Extra, Extra! Cloud Security Alliance Releases New Guidance
Earlier this month the Cloud Security Alliance (CSA) released updates to its Security Guidance for Critical Areas of Focus in Cloud Computing Guide – an extensive guidebook that provides a “practical, actionable road map to managers wanting to adopt the cloud paradigm safely and securely.”
Here at Eze Castle Integration, we talk regularly about cloud security and best practices, so I believe it is important to increase awareness of this great resource. The topics covered in this 177-page report revolve around three key areas. Here is a snapshot of the three key sections as defined by the CSA:
1. Cloud Architecture: The Cloud Computing Architectural Framework provides a conceptual framework for the rest of the Cloud Security Alliance’s guidance. The content of this section focuses on a description of cloud computing that is specifically tailored to the unique perspective of IT network and security professionals. Checkout the OpenCrowd Taxonomy below.
2. Governing in the Cloud: The fundamental issues of governance and enterprise risk management in cloud computing concern the identification and implementation of the appropriate organizational structures, processes, and controls to maintain effective information security governance, risk management, and compliance.
Organizations should also assure reasonable information security across the information supply chain, encompassing providers and customers of cloud computing services and their supporting third-party vendors, in any cloud deployment model.
To assist in this effort, this section of the guide covers governance and risk management, cloud computing legal issues, compliance and audit management, data security, and interoperability.
3. Operating in the Cloud: One purpose of this section is to assist cloud service users to share a common understanding of traditional security (physical security) with cloud service. Traditional security can be defined as the measures taken to ensure the safety and material existence of data and personnel against theft, espionage, sabotage, or harm. In the context of cloud information security, this is about information, products, and people.
Topics covered in this section include business continuity and disaster recovery in the cloud, data center operations, incident response, application security, encryption and key management, access management, virtualization, and security as a service.
You can download a copy of the complete report HERE.