The CSA cloud computing architecture is guided by business requirements. In the case of the CSA Enterprise Architecture, these requirements come from the Cloud Controls Matrix (CCM) guided by regulations such as Sarbanes-Oxley, standards frameworks such as ISO-27002, the Payment Card Industry Data Security Standards, and the IT Audit Frameworks, such as COBIT, all in the context of cloud delivery models such as SaaS, PaaS and IaaS. The working group has developed an interactive website to learn about and explore the cloud reference architecture.
The CSA Enterprise Architecture was used as the basis for the NIST security reference architecture (SP500-299, SP500-292).
This group works closely with the CCM working group to map the architecture domains that help enterprises identify the critical components of their cloud security architecture. These domains, when mapped to an adjacent CCM control domain, create a larger picture that makes strategies easier to implement.
Cloud Security Research for Enterprise Architecture
CSA Research crowd-sources the knowledge and expertise of security experts and helps address the challenges and needs they’ve experienced, or seen others experience, within the cybersecurity field. Each publication is vendor-neutral and follows the peer review process outlined in the CSA Research Lifecycle. We recommend getting started by reading the following documents.
Enterprise Architecture Reference Architecture Quick Guide
This quick guide provides an overview of what the Enterprise Architecture is, the challenges it helps solve, and how to use it. The Enterprise Architecture itself is a comprehensive approach for the architecture of a secure, identity-aware cloud infrastructure, which leverages four industry standard architecture models: TOGAF, ITIL, SABSA, and Jericho. This quick guide covers the following domains: security and risk management, information technology operation and support, and business operation support services. It also covers presentation, application, information and infrastructure services. The Enterprise Architecture can be used in multiple enterprise security design phases, from assessing opportunities for improvement and creating road maps for technology adoption, to defining reusable security patterns and assessing various cloud providers and security technology vendors against a common set of capabilities. We recommend reading this quick guide before ...
Enterprise Architecture v2.0
The Enterprise Architecture is both a methodology and a set of tools that enable security architects, enterprise architects and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.
Enterprise Architecture to CCM Shared Responsibility Model
The EA-CCM Shared Responsibility Model is a companion piece to the EA-CCM Mapping. It maps CCM controls per the Shared Responsibility Model according to the following service levels: IaaS, PaaS, SaaS. It is intended to give the reader an overview of cloud responsibility for the specific control domain from the view of the cloud service provider and/or the cloud consumer. 0 (zero) signifies no responsibility, whereas a 1 (one) signifies the given responsibility. From here, the reader can map that control domain back to the CCM control for further guidance and architecture.