The Inner Circle

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Good morning John, v.4 has been very fundamental for many organizations and its exciting that v.5 will build upon that.  I think option #2 is very well aligned to how most companies align their security practices/programs.  It will allow for both strategic alignment to overarching risk reduction efforts as well as tactical areas of focus on a team/program level. Cloud concepts and cloud related technologies could be subsections for each of the 5 high level areas since each of those would be unique per area of focus.  

Happy to provide any additional information/feedback if it is valuable. 

​

------------------------------
Ian Sharpe
Product
AppOmni
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

At the risk of upsetting your cart, I think there is a 4th option, which seems to make sense to me: instead of taking the three items in red at the bottom right of Option 2, and moving them to the orange branch on the left, which is what you did to get to Option 3, merge them into the green branch (Secure Development and Delivery).

Thus, in this putative Option 4, you would have, at the bottom right of the mindmap:

• Secure Development and Delivery
  
  • DevSecOps WG
  • ERP WG
  • Application and Interface security Domain
  • Containers and Microservices WG
  • Infrastructure and Virtualization Security Domain
  • Serverless WG

Another point is, three related technologies (Blockchain, IoT, IA) are listed because there are WGs associated with them. But does this really belong in the Guidance document? Would it make more sense to call out the vertical domains and their specific requirements for security? Healthcare, Finance (which would probably include Blockchain, although of course there are other use cases for DLTs), Industrial Automation (which would include IoT), Power Distribution, Transportation, ...

Feel free to criticize or ignore...

------------------------------
Claude Baudoin
cébé IT Knowledge Management
Co-Chair, OMG Cloud Working Group
https://www.omg.org/cloud
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Hi

I think covering topics like DevOps or Secure development could be left to the specialists in that field, there is plenty of good practice available from OWASP, BSIMM, ISO and other organisations in this area. DevOps is also cultural, and a series of processes. It might make the guidance overly complicated with little gain (given there is a lot of guidance out there already).

I think option 2 sounds good, and coverse the vast majority of what is needed.
Operational security - we can look to blend items from COBIT or similar as needed, as cloud providers don't really talk abou the "run" of cloud, which is a key theme missing in all of their onboarding frameworks.

------------------------------
Abhishek Vyas CISSP ¦ CCSP ¦ TOGAF
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Hi John
I like where this is going, but could you change the PDF so that it is actually readable when printed out? 
It is really small now.

------------------------------
Peter HJ van Eijk
CCSK & CCAK trainer
https://www.clubcloudcomputing.com/
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Hi John,
I like option number 3 the most.
Why?
Because the domains are  consistent to the different areas/disciplines that we got in information security (grc, appsec, devsecops, etc)

good work



------------------------------
Moshe Ferber
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

That's a nice ice breaker to get ideas flowing John. Can I bring one fact to the table? This guidance is not going to be a standalone document but will be used in conjunction with CAIQ. I still think that Option 1 is "granular" enough given this fact and also that - cloud architectures can have several permuation/ combinations. It does sound a looong list in Option 1 but I think its more "manageable" if you get what I mean. Let's keep those thoughts coming.

------------------------------
Rajeev Gupta Risk Taker
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

I'd recommend that significantly enhancing cloud Shared Security Responsibility Model (SSRM) guidance to align with and support the SSRM STA controls and corresponding CCM and CAIQ template content should be a top priority. In developing that CCM & CAIQ content we identified the need for more comprehensive SSRM guidance (above and beyond individual control guidance) to support proper execution and management of the SSRM over the full service lifecycle for all the different service models by the applicable roles (CSP, CSC, audit/assessment, etc.). The CSA Security Guidance doc definitely seems like the right home for it.

The CSA has long been a champion (and even a pioneer?) in the SSRM space.  It's time to take SSRM guidance to the next level.  I'd be glad to assist in its development.

To this end I'd suggest the Hybrid option #3.​

------------------------------
Erik Johnson CISSP, CCSK, CCSP, PMP
Erik Johnson | LinkedIn
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Hi, all.

I vote for option 3.

In my opinion, Operational security is a mandatory part. Operational security is ultimately responsible for the protection of cloud infrastructure. Too broad definitions of governance, risk and compliance are of little help for engineers. There should be tangible recommendations for engineers.

I like that Serverless and Containers security have their own sections in the 3rd option.

Best regards,
Dmitrijs Mohoviks

------------------------------
Dmitrijs Mohoviks
Head of Security Operations
4finance
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Hello John,

I agree with you that the CSA Security Guidance v4 has become the go-to guide for cloud security best practices.  Aligning it with the upcoming version 4 of the CCM and CAIQ makes sense.

I feel that the five high level areas in the option#2 make the guidance easier to understand since it maps well with the organizational security programs across the industry.

Also, I like the option#2 since, Infrastructure and Platform Security is a separate domain and not included as part of operational security, as in option#3.

------------------------------
Vani Murthy, CISSP CRISC PMP ITIL
Cloud Security Architect
Akamai Technologies, MA, USA
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Hello John
I like Option 2 as it is aligned with CCM v4 Domains. I'd recommend to add the cloud Shared Security Responsibility Model (SSRM) as Erik Johnson suggested.

------------------------------
Mamane IBRAHIM
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Hi John,

Option 2 appears to be the best of all because of its alignment and clarity.

Thank you!

------------------------------
Michael Bayere
Principal Officer
CAS Assurance, LLC (CPA)
Miramar FL
------------------------------

Original Message:
Sent: Jan 18, 2021 07:23:30 AM
From: Mamane IBRAHIM
Subject: CSA Security Guidance [version 5] Proposals

Hello John
I like Option 2 as it is aligned with CCM v4 Domains. I'd recommend to add the cloud Shared Security Responsibility Model (SSRM) as Erik Johnson suggested.

------------------------------
Mamane IBRAHIM

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

I like option 2.

------------------------------
Brian Dorsey
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Like several others, I vote for Option 2. 

Also, I would love to be a contributor for this new release, as I think it is much needed and will continue to be an excellent resource for the community. How do I go about doing so @John Yeoh​

------------------------------
Christopher Hughes
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

I would opt for option 2 - as this relates more to common domains.
However I also agree with Abishek's comment on DevOps/secure development and the overlap with other organizations.

------------------------------
Saan Vandendriessche CCSP | CISSP | CRISC
Brussels - Belgium
------------------------------

Original Message:
Sent: Jan 26, 2021 11:51:58 AM
From: Christopher Hughes
Subject: CSA Security Guidance [version 5] Proposals

Like several others, I vote for Option 2.

Also, I would love to be a contributor for this new release, as I think it is much needed and will continue to be an excellent resource for the community. How do I go about doing so @John Yeoh​

------------------------------
Christopher Hughes

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

From a GRC and Policy viewpoint, Option 2 headings/categories make a sound logical construct of the whole landscape.

Option 3 concerns me in that the 'Infrastructure and Platforms' components have been hidden away somewhere; but the Application component gets a top-level mention. Why?

I also agree with the various comments around DevSecOps (which is a better topic than just DevOps) being well covered by other organisations that specialise in those disciplines; and the comments around including the SSRM viewpoint somehwere in the structure.

------------------------------
Phil Cutforth
Manager, Policy & Research, and GCISO Office
NCSC NZ
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Option 2 is more related to prevailing domains.

------------------------------
Manuel Dantas
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Good Morning John

I would go more for option 2.
I see that the points are very aligned to the new CCM, also the proposed model of the SSRM would be very interesting

Regards

------------------------------
Alfredo Alva
Head of Cybersecurity at Niubiz
VP CSA, Peru Chapter
------------------------------
​

------------------------------
Alfredo Alva
Head of Cybersecurity & Innovation
Niubiz
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

In line with all the other responses, CSA guidance is the go to resource for best practices and actionable guidance on all things cloud. I really liked Option 2 as it covers the most critical elements from security domains & lifecycle as it relates to day to day responsibilities of securing workloads.

------------------------------
Satyajeet Rattan
VP, Information Security Architecture & Engineering
Synchrony
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Original Message:
Sent: 2/5/2021 10:25:00 AM
From: Satyajeet Rattan
Subject: RE: CSA Security Guidance [version 5] Proposals

In line with all the other responses, CSA guidance is the go to resource for best practices and actionable guidance on all things cloud. I really liked Option 2 as it covers the most critical elements from security domains & lifecycle as it relates to day to day responsibilities of securing workloads.

------------------------------
Satyajeet Rattan
VP, Information Security Architecture & Engineering
Synchrony
------------------------------

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

Hello, for those of us who would like to contribute to the latest release, how do we ensure we get the opportunity to do so?

------------------------------
Christopher Hughes
------------------------------

Original Message:
Sent: Feb 05, 2021 01:17:18 PM
From: Christopher Hughes
Subject: CSA Security Guidance [version 5] Proposals

On the note of version 5, how do those interested in contributing signup to participate for specific sections?

Chris Hughes 

Original Message:
Sent: 2/5/2021 10:25:00 AM
From: Satyajeet Rattan
Subject: RE: CSA Security Guidance [version 5] Proposals

In line with all the other responses, CSA guidance is the go to resource for best practices and actionable guidance on all things cloud. I really liked Option 2 as it covers the most critical elements from security domains & lifecycle as it relates to day to day responsibilities of securing workloads.

------------------------------
Satyajeet Rattan
VP, Information Security Architecture & Engineering
Synchrony

Original Message:
Sent: Jan 07, 2021 01:10:26 PM
From: John Yeoh
Subject: CSA Security Guidance [version 5] Proposals

CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.