CSA Security Guidance for Critical Areas of Focus in Cloud Computing
Read the best practices recommended by security experts for staying secure in the cloud.
Download Guidance
Cloud computing offers tremendous benefits in agility, resiliency, economy, and security. However, the security benefits only appear if you adopt cloud-native models and adjust your architectures and security controls to align with the capabilities of cloud platforms.
The Cloud Security Alliance's Security Guidance for Critical Areas of Focus in Cloud Computing outlines cloud security best practices that have been developed and refined by CSA's extensive community of experts. Emphasizing the practical application of security principles in real-world scenarios, this comprehensive guide equips professionals with actionable skills. Learn how to adopt and implement a cloud-native approach that addresses modern challenges in complex cloud environments.
All NEW content with Security Guidance v5! Version 5 provides a comprehensive understanding of the essential security measures needed in today's cloud landscape. Completely revamped from v4, the v5 body of knowledge includes the latest in cloud architecture, cloud native security, workloads, virtual networking, data security, DevSecOps, Zero Trust, Generative AI, and much more. V5 also includes vital information about risk management, achieving compliance, optimizing organizational cloud security strategies, and understanding the shared responsibility model.Security Guidance v4 is still available for download here.
Download CSA's Security Guidance v5 today.
Security Domains
The domains which comprise the CSA Guidance are tuned to address both the strategic and tactical security “pain points” within a cloud environment and can be applied to any combination of cloud service and deployment model. We have over 25+ research working groups dedicated to creating further guidance and frameworks for these domains.
DOMAIN 1
Cloud Computing Concepts and Architecture
DOMAIN 1
Cloud Computing Concepts and Architecture
This domain lays the foundational framework for the Cloud Security Alliance (CSA) Security Guidance. It covers the definitions, baseline terminologies, controls, deployment, and architectural models crucial for understanding cloud computing. Learners will explore the transformative impact of cloud computing and its benefits when properly understood and adopted, emphasizing the importance of cloud-native capabilities and services.
DOMAIN 2
Cloud Governance
DOMAIN 2
Cloud Governance
Focusing on the governance framework of policies, procedures, and controls, this domain ensures transparency and accountability within cloud environments. It addresses strategic guidance, risk management, compliance monitoring, and budget allocation. Learners will understand key governance frameworks and regulations such as ISO/IEC 38500:2024, ISACA COBIT, ISO/IEC 27014:2020, and GDPR.
DOMAIN 3
Risk, Audit, & Compliance
DOMAIN 3
Risk, Audit, & Compliance
This domain delves into evaluating cloud service providers (CSPs), establishing cloud risk registries, and implementing approval processes. It covers compliance and auditing, including compliance inheritance, and introduces tools and technologies for governance, risk, and compliance (GRC) processes. Emphasis is placed on robust risk management frameworks, compliance with regulatory standards, and leveraging tools and technologies for effective governance.
DOMAIN 4
Organization Management
DOMAIN 4
Organization Management
Learners will explore the overall management of cloud environments, including organizing and validating the security assurance of CSPs and securing individual cloud service deployments. This domain highlights the importance of tenancy in a multitenant environment, key controls for managing hierarchy, and best practices for managing multiple cloud deployments. It also covers organization-level security management nuances and strategies for hybrid and multi-cloud environments.
DOMAIN 5
Identity & Access Management
DOMAIN 5
Identity & Access Management
This domain ensures that only authorized identities have the right access to resources. It covers fundamental IAM concepts, the characteristics and challenges of IAM in the cloud, and effective management strategies. Key topics include multi-factor authentication (MFA), just-in-time (JIT) access, identity federation, policy-based access control (PBAC), and secure identity providers (IdPs).
DOMAIN 6
Security Monitoring
DOMAIN 6
Security Monitoring
Focusing on the distinct aspects of security monitoring in cloud environments, this domain covers cloud telemetry, management plane logs, service and resource logs, and advanced monitoring tools. Learners will explore hybrid and multi-cloud setups, the role of logs, events, and configuration detection in security monitoring, and the use of Generative Artificial Intelligence (GenAI) for enhancing cloud security.
DOMAIN 7
Infrastructure & Networking
DOMAIN 7
Infrastructure & Networking
This domain covers managing the overall infrastructure footprint and network security. Key topics include Software Defined Networks (SDN), security groups, container networking, connectivity options, Zero Trust Architectures (ZTA), and Secure Access Service Edge (SASE). Emphasis is placed on implementing secure architectures, integrating security early in the development lifecycle, and maintaining vigilant monitoring.
DOMAIN 8
Cloud Workload Security
DOMAIN 8
Cloud Workload Security
Learners will explore securing various cloud workloads, including virtual machines (VMs), containers, serverless functions (FaaS), AI, and platform as a service (PaaS). The domain covers practices such as VM image security automation, enforcing least privilege, regular vulnerability assessments, customizing container configurations, securing API endpoints, managing secrets, adversarial training for AI workloads, and regular security audits for PaaS environments.
DOMAIN 9
Data Security
DOMAIN 9
Data Security
This domain addresses the complexities of data security within cloud environments, emphasizing the need for resilient practices to safeguard information. It explores strategies, tools, and practices essential for protecting data in-transit and at rest. Key topics include data classification, cloud storage types, advanced encryption methods, and access controls. The domain also provides a primer on cloud storage and examines key concepts and technologies shaping the future of data security. Learning objectives include understanding data security fundamentals, data classifications and states, cloud storage security measures, key management, protecting computing workloads, posture management, and advanced data security concepts.
DOMAIN 10
Application Security
DOMAIN 10
Application Security
This domain focuses on the practice of using security controls to protect computer applications from external threats. It covers the entire lifecycle of application security, from early design and threat modeling to maintaining and defending production applications. Cloud computing advancements necessitate stable, scalable, and secure progress in application development. Key topics include microservices, API exposure, DevOps approaches, shared responsibility models, third-party libraries, security features from cloud providers, programmable infrastructure, and stateless architectures. Emphasis is placed on secure architecture, IAM, DevSecOps, continuous monitoring, threat modeling, and automated security testing.
DOMAIN 11
Incident Response & Resilience
DOMAIN 11
Incident Response & Resilience
This domain covers critical aspects of incident response (IR) in cloud environments, addressing unique challenges introduced by cloud adaptation. It provides best practices for cloud incident response (CIR) and resilience, organized according to the IR Lifecycle described in the CSA Cloud Incident Response Framework and NIST SP 800-61 Rev. 2. Key frameworks include ISO/IEC 27035 and ENISA Strategies for IR. Emphasis is placed on preparation, detection and analysis, containment, eradication and recovery, and post-incident analysis. Effective communication and information sharing between CSPs and CSCs, internal IR teams, law enforcement, and key partners are crucial for strengthening CIR capabilities.
DOMAIN 12
Related Technologies & Strategies
DOMAIN 12
Related Technologies & Strategies
This domain explores various angles for analyzing cloud security challenges using perspectives (lenses) and processes. It covers critical security areas such as organization management, IAM, security monitoring, network, workload, application, and data. Key technologies and strategies include Zero Trust (ZT), Artificial Intelligence (AI), and Threat and Vulnerability Management (TVM). Practices include continuous verification of users and devices, least privilege principles, multi-factor authentication, micro-segmentation, encryption, threat detection, access control, policy enforcement, machine learning for anomaly detection, risk management, CSPM, and continuous monitoring. Integrating AI into TVM enhances threat detection and response, maintaining a robust security posture.
You can learn more about how to implement each of these domains by earning your Certificate of Cloud Security Knowledge (CCSK).
Version 5.0 Acknowledgments
On behalf of the CSA Board of Directors and the CSA Executive Team, we extend our heartfelt gratitude to everyone who dedicated their time and provided invaluable feedback for the fifth version of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing. Your volunteer contributions are greatly appreciated, and it is the commitment of volunteers like you that propels the Cloud Security Alliance into the future.
Special thanks to our Editors, Larry Hughes and Jackie Donnelly, and to our Lead Authors, Mike Rothman and Rich Mogull. We also deeply appreciate the contributions of Michael Roza, Moshe Ferber, and Peter van Eijk.
We extend our sincere thanks to all contributors listed in the Security Guidance itself. Your efforts are truly valued.
