Security Guidance for Critical Areas of Focus in Cloud Computing

Download: Security Guidance

Document            Version   Release Date   Download
Security Guidance   3         11/14/2011     Download (pdf)

Introducing Guidance for Critical Areas of Focus in Cloud Computing

The CSA guidance as it enters its third edition seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.

In the third edition, the guidance assumes a structural maturity in parallel with multinational cloud standards development, in both structure and content. Version 3 extends the content included in previous versions with practical recommendations and requirements that can be measured and audited. CSA industry expert authors have endeavored to present a working product that is measured and balanced between the interests of cloud providers and tenants. Controls focus on preserving the integrity of tenant data ownership while embracing the concept of a shared physical infrastructure. Guidance Version 3 incorporates lessons learned from the CSA GRC Stack and the Trusted Cloud Initiative and ties the various CSA activities into one comprehensive C-level best practice. The Security Guidance V.3 will serve as the gateway to emerging standards being developed in the world’s standards organizations and is designed to serve as an executive-level primer for any organization seeking a secure, stable transition to hosting its business operations in the cloud.
About CSA Security Guidance Version 3

CSA Guidance v3 is the third version of the Cloud Security Alliance document, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which was originally released in April 2009. The permanent archive locations for these documents are:

http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf (this document)
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf (version 2 guidance)
http://www.cloudsecurityalliance.org/guidance/csaguide.v1.0.pdf (version 1 guidance)

In a departure from the second version of our guidance, each domain was assigned its own editor and peer reviewed by industry experts. The structure and numbering of the domains align with industry standards and best practices. We encourage the adoption of this guidance as a good operating practice in strategic management of cloud services. These white papers and their release schedule are located at:

http://www.cloudsecurityalliance.org/guidance/

In another change from the second version, some domain names have been updated: Domain 3 is now "Legal Issues: Contracts and Electronic Discovery" and Domain 5 is now "Information Management and Data Security". We have also added a new domain, Domain 14: Security as a Service.

Version 3 Acknowledgments

Editors

Archie Reed
Chris Rezek
Paul Simmonds

Domain Authors/Contributors

Domain 1: Chris Hoff, Paul Simmonds
Domain 2: Marlin Pohlman, Becky Swain, Laura Posey, Bhavesh Bhagat
Domain 3: Francoise Gilbert, Pamela Jones Harbour, David Kessler, Sue Ross, Thomas Trappler
Domain 4: Marlin Pohlman, Said Tabet
Domain 5: Rich Mogull, Jesus Luna
Domain 6: Aradhna Chetal, Balaji Ramamoorthy, Jim Peterson, Joe Wallace, Michele Drgon, Tushar Bhavsar
Domain 7: Randolph Barr, Ram Kumar, Michael Machado, Marlin Pohlman
Domain 8: Liam Lynch
Domain 9: Michael Panico, Bernd Grobauer, Carlo Espiritu, Kathleen Moriarty, Lee Newcombe, Dominik Birk, Jeff Reed
Domain 10: Aradhna Chetal, Balaji Ramamoorthy, John Kinsella, Josey V. George, Sundararajan N., Devesh Bhatt, Tushar Bhavsar
Domain 11: Liam Lynch
Domain 12: Paul Simmonds, Andrew Yeomans, Ian Dobson, John Arnold, Adrian Secombe, Peter Johnson, Shane Tully
Domain 13: Dave Asprey, Richard Zhao, Kanchanna Ramasamy Balraj, Abhik Chaudhuri, Melvin M. Rodriguez
Domain 14: Jens Laundrup, Marlin Pohlman, Kevin Fielder

Peer Reviewers

Valmiki Mukherjee, Bernd Jaeger, Ulrich Lang, Hassan Takabi, Pw Carey, Xavier Guerin, Troy D. Casey, James Beadel, Anton Chuvakin, Tushar Jain, M S Prasad, Damir Savanovic, Eiji Sasahara, Chad Woolf, Stefan Pettersson, M S Prasad, Nrupak Shah, Kimberley Laris, Henry St. Andre, Jim Peterson, Ariel Litvin, Tatsuya Kamimura, George Ferguson, Andrew Hay, Danielito Vizcayno, K.S. Abhiraj, Liam Lynch, Michael Marks, JP Morgenthal, Amol Godbole, Damu Kuttikrishnan, Rajiv Mishra, Dennis F. Poindexter, Neil Fryer, Andrea Bilobrk, Balaji Ramamoorthy, Damir Savanovic

CSA Staff

Executive Director: Jim Reavis
Technical Writer/Editor: Amy L. Van Antwerp
Graphic Designer: Kendall Scoboria
Research Director: J.R. Santos

Download: Security Guidance for Critical Areas of Focus in Cloud Computing.

Document            Version   Release Date   Download
Security Guidance   2.1       12/01/2009     Download (pdf)

About CSA Security Guidance Version 2

Guidance v2 is the second version of the Cloud Security Alliance document, “Security Guidance for Critical Areas of Focus in Cloud Computing”, which was originally released in April 2009. The permanent archive locations for these documents are:

http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf (this document)
http://www.cloudsecurityalliance.org/guidance/csaguide.v1.0.pdf (version 1 guidance)

In a departure from the first version of our guidance, a decision was made to separate the key guidance from the core domain research. Each domain’s core research is being released as its own white paper. These white papers and their release schedule are located at:

http://www.cloudsecurityalliance.org/guidance/

In another change from the first version, Domain 3: Legal and Domain 4: Electronic Discovery were combined into a single domain. Additionally, Domain 6: Information Lifecycle Management and Domain 14: Storage were combined into a single domain, renamed Data Lifecycle Management. This has caused a renumbering of our (now 13) domains.

Version 2 Acknowledgments

Editors

Glenn Brunette

Contributors

Adrian Seccombe
Alex Hutton
Alexander Meisel
Alexander Windel
Anish Mohammed
Anthony Licciardi
Anton Chuvakin
Aradhna Chetal
Arthur J. Hedge III
Beau Monday
Beth Cohen
Bikram Barman
Brian O’Higgins
Carlo Espiritu
Christofer Hoff
Colin Watson
David Jackson
David Lingenfelter
David Mortman
David Sherry
David Tyson
Dennis Hurst
Don Blumenthal
Dov Yoran
Erick Dahan
Erik Peterson
Ernie Hayden
Francoise Gilbert
Geir Arild Engh-Hellesvik
Georg Hess
Gerhard Eschelbeck
Girish Bhat
Glenn Brunette
Greg Kane
Greg Tipps
Hadass Harel
James Tiller
Jean Pawluk
Jeff Reich
Jeff Spivey
Jeffrey Ritter
Jens Laundrup
Jesus Luna Garcia
Jim Arlen
Jim Hietala
Joe Cupano
Joe McDonald
Joe Stein
Joe Wallace
Joel Weise
John Arnold
Jon Callas
Joseph Stein
Justin Foster
Kathleen Lossau
Karen Worstell
Lee Newcombe
Luis Morales
M S Prasad
Michael Johnson
Michael Reiter
Michael Sutton
Mike Kavis
Nadeem Bukhari
Pam Fusco
Patrick Sullivan
Peter Gregory
Peter McLaughlin
Philip Cox
Ralph Broom
Randolph Barr
Rich Mogull
Richard Austin
Richard Zhao
Sarabjeet Chugh
Scott Giordano
Scott Matsumoto
Scott Morrison
Sean Catlett
Sergio Loureiro
Shail Khiyara
Shawn Chaput
Sitaraman Lakshminarayanan
Srijith K. Nair
Subra Kumaraswamy
Tajeshwar Singh
Tanya Forsheit
Vern Williams
Warren Axelrod
Wayne Pauley
Werner Streitberger
Wing Ko
Yvonne Wilson

November 16, 2011

Cloud Security Alliance Releases Guidance Version 3

The Cloud Security Alliance (CSA) today unveiled the third version of its Security Guidance for Critical Areas of Focus in Cloud Computing. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.

September 29, 2011

Open Review Period for Guidance V.3: Domains 7 and 14 (Has Begun)

The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 7: Traditional Security, Business Continuity and Disaster Recovery; Domain 14: Security as a Service.

September 26, 2011

Cloud Security Alliance Issues First Security as a Service White Paper

CSA today announced that the Security as a Service working group has published its first white paper, “Defined Categories of Service 2011”. The purpose of this group’s research is to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service and to provide guidance to organizations on reasonable implementation practices.

September 22, 2011

Open Review Period for Guidance V.3: Domains 4, 8, 9 and 11 (Has Begun)

The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 4: Compliance and Audit; Domain 8: Data Center Operations; Domain 9: Incident Response, Notification, and Remediation; Domain 11: Encryption and Key Management.

September 20, 2011

Open Review Period for Guidance V.3: Domains 2, 3, 5 and 12 (Has Begun)

The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 2: Governance and Enterprise Risk Management; Domain 3: Legal and Electronic Discovery; Domain 5: Information Lifecycle Management; Domain 12: Identity and Access Management.

September 15, 2011

Open Review Period for Guidance V.3: Domains 1, 6, 10 and 13 (Has Begun)

The Cloud Security Alliance would like to invite you to review and comment on the following Guidance V.3 Domains: Domain 1: Cloud Computing Architectural Framework; Domain 6: Portability and Interoperability; Domain 10: Application Security; Domain 13: Virtualization.

July 26, 2011

Call for Volunteers for V.3 Guidance Group 2: GRC, Audit, Physical, BCM, DR

The Cloud Security Alliance and the Group 2 (GRC, Audit, Physical, BCM, DR) leadership team are looking for volunteers to assist with drafting Domains 2, 4 and 7 of version 3 of CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing.

July 21, 2011

Call for Volunteers for V.3 Guidance Group 8: Virtualization and Technology Compartmentalization

The Cloud Security Alliance and the Group 8 (Virtualization and Technology Compartmentalization) leadership team are looking for volunteers to assist with drafting Domain 13 of version 3 of CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing.

April 22, 2009

Cloud Security Alliance issues Guidance for Critical Areas of Focus in Cloud Computing

The information security industry is taking on the task of providing guidance to enable secure Cloud Computing with today’s formal launch of the Cloud Security Alliance.

Group 1: Architecture and Framework

Responsible for technical architecture and related framework definitions. CSA Guidance Domain 1.

Group 2: GRC, Audit, Physical, BCM, DR

Responsible for Governance, Risk Management, Compliance, Auditing, Traditional/Physical Security, Business Continuity Management and Disaster Recovery. CSA Guidance Domains 2, 4 and 7.

Group 3: Legal Issues: Contracts and E-Discovery

Responsible for legal guidance, contractual issues, global law, eDiscovery and related issues. CSA Guidance Domain 3.

Group 4: Portability, Interoperability and Application Security

Responsible for application layer security issues and developing guidance to facilitate portability and interoperability between cloud providers. CSA Guidance Domains 6 and 10.

Group 5: Information Management and Data Security

Responsible for Identity and Access Management, Encryption and Key Management, and identifying enterprise integration issues and solutions. CSA Guidance Domains 11 and 12.

Group 6: Data Center Operations and Incident Response

Responsible for Incident Response and Forensics, as well as identifying new issues related to cloud-based Data Center Operations. CSA Guidance Domains 8 and 9.

Group 7: Information Lifecycle Management and Storage

Responsible for data-related issues in the cloud. CSA Guidance Domain 5.

Group 8: Virtualization and Technology Compartmentalization

Responsible for understanding how to compartmentalize technologies used for multitenancy, including, but not limited to, virtualization. CSA Guidance Domain 13.

Group 9: Security as a Service

Responsible for understanding how to deliver security solutions via cloud models. CSA Guidance Domain 14.

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

Release Date: November 14, 2011

CSA V3 Guideline: Book Excerpts

Culture-free, one-size-fits-all English is usually the most efficient way to speak to a large, heterogeneous audience of E2s. In contrast, there are times when our English materials are intended for E2s in a small number of specific countries. In these cases, it might make good business sense to produce more than one English version, sensitive to the first language of the readers.

Release Date: July 02, 2011

Cloud Computing for Business

This book is for all these people, and indeed for all executives whose companies are using, or thinking of using, cloud computing.

Release Date: March 02, 2011