Research
Working Groups
The CSA maintains Working Groups across 34 domains of Cloud Security.
Big Data Working Group
Listen to Dr. Arnab Roy on Federal News Radio 1500AM Dr. Arnab Roy is a Member of Research Staff at the Fujitsu Laboratories of America since 2012. From 2010-11, he was a post-doctoral researcher at the IBM Thomas J. Watson Research Center. Arnab obtained his PhD in Computer Science from Stanford University in 2009, where…Blockchain/Distributed Ledger Working Group
More information coming soon.Cloud Controls Matrix Working Group
The Cloud Controls Matrix is part of the CSA GRC Stack. Download the Latest Version of CCM New and updated mappings, consolidation of redundant controls, rewritten controls for clarity of intent, STAR enablement, and SDO alignment. Document Version Release Date Download Cloud Controls Matrix 3.0.1 10/6/2016 Get it now Click on a CCM Version below…Cloud Data Governance Working Group
Working Group Scope and Responsibilities Propose a data governance framework to ensure the privacy, availability, integrity and overall security of data in different cloud models. These will feed into the GRC stack and can be implemented as controls across the CAIQ, CCM and STAR Develop thought leadership materials to promote CSA¹s leadership across the spheres…Cloud Vulnerabilities Working Group
What's New about Cloud Vulnerabilities? While cloud computing offers features such as 24/7 availability and elasticity, it faced a new dimension of challenges and vulnerabilities caused by scale, and the challenges of keep systems live and dynamic. It is therefore of maximum benefit to the cloud computing community and industry, if a global vulnerability working…CloudAudit Working Group
Our execution mantra is straightforward: Keep it simple, lightweight and easy to implement; offer primitive definitions & language structure using HTTP(S) Allow for extension and elaboration by providers and choice of trusted assertion validation sources, checklist definitions, etc. Not require adoption of other platform-specific APIs Provide interfaces to Cloud naming and registry services CloudAudit is…CloudCISC Working Group
Member Access to CloudCISC Exchange CSA corporate members receive 2 free seats for the CloudCISC threat intelligence exchange. Please go to https://www.csa-cloudcisc.org/ to request access. The Mandate Organizations are increasingly overwhelmed by information security attacks with huge consequences in financial, legal and reputational damage. Malicious actors collaborate with skill and agility, effectively moving from target…CloudTrust Protocol Working Group
CloudTrust Protocol DemoConsensus Assessments Working Group
The Latest Questionnaire is Version 3.0.1 Download nowEnterprise Resource Planning (ERP) Security Working Group
CSA Enterprise Resource Planning (ERP) Security Working Group seeks to develop best practices to enable organizations that run their business on large ERP implementations, such as SAP or Oracle applications, to securely migrate to and operate in cloud environments. Every ERP deployment is something that is unique to each organization. In most cases organizations spend…Financial Services Stakeholder Platform Working Group
Membership Eligible members are: CSA enterprise customer corporate members operating in the financial institution (FIs) sector CSA solution provider corporate members (Cloud Service Providers). Additional fees apply, for more info contact: Contact membership@cloudsecurityalliance.org financial services regulators / supervisory authority / central banks (Regulators), and for the CSA Enterprise Customer Members operating in the financial sectors.…Innovation Working Group
Innovation Initiative Scope and Responsibilities The working group will be responsible for several primary tasks. These will include but are not limited to the following: Create consensus lists or security gaps existent in the industry that technology innovation shows promise to address. Communicate the availability of CSA tools to innovators. Form “task forces” of community…Internet of Things Working Group
Scope and Responsibilities The working group is chartered to research the following areas: Analysis of IoT implementation use cases in various industries Best practices for securing IoT implementations Mapping of IoT security controls to the Cloud Controls Matrix (CCM) Identifying threats to IoT devices and implementations Identifying gaps in standards coverage for IoT security Identifying…Legal Working Group
Ask a Legal Expert Have a question about a thorny legal issue related to cloud? Just ask! The CSA Legal Working Group is staffed by legal experts ready to help you. We will endeavor to answer as many questions as we can, please send your question to asklegal@cloudsecurityalliance.org. Please be aware that the experts will…Mobile Working Group
Scope and Responsibilities The working group is chartered to research: Evolutionary shift from management of mobile devices to management of mobile data Security and audit-ability traveling as an integrated part of corporate data, enabling data security anywhere. Augmentation of enterprise identity and authentication with omnipresent mobile devices. The impact of public cloud applications on mobility…Open Certification Working Group
The CSA Open Certification Working Group provides: A path for any region to address compliance concerns with trusted, global best practices. For example, we expect governments to be heavy adopters of the CSA Open Certification Framework to layer their own unique requirements on top of the GRC Stack and provide agile certification of public sector…Privacy Level Agreement Working Group
I think [the PLA Outline] is a very helpful document, both for potential customers of CSPs and for CSPs themselves. By following closely the WP29 Opinion it ensures that both parties understand the obligations under EU law - probably the strictest requirements they will have to comply with. Hopefully it will be accepted by CSPs…Quantum-safe Security Working Group
The Quantum‐safe Security (QSS) Working Group has been formed to address key generation and transmission methods and to help the industry understand quantum‐safe methods for protecting their networks and their data. Two differing technologies are covered by this working group, namely: Quantum key distribution, or QKD, which is a physics‐based technology to securely deliver keys,…SaaS Governance Working Group
SaaS services present unique risks to their cloud customers: they are highly business process specific they handle and store critical business and personal data they integrate a broad array of service components, operating over a deep application stack they may depend on multiple cloud service providers Due to heavy competitive pressure in the SaaS market…Security as a Service Working Group
The Security as a Service Implementation Guidance is made possible by the following sponsors:Security Guidance Working Group
CSA Security Guidance Version 3 Security Guidance Version 3.0 incorporates the highly dynamic nature of IT and new developments within other CSA research projects, tying in various CSA activities into one comprehensive C-level best practice. Security Guidance v3.0 will serve as the gateway to emerging standards being developed in the world’s standards organization and is…Software Defined Perimeter Working Group
Security Model To solve the problem of stopping network attacks on application infrastructure the SDP Workgroup developed a clean sheet approach that combines on device authentication, identity-based access and dynamically provisioned connectivity. While the security components in SDP are common place, the integration of the three components is fairly novel. More importantly, the SDP security…Telecom Working Group
Research Initiative Roadmap How does the Telecom Industry meet the GRC Stack? Objective: The GRC stack currently provides a detailed framework regarding governance, risk, and compliance control within a cloud environment. However, it primarily addresses the cloud customer requirements rather than the business plans of the telecom industry or cloud provider in general. The objective…Top Threats Working Group
“The CSA Top Threats Working Group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities in order to make educated risk-management decisions regarding cloud adoption strategies.” The Treacherous Twelve: Cloud Computing Top Threats in 2016 The 2016 Top Threats release mirrors the shifting ramifications of poor cloud computing…Virtualization Working Group
The security issues and recommended best practices of this broader view of virtualization merit additional focused research from a reconstituted version of the CSA Virtualization Working Group. Research Road map 2015 Deliverables Mitigating Risks in a Virtualized Environment White Paper V.4 Domain 13 2016 Deliverables Security Position Paper: Network Function Virtualization Security Position Paper: Network…EMEA Research Projects
The CSA EMEA research team is involved in 9 publicly funded projects.
| A4Cloud | CIRRUS | CloudWatch |
| CloudWatch 2 | CUMULUS | Helix Nebula |
| PICSE | SLAReady | SPECS |
A4Cloud Project
The Cloud Accountability Project (or A4Cloud for short) focuses on the Accountability For Cloud and Other Future Internet Services as the most critical prerequisite for effective governance and control of corporate and private data processed by cloud-based IT services. The research being conducted in the project will increase trust in cloud computing by devising methods and tools, through which cloud stakeholders can be made accountable for the privacy and confidentiality of information held in the cloud. These methods and tools will combine risk analysis, policy enforcement, monitoring and compliance auditing. They will contribute to the governance of cloud activities, providing transparency and assisting legal, regulatory and socio-economic policy enforcement.CIRRUS Project
Certification, Internationalisation and standardization in cloud security (CIRRUS) project aims to provide “high-level, high-impact” support and coordination for European ICT security research projects. Project activities target joint standardization, certification schemes, link research projects with EU policy and strategy, internationalization, as well as industry best practices and public private cooperation initiatives. The contribution of the CIRRUS project focuses on the cloud security standardization and certification efforts, both within the EU and at an international level, with the goals of supporting on-going research projects and coordinate a dialogue that will lead to a convergence of such efforts.CloudWatch Project
CloudWatch will also draw on key issues, disseminate best practices on model contract terms, foster a multi-stakeholder dialogue and facilitate the emergence and use of standard contracts. Thus, raise awareness of the benefits of cloud computing to major stakeholder groups: enterprises, especially SMEs; governments and public authorities; research and education institutions.CloudWatch 2 Project
One of the objectives of the Digital Single Market Strategy is creating long-term growth potential. Europe needs a digital market that allows new business models to flourish, start-ups to grow and industry to innovate and compete on a global scale. The European Commission’s programme for Software, Services and Cloud gives companies and research institutions the freedom to innovate technically in cloud computing. This is how European research and innovation initiatives bring continuous improvements and deliver services and solutions with increasing value for the digital single market. CloudWatch 2 provides a set of services to help European R&I initiatives capture the value proposition and business case as key to boosting the European economy.CUMULUS Project
CUMULUS framework will bring service users, service providers and cloud suppliers to work together with certification authorities in order to ensure security certificate validity in the ever-changing cloud environment.Helix Nebula Project
Helix Nebula was a new, pioneering partnership between big science and big business in Europe that is charting the course towards the sustainable provision of cloud computing - the Science Cloud.PICSE Project
The growth in cloud services is exploding, but procurement contracting has not kept up the pace. As a result, most people required to write cloud contracts for their organization have encountered many issues. The opportunity for cloud service providers on the supply side is widely recognised and this can potentially have enormous impact on the delivery of services across the public sector. However, procurement in the public sector is bound by procedures and is not tailored to the dynamic, on-demand and elastic nature of cloud services. There is therefore a need to focus on new ways of procuring cloud-based services.SLAReady Project
SLA-Ready aims to provide common understanding of Service Level Agreements (SLAs) for Cloud services with greater standardisation and transparency so firms can make an informed decision on what services to use, what to expect and what to trust. SLA-Ready services will support SMEs with practical guides, and a social marketplace, encouraging them to carefully plan their journey and make it strategic through an informed, stepping-stone approach, so the Cloud and applications grow with their business.SPECS Project
The Secure Provisioning of Cloud Services based on SLA Management (SPECS) project aims at developing and implementing an open source framework to offer Security-as-a-Service, by relying on the notion of security parameters specified in Service Level Agreements (SLA), and also providing the techniques to systematically manage their life-cycle. Providing comprehensible and enforceable security assurance by Cloud Service Providers (CSP) is a critical factor to deploy trustworthy Cloud ecosystems.APAC Research Projects
The CSA APAC research team is involved in 1 publicly funded project.
| STRATUS |
STRATUS Project
STRATUS project, a six-year, NZ $12.2 million cyber security project funded by the Ministry of Business, Innovation, and Employment. Led by the University of Waikato, CSA is part of the consortium that was awarded the funding and the work which began in November 2014. STRATUS, which is an acronym for Security Technologies Returning Accountability, Transparency and User-centric Services in the Cloud, is an ambitious project that intends to create a suite of novel security tools, techniques and capabilities that will return control of data to cloud computing users. More importantly, it aims to put New Zealand ICT industry onto the world map capitalizing on the global trend in cloud computing, cybersecurity and data analytics.| Initiative Details | Date Opened | |
|---|---|---|
Quantum-Safe Security Awareness Survey Report |
September 05, 2017 | Contribute now |
Intrusion Management |
August 24, 2017 | Contribute now |
Email Security |
August 24, 2017 | Contribute now |
Best Practices for Cyber Incident ExchangeThe Best Practices for Cyber Incident Exchange initiative will help remove barriers and enable secure, timely and effective intelligence incident exchange and collaboration. |
May 02, 2017 | Contribute now |
Mobile Working Group Security Guidance for Critical Areas of Mobile Computing |
January 12, 2017 | Contribute now |
SDP Specification v2.0With increased awareness and demand for SDP solutions, the specification |
December 22, 2016 | Contribute now |
Submit your research ideas to research@cloudsecurityalliance.org.
Latest Initiatives
- Quantum-Safe Security Awareness Survey Report - September 5, 2017
- Intrusion Management - August 24, 2017
- Email Security - August 24, 2017
Upcoming Meetings
Internet of Things Working Group
Platform:
Webex
Meeting ID:
192 364 319
Enterprise Resource Planning (ERP) Security Working Group
Platform:
GoToMeeting
Meeting ID:
703-003-813
Enterprise Architecture Working Group
Platform:
Webex
Meeting ID:
194 099 756
Top Threats Working Group
Platform:
GoToMeeting
Meeting ID:
670-348-405
Blockchain/Distributed Ledger Working Group
Platform:
Webex
Meeting ID:
190 893 187
CloudCISC Working Group
Platform:
Webex
Meeting ID:
190 605 489
Dial-in by Phone to Webex
Dial one of these phone numbers then enter the Meeting ID when prompted.
- US: +1-415-655-0001
- Austria: +43-125-302-1547
- Belgium: +32-2894-8319
- Denmark: +45-3272-7726
- France: +33-17091-8651
- Germany: +49-6925511-4406
- Italy: +39-023041-0445
- Luxembourg: +352-2088-1746
- Netherlands: +31-20794-6701
- Spain: +34-91769-9724
- Switzerland: +41-43456-9569
- UK: 44-203-478-5291
Can’t access your meeting?
Get help with Webex
Internet of Things Working Group
Platform: WebexMeeting ID: 192 364 319
Enterprise Resource Planning (ERP) Security Working Group
Platform: GoToMeetingMeeting ID: 703-003-813
Enterprise Architecture Working Group
Platform: WebexMeeting ID: 194 099 756
Top Threats Working Group
Platform: GoToMeetingMeeting ID: 670-348-405
Blockchain/Distributed Ledger Working Group
Platform: WebexMeeting ID: 190 893 187
CloudCISC Working Group
Platform: WebexMeeting ID: 190 605 489
Dial-in by Phone to Webex
Dial one of these phone numbers then enter the Meeting ID when prompted.
- US: +1-415-655-0001
- Austria: +43-125-302-1547
- Belgium: +32-2894-8319
- Denmark: +45-3272-7726
- France: +33-17091-8651
- Germany: +49-6925511-4406
- Italy: +39-023041-0445
- Luxembourg: +352-2088-1746
- Netherlands: +31-20794-6701
- Spain: +34-91769-9724
- Switzerland: +41-43456-9569
- UK: 44-203-478-5291
Can’t access your meeting?
Get help with Webex
Security Trust and Assurance Registry
STAR is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
Welcome New Members
The CSA is a member-driven organization, chartered with promoting the use of best practices for providing security assurance within Cloud Computing. We would like to welcome our newest members:
- OutSystems
- Crowdstrike
- Saxo
- Barracuda Networks
- Intility
