Cutting through the haze of cloud security
The Cloud Security Alliance comprises dozens of cloud service providers, including three of the four big IaaS providers: Google, Microsoft, and VMware. (Amazon is missing from the members list.) Other members include Cisco, VeriSign, American Institute of CPAs, the biggest accounting firms, and many antimalware companies.
The group's mission is to promote the use of best practices for providing security assurance within cloud computing, as well as to provide education on the uses of cloud computing to help secure all other forms of computing. The CSA doesn't do cloud auditing itself, but rather provides guidance to its members and readers.
Four pillars comprise the CSA's Governance, Risk, and Compliance (GRC) "stack": Cloud Trust Protocol, Cloud Audit, Consensus Assessment Initiative, and Cloud Controls Matrix.
The Cloud Trust Protocol is an XML-based standard way of communicating cloud security assertions, evidence of those assertions, and affirmations. According to CSA, the protocol allows "transparency as a service" for privacy, security, and compliance needs. The CSA website has a good summary of the protocol [PDF].
CSA also offers "Security Guidance for Critical Areas of Focus" [PDF] that breaks down cloud security into 13 domains:
- Governance and enterprise risk management
- Legal and electronic discovery
- Information lifecycle management
- Portability and interoperability
- Business continuity and disaster recovery
- Data center operations
- Incident response
- Application security
- Encryption and key management
- Identity and access management
The CSA has done a good job of highlighting all the computer security bases as they apply to cloud offerings.
The CSA's Cloud Controls Matrix [XLS] is geared toward cloud service providers and auditors. It lists controls and maps them to popular compliance requirements: COBIT, HIPAA, PCI DSS, and so on. CSA's Consensus Assessments Initiative Questionnaire [XLS] lists well over 100 questions that map back to the controls listed in the Cloud Controls Matrix. These documents are meant to be used together.