Research

Working Groups

The CSA maintains Working Groups across 33 domains of Cloud Security.

Big Data Working Group

The Big Data Working Group (BDWG) will be identifying scalable techniques for data-centric security and privacy problems. BDWG’s investigation is expected to lead to crystallization of best practices for security and privacy in big data, help industry and government on adoption of best practices, establish liaisons with other organizations in order to coordinate the development…


Cloud Controls Matrix Working Group

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned…


Cloud Data Center Security Working Group

Cloud data centers are critical infrastructure for cloud computing, so their security measures must be reviewed. The Cloud Data Center Security working group aims to develop and maintain a research portfolio providing capabilities to assist the cloud provider industry in enhancing their data centers’ security, such as through infrastructure security and…


Cloud Data Governance Working Group

The mission of this group is to design a universal set of principles and map these to emerging technologies and techniques for ensuring the privacy, confidentiality, availability, integrity and security of data across private and public clouds.

Working Group Scope and Responsibilities

Propose a data governance framework to ensure the privacy, availability, integrity and overall…


Cloud Vulnerabilities Working Group

Founded by the CSA APAC region in May 2013, the CSA Cloud Vulnerabilities Working Group is a global working group chartered to conduct research in the area of cloud computing vulnerabilities, with the goals of understanding and educating on the classification and exact causes of cloud computing vulnerabilities, recommendations and best practices for the reduction of top…


CloudAudit Working Group

The goal of CloudAudit is to provide a common interface and namespace that allows enterprises who are interested in streamlining their audit processes (cloud or otherwise) as well as cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of…


CloudCISC Working Group

Member Access to CloudCISC Exchange

CSA corporate members receive 2 free seats for the CloudCISC threat intelligence exchange. Please go to https://www.csa-cloudcisc.org/ to request access.

The Mandate

Organizations are increasingly overwhelmed by information security attacks with huge consequences in financial, legal and reputational damage. Malicious actors collaborate with skill and agility, effectively moving from target…


CloudTrust Working Group

We want to improve trust in the cloud through transparency and assurance. A trusted cloud is defined as a cloud service or Cloud Service Provider (CSP) that implements standards of governance, management, and security while also meeting a minimum set of requirements aimed at increasing the confidence of Cloud Service Customers (CSCs). Tactical implementation of…


CloudTrust Protocol Working Group

The CloudTrust Protocol (CTP) is the mechanism by which cloud service consumers (also known as “cloud users” or “cloud service owners”) ask for and receive information about the elements of transparency as applied to cloud service providers. The primary purpose of the CTP and the elements of transparency is to generate evidence-based confidence that everything…


Consensus Assessments Working Group

Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS,…


Containers and Microservices Working Group

The mission of the CSA Application Containers and Microservices working group is to conduct research on the security of application containers and microservices and publish guidance and best practices for the secure use of application containers and microservices.


Enterprise Architecture Working Group

The Enterprise Architecture helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices. The Enterprise Architecture Working Group will develop reference models and education in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate. The Enterprise Architecture is both a methodology and a set…


Financial Services Stakeholder Platform Working Group

Membership

Eligible members are:

  • CSA enterprise customer corporate members operating in the financial institution (FI) sector

  • CSA solution provider corporate members (Cloud Service Providers); additional fees apply, for more info contact [email protected]

  • financial services regulators / supervisory authority / central banks (Regulators), and for the CSA Enterprise Customer Members operating in the financial sectors.…


Health Information Management Working Group

The Health Information Management Working Group (HIWG) within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries. The efforts are jointly executed…


Incident Management and Forensics Working Group

The Incident Management and Forensics Working Group serves as a focal point for the examination of incident handling and forensics in cloud environments. We seek to develop best practices that consider the legal, technical, and procedural elements involved in responding in a forensically sound way to security incidents in the cloud.


Innovation Working Group

The CSA Innovation Working Group was created to foster secure innovation in information technology. Our mission is to:

  • Identify key structural issues related to trust and security that will inhibit the adoption of next generation information technology.

  • Articulate the guiding principles and objectives that IT innovators must address.

  • Help innovators incubate technology solutions that align…


Internet of Things Working Group

ITU-T Y.2060 defines the IoT as a “global infrastructure for the information society, enabling advanced services by interconnecting (physical and virtual) things based on existing and evolving interoperable information and communication technologies.” ITU-T Y.2060 also defines a device in the context of the IoT, as a “piece of equipment with the mandatory capabilities of communication…


Legal Working Group

Confusion about legal issues is one of the biggest issues facing both cloud providers and cloud customers. Laws regarding government access to data vary in respective countries. Laws governing privacy protections for citizens and cross-border export of data also differ according to jurisdiction. There is also a great deal of hype and misinformation around specific…


Mobile Working Group

Mobile computing is experiencing tremendous growth and adoption, while the devices are gaining significant power and dynamic capabilities. Personally owned mobile devices are increasingly being used to access employers’ systems and cloud-hosted data - both via browser-based and native mobile applications. Clouds of mobile devices are likely to be common. The CSA Mobile working group…


Open API Working Group

Enterprises are moving towards an IT model in which most business applications are delivered as Software as a Service (SaaS) from Cloud Service Providers (CSPs). The emerging tools and products used to secure these business applications and their use cases are categorized as Cloud Access Security Brokers (CASB) by leading analysts. The goal of the Cloud Security…


Open Certification Working Group

The CSA Open Certification Working Group is an industry initiative to allow global, accredited, trusted certification of cloud providers. The CSA Open Certification Working Group is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives. The program will integrate with popular…


Privacy Level Agreement Working Group

Privacy is one of the top concerns for potential cloud customers. Both Cloud Service Providers (CSPs) and potential users struggle with different data protection legislation across the globe, where the inconsistencies between national legislations represent a significant barrier to a broad adoption of cloud computing. Moreover, privacy compliance has become a fundamental evaluation criterion when…


Quantum-safe Security Working Group

Modern encryption methods are composed of two parts: a symmetric algorithm that encrypts or decrypts our data with a random, secret key, and a method of sharing that secret key between the parties. The symmetric algorithm itself (AES-256) appears safe, at least for the next 20 to 30 years, based on our current knowledge of cryptographic attacks; a large quantum computer running Grover’s algorithm would at best roughly halve its effective key length, which is why the 256-bit variant rather than AES-128 is the reference point.…


SaaS Governance Working Group

Security and privacy are the primary concerns for organizations considering SaaS adoption, and recent research indicates that 77% of SaaS-adopting organizations have experienced SaaS-specific security incidents. SaaS services account for the bulk of the cloud industry market, and any security incident could critically impact cloud customers. SaaS services present unique risks to their cloud customers:…


Security as a Service Working Group

The mission statement of the Cloud Security Alliance is ". . . to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing." In order to provide greater focus on the second part of our…


Security Guidance Working Group

CSA Security Guidance for Critical Areas of Focus in Cloud Computing seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable roadmap to managers wanting to adopt the cloud paradigm safely and securely. Domains are reviewed to emphasize security, stability, and privacy in a multi-tenant environment. Make a Difference…


Software Defined Perimeter Working Group

With the adoption of cloud services, the threat of network attacks against application infrastructure increases, since servers cannot be protected with traditional perimeter defense techniques. The Software Defined Perimeter (SDP) Working Group is a research working group that was established in 2013 with the goal of developing a solution to stop network attacks against application infrastructure.…
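The SDP model rests on an authenticate-before-connect principle: the gateway drops every packet by default and opens a port for a client only after a single, cryptographically authenticated request packet (single-packet authorization, SPA) arrives, so an unauthenticated scanner sees nothing to attack. The following is an added illustration of that gateway check, not code from the CSA SDP specification or from any SDP product; the JSON packet layout, the per-client pre-shared keys, the 30-second freshness window and the in-memory nonce cache are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical per-client pre-shared keys. In an SDP deployment these would be
# provisioned by the controller after onboarding; here they are constructed.
CLIENT_KEYS = {
    "client-A": b"\x01" * 32,
    "client-B": b"\x02" * 32,
}

WINDOW_SECONDS = 30  # assumed tolerance for clock skew and delivery delay


def build_spa_packet(client_id, key, dst_port, now=None):
    """Client side: one authenticated packet requesting access to dst_port."""
    body = {
        "client": client_id,
        "port": dst_port,
        "ts": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(8),
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag  # hex tag contains no '.', so the split is unambiguous


class SpaGateway:
    """Gateway side: default-deny. A (client, port) pair is opened only after a
    packet with a valid MAC, a fresh timestamp and an unseen nonce arrives."""

    def __init__(self, keys, window=WINDOW_SECONDS):
        self.keys = keys
        self.window = window
        self.seen_nonces = {}  # nonce -> time first seen, for replay detection
        self.allowed = set()   # (client_id, port) pairs currently opened

    def handle_packet(self, packet, now=None):
        now = int(now if now is not None else time.time())
        self._expire_nonces(now)
        try:
            payload, tag = packet.rsplit(b".", 1)
            body = json.loads(payload)
            key = self.keys[body["client"]]
        except (ValueError, KeyError, TypeError):
            return "drop:malformed-or-unknown-client"
        # Verify the MAC before trusting any field; constant-time comparison.
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "drop:bad-mac"
        if abs(now - int(body["ts"])) > self.window:
            return "drop:stale"
        if body["nonce"] in self.seen_nonces:
            return "drop:replay"
        self.seen_nonces[body["nonce"]] = now
        self.allowed.add((body["client"], int(body["port"])))
        return "allow"

    def is_allowed(self, client_id, port):
        """What the packet filter would consult before admitting a connection."""
        return (client_id, port) in self.allowed

    def _expire_nonces(self, now):
        # A nonce older than twice the window would already fail the freshness
        # check, so it no longer needs to be remembered.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= 2 * self.window}
```

Every failure path returns a drop and sends nothing back, which is the point of SDP: an attacker without the key cannot tell a closed port from a gated one. In a real gateway the allow decision would program a firewall rule with a short lifetime instead of populating an in-memory set, and the client would follow the SPA packet with a mutually authenticated TLS connection.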


Telecom Working Group

The Telecom Working Group within the Cloud Security Alliance (CSA) has been designated to provide direct influence on how to deliver secure cloud solutions and foster cloud awareness within all aspects of Telecommunications. The efforts are jointly executed by CSA Global, Telecom cloud communities (i.e. focus groups, associations, research institutes, forums, academia), Solution Providers and…


Top Threats Working Group

At an unprecedented pace, cloud computing has simultaneously transformed business and government, and created new security challenges. The development of the cloud service model delivers business-supporting technology more efficiently than ever before. The shift from traditional client/server to service-based models is transforming the way technology departments think about, design, and deliver computing technology and applications.…


Virtualization Working Group

Virtualization is a critical part of cloud computing. Virtualization provides an important layer of abstraction from physical hardware, enabling the elasticity and resource pooling commonly associated with cloud. Virtualized operating systems are the backbone of Infrastructure as a Service (IaaS). The CSA Security Guidance for Critical Areas of Focus in Cloud Computing focused exclusively on…


EMEA Research Projects

The CSA EMEA research team is involved in 9 publicly funded projects.

A4Cloud Project

The Cloud Accountability Project (or A4Cloud for short) focuses on the Accountability For Cloud and Other Future Internet Services as the most critical prerequisite for effective governance and control of corporate and private data processed by cloud-based IT services. The research being conducted in the project will increase trust in cloud computing by devising methods and tools, through which cloud stakeholders can be made accountable for the privacy and confidentiality of information held in the cloud. These methods and tools will combine risk analysis, policy enforcement, monitoring and compliance auditing. They will contribute to the governance of cloud activities, providing transparency and assisting legal, regulatory and socio-economic policy enforcement.


CIRRUS Project

The Certification, Internationalisation and Standardisation in Cloud Security (CIRRUS) project aims to provide “high-level, high-impact” support and coordination for European ICT security research projects. Project activities target joint standardisation, certification schemes, linking research projects with EU policy and strategy, internationalisation, as well as industry best practices and public-private cooperation initiatives. The contribution of the CIRRUS project focuses on the cloud security standardisation and certification efforts, both within the EU and at an international level, with the goals of supporting on-going research projects and coordinating a dialogue that will lead to a convergence of such efforts.


CloudWatch Project

CloudWatch draws on key issues, disseminates best practices on model contract terms, fosters a multi-stakeholder dialogue and facilitates the emergence and use of standard contracts, thereby raising awareness of the benefits of cloud computing among major stakeholder groups: enterprises, especially SMEs; governments and public authorities; research and education institutions.


CloudWatch 2 Project

One of the objectives of the Digital Single Market Strategy is creating long-term growth potential. Europe needs a digital market that allows new business models to flourish, start-ups to grow and industry to innovate and compete on a global scale. The European Commission’s programme for Software, Services and Cloud gives companies and research institutions the freedom to innovate technically in cloud computing. This is how European research and innovation initiatives bring continuous improvements and deliver services and solutions with increasing value for the digital single market. CloudWatch 2 provides a set of services to help European R&I initiatives capture the value proposition and business case as key to boosting the European economy.


CUMULUS Project

The CUMULUS framework brings service users, service providers and cloud suppliers together with certification authorities in order to ensure security certificate validity in the ever-changing cloud environment.


Helix Nebula Project

Helix Nebula was a new, pioneering partnership between big science and big business in Europe that is charting the course towards the sustainable provision of cloud computing - the Science Cloud.


PICSE Project

The growth in cloud services is exploding, but procurement contracting has not kept up the pace. As a result, most people required to write cloud contracts for their organization have encountered many issues. The opportunity for cloud service providers on the supply side is widely recognised and this can potentially have enormous impact on the delivery of services across the public sector. However, procurement in the public sector is bound by procedures and is not tailored to the dynamic, on-demand and elastic nature of cloud services. There is therefore a need to focus on new ways of procuring cloud-based services.


SLAReady Project

SLA-Ready aims to provide common understanding of Service Level Agreements (SLAs) for Cloud services with greater standardisation and transparency so firms can make an informed decision on what services to use, what to expect and what to trust. SLA-Ready services will support SMEs with practical guides, and a social marketplace, encouraging them to carefully plan their journey and make it strategic through an informed, stepping-stone approach, so the Cloud and applications grow with their business.


SPECS Project

The Secure Provisioning of Cloud Services based on SLA Management (SPECS) project aims at developing and implementing an open source framework to offer Security-as-a-Service, by relying on the notion of security parameters specified in Service Level Agreements (SLA), and also providing the techniques to systematically manage their life-cycle. Providing comprehensible and enforceable security assurance by Cloud Service Providers (CSP) is a critical factor to deploy trustworthy Cloud ecosystems.


APAC Research Projects

The CSA APAC research team is involved in 1 publicly funded project.

STRATUS Project

STRATUS is a six-year, NZ$12.2 million cyber security project funded by the Ministry of Business, Innovation, and Employment. Led by the University of Waikato, the consortium that was awarded the funding includes CSA; the work began in November 2014. STRATUS, an acronym for Security Technologies Returning Accountability, Transparency and User-centric Services in the Cloud, is an ambitious project that intends to create a suite of novel security tools, techniques and capabilities that will return control of data to cloud computing users. More importantly, it aims to put the New Zealand ICT industry onto the world map by capitalizing on the global trend in cloud computing, cybersecurity and data analytics.


Initiatives open for contribution (initiative, details, date opened)

ERP Security Working Group Charter

February 09, 2017

CCM – Shared Assessments (AUP/SIG) Mapping

February 09, 2017

Guidance v4 – Domain 14: Related Technologies

January 18, 2017

Guidance v4 – Domain 08: Virtualization and Containers

January 18, 2017

Cloud Security Services Management Working Group Charter

January 13, 2017

Cloud Component Specifications Working Group Charter

January 13, 2017

Mobile Working Group Security Guidance for Critical Areas of Mobile Computing

January 12, 2017

SDP Specification v2.0

With increased awareness and demand for SDP solutions, the specification document will be updated to include the latest best practices, new architectures, and applications of SDP.

December 22, 2016

Guidance v4 – Domain 12: Identity, Entitlement, and Access Management

Description: This section of the guidance is for Security, Identity and IT teams who want to deploy strong identity systems for SaaS, PaaS and IaaS Cloud environments.

December 14, 2016

Guidance v4 – Domain 13: Security as a Service

Description: Security as a Service (SecaaS) providers offer security capabilities as a cloud service. These offerings are typically SaaS or PaaS, and the category is not limited to dedicated SecaaS providers; it can include packaged security features from general-purpose cloud providers.

December 14, 2016

Guidance v4 – Domain 10: Application Security

Description: This section of the guidance is for software development and IT teams who want to securely build and deploy applications in cloud computing environments, specifically PaaS and IaaS. It covers how application security differs in the cloud, reviews secure software development basics and how they change in the cloud, and shows how to leverage cloud capabilities for more secure cloud applications.

December 14, 2016

Guidance v4 – Domain 05: Data Governance

Description: Defines data/information governance: ensuring that the use of data and information complies with organizational requirements, including regulatory, contractual, and organizational requirements and objectives.

December 14, 2016

Guidance v4 – Domain 07: Infrastructure Security

Description: Core cloud infrastructure security, including networking, workload security, and hybrid cloud considerations. This domain also includes security fundamentals for private clouds.

December 14, 2016

Guidance v4 – Domain 02: Governance and Enterprise Risk Management

Description: Governance and risk management are incredibly large topics. This guidance will focus on how they change in cloud computing, and is not and should not be considered a primer or comprehensive exploration of those topics outside of cloud.

December 14, 2016

Guidance v4 – Domain 11: Data Security and Encryption

Description: Data security is the enforcement of data governance.

  • It must take a risk-based approach; it is not appropriate to secure everything equally.

  • It must account for the cloud provider’s security controls and trust. Cloud security is a shared responsibility, and you lose the economic benefits if you don’t understand or trust the cloud provider.

  • The focus is on implementing controls that are either outside the cloud provider’s domain, or that you need, after a risk assessment, as additional security to manage a provider risk. For example, encrypting everything in SaaS because you don’t trust that provider at all likely means you shouldn’t be using it in the first place.

December 12, 2016

Guidance v4 – Domain 06: Management Plane and Business Continuity

Description: The importance of the management plane (metastructure).

  • The management plane is the single most significant security difference between traditional infrastructure and cloud computing.

  • We always have a management plane, but cloud abstracts and centralizes administrative management of resources. Instead of controlling a data center configuration with boxes and wires, it is now controlled with API calls and web consoles.

  • Thus gaining access to the management plane is like gaining unfettered access to your data center, unless you put the proper security controls in place.
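Because the management plane is reached through API calls and web consoles, the matching control is to log every call and check it against policy: state-changing calls require MFA and must originate from a trusted network, and the root or owner account is not used for routine work. The detection pass below is an added example, not from the guidance; the event records are constructed and simplified, modeled loosely on cloud audit-log events, and the field names, trusted network ranges and action-name prefixes are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of management-plane API calls (not real audit logs); the
# field names are assumptions modeled loosely on cloud audit-log events.
SAMPLE_EVENTS = [
    {"time": "2016-12-11T10:00:00Z", "principal": "alice-admin", "action": "CreateUser",
     "mfa": True,  "src_ip": "10.0.0.5"},
    {"time": "2016-12-11T10:01:00Z", "principal": "svc-backup",  "action": "ListBuckets",
     "mfa": False, "src_ip": "10.0.0.9"},
    {"time": "2016-12-11T10:02:00Z", "principal": "dev-jane",    "action": "DeleteSecurityGroup",
     "mfa": False, "src_ip": "10.0.0.7"},
    {"time": "2016-12-11T10:03:00Z", "principal": "alice-admin", "action": "AttachRolePolicy",
     "mfa": True,  "src_ip": "203.0.113.8"},
    {"time": "2016-12-11T10:04:00Z", "principal": "root",        "action": "DescribeInstances",
     "mfa": True,  "src_ip": "10.0.0.5"},
]

# Assumed policy parameters for the example.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]  # e.g. corporate/VPN egress
MUTATING_PREFIXES = ("Create", "Delete", "Attach", "Detach", "Put", "Update", "Modify")


def is_mutating(action):
    """Treat any call whose name starts with a write verb as changing state."""
    return action.startswith(MUTATING_PREFIXES)


def findings_for(event, trusted=TRUSTED_NETWORKS):
    """Policy checks for one management-plane call; returns the violations it triggers."""
    findings = []
    mutating = is_mutating(event["action"])
    if mutating and not event["mfa"]:
        findings.append("mutating-call-without-mfa")
    if mutating and not any(ip_address(event["src_ip"]) in net for net in trusted):
        findings.append("mutating-call-from-untrusted-network")
    if event["principal"] == "root":
        # Root/owner credentials bypass IAM policy; routine use is itself a finding.
        findings.append("root-account-used")
    return findings


def scan(events, trusted=TRUSTED_NETWORKS):
    """Run the checks over a batch of events and keep only those with violations."""
    report = []
    for event in events:
        hits = findings_for(event, trusted)
        if hits:
            report.append({"time": event["time"], "principal": event["principal"],
                           "action": event["action"], "findings": hits})
    return report


if __name__ == "__main__":
    for item in scan(SAMPLE_EVENTS):
        print(item["time"], item["principal"], item["action"], ", ".join(item["findings"]))
```

Read-only calls without MFA pass this policy; whether that is acceptable is the kind of risk-based decision the data security domain describes, and the prefix list is deliberately conservative (an unlisted write verb is missed, so it should be derived from the provider’s full action catalogue rather than maintained by hand).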

December 11, 2016

Guidance v4 – Domain 04: Compliance and Audit Management

Description: Organizations face new challenges as they migrate from traditional data centers to the cloud. Delivering, measuring, and communicating compliance with a multitude of regulations across multiple jurisdictions is one of the largest challenges. Customers and providers alike need to understand and appreciate the differences and implications on existing compliance and audit standards, processes, and practices. The distributed and virtualized nature of cloud requires significant framework adjustment from approaches based on definite and physical instantiations of information and processes.

December 10, 2016

Guidance v4 – Domain 01: Cloud Computing Concepts and Architectures

Description: This domain provides the conceptual framework for the rest of the Cloud Security Alliance’s guidance. It describes and defines cloud computing, sets our baseline terminology, and details the overall logical and architectural frameworks used in the rest of the document.

December 09, 2016

Guidance v4 – Domain 09: Incident Response

Description:
Incident Response (IR) is a critical facet of any information security program. Preventive security controls have proven unable to completely eliminate the possibility of a compromise of critical data. Most organizations have some sort of IR plan to govern how they will investigate an attack, but with the distinct differences in both access to forensic data and governance in the cloud, organizations must consider how their IR processes will change.

December 08, 2016

Guidance v4 – Domain 03: Legal Issues, Contracts and Electronic Discovery

Description:
This domain highlights some of the legal aspects raised by cloud computing. It provides a general background on legal issues that can be raised by moving data to the cloud, some issues for consideration in a cloud services agreement, and the special issues presented by electronic discovery in litigation.

December 08, 2016

Top Threats to Cloud Computing Update 2016-2017

December 04, 2016

Defined Categories of Security as a Service – Continuous Monitoring as a Service

February 03, 2016

Financial Services Working Group Charter

October 12, 2015

Open API Working Group Charter

October 12, 2015

Health Information Management Working Group Charter

October 12, 2015

CloudCISC Working Group Charter

October 06, 2015

Cloud Data Governance Working Group Charter

October 06, 2015

Open API Charter

June 08, 2015

Security Guidance for Critical Areas of Focus in Cloud Computing v3.0

May 26, 2015

BYOD – Legal Analysis & Practical TIPs

March 30, 2015

Privacy Level Agreement Version 2

November 18, 2014

Cloud Broker Working Group Proposed Charter

The CSA Cloud Broker Working Group will address the above challenges through intelligent market outreach, aligning brokers with cloud governance best practices, documenting use cases, identifying standards requirements, and creating other innovative research artifacts.

July 21, 2014

SLA Guidance

A Service Level Agreement (SLA) is a key component of any cloud service agreement, and the concept, at first glance, appears easy to understand: a commitment to performance on the part of the Cloud Service Provider (CSP) to the Cloud Service User (CSU). The reality is that while the concept is simple, its application, enforcement and monitoring are not.

February 28, 2014

Next Generation SIEM

The capabilities of today’s modern SIEM infrastructures have already changed compared with the traditional SIEMs that enterprises deployed 5 years ago (extended functions such as compliance monitoring, broader input from additional event sources, different ways to store and access data, and less complexity to set up and operate). But the evolution is ongoing, and there is a broad discussion about what next generation SIEM technology should be able to deliver and how. While cloud environments may introduce more complexity (virtualization layer, distributed infrastructure, federated applications, …) and are thus harder for a SIEM to monitor, at the same time cloud technology and SecaaS-based SIEM services create new opportunities for enterprises, and the cloud can help in storing and processing the increasing amount of data captured by SIEMs.

July 03, 2013