Membership
Join as a Business
Cloud Customers
Cloud Solution Providers
SaaS Solution Providers
CxO Initiative
Contact Us
Current Business Members
Cloud Customers
Cloud Solution Providers
Join as an Individual
Regional Chapters
Circle Community Forum
Research Working Groups
STAR Program
STAR Registry
STAR Home
Submit to Registry
Provide Feedback
What is the STAR Registry?
Learn how to stay compliant in the cloud.
CCAK Training
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
GDPR Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
CSA Approved STAR Assessment Firms
Certificates & Training
Events
Learn and network while you earn CPE credits.
Events
Virtual Events & Webinars
Certificates & Training
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Train my entire team
Training Instructors
Become an Instructor
Training Partners
Become a Training Partner
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
CxO Initiative
CloudBytes Webinars
Awards & Recognition
Ron Knode Awards
Research Fellows
Industry Specific Research
Financial Services
Healthcare
Getting Started with CSA Research
Best practices for cloud security
Assess your compliance to cloud standards
Security questionnaire for vendors
The top threats to cloud computing
View more
Architectures and Components
Enterprise Architecture
Hybrid Cloud Security
Emerging Technologies
Blockchain/Distributed Ledger
Internet of Things (IoT)
Quantum-safe Security
Securing DevOps
Application Containers and Microservices
DevSecOps
Serverless
Security Services
Enterprise Resource Planning
Cloud Key Management
Security as a Service
Zero Trust
Threat Intelligence
Incident Response
Top Threats
View all working groups

Enterprise Architecture

Latest ResearchJoin Group
Enterprise Architecture Reference Diagram
Enterprise Architecture Reference Diagram

Download

Research Home
View Working Groups
Contribute
Download Publications
Join this working group
Home
Research
Working Groups
Enterprise Architecture
Cloud security architecture helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices. The CSA Enterprise Architecture creates a common roadmap to meet the cloud security needs of your business. It is both a methodology and a set of tools that enable security architects, enterprise architects and risk management professionals to fulfill a set of common requirements that risk managers must use to assess the operational status of internal IT security and cloud provider controls. 

The CSA cloud computing architecture is guided by business requirements. In the case of the CSA Enterprise Architecture, these requirements come from the Cloud Controls Matrix (CCM) guided by regulations such as Sarbanes-Oxley, standards frameworks such as ISO-27002, the Payment Card Industry Data Security Standards, and the IT Audit Frameworks, such as COBIT, all in the context of cloud delivery models such as SaaS, PaaS and IaaS.

The CSA Enterprise Architecture was used as the basis for NIST security reference architecture (SP500-299, SP500-292). 

*This working group also developed an interactive website for the previous version of the enterprise architecture.  

Enterprise ArchitectureConsensus AssessmentsCCAKCloud Controls Matrix

This group follows closely to the CCM working group in order to map the architecture domains that help enterprises identify critical components that are key to their cloud security architecture. These domains, when agreed upon to an adjacent CCM control domain, create a larger picture for easily implementing strategies.

Join Group

Next Meeting

Oct 01, 2021, 12:00PM PDT
Join the Meeting


Working Group Leadership

Jon-Michael Brook Headshot
Jon-Michael Brook
Jon-Michael Brook

Jon-Michael C. Brook, Principal at Guide Holdings, LLC, has 20 years of experience in Information Security with such organizations as Raytheon, Northrop Grumman, Booz Allen Hamilton, Optiv Security and Symantec. Mr. Brook's work traverses the government, financial, healthcare, gaming, oil and gas and pharmaceutical industries. Mr. Brook obtained a number of industry certifications, including CISSP and CCSK, has patents and trade secrets in...

Read more

Michael Roza Headshot
Michael Roza
Michael Roza

Risk, Audit, Control and Compliance Professional

Michael Roza is a risk, audit, control and compliance professional with 20-plus years of experience with organizations such as Bridgestone EMEA, Komatsu International, Mitsui Novus International, Johnson and Johnson Inc., and Baxter, Inc. Within CSA, he has served as lead author/contributor for 11 projects completed by CSA’s Internet of Things, Blockchain/Distributed Ledger, Top Threats, Cloud Control Matrix, and Software-Defined P...

Read more

Join this working group

Cloud Security Research for Enterprise Architecture

CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.

Enterprise Architecture to CCM Mapping Guide

Enterprise Architecture to CCM Mapping Guide

This document serves as an overview and explanation of the Enterprise Architecture v2 to CCM v3.0.1 Mapping. We first define the CSA Enterprise Architecture and CSA CCM, then demonstrate through example how the mapping was accomplished. After this, the mapping results are provided and explained in a summary.

Download the Mapping Guide
Enterprise Architecture Reference Guide v2

Enterprise Architecture Reference Guide v2

This guide is your deep dive into each domain of CSA’s Enterprise Architecture (EA). CSA’s EA is both a methodology and a set of tools. It is a framework, a comprehensive approach for the architecture of a secure cloud infrastructure, and can be used to assess opportunities for improvement, create roadmaps for technology adoption, identify reusable security patterns, and assess various cloud providers and security technology vendors against a common set of capabilities. To create the CSA Enterprise Architecture, the EA Working Group leveraged four industry standard architecture models: TOGAF, ITIL, SABSA, and Jericho, therefore combining the best of breed architecture paradigms into a comprehensive approach to cloud security. By merging business drivers with security infrastructure, the EA increases the value proposition of cloud services within an enterprise business model. 

Download the Reference Guide
Enterprise Architecture v2 to CCM v3 Mapping

Enterprise Architecture v2 to CCM v3 Mapping

The Enterprise Architecture (EA) is CSA’s standard cloud reference architecture, while the Cloud Controls Matrix (CCM) is CSA’s standard control set. By applying the CCM controls, an organization ensures that the EA is operating securely. However, until now, the link between the EA and CCM has never been demonstrated. This spreadsheet by CSA’s EA Working Group provides a mapping between the Enterprise Architecture 2.0 and Cloud Controls Matrix 3.0.1, showing how they can be used together to secure an enterprise architecture.

Download the Mapping
View All Research

Blog Posts

Enterprise Architecture Cloud Delivery Model - CCM Mapping
Read Now
CSA Issues Top 20 Critical Controls for Cloud Enterprise Resource Planning Customers
Read Now

Press Coverage

Article TitleSourceDate
The New Enterprise Architecture Is Zero TrustOODALoopJune 07, 2021