CSA Cloud Security Guide and Other Resources

Posted by on April 28, 2010

Looking back on our latest series of posts about cloud security, we thought we should also discuss the latest version of the security recommendations put forth by the Cloud Security Alliance.

As the name suggests, the Cloud Security Alliance (CSA) is a group of industry experts who have come together to promote best practices in the realm of cloud security. The organization is comprised of executives from several organizations. It published its first document, “Security Guidance for Critical Areas of Focus in Cloud Computing,” at RSA in 2009.

Although a good start, the recommendations were quite high-level, and I don’t believe the CSA went into enough detail discussing what to look for in a cloud provider if you want to maintain the high levels of security you have in your own network when you move to the cloud.

The updated version (2.1) of the guide is much better. In addition to covering topics we have already discussed in our previous blog posts (like compliance issues, SLAs and auditing your cloud provider), the guide gives users an excellent high-level overview of how you can go about evaluating your cloud security needs in a convenient, step-by-step format. It also goes into great depth about legal and management issues that are vital to consider when dealing with any kind of managed service.

I think it’s an excellent place to start for any organization looking for guidance on using cloud-based services. (Of course, at nearly 80 pages, it’s hardly a quick read!)

However, in addition to reading its basic security recommendations and the companion document “Top Threats to Cloud Computing v1.0”, I’d also like to suggest a few more resources for organizations wanting to make their transition to cloud services go as smoothly and securely as possible:

  • Read this 2009 post from Bruce Schneier. It is the most direct discussion of the fundamental security question underpinning every relationship between a customer and cloud provider: “Can I trust this company with my data?” This extends to everything from trusting that you’ll get personalized service to trusting that your provider will not abandon you due to bankruptcy or other business continuity issues. It’s important to remember that other concerns like standardization, data portability and governance, although important in creating a secure environment for your data, are informing a much more basic set of concerns. That is why we believe that our security story doesn’t begin at our secure development environment or our long history of network penetration testing, but with our proven track record of over a decade providing cloud services.
  • Go back and read our series of blog posts on cloud security, starting with “Top 6 Questions Every CIO Should Ask a Cloud Vendor”. Although the CSA documents give a good high-level overview of cloud security as a management process, the recommendations are meant for a wide variety of organizations that have a wide range of security requirements. However, if you want to know what the industry standards are in terms of security in the cloud, our blog posts are much more specific and in-depth.
  • The CSA recommends evaluating your organization’s needs against the many different types of cloud platforms that are available. I’d suggest reading the Cloud Computing Journal article “Six Ways To Decide Which ‘aaS’ Is Right for You” by Hubspan’s own Max Coburn and Margaret Dawson. The article is a great primer on how organizations can choose the right kind of “as-a-Service” technology for their needs.


1 Comment »

  1. [...] I’ve written about before, Hubspan has been at the forefront of cloud security, and part of that is our membership in the [...]

    Pingback by Hubspan and CSA Offer PCI DSS Cloud Training – Hubspan — June 8, 2011 @ 6:37 am
