Announcements

  • [New Research] State of SaaS Security: 2023 Survey Report

    Released today, SaaS Security Survey Report: 2024 Plans & Priorities shares the results of responses from 1000+ C-level security executives and professionals from all over the world. Commissioned by Adaptive Shield, this new CSA survey report finds that SaaS security has become a top priority for 80% of the organizations surveyed and more than half of security executives have experienced a SaaS security incident.
  • Just released: High-Performance Computing (HPC) Tabletop Guide

    Released today, this guide lays out the framework necessary to host an HPC-focused cyberattack tabletop exercise (TTX) so that organizations can begin to have these conversations around HPC security. The guide takes readers through an example tabletop exercise designed to assist stakeholders in discussing HPC security as an incident unfolds and establish common ground on actions that can be taken to improve the security of the HPC systems as well as develop incident response (IR) processes around HPC systems.
  • Hardware Security Module as a Service (HSMaaS) Survey

    Help us identify Hardware Security Module as a Service (HSMaaS) adoption drivers for businesses through this short survey released by the CSA Cloud Key Management Working Group. The survey will collect insights that will be used for the production of an upcoming HSMaaS whitepaper.
  • Registration for SECtember 2023 is now open!

    Join us in Bellevue, WA on Sept. 18-22 to hear from leading experts at the forefront of cloud security. Our interactive sessions will cover the hottest technology trends and vetted best practices that keep some of our most iconic brands secure. From AI to Zero Trust, we will deliver the knowledge and networking you need to stay ahead of the cybersecurity curve.
  • Surveys

    SaaS Security and Threats Survey

    Length: 28 questions, 9 minutes

    Deadline: March 19

    Participate Here → https://csaurl.org/6ysco7

  • Open Peer Reviews

    Game of Threats

    Open Until: 3/16/2023

    Learn More → https://csaurl.org/wd35k0

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline

    Open Until: 3/31/2023

    Learn More → https://csaurl.org/2wstxx

    High Performance Computing Tabletop Guide

    Open Until: 4/7/23

    Learn More → https://csaurl.org/w3njwj

    CCPA - CSA Code of Conduct Gap Resolution

    Open Until: 4/10/23

    Learn More → https://csaurl.org/bikb1z

    Annex 10 to the CSA Code of Conduct for GDPR Compliance

    Open Until: 4/10/23

    Learn More → https://csaurl.org/lsxk19

    CCMV4-Lite

    Open Until: 5/15/23

    Learn More → https://csaurl.org/5vrprp

  • March Research Releases

    Data Loss Prevention and Data Security Survey Report

    Release Date: 3/14/23

    Summary: As the traditional perimeter is reduced or eliminated with the move to remote and hybrid work, and as Zero Trust strategies gain popularity, data security in cloud computing has had to adapt and improve. Data loss prevention (DLP) solutions are often an integral part of these new data security strategies, but organizations are still struggling with the implementation of these solutions, especially given how complicated legacy DLP solutions are to manage and maintain.

    Netskope commissioned CSA to develop this survey report to better understand the industry’s knowledge, attitudes, and opinions regarding DLP security in cloud-first technology environments. The survey was conducted in October and November of 2022 and received 2,673 responses from IT and security professionals. Topics covered in the survey included DLP strategies, Zero Trust and DLP, DLP pain points and challenges, and DLP strategies with remote workers.

    Download this Resource → https://csaurl.org/p5188j

    Internet of Things (IoT) Working Group Charter 2023

    Release Date: 3/12/23

    Summary: This charter lays out the scope, responsibilities, and roadmap for the Internet of Things Working Group. The Cloud Security Alliance Internet of Things (IoT) Working Group plans to publish reports and best practices that aid enterprise organizations in understanding and mitigating threats to IoT systems’ confidentiality, integrity, availability, and safety. These reports and best practices are practical and provide actionable guidance for security practitioners to secure their networks.

    Download this Resource → https://csaurl.org/wvuj0w

    Quantum-Safe Security Working Group Charter 2023

    Release Date: 3/10/23

    Summary: The focus of the Quantum‐Safe Security Working Group is on cryptographic methods that will remain safe after the widespread availability of the quantum computer. This working group will be a forum for corporations, organizations, and individuals who are interested in the topic of quantum‐safe security. The goal in forming this working group is to educate, increase awareness, and spark discussions on projects and issues regarding securing communications for which current encryption methods will not be safe anymore when, in the near future, quantum computers are available. The working group will also be open to welcoming external/outside collaborations with like-minded 3rd parties for joint development of research artifacts and standards.

    Download this Resource → https://csaurl.org/fntn50

    Health Information Management Working Group Charter 2023

    Release Date: 3/7/23

    Summary: The Health Information Management Working Group aims to directly influence how health information service providers deliver secure cloud solutions (services, transport, applications, and storage) to their clients and foster cloud awareness within all aspects of healthcare and related industries.

    Download this Resource → https://csaurl.org/q8i6ne

  • Upcoming Cloudbytes Webinars

    Hidden Cloud Security Challenges Are a Barrier to Zero Trust

    Date: 3/21/23

    Time: 1:00 PM CDT

    Register Here → https://csaurl.org/3ubq6o

  • Open Peer Reviews

    Game of Threats

    Open Until: 3/16/2023

    Learn More → https://csaurl.org/wd35k0

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline

    Open Until: 3/31/2023

    Learn More → https://csaurl.org/2wstxx

    High Performance Computing Tabletop Guide

    Open Until: 5/8/23

    Learn More → https://csaurl.org/w3njwj

  • Upcoming Cloudbytes Webinars

    Cloud Data Controls - From Compensation to Mitigation

    Date: 3/14/23

    Time: 12:00 PM CDT

    Register Here → https://csaurl.org/nu6zgc

    3 Key Pillars to Securing Your Hybrid Environment

    Date: 3/15/23

    Time: 12:00 PM CDT

    Register Here → https://csaurl.org/egubtj

    Education for Cloud Security and DevSecOps

    Date: 3/16/23

    Time: 5:00 AM CDT

    Register Here → https://csaurl.org/udzmu1

    Dig Deeper! Prioritize Cloud Vulnerabilities and Reduce Container Spending

    Date: 3/16/23

    Time: 12:00 PM CDT

    Register Here → https://csaurl.org/2nfjol

  • Open Peer Reviews

    Medical Devices in A Zero Trust Architecture

    Open Until: 3/9/2023

    Learn More → https://csaurl.org/j0l94a

    An Agile Data Doctrine for a Secure Data Lake

    Open Until: 3/12/2023

    Learn More → https://csaurl.org/1fcyf0

    Game of Threats

    Open Until: 3/16/2023

    Learn More → https://csaurl.org/wd35k0

    SaaS Security and Threats Survey

    Open Until: 3/19/2023

    Learn More → https://csaurl.org/azh9jz

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline

    Open Until: 3/31/2023

    Learn More → https://csaurl.org/2wstxx

  • Upcoming Cloudbytes Webinars

    External Cyber Defense for When Your Attack Surface is Everywhere

    Date: 3/9/23

    Time: 1:00 PM CST

    Register Here → https://csaurl.org/5ubi7v

  • February Research Releases

    STAR Enabled Solutions FAQ
    Release Date: 2/1/23
    Summary: A STAR Enabled Solution is a product or service that utilizes the CCM framework or the Consensus Assessment Initiative Questionnaire (CAIQ). Their technologies and tools have been assessed and found to meet the security requirements outlined by CSA. This vetting process allows enterprises to more easily deploy tools that align or comply with STAR, the CCM framework, and best practices.
    Download this Resource → https://csaurl.org/1z3q00

  • January Research Releases

    Telesurgery Tabletop Guide Book
    Release Date: 1/30/23
    Summary: The purpose of this guidebook is to assist healthcare providers in planning and facilitating a discussion and evaluation of the procedural response actions to a security incident in which a Robotic Assisted Surgery (RAS) is targeted. This guidebook should accompany the CERT Attack Flows here in GitHub. Healthcare professionals should utilize this resource as a planning guide and checklist for each stage of exercise development. 
    Download this Resource → https://csaurl.org/gedhma

    CSA Data Lake Threat Modeling
    Release Date: 1/26/23
    Summary: As cloud platforms expand further and further into business uses, the need to understand the attack surface of your data becomes much more apparent. With help from NTT Data and Marymount University, CSA has released for peer review our Data Lake threat modeling exercise spreadsheet. In this document, numerous elements of data lakes have been taken into consideration, and a specific threat scenario has been applied to each. Each of these scenarios has been applied to the STRIDE framework and provided with countermeasures for possible corrections and controls. Lastly, you will be able to see the mapping of each threat scenario to its specific attack library framework.
    Download this Resource → https://csaurl.org/k15wcb

    ACSP Training Course Outline | CSA
    Release Date: 1/17/23
    Summary: An outline of the topics covered and what you'll be building in the labs each day of the Advanced Cloud Security Practitioner (ACSP) Training. 
    Download this Resource → https://csaurl.org/u4djra

  • Upcoming Cloudbytes Webinars

    Secure-by-default: Scaling your IaC Security Program
    Date: 2/28/23
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/s5m9e1

  • Open Peer Reviews

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 3/31/2023
    Learn More → https://csaurl.org/2wstxx

  • Upcoming Cloudbyte Webinars

    How to Automate Security, Governance & Privacy for Cloud Data Innovation
    Date: 1/31/23
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/fdvob2

  • December Research Releases

    CSA CCM v4.0 Addendum - Spain National Security Framework (ENS)
    Release Date: 12/8/22
    Summary: This document is an addendum to the CCM V4.0 that contains controls mapping between the CSA CCM and Spain's National Security Framework (ENS). The document aims to help ENS compliant organizations meet CCM requirements. This is achieved by identifying compliance gaps in ENS in relation to the CCM. This document contains the following information:
    • Controls Mapping
    • Gap Analysis
    • Gap Identification (i.e., Partial, Full or No Gap)
    Download this Resource → https://csaurl.org/1pcz2v

    The Six Pillars of DevSecOps - Pragmatic Implementation
    Release Date: 12/14/22
    Summary: This document provides a high-level overview of the various tools and processes that should be considered when building out a successful DevSecOps program. It takes a wide range of DevSecOps activities and turns them into a cookbook for teams to reference when considering different approaches. It is also broken down to allow a reader with a specific role to home in on the sections relevant to their area of expertise and responsibility. Follow-up papers will take this high-level overview and provide specific guidance for various use cases, as well as recommendations on the order in which to focus implementation to see the greatest returns for the reader’s context.
    Download this Resource → https://csaurl.org/ik6g8n

    Deconstructing Application Connectivity Challenges in a Complex Cloud Environment
    Release Date: 12/14/22
    Summary: The production and use of SaaS applications in organizations has grown exponentially over the past several years. Application Security has become an integral part of many organizations' security strategies. However, there are still many pain points organizations face with application connectivity security and risk management.
    Download this Resource → https://csaurl.org/6frk22

  • Upcoming Cloudbyte Webinars

    Using Zero Trust to Mitigate Ransomware Threats
    Date: 1/17/23
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/vxbu5w

    Crawl, Walk, Run: Operationalizing IaC Security
    Date: 1/18/23
    Time: 11:00 AM CST
    Register Here → https://csaurl.org/bafyx2

    Prioritizing Risk Among the Chaos of Cloud Development
    Date: 1/19/23
    Time: 11:00 AM CST
    Register Here → https://csaurl.org/ainjft

    CSP Perspective Working with Financial Services
    Date: 1/20/23
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/914urn

  • Open Peer Reviews

    Proposal for a Standard Cloud Service Agreement Template
    Open Until: 1/15/2023
    Learn More → https://csaurl.org/77n68j

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 3/31/2023
    Learn More → https://csaurl.org/2wstxx

  • Upcoming Cloudbytes Webinars

    Panel: CISO’s Guide to Security Strategy During a Recession
    Date: 1/9/23
    Time: 12:00 PM CST
    Register Here → https://csaurl.org/5topfv

    Confidence in Software Supply Chains with Continuous Security
    Date: 1/10/23
    Time: 12:00 PM CST
    Register Here → https://csaurl.org/liskze

  • Open Peer Reviews

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Section 2: Organization Management
    Open Until: 12/18/2022
    Learn More → https://csaurl.org/2zbqqg

    ATT&CK & D3FEND with a CAVEAT
    Open Until: 12/23/2022
    Learn More → https://csaurl.org/sgwvdq

    NTT Threat Modeling
    Open Until: 12/23/2022
    Learn More → https://csaurl.org/0rnvw2

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 3/31/2023
    Learn More → https://csaurl.org/2wstxx

  • Upcoming Cloudbytes Webinars

    Adobe CCF & FedRAMP Moderate: Building a Secure Compliant Environment
    Date: 12/12/22
    Time: 11:00 AM CST
    Register Here → https://csaurl.org/txovqf

    Continuously Monitoring First and Third Parties against the CCM Framework
    Date: 12/13/22
    Time: 12:00 PM CST
    Register Here → https://csaurl.org/z3fvlf

    Cloud Attacks Are Here: Threat Actors Like Containers Too!
    Date: 12/14/22
    Time: 12:00 PM CST
    Register Here → https://csaurl.org/5e5zn3

  • November Research Releases

    Top Threats to Cloud Computing - Pandemic Eleven - Japanese Translation
    Release Date: 11/16/22
    Summary: The Top Threats reports have traditionally aimed to raise awareness of threats, risks, and vulnerabilities in the cloud. Such issues are often the result of the shared, on-demand nature of cloud computing. In this sixth installment, we surveyed 703 industry experts on security issues in the cloud industry. This year our respondents identified eleven salient threats, risks, and vulnerabilities in their cloud environments. The Top Threats Working Group used the survey results and its expertise to create the 2022 Top Cloud Threats report - the ‘Pandemic Eleven’. 
    Download this Resource → https://csaurl.org/f6mo0a

    Zero Trust as a Security Philosophy
    Release Date: 11/14/22
    Summary: This paper takes both a vendor-neutral and technology-solution-neutral look at what Zero Trust means for your organization and provides recommendations to develop a strategy and the architecture that supports the organization and its workflows, aligning IT to business goals and outcomes.
    Download this Resource → https://csaurl.org/x37jur

  • Open Peer Reviews

    Telesurgery Tabletop Guide Book
    Open Until: 12/16/2022
    Learn More → https://csaurl.org/8ynvbi

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Section 2: Organization Management
    Open Until: 12/18/2022
    Learn More → https://csaurl.org/2zbqqg

    ATT&CK & D3FEND with a CAVEAT
    Open Until: 1/14/2023
    Learn More → https://csaurl.org/sgwvdq

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 3/31/2023
    Learn More → https://csaurl.org/2wstxx

  • Surveys

    Cloud Key Management Topic Selection Survey
    Length: 15 questions, 2 minutes
    Deadline: December 10
    Participate Here → https://csaurl.org/z97j95

  • Upcoming Cloudbyte Webinars

    Ermetic - How Does Your Cloud Security Compare, and Where Do You Go From Here?
    Date: 12/5/22
    Time: 6:00 PM UTC
    Register Here → https://csaurl.org/dr0crt

    Microsoft - Achieving the Principle of Least Privilege Across Multicloud with CIEM!
    Date: 12/6/22
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/nemtcm

    AppOmni - Is PHI Secure in SaaS Applications - And Their Ecosystems?
    Date: 12/7/22
    Time: 1:00 PM CST
    Register Here → https://csaurl.org/adcdwe

    Rubrik - A Fireside Chat: The Human Effects of Cybercrime
    Date: 12/8/22
    Time: 1:00 PM CST
    Register Here → https://csaurl.org/29hfbr

  • Open Peer Reviews

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 12/07/2022
    Learn More → https://csaurl.org/r47b8i

    Telesurgery Tabletop Guide Book
    Open Until: 12/16/2022
    Learn More → https://csaurl.org/8ynvbi

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Section 2: Organization Management
    Open Until: 12/18/2022
    Learn More → https://csaurl.org/2zbqqg

  • Surveys

    State of Financial Services 2022
    Length: 31 questions, 10 minutes
    Deadline: Nov 30
    Participate Here → https://csaurl.org/dbmy7d

    Cloud Key Management Topic Selection Survey
    Length: 15 questions, 2 minutes
    Deadline: December 10
    Participate Here → https://csaurl.org/z97j95

  • CSA’s Trusted Cloud Consultant Program

    CSA is excited to launch the Trusted Cloud Consultant (TCC) Program designed to connect enterprise organizations with qualified professional consulting services. The TCC Program allows cybersecurity consulting organizations and professionals to enhance cloud relevance by enabling them with a broad understanding of CSA’s tools and best practices. Trusted Cloud Consultants are qualified sources that are able to provide cloud security assessment and remediation services to enterprise organizations that need to improve their cloud security postures. 

    Virtually all organizations use the cloud, yet 51% of enterprises use no vendors or tools to quantify risk. Cloud usage and cybersecurity cannot be ignored. The CSA TCC Program makes it easier for organizations to source and connect with recognized, trusted consultants that leverage CSA best practices. 

    To learn more about becoming a Trusted Cloud Consultant or how to connect with one, email [email protected].

    Learn More (https://e.cloudsecurityalliance.org/trusted-cloud-consultant)
  • ZTT M3 release

    The Cloud Security Alliance is excited to release Key Features & Technologies of Software-Defined Perimeter, the third course in our online Zero Trust Training (ZTT) program.  This new course will provide learners with an in-depth look at the key features and technologies of SDP for securing today’s and tomorrow’s IT infrastructures—whether they are on-premises, in the cloud, a hybrid of the two, or a case with multiple cloud service providers. 

    Learners will be introduced to the principles of Least Privilege and Need to Know, policy-based authorization and access controls, and the similarities and differences between SDP and SDN.

    This course is a great fit for users in any of the following roles:

    • C-Suite (CEO, CTO, CISO, CIO)
    • Managers and Decision Makers
    • Cybersecurity Analysts
    • Security Engineers and Architects
    • Enterprise Architects
    • Security Administrators
    • Compliance Managers
    • Systems Engineers
    • Developers

    The ZTT program covers eight areas of Zero Trust knowledge and will be rolled out in a series of six courses available on CSA’s Knowledge Center. To learn more about CSA’s Zero Trust Training program, download the ZTT overview and get started.  

    Special offer for CSA Members! 

    Through December 31, CSA corporate members receive 50% off the ZTT bundle on the Knowledge Center, which includes six online ZTT courses and one exam token. Fill out this form to claim 50% off the ZTT bundle or learn how you can create a custom ZTT package for your team that meets the unique needs of your organization.