As with almost any other auditing control document, my only complaint is that the controls and control questions are fairly general in nature. For instance, it asks whether data is encrypted at rest, which is a good thing, but it gives no indication of how well that is done, even if the vendor says it is. Even the best encryption algorithm is undermined by poor deployment practice (a strong cipher protects nothing if the key sits unprotected beside the data it encrypts, or if the encryption covers only part of the data). Unfortunately, such specific technical details are rarely covered in any general security control guideline, but at least you have a solid baseline to start from.
If you're considering a cloud service, find out how it maps to the CSA's controls and other documents. For an example, see Microsoft's Office 365 Standard Response Document. (Microsoft is my full-time employer.)
Even if your cloud service provider doesn't currently map to or work with the CSA's auditing documents, you can use those documents to make sure you ask the reasonable questions that any cloud customer would pose and any cloud provider should be able to answer.
The CSA is not a perfect organization, of course. Like any independent, emerging standards body, it has taken a few years to gain consensus and grow its membership. There are still a few notable missing members. I keep waiting for some of the computer auditing-specific societies to join, along with other big SaaS vendors, such as Salesforce.com. Its auditing controls and questionnaire could contain more detail for my taste. Still, the group is accomplishing more than any prior cloud standards body has.
This story, "CSA helps clear up cloud security questions," was originally published at InfoWorld.com. Read more of Roger Grimes's Security Adviser blog at InfoWorld.com.