12 Domains of the CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing. This document acts as a practical, actionable roadmap to individuals looking to safely and securely adopt the cloud paradigm. This is…
November 04, 2015
The Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing seeks to establish a stable, secure baseline for cloud operations. It acts as a practical, actionable roadmap to individuals looking to safely and securely adopt the cloud paradigm. Since its last revision in 2011, the cloud landscape, tools and technologies have…
November 16, 2011
The Cloud Security Alliance (CSA) today unveiled the third version of its Security Guidance for Critical Areas of Focus in Cloud Computing. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.
September 29, 2011
The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 7: Traditional Security, Business Continuity and Disaster Recovery, and Domain 14: Security as a Service.
September 26, 2011
CSA today announced that the Security as a Service working group has published its first white paper, “Defined Categories of Service 2011”. The purpose of this group’s research is to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices.
September 22, 2011
The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 4: Compliance and Audit, Domain 8: Data Center Operations, Domain 9: Incident Response, Notification, and Remediation, Domain 11: Encryption and Key Management.
September 20, 2011
The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 2: Governance and Enterprise Risk Management, Domain 3: Legal and Electronic Discovery, Domain 5: Information Lifecycle Management, Domain 12: Identity and Access Management.
July 26, 2011
The Cloud Security Alliance and Group 2 GRC, Audit, Physical, BCM, DR Leadership team are looking for volunteers to assist with drafting Domain 2, 4 and 7 of version 3 of CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing.
July 21, 2011
The Cloud Security Alliance and Group 8 Virtualization and Technology Compartmentalization Leadership are looking for volunteers to assist with drafting Domain 13 of version 3 of CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing.
April 22, 2009
The information security industry is taking on the task of providing guidance to enable secure Cloud Computing with today’s formal launch of the Cloud Security Alliance.
Security Guidance Working Group Downloads
The CSA guidance as it enters its third edition seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.
Release Date: November 14, 2011
This book is for all these people, and indeed for all executives whose companies are using, or thinking of using, cloud computing.
Release Date: March 02, 2011
Release Date: December 02, 2009