The Cloud Security Alliance (CSA) is a nonprofit organization that promotes research into best practices for securing cloud computing and the use of cloud technologies to secure other forms of computing. CSA leverages the expertise of industry practitioners, associations and governments, as well as its corporate and individual members, to offer research, education, certification, events and products specific to cloud security.
The organization's activities, knowledge and extensive network benefit the entire cloud community, including cloud service providers, customers, entrepreneurs and governments. The CSA also offers a forum through which all parties can work together to create and maintain a trusted cloud ecosystem.
The industry group also provides security education and guidance to companies in different stages of cloud adoption and helps cloud service providers address security in their software delivery models. CSA membership is available to any interested parties with the expertise to contribute to the security of cloud computing.
Cloud Security Alliance research areas
The CSA leads a number of ongoing research initiatives through which it provides white papers, tools and reports to help companies and vendors secure cloud computing services.
There are CSA working groups that target 38 different cloud security domains and address almost every aspect of cloud security. These include the following:
- The Cloud Data Governance Working Group works to design principles and map them to emerging technologies and techniques to guarantee the privacy, availability, integrity, confidentiality and security of data across public and private clouds.
- The Cloud Security Alliance IoT Working Group focuses on developing relevant use cases for internet of things (IoT) implementations, as well as establishing actionable guidance to enable security practitioners to secure their deployments.
- The CSA Application Containers and Microservices Working Group focuses on conducting research on the security of application containers and microservices. It is also charged with publishing guidance and best practices for the secure use of application containers and microservices.
- The SaaS Governance Working Group aims to encourage and define mechanisms to promote cooperation and help vendors and customers work closely together to manage software-as-a-service risks and guarantee the security of customer data and the resilience of the SaaS cloud infrastructure.
CSA programs and partnerships
The CSA also offers numerous programs and partnerships, including the Cloud Security Alliance Global Consulting Program (CSA GCP), which enables cloud consumers to work with trusted security professionals and organizations that provide qualified professional services based on CSA best practices.
Providers in this program include:
- BH Consulting, an independent advisory firm that specializes in information security consulting, ISO 27001, cybersecurity, risk assessment, cloud security, incident response, cloud and digital forensics, and training.
- KPMG, a professional services company that provides audit, tax and advisory services.
- Optiv, a provider of cybersecurity solutions that help companies plan, build and run successful cybersecurity programs, whether on premises, in the cloud or in a hybrid cloud computing environment.
- Securosis, an information security research and advisory firm that aims to develop and apply techniques to achieve a higher level of security in the cloud than in enterprise data centers.
The CSA Security, Trust & Assurance Registry (STAR) is a program for security assurance in the cloud. STAR incorporates the principles of transparency, rigorous auditing and the harmonization of standards. The STAR program offers a number of benefits, including "indications of best practices and validation of security posture of cloud offerings," according to the CSA website.
In addition, the CSA Code of Conduct for GDPR Compliance offers a consistent and comprehensive framework to help companies comply with the European Union's GDPR (General Data Protection Regulation). The CSA Code of Conduct offers a tool for achieving GDPR compliance, as well as transparency guidelines regarding the level of data protection offered by a cloud service provider.
The Cloud Security Alliance offers three membership options:
- Corporate Membership for Solution Providers offers a venue for members to learn about the latest developments in the cloud, showcase their expertise to a global audience and connect with users.
- Corporate Membership for Enterprises provides the information, tools and guidance to help members realize the benefits of their cloud investments.
- Individual Membership is a complimentary membership, based on a minimum level of participation, for any individual with an interest in cloud computing and the expertise to help make it more secure.
The CSA currently has 90,000 individual members, 80 global chapters and 400 corporate members.
Cloud Security Alliance certifications
The Cloud Security Alliance also offers professional cloud security certifications.
- CSA STAR (Security, Trust & Assurance Registry) Certification is a rigorous, third-party, independent assessment of the security of a cloud service provider. The STAR Certification is based on achieving ISO/IEC 27001, as well as the specified set of criteria detailed in the Cloud Controls Matrix. Achieving the STAR Certification means that cloud providers will be able to offer prospective customers a greater understanding of their level of security control.
- CSA CCSK (Certificate of Cloud Security Knowledge) is a web-based examination of a person's competency in the primary cloud security issues. The CCSK aims to provide an understanding of security issues and best practices over a range of cloud computing domains. Recommended for IT auditors, the CCSK is required for portions of the CSA STAR program.
- CSA CCSP (Certified Cloud Security Professional) is a global credential representing the highest standard for expertise in cloud security. It was co-created by the Cloud Security Alliance and the International Standardization Council -- the stewards for information security and cloud computing security. The CCSP is recommended for experienced IT/ICT (information communication technology) professionals involved with IT architecture; web and cloud security engineering; information security; governance, risk and compliance; or IT auditing. Additionally, the CCSP is useful for individuals who are working with organizations committed to DevSecOps, Agile or bimodal IT practices.