CSA

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for service organization control reports attestations provided by cloud providers.

The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for service organization control reports attestations provided by cloud providers.

This working group aims at creating PLA templates that can be a powerful self-regulatory harmonization tool, which is almost impossible to achieve at global level using traditional legislative means. This will provide a clear and effective way to communicate to (potential) customers a CSP’s level of personal data protection, especially when trans-border data flaw is concerned.

The CSA Open Certification WG is an industry initiative to allow global, accredited, trusted certification of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification according to the CSA’s industry leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.

The Software Defined Perimeter working grouped launched with the goal to develop a solution to stop network attacks against application infrastructure. With the adoption of cloud services the threat of network attacks against application infrastructure increases since servers can not be protected with traditional perimeter defense techniques.

The CSA Open Certification WG is an industry initiative to allow global, accredited, trusted certification of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification according to the CSA’s industry leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.

The Trusted Cloud Initiative helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices. The Trusted Cloud Initiative will develop reference models and education in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate. The Trusted Cloud Initiative Reference Architecture is both a methodology and a set of tools that enable security architects, enterprise architects and risk management professionals to leverage a common set of solutions that fulfill their common needs to be able to assess where their internal IT and their cloud providers are in terms of security capabilities and to plan a roadmap to meet the security needs of their business.

The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.

The Cloud Key Management Working Group aims to facilitate the standards for seamless integration between CSPs and key broker services. Standardization will take place across key management lifecycle operations and a common set of APIs, enabling consistent implementation of enterprise key policies. Customer-centric in principle, the goal will be for data stored or traversing the cloud and requiring encryption the corresponding encryption keys will be protected and their lifecycle managed by the customer. The purpose of the Cloud Key Management Working Group is to align cloud key management interoperability standards across service providers, maintain and develop API and key interoperability specifications, develop business model templates and specifications for standardized key interoperability, promote the adoption of key management standards and key brokering interoperability, and provide well documented guidelines and a standard approach to vendors to ensure seamless interoperability and compliance to those guidelines/standards.

From a user perspective, Cloud is a service. However, for Cloud Service Providers, integrators and channel partners who construct or build the Cloud, the Cloud architecture is comprised of many Cloud computing components. Examples of these components are hypervisors, Cloud operating systems components such as “Swift”, “Glance” for OpenStack, virtual desktop infrastructure platforms, cloud dedicated firewalls and so on. How can we evaluate the security of these Cloud components? Currently, most of the security standards related to Cloud Computing focus on the information security management system. However, these standards are insufficient to evaluate cloud component security because they focus on management security rather than the technical security requirements of the components. In order to address this gap, the Cloud Component Specifications working group proposes to develop internationally recognized technical security specifications for cloud components.