The Inner Circle


CSA Security Guidance [version 5] Proposals

  • 1.  CSA Security Guidance [version 5] Proposals

    Posted 13 days ago
    CSA Security Guidance v4 has become a fundamental source for best practices in the cloud. In 2021, we plan on updating this core research to integrate the latest best practices in cloud and aligning with the upcoming version 4 of the CCM and CAIQ.

    The following is a proposal to restructure the fifth version of Guidance in 2021 with details around each option. Add comments in this thread and let me know which option you prefer.

    Attachment(s)

    Guidance v5 Proposal.pdf (PDF, 513 KB)


  • 2.  RE: CSA Security Guidance [version 5] Proposals

    Posted 12 days ago

    Good morning John, v.4 has been very fundamental for many organizations and it's exciting that v.5 will build upon that. I think option #2 is very well aligned to how most companies align their security practices/programs. It will allow for both strategic alignment to overarching risk reduction efforts as well as tactical areas of focus on a team/program level. Cloud concepts and cloud related technologies could be subsections for each of the 5 high level areas since each of those would be unique per area of focus.

    Happy to provide any additional information/feedback if it is valuable. 



    ------------------------------
    Ian Sharpe
    Product
    AppOmni
    ------------------------------



  • 3.  RE: CSA Security Guidance [version 5] Proposals

    Posted 11 days ago
    At the risk of upsetting your cart, I think there is a 4th option, which seems to make sense to me: instead of taking the three items in red at the bottom right of Option 2, and moving them to the orange branch on the left, which is what you did to get to Option 3, merge them into the green branch (Secure Development and Delivery).

    Thus, in this putative Option 4, you would have, at the bottom right of the mindmap:
    • Secure Development and Delivery
      • DevSecOps WG
      • ERP WG
      • Application and Interface security Domain
      • Containers and Microservices WG
      • Infrastructure and Virtualization Security Domain
      • Serverless WG

    Another point is, three related technologies (Blockchain, IoT, IA) are listed because there are WGs associated with them. But does this really belong in the Guidance document? Would it make more sense to call out the vertical domains and their specific requirements for security? Healthcare, Finance (which would probably include Blockchain, although of course there are other use cases for DLTs), Industrial Automation (which would include IoT), Power Distribution, Transportation, ...

    Feel free to criticize or ignore...

    ------------------------------
    Claude Baudoin
    cébé IT Knowledge Management
    Co-Chair, OMG Cloud Working Group
    https://www.omg.org/cloud
    ------------------------------



  • 4.  RE: CSA Security Guidance [version 5] Proposals

    Posted 11 days ago
    Hi

    I think covering topics like DevOps or Secure development could be left to the specialists in that field, there is plenty of good practice available from OWASP, BSIMM, ISO and other organisations in this area. DevOps is also cultural, and a series of processes. It might make the guidance overly complicated with little gain (given there is a lot of guidance out there already).

    I think option 2 sounds good, and covers the vast majority of what is needed.
    Operational security - we can look to blend items from COBIT or similar as needed, as cloud providers don't really talk about the "run" of cloud, which is a key theme missing in all of their onboarding frameworks.

    ------------------------------
    Abhishek Vyas CISSP ¦ CCSP ¦ TOGAF
    ------------------------------



  • 5.  RE: CSA Security Guidance [version 5] Proposals

    CSA Instructor
    Posted 11 days ago
    Hi John
    I like where this is going, but could you change the PDF so that it is actually readable when printed out?
    It is really small now.

    ------------------------------
    Peter HJ van Eijk
    CCSK & CCAK trainer
    https://www.clubcloudcomputing.com/
    ------------------------------



  • 6.  RE: CSA Security Guidance [version 5] Proposals

    CSA Instructor
    Posted 9 days ago
    Hi John,
    I like option number 3 the most.
    Why?
    Because the domains are consistent with the different areas/disciplines that we have in information security (GRC, AppSec, DevSecOps, etc.)

    good work



    ------------------------------
    Moshe Ferber
    ------------------------------



  • 7.  RE: CSA Security Guidance [version 5] Proposals

    Posted 9 days ago
    Edited by Rajeev Gupta 8 days ago
    That's a nice ice breaker to get ideas flowing John. Can I bring one fact to the table? This guidance is not going to be a standalone document but will be used in conjunction with CAIQ. I still think that Option 1 is "granular" enough given this fact and also that cloud architectures can have several permutations/combinations. It does sound a looong list in Option 1 but I think it's more "manageable" if you get what I mean. Let's keep those thoughts coming.

    ------------------------------
    Rajeev Gupta Risk Taker
    ------------------------------



  • 8.  RE: CSA Security Guidance [version 5] Proposals

    Posted 8 days ago
    Edited by Erik Johnson 8 days ago
    I'd recommend that significantly enhancing cloud Shared Security Responsibility Model (SSRM) guidance to align with and support the SSRM STA controls and corresponding CCM and CAIQ template content should be a top priority. In developing that CCM & CAIQ content we identified the need for more comprehensive SSRM guidance (above and beyond individual control guidance) to support proper execution and management of the SSRM over the full service lifecycle for all the different service models by the applicable roles (CSP, CSC, audit/assessment, etc.). The CSA Security Guidance doc definitely seems like the right home for it.

    The CSA has long been a champion (and even a pioneer?) in the SSRM space.  It's time to take SSRM guidance to the next level.  I'd be glad to assist in its development.

    To this end I'd suggest the Hybrid option #3.

    ------------------------------
    Erik Johnson CISSP, CCSK, CCSP, PMP
    Erik Johnson | LinkedIn
    ------------------------------



  • 9.  RE: CSA Security Guidance [version 5] Proposals

    Posted 8 days ago
    Hi, all.

    I vote for option 3.

    In my opinion, Operational security is a mandatory part. Operational security is ultimately responsible for the protection of cloud infrastructure. Too broad definitions of governance, risk and compliance are of little help for engineers. There should be tangible recommendations for engineers.

    I like that Serverless and Containers security have their own sections in the 3rd option.

    Best regards,
    Dmitrijs Mohoviks

    ------------------------------
    Dmitrijs Mohoviks
    Head of Security Operations
    4finance
    ------------------------------



  • 10.  RE: CSA Security Guidance [version 5] Proposals

    Posted 6 days ago
    Hello John,

    I agree with you that the CSA Security Guidance v4 has become the go-to guide for cloud security best practices.  Aligning it with the upcoming version 4 of the CCM and CAIQ makes sense.

    I feel that the five high level areas in option #2 make the guidance easier to understand since it maps well with the organizational security programs across the industry.

    Also, I like option #2 since Infrastructure and Platform Security is a separate domain and not included as part of operational security, as in option #3.

    ------------------------------
    Vani Murthy, CISSP CRISC PMP ITIL
    Cloud Security Architect
    Akamai Technologies, MA, USA
    ------------------------------



  • 11.  RE: CSA Security Guidance [version 5] Proposals

    Posted 2 days ago
    Hello John
    I like Option 2 as it is aligned with CCM v4 Domains. I'd recommend adding the cloud Shared Security Responsibility Model (SSRM) as Erik Johnson suggested.

    ------------------------------
    Mamane IBRAHIM
    ------------------------------



  • 12.  RE: CSA Security Guidance [version 5] Proposals

    Posted 2 days ago
    Hi John,

    Option 2 appears to be the best of all because of its alignment and clarity.

    Thank you!

    ------------------------------
    Michael Bayere
    Principal Officer
    CAS Assurance, LLC (CPA)
    Miramar FL
    ------------------------------



  • 13.  RE: CSA Security Guidance [version 5] Proposals

    Posted an hour ago
    I like option 2.

    ------------------------------
    Brian Dorsey
    ------------------------------