Downloads Archive

Using BlockChain Technology to Secure the Internet of Things – Japanese Translation

This document, "Using Blockchain Technology to Secure IoT", is the Japanese translation of "Using Blockchain Technology to Secure the Internet of Things" published by the Cloud Security Alliance (CSA). It was translated and published by CSA Japan with CSA's permission. Where the original and the Japanese version differ, the original takes precedence.

Release Date: October 03, 2018

IoT Firmware Update Processes

Description: The traditional approach to updating software for IT assets involves analysis, staging and distribution of the update—a process that usually occurs during off-hours for the business. These updates typically have cryptographic controls (digital signatures) applied to safeguard the integrity and authenticity of the software.
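The integrity and authenticity check the description refers to, as an added example that is not code from the CSA document: the device verifies a vendor-signed image with Ed25519 and also refuses a validly signed image whose version is not newer than the one installed, since replaying an old signed image would reintroduce a fixed flaw. The image layout, function names and error values are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout for this example (not taken from any CSA document):
//   magic (4 bytes) | version (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers everything before it, so the version number is authenticated too.
const magic = "FWUP"

const sigLen = ed25519.SignatureSize

var (
	ErrBadFormat = errors.New("firmware: malformed image")
	ErrBadSig    = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version is not newer than the installed one")
)

// SignImage is the vendor-side step: it assembles the image and signs it with
// the vendor's private key, which never leaves the build system.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 0, 4+4+len(payload)+sigLen)
	img = append(img, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	img = append(img, v[:]...)
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the device-side step. It checks format, signature and
// anti-rollback, and returns version and payload only if every check passes.
// installed is the version currently running on the device.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < 4+4+sigLen || string(img[:4]) != magic {
		return 0, nil, ErrBadFormat
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	// Verify before interpreting any other field: unauthenticated bytes are never trusted.
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(body[4:8])
	// A correctly signed but older image is still rejected (anti-rollback).
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, body[8:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	img := SignImage(priv, 2, []byte("constructed sample payload"))
	v, payload, err := VerifyImage(pub, 1, img)
	fmt.Println("update 1->2:", v, string(payload), err)
	_, _, err = VerifyImage(pub, 2, img)
	fmt.Println("replay of v2 on a v2 device:", err)
	img[9] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, 1, img)
	fmt.Println("tampered image:", err)
}
```

The check is only as strong as the place the public key lives: on an IoT device it belongs in boot ROM, an OTP region or a secure element, not in the same writable flash the update overwrites.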

Release Date: September 20, 2018

Code of Conduct for GDPR Compliance – Japanese Translation

Description: This document, "Code of Conduct for GDPR Compliance", is a Japanese translation of "CODE OF CONDUCT FOR GDPR COMPLIANCE" published by the Cloud Security Alliance (CSA), with commentary added by the Japan Cloud Security Alliance (CSA Japan). It was translated and published by CSA Japan with CSA's permission. Where the original and the Japanese version differ, the original takes precedence.

Release Date: September 14, 2018

CSA Malaysia FSI Report

Description: The “Cloud Adoption in the Malaysian Financial Services Industry (FSI) sector” survey was undertaken by CSA to understand and evaluate cloud adoption trends and concerns in the FSI in that country.

Release Date: August 20, 2018

CCM Mapping Workpackage Template

Description: This document is the companion document to the Methodology for the Mapping of the Cloud Controls Matrix (CCM). It is a CCM mapping workpackage template that can be used by organizations who want to map their frameworks to the CCM.

Release Date: August 13, 2018

Top Threats to Cloud Computing: Deep Dive

Description: This case study attempts to connect all the dots when it comes to security analysis by using nine anecdotes cited in the Top Threats as its foundation. Each of the nine examples is presented in the form of (1) a reference chart and (2) a detailed narrative. The reference chart’s format provides an attack-style…

Release Date: August 08, 2018

OWASP Secure Medical Devices Deployment Standard

Description: With the explosion of botnets and other malware that now target IoT devices (of which medical devices can be considered a subtype), the need for security-minded deployments of medical devices is more essential than ever. This guide is intended to serve as a comprehensive guide to the secure deployment of medical devices within a…

Release Date: August 07, 2018

Security Position Paper Network Function Virtualization – Chinese Translation

Over the past five years, as the capability and complexity of cloud infrastructure have evolved rapidly, security risk has risen accordingly. Virtualization is not a new concept, but the idea that almost anyone can virtualize compute, storage, network and application resources increases both the impact and the speed of security threats. At the same time, the global geopolitical landscape has shifted from opportunity-driven cyberattacks to well-funded nation-state operations.

Release Date: August 03, 2018

Using BlockChain Technology to Secure the Internet of Things – Chinese Translation

In the last four years, technical experts, chief digital officers, marketing managers, journalists, bloggers and research institutions have discussed and promoted a new distributed model for secure transaction processing and storage using blockchain technology. IDC FutureScape predicted that by 2020, 20% of global trade finance will incorporate blockchain.

Release Date: August 03, 2018

Security Guidance v4.0 – Chinese Translation

Welcome to the fourth version of the Cloud Security Alliance's Security Guidance for Critical Areas of Focus in Cloud Computing. The rise of cloud computing as an ever-evolving technology brings with it many opportunities and challenges. With this document, we aim to provide both guidance and inspiration to support business goals while managing and mitigating the risks associated with adopting cloud computing technology.

Release Date: August 03, 2018

GEAB State of the Cloud 2018 – Chinese Translation

The Cloud Security Alliance Global Enterprise Advisory Board was established in 2016 as a delegation of more than ten leading experts from large multinational companies. The board was formed to voice the perspective of large IT end users and to bring together the information security viewpoints of cloud computing consumers.

Release Date: August 03, 2018

CSA Code of Conduct for GDPR Compliance – Chinese Translation

The Cloud Security Alliance (CSA) recently released the CoC for GDPR Compliance (CSA GDPR Code of Conduct), intended to offer cloud service providers (CSPs), cloud consumers and related enterprises a GDPR compliance solution, together with transparency guidelines on the level of data protection that a cloud service provider should disclose. The code gives customers of all sizes a tool to assess their level of personal data protection and so support decision-making. It also guides cloud service providers of any size and location in complying with EU personal data protection regulation and in disclosing, in a structured way, the level of personal data protection they offer their customers.

Release Date: August 03, 2018

Building a Foundation for Successful Cyber Threat Intelligence Exchange – Chinese Translation

Description: Cyberattacks are growing in frequency and sophistication. The attacker may be an individual or a well-resourced, tightly organized group. Faced with such threats, an enterprise that focuses only on internal defenses may end up building a "Maginot Line" that is eventually bypassed, and one that relies only on its own intelligence capability may find itself at an asymmetric disadvantage. To address these problems, Cyber Threat Intelligence (CTI)

Release Date: August 03, 2018

CCM v3.0 – Chinese Translation

Description: The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and cloud customers seeking to assess the overall security risk of a cloud service. The CSA CCM provides a detailed controls framework that is aligned with Cloud Security Alliance’s Security Guidance in 16 domains.

Release Date: August 03, 2018

Mobile Application Security Testing (MAST) – Charter

Description: Mobile Applications are becoming an integral part of not just modern enterprises but also of human existence and a huge part of this shift is due to the emergence of cloud computing. Cloud computing has allowed for the instantaneous utilization of applications which imparts tremendous agility to the enterprise.

Release Date: July 24, 2018

Cloud Security Alliance Code of Conduct for GDPR Compliance

Description: The CSA Code of Conduct is designed to offer both a compliance tool for GDPR compliance and transparency guidelines regarding the level of data protection offered by the Cloud Service Provider.

Release Date: July 10, 2018

CCM Mapping Methodology

Description: The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and cloud customers seeking to assess the overall security risk of a cloud service. The CSA CCM provides a detailed controls framework that is aligned with Cloud Security Alliance’s Security Guidance in 16 domains.

Release Date: July 09, 2018

Cloud Controls Matrix (CCM) v3.0.1 ISO Reverse Mapping

Description: This latest expansion to the CCM incorporates the ISO/IEC 27017:2015, ISO/IEC 27018:2014 and ISO/IEC 27002:2013 controls, introduces a new approach to the development of the CCM, and an updated approach to incorporating new industry control standards.

Release Date: June 26, 2018

Firmware Integrity in the Cloud Data Center

Description: This paper presents the point of view of key stakeholders in datacenter development on how to build cloud infrastructure using secure servers, in order to enable customers to trust the cloud provider’s infrastructure at the hardware/firmware level. In general, security of a cloud server at the firmware level comprises two equally…

Release Date: June 12, 2018

Software Defined Perimeter Glossary

Description: The Software Defined Perimeter (SDP) Glossary is a reference document that brings together SDP related terms and definitions from various professional resources. The terms and supporting information in the SDP glossary cover a broad range of areas, including the components of SDP and common supporting technologies.

Release Date: June 12, 2018

CSA STAR Certification Intake Form

Description: The CSA STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.

Release Date: June 07, 2018

CSA STAR Attestation Intake Form

Description: STAR Attestation sits, like STAR Certification, at Level 2 of the Open Certification Framework; it is a rigorous third-party independent assessment of the security of a cloud service provider.

Release Date: June 07, 2018

The State of Post-Quantum Cryptography

Description: Most people pay little attention to the lock icon on their browser’s address bar that signifies a secure connection called HTTPS. This connection establishes secure communications by providing authentication of the website and web server as well as encryption of communications between the client and server. If the connection is not secure, then a…

Release Date: May 23, 2018

The Treacherous 12 – Top Threats to Cloud Computing + Industry Insights – Japanese Translation

At a pace no one could have predicted, cloud computing is forcing businesses and governments alike to transform, and it is bringing new security challenges with it. The development of cloud service models has made the technology that supports business more efficient than ever before. The shift from owning servers to thinking in terms of consuming services is forcing IT departments to rethink how they plan, design and deliver computing and applications. At the same time, this evolution creates new security vulnerabilities,

Release Date: May 21, 2018

A Day Without Safe Cryptography

Description: Over the past fifty years, the digital age has sparked the creation of a remarkable infrastructure through which a nearly infinite variety of digital transactions and communications are executed, enabling businesses, education, governments, and communities to thrive and prosper. Millions of new devices are connecting to the Internet, creating, processing, and transferring digital information…

Release Date: April 19, 2018

GDPR Preparation and Awareness Survey Report

Description: Cloud computing, the Internet of Things, Artificial Intelligence, and other new technologies allow businesses to have better customer engagement, more access to data, and powerful analytical tools. Providers are racing to bring these technologies to the enterprise and users are anxious to take advantage of their benefits.

Release Date: April 17, 2018

State of Cloud Report

Description: Innovators and early adopters have been using cloud for years, taking advantage of the quicker deployment, greater scalability, and cost savings of services. The growth of cloud computing continues to accelerate, offering more solutions with added features and benefits, including security.

Release Date: April 16, 2018

Best Practices for Cyber Incident Exchange

Description: No organization is immune from cyber attack. Malicious actors collaborate with skill and agility, effectively moving from target to target at a breakneck pace. New attacks are directed at dozens of companies within the first 24 hours and hundreds within a few days.

Release Date: April 16, 2018

Using Blockchain Technology to Secure the Internet of Things

Description: In the last four years, technical experts, chief digital officers, marketing managers, journalists, bloggers and research institutions have discussed and promoted a new distributed model for secure transaction processing and storage using blockchain technology. IDC FutureScape predicted that by 2020, 20% of global trade finance will incorporate blockchain.

Release Date: February 13, 2018

The State of Enterprise Resource Planning Security in the Cloud

Description: The State of ERP Security in the Cloud briefly highlights some of the issues and challenges of migrating ERP solutions to the cloud. The document examines common security and privacy risks that organizations might incur during a transition to the cloud, as well as how organizations have mitigated these hazards.

Release Date: February 07, 2018

Quantum-Safe Security Awareness Survey

Release Date: January 26, 2018

Cloud Security for Startups

Release Date: November 20, 2017

Top Threats to Cloud Computing Plus: Industry Insights

Abstract: The Top Threats to Cloud Computing Plus: Industry Insights serves as a validation of the relevance of the security issues discussed in the earlier document, as well as providing references and overviews of these incidents. In total, 21 anecdotes and examples are featured in the document. The references and overview of each anecdote and example…

Release Date: October 20, 2017

Consensus Assessments Initiative Questionnaire v3.0.1 (9-1-17 Update)

Description: The CAIQ is based upon the CCM and provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix.

Release Date: October 12, 2017

Cloud Controls Matrix v3.0.1 (9-1-17 Update)

Description: The CCM is the only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de facto standard for cloud security assurance and compliance.

Release Date: October 03, 2017

Improving Metrics in Cyber Resiliency

Release Date: August 30, 2017

Security Guidance v4.0 Info Sheet

Release Date: July 26, 2017

Security Guidance for Critical Areas of Focus in Cloud Computing v4.0

Description: The rise of cloud computing as an ever-evolving technology brings with it a number of opportunities and challenges. With this document, we aim to provide both guidance and inspiration to support business goals while managing and mitigating the risks associated with the adoption of cloud computing technology.

Release Date: July 26, 2017

A Repeatable Cloud-first Deployment Process Model

By now the benefits of cloud computing are generally understood at high level. What is not necessarily clear are the details of the potential security, legal, financial, and compliance impacts that cloud adoption will produce. The stakeholders who are currently responsible for these areas are sometimes not sufficiently familiar with how a cloud-first strategy affects…

Release Date: June 06, 2017

Observations and Recommendations on Connected Vehicle Security

The introduction of Connected Vehicles (CVs) has been discussed for many years. Pilot implementations currently underway are evaluating CV operations in realistic municipal environments. CVs are beginning to operate in complex environments composed of both legacy and modernized traffic infrastructure. Security systems, tools and guidance are needed to aid in protecting CVs and the supporting…

Release Date: May 25, 2017

State of Cloud Adoption in APAC 2017

Release Date: April 23, 2017

Applied Quantum Safe Security

Release Date: March 13, 2017

SDP for IaaS

Release Date: February 13, 2017

Quantum Safe Security Glossary

Release Date: January 24, 2017

Cloud Adoption and Security in India

The “State on Cloud Adoption and Security in 2016: India” survey was circulated in an effort to understand and evaluate cloud computing trends in India. We hope to understand cloud adoption plans and usage from different industries in India and how cloud adoption can have an impact on organization business strategies and plans. This report…

Release Date: November 22, 2016

Cloud Adoption Practices & Priorities in the Chinese Financial Sector

We circulated the “Financial Services Industry Cloud Adoption Survey: China” survey to IT and security professionals in the Financial Services Institutions (FSIs) in China. The goal was not only to raise awareness around Cloud service adoption, but also to provide insight into how finance, government, insurance, and security decision makers take action in their organization…

Release Date: October 28, 2016

Defeating Insider Threats

As a follow-up to the Top Threats in Cloud Computing, from May to July 2016 we surveyed approximately 100 professionals on the extent of the following: employees leaking critical information and tradecraft on illicit sites; the data types and formats being exfiltrated, along with the exfiltration mechanisms; why so many data threats…

Release Date: October 19, 2016

Future Proofing the Connected World

Release Date: October 07, 2016

Big Data Security and Privacy Handbook

Release Date: August 26, 2016

Mitigating Risk

With several years of cloud adoption in organizations, approaches to security have been evolving rapidly. To dig deeper into these concerns and the controls being used to mitigate both sanctioned and unsanctioned cloud security risks, the Cloud Security Alliance and Bitglass conducted a survey of 176 IT security leaders. Respondents revealed that visibility and control…

Release Date: August 17, 2016

Re-Think Security

Release Date: July 15, 2016

Mobile Application Security Testing

The Mobile Application Security Testing (MAST) Initiative is a research effort that aims to help organizations and individuals reduce their risk exposure and the security threats they face when using mobile applications. MAST aims to define a framework for secure mobile application development, achieving privacy and security by design. Implementation of MAST will result in clearly articulated recommendations and…

Release Date: June 30, 2016

Quantum Random Number Generators

A random number is generated by a process whose outcome is unpredictable and which cannot be reliably reproduced. Randomness, quantitatively measured by entropy, is the measure of uncertainty or disorder within a set of data. The higher the level of unpredictability, the more random the data is and the more valuable it becomes, particularly for…
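The entropy measure the description refers to, worked through as an added example that is not from the CSA paper: per-byte Shannon entropy and min-entropy computed over three constructed samples (a constant stream, a biased source, and a linear congruential generator). It goes beyond the text in one respect: the LCG scores close to 8 bits per byte yet is fully reproducible from its seed, which is why a statistical score alone never establishes unpredictability. Function names and the samples are this example's own.

```go
package main

import (
	"fmt"
	"math"
)

// Stats holds two per-byte entropy estimates, in bits per byte, for a sample.
type Stats struct {
	Shannon    float64 // -sum p_i log2 p_i: average information per byte
	MinEntropy float64 // -log2(max p_i): worst case, the attacker's best single guess
}

// Estimate computes both measures from the byte-value histogram of data.
// Min-entropy is the figure NIST SP 800-90B uses to rate an entropy source,
// because a source is only as strong as its most likely output.
func Estimate(data []byte) Stats {
	if len(data) == 0 {
		return Stats{}
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	var h, pmax float64
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
		if p > pmax {
			pmax = p
		}
	}
	// math.Abs avoids reporting a negative zero when pmax == 1.
	return Stats{Shannon: h, MinEntropy: math.Abs(math.Log2(pmax))}
}

// LCGBytes emits the high byte of a 32-bit linear congruential generator
// (Numerical Recipes constants). Its output is completely determined by the
// seed, so it is a pseudo-random source, not a random one.
func LCGBytes(seed uint32, n int) []byte {
	out := make([]byte, n)
	x := seed
	for i := range out {
		x = x*1664525 + 1013904223
		out[i] = byte(x >> 24)
	}
	return out
}

// Biased returns a constructed sample in which 3 of every 4 bytes are 0x00
// and the rest 0x01, a caricature of a hardware source with a stuck bias.
func Biased(n int) []byte {
	out := make([]byte, n)
	for i := range out {
		if i%4 == 3 {
			out[i] = 0x01
		}
	}
	return out
}

func main() {
	samples := []struct {
		name string
		data []byte
	}{
		{"constant", make([]byte, 4096)},
		{"biased", Biased(4096)},
		{"lcg", LCGBytes(42, 65536)},
	}
	for _, s := range samples {
		st := Estimate(s.data)
		fmt.Printf("%-9s shannon=%.3f min-entropy=%.3f bits/byte\n", s.name, st.Shannon, st.MinEntropy)
	}
	// Same seed, same bytes: the LCG scores well above, yet anyone holding the
	// seed reproduces every byte, so it fails the paper's definition of random.
	fmt.Println("lcg reproducible:", string(LCGBytes(42, 8)) == string(LCGBytes(42, 8)))
}
```

The two measures diverge exactly where it matters: the biased source scores 0.81 bits of Shannon entropy but only 0.42 bits of min-entropy per byte, and min-entropy is the number to size key material against.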

Release Date: June 09, 2016

Cloud Controls Matrix v3.0.1 (10-6-16 Update)

Cloud Security Alliance Releases Candidate Mapping of ISO 27002/27017/27018 Security Controls

At the Cloud Security Alliance Summit San Francisco 2016, the CSA announced the release of the Candidate Mappings of ISO 27002/27017/27018 to version 3.0.1 of the CSA Cloud Controls Matrix (CCM). The ISO 27XXX series provides an overview of information security management systems. ISO…

Release Date: June 06, 2016

Identity Security

The goal of the Identity Solutions: Security Beyond the Perimeter survey was to address Insufficient Identity, Credential, and Access Management and gain a better understanding and perception of enterprise security in the evolving Information Technology (IT) world.

Release Date: April 19, 2016

CSA STAR Program & Open Certification Framework in 2016 and Beyond

The Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR) program is the industry’s leading trust mark for cloud security. The CSA Open Certification Framework (OCF) is a program for flexible, incremental and multi-layered CSP certifications according to the CSA’s industry leading security guidance. The OCF/STAR program comprises a global cloud computing assurance framework…

Release Date: April 12, 2016

Mobile Application Security Testing Initiative Revised Charter

Mobile applications are becoming an integral part of not just modern enterprises but also of human existence and a huge part of this shift is due to the emergence of cloud computing. The Mobile Application Security Testing initiative will aim to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application…

Release Date: March 14, 2016

Defining Categories of Security as a Service: Continuous Monitoring

In order to improve the understanding of Security as a Service and accelerate market acceptance, clear categorization and definitions of these services are necessary. This document provides a high-level overview of the business and technical elements needed to evaluate the risks associated with the Continuous Monitoring category.

Release Date: February 29, 2016

‘The Treacherous Twelve’ Cloud Computing Top Threats in 2016

“The Treacherous 12 – Cloud Computing Top Threats in 2016” plays a crucial role in the CSA research ecosystem. The purpose of the report is to provide organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk-management decisions regarding cloud adoption strategies. The report reflects the current consensus among…

Release Date: February 29, 2016

Security Position Paper – Network Function Virtualization

This white paper discusses some of the potential security issues and concerns, and offers guidance for securing a Network Function Virtualization (NFV)-based architecture, in which security services are provisioned in the form of Virtual Network Functions (VNFs).

Release Date: February 29, 2016

State of Cloud Security 2016

Cloud computing is an incredible innovation. While at its heart a simple concept, the packaging of compute resources as an on demand service is having a fundamental impact on information technology with far reaching consequences. Cloud is disrupting most industries in a rapid fashion and is becoming the back end for all other forms of…

Release Date: February 27, 2016

Consensus Assessments Initiative Questionnaire v3.0.1 (12-5-16 Update)

Realigns the CAIQ questions to CCM v3.0.1 control domains and the Cloud Security Alliance “Security Guidance for Critical Areas of Focus in Cloud Computing V3.0”

Release Date: February 01, 2016

The Cloud Balancing Act for IT: Between Promise and Peril

Cloud Adoption does not have to mean opening up your organization to increased security risks and threats if the right policies are in place. That’s what the findings from a new Cloud Security Alliance (CSA) survey, titled The Cloud Balancing Act for IT: Between Promise and Peril, indicated when it surveyed executives and IT managers…

Release Date: January 13, 2016

CloudTrust Protocol Prototype Source Code

The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust. The source code implements a CTP server that acts as a gateway between cloud customers and cloud…

Release Date: December 10, 2015

International Standardization Council Policies & Procedures

In today’s technological environment, standards play a critical role in product development and market competitiveness. Every input, behavior, and action has both a contributory and a potential legal consequence. These procedures help protect the International Standardization Council (ISC or Council) participants and the CSA by establishing the necessary framework for a sound process.

Release Date: October 15, 2015

CloudTrust Protocol Data Model and API

The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust. This document focuses on the definition of the CTP Data Model and Application Programming Interface.

Release Date: October 09, 2015

What is Post-Quantum Cryptography

Release Date: September 28, 2015

What is Quantum Key Distribution?

The security of QKD is argued from fundamental laws of physics rather than from computational assumptions, so it is not weakened by increasing computational power, new attack algorithms or quantum computers. In that model it is secure against an arbitrarily powerful eavesdropper.

Release Date: August 05, 2015

Cloud Computing Market Maturity

This white paper reports the results of a recent study conducted by ISACA and the Cloud Security Alliance to examine cloud market maturity through four lenses: cloud use and satisfaction level, expected growth, cloud-adoption drivers, and limitations to cloud adoption.

Release Date: July 15, 2015

Security Considerations for Private vs. Public Clouds

The Cloud Security Alliance teamed up with Palo Alto Networks to produce this whitepaper. A public cloud deployment occurs when a cloud’s entire infrastructure is owned, operated and physically housed by an independent Cloud Service Provider. A private cloud deployment consists of a cloud’s entire infrastructure owned, operated and physically housed by the tenant business…

Release Date: June 15, 2015

The Mandate for Meaningful Cyber Incident Sharing for the Cloud

New and increasingly significant cybersecurity breaches are reported practically every day. For most companies, it is no longer a matter of whether they will be attacked, but rather how long ago they were attacked. Enterprises and cloud providers alike need to understand the types of incidents that peers and technology partners are experiencing so that…

Release Date: June 13, 2015

Privacy Level Agreement – Version 2

PLA [V2] is intended to be used as an appendix to a Cloud Services Agreement, and to describe the level of privacy protection that the CSP will provide. While Service Level Agreements (“SLA”) are generally used to provide metrics and other information on the performance of the services, PLAs will address information privacy and personal…

Release Date: June 02, 2015

SMB Membership Brochure APAC

Release Date: June 01, 2015

SME Cloud Security

This 2015 Hong Kong Small and Medium-sized Enterprises (SME) Cloud Adoption, Security and Privacy Readiness Survey was conducted by the Internet Society Hong Kong and the Cloud Security Alliance Hong Kong and Macau Chapter, who commissioned the Hong Kong Productivity Council (Council) to carry out telephone interviews with SMEs (<100 employees) in Hong Kong. The…

Release Date: June 01, 2015

What is Quantum Safe Security

Release Date: May 19, 2015

STAR Overview PDF

The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world.

Release Date: April 20, 2015

Cloud Adoption In The Financial Services Sector

We circulated the “How Cloud is Being Used in the Financial Sector” survey to IT and security professionals in financial services institutions. The goal was to further the discussion on these topics: describe your company’s approach to cloud computing; describe your private cloud policy; what is your corporate risk assessment of cloud computing; what features…

Release Date: March 05, 2015

Mobile Application Security Testing Initiative Charter

Mobile applications are becoming an integral part of not just modern enterprises but also of human existence and a huge part of this shift is due to the emergence of cloud computing. The Mobile Application Security Testing initiative will aim to create a safer cloud ecosystem for mobile applications by creating systematic approaches to application…

Release Date: February 16, 2015

Cloud Adoption Practices & Priorities

The benefits for enterprises moving to the cloud are clear: greater business agility, data availability, collaboration, and cost savings. The cloud is also changing how companies consume technology. Employees are more empowered than ever before to find and use cloud applications, often with limited or no involvement from the IT department, creating what’s called “shadow…

Release Date: January 09, 2015

AOSSL and CCM Technote

Release Date: December 18, 2014

Big Data Taxonomy

A research document outlining the six dimensions of big data to help decision makers navigate the myriad choices in compute and storage infrastructures as well as data analytics techniques, and security and privacy frameworks.

Release Date: September 18, 2014

Cloud Usage: Risks and Opportunities

This survey was circulated to over 165 IT and security professionals in the U.S. and around the globe representing a variety of industry verticals and enterprise sizes. The goal was to understand their perception of how their enterprises are using cloud apps, what kind of data are moving to and through those apps, and what…

Release Date: September 15, 2014

Data Protection Heat Index

The Cloud Security Alliance surveyed a select group of global data privacy experts with the intention to measure attitudes towards data protection areas that tie into technology solutions which enable the exchange of information across the cloud.

Release Date: September 12, 2014

Cloud Controls Matrix v3.0.1 (July 2014)

New and updated mappings, consolidation of redundant controls, rewritten controls for clarity of intent, STAR enablement, and SDO alignment.

Release Date: July 11, 2014

Big Data, Big Concerns, and What the White House Wants to Do about It

Big data tools offer astonishing and powerful opportunities to unlock previously inaccessible insights from new and existing data sets. Large amounts of data are being processed through new techniques and technologies, dissecting the digital footprints individuals leave behind, and revealing a surprising number of personal details.

Release Date: May 29, 2014

STAR Certification Guidance Document: Auditing the Cloud Controls Matrix (CCM)

There are a number of control areas in the CCM, each of which is awarded a management capability score on a scale of 1-15. This second version release includes alignment with CCM v1.4 and v3.X.

Release Date: May 16, 2014

Guidelines for CPAs Providing CSA STAR Attestation

This document provides guidance for CPAs in conducting a STAR Attestation.

Release Date: May 15, 2014

SDP Specification v1.0

This document outlines a CSA-initiated protocol specification for the Software Defined Perimeter, and invites discussion and suggestions for improvement.

Release Date: April 30, 2014

SDP Hackathon Whitepaper

The CSA SDP Hackathon challenged hackers to attack a server defended by a software defined perimeter. Of the billions of packets fired at the server, not one attacker penetrated even the first layer of security. The whitepaper outlines how this is possible.
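The first layer a packet meets at an SDP gateway is single packet authorization (SPA): the gateway answers nothing until a datagram arrives carrying a valid keyed MAC from an enrolled client, so a scanner sees no open port. As an added example, and not code from the CSA SDP project, the following models that check on both sides. The datagram layout, the names and the shared-key enrollment are assumptions of this example rather than the specification's exact wire format.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed SPA datagram layout for this example, a simplification and not the
// exact wire format of the CSA SDP specification:
//   client id (4 bytes) | counter (8 bytes, big-endian) | HMAC-SHA256 (32 bytes)
// The MAC covers id||counter under a key shared between client and gateway.
const (
	idLen  = 4
	ctrLen = 8
	macLen = sha256.Size
	spaLen = idLen + ctrLen + macLen
)

// ErrDrop is the only failure the gateway reports internally; on the wire it
// sends nothing, so an unauthenticated sender never learns which check failed.
var ErrDrop = errors.New("spa: packet dropped")

// Gateway holds each enrolled client's key and the highest counter accepted from it.
type Gateway struct {
	keys    map[uint32][]byte
	lastCtr map[uint32]uint64
	dummy   []byte // used for unknown ids so they take the same code path
}

func NewGateway() *Gateway {
	return &Gateway{
		keys:    make(map[uint32][]byte),
		lastCtr: make(map[uint32]uint64),
		dummy:   make([]byte, 32),
	}
}

// Enroll registers a client; its counters must start above zero.
func (g *Gateway) Enroll(id uint32, key []byte) { g.keys[id] = key }

// BuildSPA is the client side: it authenticates id||counter under the shared key.
// The counter must strictly increase across packets from the same client.
func BuildSPA(id uint32, counter uint64, key []byte) []byte {
	pkt := make([]byte, spaLen)
	binary.BigEndian.PutUint32(pkt[:idLen], id)
	binary.BigEndian.PutUint64(pkt[idLen:idLen+ctrLen], counter)
	mac := hmac.New(sha256.New, key)
	mac.Write(pkt[:idLen+ctrLen])
	copy(pkt[idLen+ctrLen:], mac.Sum(nil))
	return pkt
}

// Authorize is the gateway side, run on every inbound datagram before any
// other service is reachable. It returns the client id to open a port for,
// or ErrDrop. Unknown clients, bad MACs and replays are all dropped silently.
func (g *Gateway) Authorize(pkt []byte) (uint32, error) {
	if len(pkt) != spaLen {
		return 0, ErrDrop
	}
	id := binary.BigEndian.Uint32(pkt[:idLen])
	counter := binary.BigEndian.Uint64(pkt[idLen : idLen+ctrLen])
	key, known := g.keys[id]
	if !known {
		key = g.dummy // still compute a MAC so unknown ids are not distinguishable by timing
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(pkt[:idLen+ctrLen])
	if !known || !hmac.Equal(mac.Sum(nil), pkt[idLen+ctrLen:]) {
		return 0, ErrDrop
	}
	// Replay protection, checked only after the MAC so that a forger cannot
	// advance a client's counter and lock it out.
	if counter <= g.lastCtr[id] {
		return 0, ErrDrop
	}
	g.lastCtr[id] = counter
	return id, nil
}

func main() {
	g := NewGateway()
	key := []byte("constructed shared key for client 7")
	g.Enroll(7, key)
	pkt := BuildSPA(7, 1, key)
	id, err := g.Authorize(pkt)
	fmt.Println("first packet:", id, err)
	_, err = g.Authorize(pkt)
	fmt.Println("replayed packet:", err)
	_, err = g.Authorize(BuildSPA(7, 2, []byte("guessed key")))
	fmt.Println("forged packet:", err)
	_, err = g.Authorize([]byte("GET / HTTP/1.1\r\n\r\n"))
	fmt.Println("scanner probe:", err)
}
```

In a deployment the gateway's firewall defaults to drop, and only a successful Authorize inserts a short-lived rule for that client's source address; the hackathon result in the description follows from the fact that every packet without a valid MAC is discarded before any service is exposed.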

Release Date: April 17, 2014

Comment on Big Data and the Future of Privacy

Responses to questions on the relationship between big data and public policy, government, technology trends, and policy frameworks.

Release Date: April 09, 2014

Research Lifecycle

A step-by-step guide to producing and distributing research artifacts. From inspiration and conception to publication and distribution, it covers the process for research projects and their typical timeframes. The Research Lifecycle is a tool that provides a framework for the life of a research artifact.

Release Date: March 19, 2014

The Future of Security

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

Release Date: February 25, 2014

The Future of Security: Executive Summary

Disruption defines the business of information security. New technologies change how businesses work, as well as what risks people take. Attackers shift their strategies. But the better security professionals predict and prepare for these disruptions, the more effective we can be.

Release Date: February 25, 2014

SAFEcode/CSA: Practices for Secure Development of Cloud Applications

SAFECode and CSA partnered to determine whether additional software security guidance was needed to address threats unique to cloud computing and, if so, to identify specific security practices in the context of the identified threats.

Release Date: December 04, 2013

Software Defined Perimeter

This document explains the software defined perimeter (SDP) security framework and how it can be deployed to protect application infrastructure from network-based attacks. The SDP incorporates security standards from organizations such as the National Institute of Standards and Technology (NIST) as well as security concepts from organizations such as the U.S. Department of Defense (DoD) into an integrated framework.

Release Date: December 01, 2013

Net+ Initiative CCM v.3 Candidate Mappings

A team of 30 CIOs, CISOs, and other executives from Internet2’s membership (both higher education institutions and industry service providers) developed this extended version of the CCM. This version includes candidate mappings to address higher education security and compliance requirements.

Release Date: December 01, 2013

CCM v3.0 Info Sheet

Release Date: October 07, 2013

Cloud Controls Matrix v3.0

Cloud Controls Matrix (CCM) Version 3.0 is a comprehensive update to the industry’s gold standard for assessing cloud-centric information security risks.

Release Date: September 26, 2013

Publicizing Your STAR Certification

The following guidelines will help you to apply good practice in publicizing, communicating and promoting your certification to stakeholders, including staff, customers and business partners, and to the general public.

Release Date: September 03, 2013

Requirements for Bodies Providing STAR Certification

This document outlines how to conduct STAR certification assessments against the Cloud Controls Matrix (CCM) as part of an ISO 27001 assessment.

Release Date: September 03, 2013

Government Access to Information

The survey received almost 500 responses from CSA members around the world. It found that 56% of non-US residents were now less likely to use US-based cloud providers, in light of recent revelations about government access to customer information.

Release Date: July 23, 2013

Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing

The purpose of this document is to survey the issues related to forensic investigation in cloud environments, to describe the international standards for cloud forensics, and to summarize the current integration of cloud forensic requirements into service level agreements (SLAs).

Release Date: June 26, 2013

Expanded Top Ten Big Data Security and Privacy Challenges

Big Data remains one of the most talked about technology trends in 2013. But lost among all the excitement about the potential of Big Data are the very real security and privacy challenges that threaten to slow this momentum.

Release Date: June 16, 2013

Cloud Computing Vulnerability Incidents: A Statistical Overview

In an attempt to ascertain Cloud Computing reliability, 11,491 news articles on cloud computing-related outages from 39 news sources between Jan 2008 and Feb 2012 – effectively covering the first five years of cloud computing – were reviewed.

Release Date: May 31, 2013

Cloud Computing: What Damages in Case of Outages

Service interruptions are inevitable regardless of whether the cloud service provider is a small company or a large company. When a cloud service goes down, users lose access to their data; they may also be deprived of the processing capabilities that are provided as part of the cloud offering.

Release Date: May 21, 2013

Cloud Controls Matrix v1.4

Release Date: March 08, 2013

GRC Stack

Release Date: March 08, 2013

Enterprise Architecture v2.0

The Enterprise Architecture is both a methodology and a set of tools that enable security architects, enterprise architects and risk management professionals to leverage a common set of solutions. These solutions meet their shared need to assess where their internal IT and their cloud providers stand in terms of security capabilities, and to plan a roadmap to meet the security needs of their business.

Release Date: February 25, 2013

CSA Position Paper on AICPA Service Organization Control Reports

The Cloud Security Alliance (CSA) has drafted the CSA Position Paper on AICPA Service Organization Control Reports as a means to educate its members and provide guidance on selecting the most appropriate reporting standard.

Release Date: February 25, 2013

Privacy Level Agreement (PLA) Outline for the Sale of Cloud Services in the European Union

The Outline provides a structure for Cloud Service Providers (CSPs) to disclose, in a consistent manner, information about the privacy and data protection policies, procedures and practices used when processing personal data that customers upload or store on the CSP’s servers.

Release Date: February 24, 2013

The Notorious Nine: Cloud Computing Top Threats in 2013

Providing organizations with up-to-date, expert-informed understanding of cloud security threats in order to make educated risk-management decisions regarding cloud adoption strategies.

Release Date: February 24, 2013

Article 29 Working Party Cloud Computing Opinion: A Blow to Safe Harbor

The Article 29 Data Protection Working Party—which includes representatives of the data protection authorities of each of the European Union member states—recently issued an opinion on cloud computing that could impact U.S. cloud providers.

Release Date: February 22, 2013

What Rules Apply to Government Access to Data Held by US Cloud Service Providers

Which rules regulate government access to data held by US cloud service providers?

Release Date: February 22, 2013

Security Guidance for Critical Areas of Mobile Computing

Mobile devices empower employees to do what they need to do — whenever and wherever. People can work and collaborate “in the field” with customers, partners, patients or students and each other. But they need to be supported with always current operational processes and information, whether from apps, the Internet, or documents from other people.

Release Date: November 08, 2012

Top Ten Big Data Security and Privacy Challenges

In this paper, we highlight the top ten big data specific security and privacy challenges. We interviewed Cloud Security Alliance members and surveyed security practitioner-oriented trade journals to draft an initial list of high-priority security and privacy problems, studied published research, and arrived at the following top ten challenges…

Release Date: November 07, 2012

CSA Congress 2012 Big Data Overview

Crystallization of best practices for security and privacy in big data.

Release Date: November 06, 2012

SecaaS Category 7 // Security Information and Event Management Implementation Guidance

This document provides guidance on how to evaluate, architect, and deploy cloud-based SIEM services to both enterprise and cloud-based networks, infrastructure and applications.

Release Date: October 29, 2012

SecaaS Category 9 // BCDR Implementation Guidance

When using the cloud for operational processes and/or production systems, an organization’s BC/DR requirements must be included in their procurement, planning, design, management, and monitoring of their cloud environments and cloud service providers.

Release Date: October 08, 2012

SecaaS Category 8 // Encryption Implementation Guidance

Encryption is a primary data (and application) protection technique. For encryption to be useful, encryption keys must be properly managed and protected. This document covers both the encryption and key management topics.

Release Date: October 08, 2012

SecaaS Category 6 // Intrusion Management Implementation Guidance

Because of the limited market maturity and lack of widely accepted best practices, this document provides implementation guidelines for cloud-based intrusion management services of multiple flavors—in the cloud, through the cloud, or from the cloud—focusing on the basic tenets of service and architecture rather than on specific solutions.

Release Date: October 08, 2012

SecaaS Category 5 // Security Assessments Implementation Guidance

There are many choices for an assessment framework standard and there is no “one size fits all” solution for security assessments. One could reasonably expect that as cloud technology and governance evolves, a much smaller subset will emerge with a cloud focus.

Release Date: October 08, 2012

SecaaS Category 4 // Email Security Implementation Guidance

Due to its ubiquitous use, electronic mail is both the prime target of, and primary vehicle for, attacks, and must be protected on both ends: sending and receiving. Email service is a well defined utility in the enterprise, and securing email in the cloud is similar to securing email in the enterprise. Email Security as a Service (SecaaS) has a few unique aspects, but most responses entail differences of degree, rather than instituting new methods of security.

Release Date: October 08, 2012

SecaaS Category 3 // Web Security Implementation Guidance

The vendor and academic community have come together to form a set of solutions called Security as a Service. This document specifically addresses one element focused on Web Security as a Service (Web SecaaS).

Release Date: October 08, 2012

SecaaS Category 2 // Data Loss Prevention Implementation Guidance

DLP must be considered an essential element for achieving an effective information security strategy for protecting data as it moves to, resides in and departs from the cloud. DLP has two facets: one as viewed from the owner’s perspective and one as viewed from the custodian’s perspective.

Release Date: October 08, 2012

SecaaS Category 10 // Network Security Implementation Guidance

In a cloud environment, a major part of network security is likely to be provided by virtual security devices and services, alongside traditional physical network devices. Tight integration with the underlying cloud software layer to ensure full visibility of all traffic on the virtual network layer is important.

Release Date: October 08, 2012

Mobile Top Threats

Release Date: October 04, 2012

CSA/ISACA Cloud Market Maturity Study Results

A collaborative project by ISACA and CSA, the Cloud Market Maturity study provides business and IT leaders with insight into the maturity of cloud computing and will help identify any changes in the market.

Release Date: September 27, 2012

SecaaS Category 1 // Identity and Access Management Implementation Guidance

This document addresses personnel involved in the identification and implementation of an IAM solution in the cloud. It will be of particular interest to those responsible for designing, implementing and integrating the consumption of IAM services within any cloud application or SecaaS offering.

Release Date: September 26, 2012

Mobile Device Management: Key Components

Release Date: September 20, 2012

Cloud Controls Matrix v1.3

Release Date: September 20, 2012

OCF Vision Statement

The CSA Open Certification Framework is a program for flexible, incremental and multi-layered cloud provider certification according to the Cloud Security Alliance’s industry leading security guidance and control objectives.

Release Date: August 17, 2012

Innovation Initiative Overview Powerpoint

Release Date: February 24, 2012

Innovation Initiative Charter

Release Date: February 24, 2012

Cloud Consumer Advocacy Questionnaire

The purpose of this survey was to capture the current state of data governance and data security capabilities offered by leading cloud service providers in the industry. The results of this survey are intended to be used for guidance and research conducted by CSA and its affiliates.

Release Date: November 16, 2011

CSA Security Guidance Domain 3: Legal Issues: Contracts and Electronic Discovery

This domain highlights some of the legal aspects raised by cloud computing. It provides general background on legal issues that can be raised by moving data to the cloud, some issues for consideration in a cloud services agreement, and the special issues presented by electronic discovery under Western litigation.

Release Date: November 14, 2011

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0

The CSA guidance as it enters its third edition seeks to establish a stable, secure baseline for cloud operations. This effort provides a practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely. Domains have been rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.

Release Date: November 14, 2011

Enterprise Architecture Mapping V1.9

Release Date: November 09, 2011

Enterprise Architecture Model V1.1

Release Date: October 26, 2011

Defined Categories of Service 2011

Release Date: October 26, 2011

GRC Stack Courseware

Release Date: October 10, 2011

Consensus Assessments Initiative Questionnaire v1.1

The questionnaire is organized using CSA’s 13 governing and operating domains, divided into “control areas” within CSA’s Cloud Controls Matrix structure.

Release Date: September 01, 2011

CloudTrust Protocol Information Overview Powerpoint

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: September 01, 2011

Cloud Controls Matrix v1.2

Release Date: August 26, 2011

CCAQIS v1.2

The purpose of this survey is to capture the current state of data governance and data security capabilities offered by leading cloud service providers in the industry. The results of this survey will be aggregated and used for guidance and research conducted by CSA and its affiliates.

Release Date: August 01, 2011

CSA V3 Guideline: Book Excerpts

Culture-free, one-size-fits-all English is usually the most efficient way to speak to a large, heterogeneous audience of E2s. In contrast, there are times when our English materials are intended for E2s in a small number of specific countries. In these cases, it might make good business sense to produce more than one English version, sensitive to the first language of the readers.

Release Date: July 02, 2011

CloudTrust Protocol Information Overview

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: June 01, 2011

GRC Stack Training Document

Release Date: March 06, 2011

Cloud Computing for Business

This book is for all these people, and indeed for all executives whose companies are using, or thinking of using, cloud computing.

Release Date: March 02, 2011

CloudCERT Report to CSA Summit 2011

Release Date: February 14, 2011

Cloud Controls Matrix V1.1

Release Date: December 17, 2010

Cloud Controls Matrix V1.01

Release Date: October 20, 2010

A Precis for the CloudTrust Protocol (V2.0)

The CloudTrust Protocol (CTP) offers an uncomplicated, natural way to request and receive fundamental information about essential elements of transparency.

Release Date: September 01, 2010

Cloud Controls Matrix V1.0

Release Date: April 27, 2010