Security as a Service Working Group

Introduction to the Security as a Service Working Group

The mission statement of the Cloud Security Alliance is ". . . to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing." In order to provide greater focus on the second part of our mission statement, the CSA is embarking on a new research project to provide greater clarity on the area of Security as a Service.

Numerous security vendors now leverage cloud-based models to deliver security solutions. This shift has occurred for a variety of reasons, including greater economies of scale and streamlined delivery mechanisms. Regardless of the motivations for offering such services, consumers are now faced with evaluating security solutions that do not run on premises. Consumers need to understand the unique nature of cloud-delivered security offerings so that they can evaluate those offerings and determine whether they will meet their needs.

The purpose of this research is to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service, and to provide guidance to organizations on reasonable implementation practices. Other research purposes will be identified by the working group.

Download the Security as a Service Working Group Charter


Security as a Service Working Group Leadership

Security as a Service Co-chairs

Michael Roza

Risk, Audit, Control and Compliance Professional

Michael Roza is a risk, audit, control and compliance professional with 20-plus years of experience with organizations such as Bridgestone EMEA, Komatsu International, Mitsui Novus International, Johnson and Johnson Inc., and Baxter Inc. He has worked with several high-tech startups serving the network management and contact center software markets, as well as the disk manufacturing and radiological cancer treatment markets.

He has held lead positions on SAP configuration and transformation teams, as well as on SAP Segregation of Duties and IT General Controls projects. Roza has also served as secretary or observer of various committees and councils, including internal audit, risk management, governance and risk, information security, and corporate social responsibility. He is a Certified Information Systems Auditor, Certified Public Accountant, and Certified Internal Auditor. He holds an AEMBA from Claremont College, Peter Drucker Center, and an MBA from De Paul University.

He has served as lead author/contributor for 11 projects completed by CSA’s IoT, Blockchain, Top Threats, Cloud Control Matrix, Software Defined Perimeter and Cyber Resiliency Working Groups.

Cameron Smith


Kevin Fielder

Kevin Fielder has over 15 years of IT and security experience across multiple industries, including online trading, online supermarkets, and banking/finance/insurance. His roles have ranged from pen testing and security assessments, through technical and security architecture, to security consulting and innovation.

His current focus includes security strategy, secure design and development, security innovation, software-based mobile security, cloud policy and architecture, structured risk assessments, and of course his role as co-chair of the SecaaS working group.

He holds a Bachelor's degree in Computing with Human Biology and a Master's in Distributed Systems and Networks, along with industry certifications including CISSP-ISSAP, CISSP-ISSMP, C|EH, and ISEB enterprise and solutions architecture.

Security as a Service Working Group Initiatives

Please contact Working Group Leadership for more information.

Security as a Service Working Group Downloads

SecaaS Working Group Charter

To improve understanding and perception, and thus reputation, Security as a Service requires a clear definition and direction so that it is understood and adopted across industry sectors. This will give the market a clear understanding of what SecaaS is, what it means, which services it encompasses, and how they can be implemented.

Release Date: 04/09/2019

Defining Categories of Security as a Service: Continuous Monitoring

To improve the understanding of Security as a Service and accelerate market acceptance, clear categorization and definitions of these services are necessary. This document provides a high-level overview of the business and technical elements needed to evaluate the risks associated with the Continuous Monitoring category.

Release Date: February 29, 2016

SecaaS Category 7 // Security Information and Event Management Implementation Guidance

This document provides guidance on how to evaluate, architect, and deploy cloud-based SIEM services to both enterprise and cloud-based networks, infrastructure and applications.

Release Date: October 29, 2012

SecaaS Category 9 // BCDR Implementation Guidance

When using the cloud for operational processes and/or production systems, an organization’s BC/DR requirements must be included in their procurement, planning, design, management, and monitoring of their cloud environments and cloud service providers.

Release Date: October 08, 2012

SecaaS Category 8 // Encryption Implementation Guidance

Encryption is a primary data (and application) protection technique. For encryption to be useful, encryption keys must be properly managed and protected. This document covers both the encryption and key management topics.

Release Date: October 08, 2012

SecaaS Category 6 // Intrusion Management Implementation Guidance

Because of the limited market maturity and lack of widely accepted best practices, this document provides implementation guidelines for cloud-based intrusion management services of multiple flavors (in the cloud, through the cloud, or from the cloud), focusing on the basic tenets of service and architecture rather than on specific solutions.

Release Date: October 08, 2012

SecaaS Category 5 // Security Assessments Implementation Guidance

There are many choices for an assessment framework standard and there is no “one size fits all” solution for security assessments. One could reasonably expect that as cloud technology and governance evolves, a much smaller subset will emerge with a cloud focus.

Release Date: October 08, 2012

SecaaS Category 4 // Email Security Implementation Guidance

Due to its ubiquitous use, electronic mail is both a prime target of, and a primary vehicle for, attacks, and must be protected on both ends: sending and receiving. Email service is a well-defined utility in the enterprise, and securing email in the cloud is similar to securing email in the enterprise. Email Security as a Service (SecaaS) has a few unique aspects, but most responses entail differences of degree rather than new methods of security.

Release Date: October 08, 2012

SecaaS Category 3 // Web Security Implementation Guidance

The vendor and academic community have come together to form a set of solutions called Security as a Service. This document specifically addresses one element focused on Web Security as a Service (Web SecaaS).

Release Date: October 08, 2012

SecaaS Category 2 // Data Loss Prevention Implementation Guidance

DLP must be considered an essential element for achieving an effective information security strategy for protecting data as it moves to, resides in and departs from the cloud. DLP has two facets: one as viewed from the owner’s perspective and one as viewed from the custodian’s perspective.

Release Date: October 08, 2012

SecaaS Category 10 // Network Security Implementation Guidance

In a cloud environment, a major part of network security is likely to be provided by virtual security devices and services, alongside traditional physical network devices. Tight integration with the underlying cloud software layer to ensure full visibility of all traffic on the virtual network layer is important.

Release Date: October 08, 2012

SecaaS Category 1 // Identity and Access Management Implementation Guidance

This document addresses personnel involved in the identification and implementation of an IAM solution in the cloud. It will be of particular interest to those responsible for designing, implementing, and integrating the consumption of IAM services within any cloud application or SecaaS offering.

Release Date: September 26, 2012

CSA V3 Guideline: Book Excerpts

Culture‐free, one‐size‐fits‐all English is usually the most efficient way to speak to a large, heterogeneous audience of E2s. In contrast, there are times when our English materials are intended for E2s in a small number of specific countries. In these cases, it might make good business sense to produce more than one English version, sensitive to the first language of the readers.

Release Date: July 02, 2011