CSA Security Guidance for Critical Areas of Focus in Cloud Computing
Read the best practices recommended by security experts for staying secure in the cloud.
Cloud computing offers tremendous potential benefits in agility, resiliency, economy, and security. However, the security benefits only appear if you understand and adopt cloud-native models and adjust your architectures and controls to align with the features and capabilities of cloud platforms. The cloud security best practices outlined in the Security Guidance for Critical Areas of Focus in Cloud Computing 4.0 were crowd-sourced by the Cloud Security Alliance's community of security experts and can help you implement and adopt a cloud-native approach.
While the implementation details vary greatly depending on the specific cloud project, there is a relatively straightforward, high-level process for managing cloud security.
- Identify necessary security and compliance requirements and any existing controls.
- Select your cloud provider, service, and deployment models.
- Define the architecture.
- Assess the security controls.
- Identify control gaps.
- Design and implement controls to fill the gaps.
- Manage changes over time.

Since different cloud projects, even on a single provider, will likely leverage entirely different sets of configurations and technologies, each project should be evaluated on its own merits. After reading the Security Guidance, you will be familiar with the cloud security best practices you need to evaluate a cloud project.
Download the CSA Security Guidance v4.0 today.

Security Domains
The domains that comprise the CSA Guidance are tuned to address both the strategic and tactical security “pain points” within a cloud environment and can be applied to any combination of cloud service and deployment model. We have over 25 research working groups dedicated to creating further guidance and frameworks for these domains.
DOMAIN 1
Cloud Computing Concepts and Architecture
This domain provides the conceptual framework for the rest of the Cloud Security Alliance’s guidance. It describes and defines cloud computing, sets our baseline terminology, and details the overall logical and architectural frameworks used in the rest of the document.
DOMAIN 2
Governance and Enterprise Risk Management
This domain addresses the ability of an organization to govern and measure enterprise risk introduced by cloud computing. Items discussed include the legal precedence for agreement breaches, the ability of an organization to assess the risk of a cloud provider adequately, the responsibility to protect sensitive data when both the user and provider may be at fault, and how international boundaries may affect these issues.
Related working groups: Cloud Controls Matrix
DOMAIN 3
Legal Issues, Contracts, and Electronic Discovery
This domain covers the potential legal issues when using cloud computing. Topics touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws, etc.
DOMAIN 4
Compliance and Audit Management
This domain explains how to maintain and prove compliance when using cloud computing. It also covers evaluating how cloud computing affects compliance with internal security policies and various compliance requirements (regulatory, legislative, and otherwise). It also includes some direction on proving compliance during an audit.
Related working groups: Cloud Controls Matrix
DOMAIN 5
Information Governance
This domain addresses governing data that is placed in the cloud. It discusses items surrounding the identification and control of data in the cloud and compensating controls that can be used to deal with the loss of physical control when moving data to the cloud. Other items, such as who is responsible for data confidentiality, integrity, and availability, are mentioned.
DOMAIN 6
Management Plane and Business Continuity
This domain discusses how to secure the management plane and the administrative interfaces used when accessing the cloud, including web consoles and APIs. Ensuring business continuity for cloud deployments is also covered.
DOMAIN 7
Infrastructure Security
This domain covers core cloud infrastructure security, including networking, workload security, and hybrid cloud considerations. It also covers security fundamentals for private clouds.
Related working groups: Hybrid Cloud Security
DOMAIN 8
Virtualization and Containers
This domain discusses security considerations for hypervisors, containers, and Software Defined Networks.
DOMAIN 9
Incident Response, Notification and Remediation
This domain will help you understand the complexities the cloud brings to your current incident-handling program. It covers proper and adequate incident detection, response, notification, and remediation. It attempts to address items that should be in place at both the provider and user levels to enable proper incident handling and forensics.
Related working groups: Cloud Incident Response Working Group
DOMAIN 10
Application Security
This domain discusses how to secure application software that is running on or being developed in the cloud. This includes items such as whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS).
Related working groups: DevSecOps
DOMAIN 11
Data Security and Encryption
This domain discusses how to secure data stored in and moving through the cloud. It covers data security controls, including encryption and key management, and how to apply them as data moves across the cloud data lifecycle.
Related research: Encryption Implementation Guidance
DOMAIN 12
Identity, Entitlement and Access Management
This domain addresses managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization’s identity into the cloud. This section provides insight into assessing an organization’s readiness to conduct cloud-based Identity, Entitlement, and Access Management.
Related research: Identity and Access Management
DOMAIN 13
Security as a Service
This domain discusses providing third-party-facilitated security assurance, incident management, compliance attestation, and identity and access oversight.
Related working groups: Security as a Service
DOMAIN 14
Related Technologies
This domain discusses security for established and emerging technologies with a close relationship to cloud computing, including Big Data and the Internet of Things (IoT).
Related working groups: IoT and Blockchain
You can learn more about how to implement each of these domains by earning your Certificate of Cloud Security Knowledge (CCSK).
Version 4.0 Acknowledgments
On behalf of the CSA Board of Directors and the CSA Executive Team, we would like to thank all of the individuals who contributed time and feedback to the fourth version of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing. We value your volunteer contributions and believe that the devotion of volunteers like you will lead the Cloud Security Alliance into the future. Thank you especially to our two editors, Dan Moren and John Moltz, and to the lead authors: Rich Mogull, James Arlen, Adrian Lane, Gunnar Peterson, Mike Rothman, and David Mortman.