
CSA Security Guidance for Critical Areas of Focus in Cloud Computing

Read the best practices recommended by security experts for staying secure in the cloud.

Security Guidance for Critical Areas of Focus in Cloud Computing v4.0

Cloud computing offers tremendous potential benefits in agility, resiliency, and economy, as well as security. However, the security benefits only appear if you understand and adopt cloud-native models and adjust your architectures and controls to align with the features and capabilities of cloud platforms. The cloud security best practices outlined in the Security Guidance for Critical Areas of Focus in Cloud Computing 4.0 were crowd-sourced by the Cloud Security Alliance's community of security experts and can help you implement and adopt a cloud-native approach.

While the implementation details vary greatly depending on the specific cloud project, there is a relatively straightforward, high-level process for managing cloud security.

  • Identify necessary security and compliance requirements and any existing controls.
  • Select your cloud provider, service, and deployment models.
  • Define the architecture.
  • Assess the security controls.
  • Identify control gaps.
  • Design and implement controls to fill the gaps.
  • Manage changes over time.

Since different cloud projects, even on a single provider, will likely leverage entirely different sets of configurations and technologies, each project should be evaluated on its own merits. After reading the Security Guidance, you will be familiar with the cloud security best practices you need to evaluate a cloud project.

Download the CSA Security Guidance v4.0 today.

Security Domains

The domains that comprise the CSA Guidance are tuned to address both the strategic and tactical security “pain points” within a cloud environment and can be applied to any combination of cloud service and deployment model. We have more than 25 research working groups dedicated to creating further guidance and frameworks for these domains.

DOMAIN 1

Cloud Computing Concepts and Architecture

This domain provides the conceptual framework for the rest of the Cloud Security Alliance’s guidance. It describes and defines cloud computing, sets our baseline terminology, and details the overall logical and architectural frameworks used in the rest of the document.

DOMAIN 2

Governance and Enterprise Risk Management

This domain addresses the ability of an organization to govern and measure enterprise risk introduced by cloud computing. Items discussed include the legal precedence for agreement breaches, the ability of an organization to assess the risk of a cloud provider adequately, the responsibility to protect sensitive data when both the user and provider may be at fault, and how international boundaries may affect these issues.

Related working groups: Cloud Controls Matrix

DOMAIN 3

Legal Issues, Contracts, and Electronic Discovery

This domain covers the potential legal issues when using cloud computing. Topics touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws, etc.

DOMAIN 4

Compliance and Audit Management

This domain explains how to maintain and prove compliance when using cloud computing. It also covers evaluating how cloud computing affects compliance with internal security policies and various compliance requirements (regulatory, legislative, and otherwise). It also includes some direction on proving compliance during an audit.

Related working groups: Cloud Controls Matrix

DOMAIN 5

Information Governance

This domain addresses governing data that is placed in the cloud. It discusses the identification and control of data in the cloud and the compensating controls that can be used to deal with the loss of physical control when moving data to the cloud. It also touches on who is responsible for data confidentiality, integrity, and availability.

DOMAIN 6

Management Plane and Business Continuity

This domain discusses how to secure the management plane and the administrative interfaces used when accessing the cloud, including web consoles and APIs. Ensuring business continuity for cloud deployments is also covered.

DOMAIN 7

Infrastructure Security

This domain covers core cloud infrastructure security, including networking, workload security, and hybrid cloud considerations. It also covers security fundamentals for private clouds.

Related working groups: Hybrid Cloud Security

DOMAIN 8

Virtualization and Containers

This domain discusses security considerations for hypervisors, containers, and software-defined networks.

DOMAIN 9

Incident Response, Notification and Remediation

This domain will help you understand the complexities the cloud brings to your current incident-handling program. It covers proper and adequate incident detection, response, notification, and remediation. It attempts to address items that should be in place at both the provider and user levels to enable proper incident handling and forensics.

Related working groups: Cloud Incident Response Working Group

DOMAIN 10

Application Security

This domain discusses how to secure application software that is running on or being developed in the cloud. This includes items such as whether it’s appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS).

Related working groups: DevSecOps

DOMAIN 11

Data Security and Encryption

This domain discusses securing data in the cloud, including data security controls, encryption, and key management.

Related research: Encryption Implementation Guidance

DOMAIN 12

Identity, Entitlement and Access Management

This domain addresses managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization’s identity into the cloud. This section provides insight into assessing an organization’s readiness to conduct cloud-based Identity, Entitlement, and Access Management.

Related research: Identity and Access Management

DOMAIN 13

Security as a Service

This domain discusses providing third-party-facilitated security assurance, incident management, compliance attestation, and identity and access oversight.

Related working groups: Security as a Service

DOMAIN 14

Related Technologies

This domain discusses security for established and emerging technologies with a close relationship to cloud computing, including Big Data and the Internet of Things (IoT).

Related working groups: IoT and Blockchain

You can learn more about how to implement each of these domains by earning your Certificate of Cloud Security Knowledge (CCSK).

Version 4.0 Acknowledgments

On behalf of the CSA Board of Directors and the CSA Executive Team, we would like to thank all of the individuals who contributed time and feedback to the fourth version of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing. We value your volunteer contributions and believe that the devotion of volunteers like you will lead the Cloud Security Alliance into the future. Thank you especially to our two editors, Dan Moren and John Moltz, and the lead authors: Rich Mogull, James Arlen, Adrian Lane, Gunnar Peterson, Mike Rothman and David Mortman.