Founded in 2008, the Cloud Security Alliance defines standards, certifications and best practices to help ensure a secure cloud computing environment. It has over 80,000 members worldwide, and offers working groups across 31 domains of cloud security. These groups include participants from CSA’s diverse membership and provide the opportunity to participate in research initiatives with like-minded professionals.
What are some of the CSA’s most intriguing working groups that cloud professionals might wish to join? Here are our top five picks:
The Top Threats working group produces one of the CSA's foundational reports, a periodically updated ranking of the most pressing threats to cloud computing. The latest edition, “Top Threats to Cloud Computing: Egregious Eleven,” was released in mid-2019 and covers 11 threats. The group's research is significant enough that many of its reports have been translated into several languages.
The goal of the Top Threats research is to help companies prioritize risk by providing context around each threat. For example, reflecting the high adoption rates of the cloud over the past decade, the latest list shifted from infrastructure threats toward higher-level, customer-centric ones such as misconfiguration, insufficient key management and account hijacking.
One of the CSA's foundational and most prolific working groups, the Cloud Controls Matrix group maintains the set of required security controls known as the CCM, so that cloud vendors and consumers have a standardized framework for assessing the security risk of a cloud provider. The CCM is mapped to accepted security standards, regulations and control frameworks such as ISO 27001/27002, ISACA COBIT, PCI DSS, NIST, the Jericho Forum and NERC CIP.
The current CCM version is 3.0, which covers 136 controls across 16 domains. This version added three new domains: “Mobile Security,” which addresses controls specific to mobile devices; “Supply Chain Management, Transparency and Accountability,” which assesses the risk in a cloud provider's supply chain; and “Interoperability and Portability,” which aims to minimize customer lock-in.
Typically, companies use a questionnaire called the CAIQ (see below) to ascertain a cloud provider’s compliance with the CCM.
The Consensus Assessments Initiative working group creates the tools that enable cloud computing assessments. Its mission is to make documentation of cloud security controls an industry standard. The group builds on the output of other working groups, in particular the CCM. Its main deliverable is the CAIQ (Consensus Assessments Initiative Questionnaire), a questionnaire of yes/no questions used to ascertain a cloud provider’s compliance with the CCM.
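In practice a completed CAIQ arrives as a spreadsheet export, and the reviewer's first job is triage: which domains have gaps, which “Yes” answers carry no evidence reference, and which “N/A” answers lack a justification. The script below is an added example written for this article, not code from the CSA, the working group or Panorays; the control IDs, domain names, questions, answers and evidence strings are constructed for illustration and do not reproduce the real CAIQ or CCM text.

```python
"""Triage a CAIQ-style yes/no questionnaire export against CCM domains.

Added example, not CSA or Panorays code. All control IDs, domain names,
questions, answers and evidence references below are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (columns: control_id, domain, question, answer, evidence).
SAMPLE_CAIQ = """control_id,domain,question,answer,evidence
EKM-01,Encryption & Key Management,Are customer keys stored in an HSM?,Yes,SOC2-2019 s4.2
EKM-02,Encryption & Key Management,Can tenants manage their own keys?,yes,
IAM-01,Identity & Access Management,Is MFA enforced for admin access?,Yes,Policy IAM-7
IAM-02,Identity & Access Management,Are admin sessions logged and reviewed?,No,
MOS-01,Mobile Security,Are MDM controls enforced on staff devices?,N/A,
STA-01,Supply Chain Management,Are sub-processors reviewed annually?,N/A,Single-tenant appliance; no sub-processors
IPY-01,Interoperability & Portability,Can tenants export data in open formats?,maybe,
"""

VALID_ANSWERS = {"yes", "no", "n/a"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def normalize(answer):
    """Map free-form answer text to yes/no/n/a; None for anything unrecognized."""
    a = answer.strip().lower()
    if a in ("na", "not applicable"):
        a = "n/a"
    return a if a in VALID_ANSWERS else None


def triage(csv_text):
    """Return (per-domain counts, findings) for a CAIQ-style export.

    Each finding is (severity, control_id, note). Unrecognized answers are
    counted toward the domain total but not as yes/no/n/a, so they cannot
    inflate coverage.
    """
    summary = defaultdict(lambda: {"total": 0, "yes": 0, "no": 0, "n/a": 0})
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        domain, cid = row["domain"], row["control_id"]
        answer = normalize(row["answer"])
        evidence = row["evidence"].strip()
        summary[domain]["total"] += 1
        if answer is None:
            findings.append(("high", cid, f"unrecognized answer {row['answer']!r}; treat as unanswered"))
            continue
        summary[domain][answer] += 1
        if answer == "no":
            findings.append(("high", cid, "control not implemented"))
        elif answer == "n/a" and not evidence:
            findings.append(("medium", cid, "N/A without justification"))
        elif answer == "yes" and not evidence:
            findings.append(("low", cid, "Yes without evidence reference"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f[0]], f[1]))
    return dict(summary), findings


def coverage(summary):
    """Fraction of applicable (yes+no) controls answered Yes per domain; None if none applicable."""
    result = {}
    for domain, c in summary.items():
        applicable = c["yes"] + c["no"]
        result[domain] = round(c["yes"] / applicable, 2) if applicable else None
    return result


if __name__ == "__main__":
    counts, issues = triage(SAMPLE_CAIQ)
    for domain, pct in coverage(counts).items():
        print(f"{domain:32s} coverage={pct} counts={counts[domain]}")
    for sev, cid, note in issues:
        print(f"[{sev:6s}] {cid}: {note}")
```

Two design choices matter for a real review: an answer that is not a clean yes/no/N/A is surfaced as a high-severity finding rather than silently dropped or guessed, and coverage is computed only over applicable controls so that a domain answered entirely “N/A” reports no score instead of a misleading 100%.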
Panorays is a licensed distributor of the CAIQ. Through this partnership, customers receive a context-based CAIQ, tailored to the relationship between the customer and the provider, so that only the questions tied to regulations or frameworks relevant to that relationship are asked. Onboarding third parties through the CAIQ is automated, so customers can send the questionnaire, track responses and evaluate their cloud providers.
The Open Certification Framework (OCF) group provides guidance on how cloud providers can be assessed and certified against the CCM. In particular, this group focuses on the CSA Security, Trust, Assurance and Risk (STAR) program.
STAR-certified organizations may also be listed in an open, searchable registry that lets stakeholders view the organizations’ security posture. The STAR program comprises three tiers: self-assessment; third-party attestation and certification; and full cloud assurance and transparency. All levels of STAR have the option of continuous monitoring. The OCF collaborates with other key working groups, including CCM, GDPR and the GRC Stack.
The Cloud Cyber Incident Sharing Center (CloudCISC) is meant to help the cloud community share data about incidents, new technologies and even regulatory changes. Many providers and consumers of cloud apps face the same challenges and can benefit from anonymized, community sharing of threat intelligence. The intelligence shared includes indicators of attack, attackers’ modus operandi, new technologies and regulatory changes.
For those interested in building a cloud threat exchange, CloudCISC has released research that guides companies on how to define the goals of a program, identify requirements and operationalize the basics of the program. The working group is co-chaired by Brian Kelly, CSO at Rackspace, and Dave Cullinane, founder of TruSTAR Technology.