Understanding the new Cloud Security Guidance from the CSA

By Amir Mizhar
At this year's Black Hat conference in July, the Cloud Security Alliance (CSA) announced new guidelines for enterprises to create secure public and private cloud computing architectures. The last update was in 2011, which means that this revision incorporates over half a decade of technological advancement. There is a significant new body of work in Guidance for Critical Areas of Focus in Cloud Computing 4.0, and its implications will reverberate. Around 80% of the Guidance has been changed in order to accommodate six years of technological change in the cloud. It now covers topics that have emerged in the interval since 2011, including:
  • The appearance of the Internet of Things
  • The rise of DevOps as a preferred development philosophy
  • Containerization as a complement to DevOps
  • Updates to PCI-DSS and HIPAA, and the emergence of the GDPR
  • And more

Organizations that have already invested in cloud security would do well to examine these changes and see whether their security architecture must change in response. For those who are planning to implement more robust cloud security in the coming months or years, this document will serve as an important roadmap. Here's a brief summary of what's new:

Updated Cloud Security Guidance 4.0

The Guidance, as it is called, isn't simply a guide to cloud security. More accurately, it's a guide of guides. The CSA Guidance 4.0 is broken up into 14 domains, each comprehensively covering a specific area of cloud security practice. The structure of the domains has changed a little between 3.0 and 4.0. There are still 14 domains, but, for example:

  • "Cloud Computing Architectural Framework" has been amended to "Cloud Computing Concepts and Architectures"
  • "Information Management and Data Security" has been changed to "Information Governance"
  • The section that covered Data Center Operations now covers "Virtualization and Containers"
  • And so on

In general, the structure, flow, and organization of the document have changed, focusing more on the impact of the cloud. In addition, the document contains more links to external references such as NIST and ISO. In Guidance 4.0, readers should find a much more comprehensible, informative, and up-to-date document.

The 3 Most Important Changes in the Guidance 4.0 Domains

Some individual domains contain more changes than others. Domain 2, focusing on Governance and Enterprise Risk Management, has barely been changed at all. By contrast, Domain 3 has undergone a complete revision, adding information on data transfers that cross international boundaries (for a global perspective) as well as US and global eDiscovery best practices. Some other major changes include:

  • Domain 6 is entirely new, focusing on business continuity and the management plane. This section discusses software-defined infrastructure technology, which is expected to gain enormous traction in the enterprise before the end of the decade.
  • Domain 7, the infrastructure security segment, similarly offers a completely revised curriculum. Its focus is on segmentation and SDN technologies, which are important for increasing the security of a network in an era where perimeter firewalls increasingly fail on their own.
  • Lastly, Domain 14 adds a discussion of technologies that are related to cloud security but don't fall entirely under its umbrella. This includes emerging concepts such as the IoT, large-scale analytics, mobile computing, and more.

The revised CSA Guidance offers a wealth of information not previously covered, and adds insights that will keep the document highly relevant in the coming years. This is a crucial document for anyone looking to future-proof their cloud security implementation.

Update Your Security with Safe-T

If you've got cloud security in mind, Safe-T is worth investigating. Safe-T integrates with many of the security concepts discussed in the revised CSA Guidance, and allows administrators to implement them with ease. If you want to augment your firewall, automatically enforce encryption and audit documentation, and add other vital compliance and security features, contact Safe-T today for a free demo.