Cloud Security Alliance (CSA)

The Cloud Security Alliance (CSA) is a non-profit organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. Through its various initiatives, research projects, and working groups, CSA provides comprehensive guidance to businesses and individuals leveraging cloud services.

Definition and purpose

The primary purpose of CSA is to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing. One of its most notable outputs is the CSA Security Guidance, a set of guidelines and best practices for securing cloud computing environments.

Governing Body

The governing body is the Cloud Security Alliance (CSA), a global non-profit organization.

Last updated

The CSA frequently updates its resources and guidelines based on emerging threats, technological advancements, and industry feedback.

Applies to

The guidelines and best practices provided by the CSA are designed to be applied across all industries and sectors that use or plan to use cloud computing services, including (but not limited to) IT, healthcare, finance, education, and government.

Controls and requirements

One of the CSA's primary resources is the Cloud Controls Matrix (CCM). The CCM is a controls framework that organizes security concepts and principles, aligned to the CSA guidance, into a set of domains:

  1. Application & Interface Security
  2. Audit Assurance & Compliance
  3. Business Continuity Management & Operational Resilience
  4. Change Control & Configuration Management
  5. Data Security & Information Lifecycle Management
  6. Datacenter Security
  7. Encryption & Key Management
  8. Governance and Risk Management
  9. Human Resources
  10. Identity & Access Management
  11. Infrastructure & Virtualization Security
  12. Interoperability & Portability
  13. Mobile Security
  14. Security Incident Management, E-Discovery, & Cloud Forensics
  15. Supply Chain Management, Transparency, and Accountability
  16. Threat and Vulnerability Management

Each domain provides a structured framework of specific best practices and controls related to cloud computing security.

Please refer to the official Cloud Controls Matrix for a detailed list of controls and requirements.

Audit type, frequency, and duration

CSA's STAR (Security, Trust, Assurance, and Risk) program offers a robust cloud-specific audit for cloud providers, consisting of three levels of assurance:

  • STAR Self-Assessment: A self-assessment provided by cloud suppliers.
  • STAR Attestation: A third-party independent assessment of the security of a cloud service.
  • STAR Certification: A rigorous third-party independent assessment of the security of a cloud service.

The frequency and duration of these audits or assessments vary based on the specific cloud service, its complexity, and the level of assurance being pursued.