The next presentation at the ISSA half-day seminar was on the “Cloud Security Alliance” and Security Guidance for Critical Areas of Focus in Cloud Computing by Jeff Reich.  Here are my notes from this presentation:


  • About the Cloud Security Alliance
  • Getting Involved
  • Guidance 1.0
  • Call to Action

About the Cloud Security Alliance

  • Not-for-profit organization
  • Inclusive membership, supporting a broad spectrum of subject matter expertise: cloud experts, security, legal, compliance, virtualization, etc.
  • We believe in Cloud Computing, we want to make it better

Getting Involved

  • Individual membership (free)
    • Subject matter experts for research
    • Interested in learning about the topic
    • Administrative & organizational help
  • Corporate Sponsorship
    • Help fund outreach, events
  • Affiliated Organizations (free)
    • Joint projects in the community interest
  • Contact information on website

Download version 1.0 of the Security Guidance at

Overview of Guidance

  • 15 domains
  • #1 is Architecture & Framework
  • Covers Governing in the Cloud (2-7) and Operating in the Cloud (8-15) as well

Assumptions & Objectives

  • Trying to bridge gap between cloud adopters and security practitioners
  • Broad “security program” view of the problem

Architecture Framework

  • Not “One Cloud”: Nuanced definition critical to understanding risks & mitigation
  • 5 principal characteristics (abstraction, sharing, SOA, elasticity, consumption/allocation)
  • 3 delivery models
    • Infrastructure as a Service
    • Platform as a Service
    • Software as a Service
  • 4 deployment models: Public, Private, Managed, Hybrid

Governance & ERM

  • A portion of cloud cost savings must be invested into provider security
  • Third party transparency of cloud provider
  • Financial viability of cloud provider
  • Alignment of key performance indicators
  • PII is best suited to a private/hybrid cloud unless significant due diligence has been performed on the public cloud provider
  • Increased frequency of 3rd party risk assessments

An important thing to consider is the financial viability of your provider. You never want to have your data held hostage in a court battle.


  • Contracts must have flexible structure for dynamic cloud relationships
  • Plan for both an expected and unexpected termination of the relationship and an orderly return of your assets
  • Find conflicts between the laws the cloud provider must comply with and those governing the cloud customer

Compliance & Audit

  • Classify data and systems to understand compliance requirements
  • Understand data locations, copies

Information Lifecycle Management

  • Understand the logical segregation of information and the protective controls implemented in storage, transfers, and backups


  • Cloud Computing is real and transformational
  • Cloud Computing can and will be secured
  • Broad governance approach needed
  • Tactical fixes needed
  • Combination of updating existing best practices and creating completely new best practices
  • Common sense is not optional

Call to Action

  • Join us, help make our work better
  • Twitter: @cloudsa, #csaguide