The CSA Open Certification WG is an industry initiative to allow global, accredited, trusted certification of cloud providers. It is a program for flexible, incremental and multi-layered cloud provider certification according to the CSA’s industry leading security guidance and control objectives. The program will integrate with popular third-party assessment and attestation statements developed within the public accounting community to avoid duplication of effort and cost.
The Trusted Cloud Initiative helps cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations and practices. The Trusted Cloud Initiative will develop reference models and education in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate. The Trusted Cloud Initiative Reference Architecture is both a methodology and a set of tools. It gives security architects, enterprise architects and risk management professionals a common set of solutions for two shared needs: assessing where their internal IT and their cloud providers stand in terms of security capabilities, and planning a roadmap to meet the security needs of their business.
Privacy Level Agreement - Version 2 is intended to be used as an appendix to a Cloud Services Agreement, and to describe the level of privacy protection that the CSP will provide. While Service Level Agreements (“SLA”) are generally used to provide metrics and other information on the performance of the services, PLAs will address information privacy and personal data protection practices.
The PLA [V2] is based only on EU personal data protection mandatory legal requirements. Accordingly, the Working Group has stripped away the elements of the PLA [V1] that were derived from best practices and recommendations (see the ‘Methodology’ section of the standards document), and has further clarified the core mandatory legal requirements.
The goal of CloudAudit is to provide a common interface and namespace that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology. CloudAudit provides the technical foundation to enable transparency and trust in private and public cloud systems.
The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.
The CTP document focuses on the definition of the CTP Data Model and Application Programming Interface (API), including:
The format of CTP messages exchanged between cloud service customers and providers.
The modelling of concepts such as “security attributes”, “objectives”, “measurement results” and “triggers” in machine readable format.
The means to define the scope of the service to which CTP monitoring queries apply.
However, the document does not provide a specification of the “security attributes” (and associated metrics) that are queried through CTP. Such a specification will be provided by the Cloud Security Alliance in a separate document, and will likely be influenced by upcoming standards such as [ISO_19086]. CTP also leaves implementers free to define and adopt their own set of security attributes and related metrics. This document is organised as follows.
Section 2 provides some key terms and definitions that are used throughout this document, borrowing from relevant key standards.
Section 3 offers a general introductory overview of CTP.
Section 4 describes the CTP data model, defining the main concepts that are used to represent security information related to cloud services in CTP.
Section 5 specifies the RESTful CTP API that implements the model described in section 4. It also specifies the CTPScript language used in “triggers” and “objectives” and describes when they should be evaluated.
Section 6 provides requirements and recommendations for securing the CTP API.
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles, aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Controls Matrix rest on its customized mapping to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP; it will augment or provide internal control direction for the service organization control report attestations provided by cloud providers.
The Mobile Application Security Testing (MAST) initiative aims to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application testing and vetting that help introduce quality control and compliance into mobile application development and management. This initiative hopes that more research into mobile application security vetting and testing will help reduce the risks and security threats that organizations and individuals expose themselves to when using mobile applications. Implementation of MAST will result in clearly articulated recommendations and best practices for the use of mobile applications. The mobile application security testing and vetting processes used in MAST involve both static and dynamic analysis to evaluate the security issues of mobile applications on platforms such as Android, iOS and Windows.
As businesses develop rapidly and IT infrastructures become ever more diverse, a single public or private cloud, or a traditional on-premises datacenter, is no longer able to meet service requirements in terms of cost, performance, scalability, security, and compatibility. Users are increasingly choosing hybrid clouds to meet their needs. Hybrid clouds take advantage of multiple clouds and traditional IT infrastructures, combined systematically to serve users according to their service requirements. However, hybrid clouds pose new security risks and bring new challenges for security protection. This initiative aims to develop a security white paper specifying hybrid cloud security risks and countermeasures, helping users identify and reduce risk. The initiative proposes to provide guidance on hybrid cloud governance, hybrid cloud threat profiles, and hybrid cloud security evaluation, helping users choose, and cloud service providers deliver, secure hybrid cloud solutions, and promoting security planning and implementation.
The shift from traditional client/server to service-based models is transforming the way technology departments think about, design, and deliver computing technology and applications. However, the improved value offered by advances in cloud computing has also created new security vulnerabilities, including security issues whose full impact is still emerging. The CSA Top Threats Working Group aims to provide organizations with an up-to-date, expert-informed understanding of cloud security risks, threats and vulnerabilities so that they can make educated risk-management decisions regarding their cloud adoption strategies.
The Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing seeks to establish a stable, secure baseline for cloud operations. It provides a practical, actionable roadmap for managers who want to adopt the cloud paradigm safely and securely. Each domain is reviewed with an emphasis on security, stability, and privacy in a multi-tenant environment. The Security Guidance builds on previous iterations through dedicated research and public participation from CSA members, working groups, and industry experts. This version incorporates advances in cloud, security, and supporting technologies, reflects real-world cloud security practice, integrates the latest CSA research projects, and offers guidance for related technologies. The goal of the fourth version of the Security Guidance for Critical Areas of Focus in Cloud Computing is to provide guidance and inspiration that support business goals while managing and mitigating the risks associated with cloud computing adoption.
The purpose of this research is to identify consensus definitions of what Security as a Service means, to categorize the different types of Security as a Service, and to provide guidance to organizations on reasonable implementation practices.
The CSA Quantum Safe Security Working Group's goal is to address key generation and transmission methods that will help the industry understand quantum-safe approaches to protecting its data: quantum key distribution (QKD), a physics-based technology for securely delivering keys, and post-quantum cryptography (PQC), mathematical algorithms that are resistant to attack by quantum computers. The working group aims to support the quantum-safe cryptography community in developing and deploying a framework to protect data both in transit and at rest.