What You Need to Know about Cloud Security Alliance (CSA) for a Job in Information Security

By Peter H. Gregory

If you plan on a career in information security, you need to know about the CSA. The Cloud Security Alliance (CSA) is an organization that has developed standards and guidance for cloud service providers as well as organizations utilizing cloud‐based services such as software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). Notable CSA publications follow:

  • Cloud Controls Matrix: This matrix of recommended controls for cloud service providers provides relevance tags for SaaS, PaaS, and IaaS, as well as mappings to many other controls frameworks, including AICPA, BITS, COBIT, European Privacy Directive, NIST SP800‐53, HIPAA, ISO27001, and PCI‐DSS.

  • Enterprise Architecture: This extensive one‐sheet infographic portrays cloud security controls in four main categories:

    • Business operations support services: compliance, data governance, operational risk management, human resource security, security monitoring services, legal services, and internal investigations

    • Information technology operation and support: IT operations, service delivery, and service support

    • Services: presentation services, application services, information services, and infrastructure services

    • Security and risk management: governance, risk, and compliance; InfoSec management; privilege management infrastructure; threat and vulnerability management; infrastructure protection services; data protection; and policies and standards

    You’ll want to print this infographic and hang it in your office as a handy reference.

  • Security Guidance for Critical Areas of Mobile Computing: This extensive whitepaper describes the current state of mobile computing and provides guidance for policies, controls, and tools for the safe utilization of mobile devices in an organization.

  • Security Guidance for Critical Areas of Focus in Cloud Computing: This lengthy whitepaper contains detailed narratives on cloud computing lexicons, governance, risk, and implementation guidance.

  • Consensus Assessments Initiative Questionnaire: A potential consumer of cloud‐based services can send this detailed questionnaire to a cloud services provider to better understand the service provider’s safeguards and controls.

Although these standards are voluntary, they represent a significant improvement in the development of controls and guidance for cloud service providers and consumers of cloud services.