Announcements

  • [New Release] Machine Identity in Cybersecurity and IAM

    We are pleased to announce the release of Machine Identity in Cybersecurity and IAM. This latest research from CSA’s IAM Working Group explores the evolution of identity and access management (IAM) to include machine identities, providing insights into their unique characteristics and associated risks. This document offers best practices for governance and risk management, making it a valuable resource for professionals in cybersecurity and IAM fields.

  • CCM New Mapping to PCI DSS v4.0

    The Cloud Controls Matrix (CCM) Working Group is excited to announce an additional mapping aligned with CCM v4 and a new version update to v4.0.9. This update and release incorporates the Payment Card Industry Data Security Standard (PCI DSS) v4.0 into CCM v4. 
  • [New Training] DevSecOps: Automation

    Supercharge your DevSecOps skills with our new online self-paced Cloud Infrastructure Security course, DevSecOps: Automation. Dive into proven processes that seamlessly integrate security into your development cycle. From mastering mitigation techniques to breaking builds, you'll learn to balance speed with security, ensuring your organization stays agile and safe. 

  • [New Release] FaaS Serverless Control Framework (Set) based on NIST 800-53 R5 controls

    Released today, this spreadsheet provides a cybersecurity control framework for Function-as-a-Service (FaaS) serverless deployments. The framework is based on the NIST 800-53 R5 controls and intended to be used by the cloud consumer.
  • [New Training] Zero Trust Implementation

    We're excited to announce the release of Zero Trust Implementation, the sixth course in our Zero Trust Training (ZTT) program. This self-paced course builds upon and extends beyond the concepts discussed in the CSA Zero Trust Planning and Introduction to Zero Trust Architecture courses. Learners will get an in-depth look at the crucial facets of Zero Trust (ZT) implementation, covering project kick-off, disaster planning, network setup, device agent deployment, and automation.

  • Join us for CSA's Virtual Research Summit 2023 - Oct. 17-18

    We’re excited to invite you to the CSA Research Summit, a free virtual event taking place on Oct. 18-19, 2023! On both days of the Summit, experts from our Research Team will provide the latest updates in new and existing research projects, providing critical tools and guidance for the cloud adopting community. Right at your fingertips will be valuable insights on AI, quantum threats, secure DevOps, Zero Trust, Data Security, and more. 
  • [New Research] Communicating the Business Value of Zero Trust

    Released today, Communicating the Business Value of Zero Trust is a whitepaper release candidate that provides security practitioners guidance on how to clearly, succinctly, and directly communicate the business value that a Zero Trust strategy can bring. Security teams need to be able to communicate the value of Zero Trust to non-technical or non-security audiences, all the way up to the Board of Directors. We believe that the infosec industry has not sufficiently enabled security practitioners to clearly, succinctly, and directly communicate the business value that a Zero Trust strategy can bring. The goal of this CSA guidance is to fill that gap.
  • Joe Sullivan to Headline SECtember 2023

    We are excited to announce veteran CSO Joe Sullivan will be a keynote speaker at SECtember 2023! Joe Sullivan is the CEO of Ukraine Friends and has worked at the intersection of government, technology, and security since the mid-1990s. Attend SECtember in-person to hear his perspective on how security leaders can navigate the crossroads of stringent regulations and corporate and personal risk. Register here → https://www.sectember.com/
  • [New Release] Security-Enabled Innovation and Cloud Trends: Survey Report

    We’re excited to announce the release of the findings from our latest survey, Security-Enabled Innovation and Cloud Trends. Commissioned by Expel, this survey captured the perspectives of 1,018 IT and security professionals from a diverse range of organizations. The findings of this survey provide a better understanding of the current views of security professionals on their organization’s relationship with security and innovation.
  • Final Version of Security Implications of ChatGPT Now Available

    The final version of "Security Implications of ChatGPT" has been released! As AI continues to revolutionize industries, managing its risks is essential. This paper provides guidance around managing the risks in leveraging ChatGPT, making it a crucial resource for security professionals. Download here → https://cloudsecurityalliance.org/artifacts/security-implications-of-chatgpt/?utm_source=Circle&utm_medium=AnnouncementPost
  • SECtember Keynote Announced: Shawn Bice, Microsoft's Corporate VP for Cloud Ecosystem Security

    As Microsoft’s Corporate Vice President of the Cloud Ecosystem Security organization, Shawn Bice leads his team through some of the industry’s toughest cybersecurity challenges, focusing on the core cloud security platform, AI-powered threat and data intelligence, and more.

    Shawn will be joined on the SECtember mainstage by Caleb Sima, former CISO at Robinhood and CSA’s Chair for AI Safety Initiative, for a Fireside Chat on the widespread integration of Generative AI within cloud security solutions and what the future may bring.
  • CSA Announces Appointment of Caleb Sima as Chair for AI Safety Initiative

    CSA is pleased to announce the appointment of industry veteran Caleb Sima to the position of Chair of the Cloud Security Alliance AI Safety Initiative. Caleb will work with CSA members and experts from around the world to develop CSA’s AI strategy, as well as a recommended portfolio of guidance to allow for secure and responsible adoption of AI. Join us in giving a big welcome to Caleb Sima! Learn more about Caleb's appointment here → https://cloudsecurityalliance.org/press-releases/2023/07/20/cloud-security-alliance-announces-appointment-of-caleb-sima-as-chair-for-ai-safety-initiative
  • [New Release Candidate] Zero Trust Guiding Principles

    Released today, Zero Trust Guiding Principles is a whitepaper release candidate intended to provide guiding principles that any organization can leverage when scoping or initiating a move toward Zero Trust (ZT). Information Protection practitioners can use these principles to stay on track while managing an organization's ZT journey. Download here → https://cloudsecurityalliance.org/artifacts/zero-trust-guiding-principles
  • [New Release Candidate] Zero Trust Principles and Guidance for Identity and Access Management (IAM)

    Released today, Zero Trust Principles and Guidance for IAM is a whitepaper release candidate intended to provide an understanding of both existing and new identity, access management, and cloud solutions through a Zero Trust (ZT) lens. Topics discussed include ZT implementation methodology, identity proofing and validation, dealing with failed policy decisions, and more: Download here → 
  • [New Research] What is Identity & Access Management (IAM) for the Cloud

    Identity and Access Management (IAM) is a critical component of any organization’s technology stack and security infrastructure, particularly in the cloud. What is IAM for the Cloud, the latest research release by CSA’s IAM Working Group aims to provide an understanding of the challenges and considerations involved in managing IAM in the cloud, as well as the importance of IAM to an organization's overall security strategy. Download and read more → https://cloudsecurityalliance.org/artifacts/what-is-iam-for-the-cloud
  • New DevSecOps Training Available

    CSA developed the Cloud Infrastructure Security Training program, a comprehensive catalog of essential online training courses designed to deliver fundamentals for understanding how to build and protect cloud infrastructure. CSA regularly updates the Cloud Infrastructure Security training catalog on the Knowledge Center. 

    The latest release is DevSecOps: Bridging Compliance & Development, a self-paced course covering key topics in addressing the gap between compliance and development, such as translating compliance objectives into security measures. Learners will also gain knowledge of identifying inflection points in the secure development lifecycle and embedding, automating, measuring, and testing controls. Learn more: https://knowledge.cloudsecurityalliance.org/devsecops-bridging-compliance-development
  • [New Release] Cloud & Compromise: Gamifying of Cloud Security

    It’s time to gather your fellow security friends, colleagues, and a 12-sided die for a night of threat modeling fun! We’re excited to announce the release of Cloud & Compromise: Gamifying of Cloud Security, the latest guidance from CSA’s Top Threats Working Group. Cloud & Compromise (C&C) provides two gamification scenarios to inspire fun incident response roleplaying:

    • Standard Level Incident Response Game: This level relies on social interaction, where the game facilitator introduces the activity, and teams run the game themselves based on feel.
    • Advanced Level Incident Response Game: Relies on gameplay, where the facilitator introduces the activity and teams run the project with more rigid scoring.
    Roll the die and learn to protect, detect, and respond to cloud threats and threat indicators through gamification. From CISO, to Senior Engineer, to Intern, everyone has a role to play.
  • [New Training] Zero Trust Planning

    CSA is excited to release Zero Trust Planning, the fifth course in our online Zero Trust Training (ZTT) program. This course will provide learners an in-depth look at the crucial facets of Zero Trust (ZT) planning, the ZT maturity model and how it supports an organization's ZT planning process, and use cases for prioritization, scoping, and gap analysis. 
  • Join us virtually Aug. 2-3 for CSA AI Summit

    The Cloud Security Alliance AI Summit brings together experts from around the world to provide key insights on how generative AI can benefit cybersecurity, how malicious attackers are using it and guidelines for responsible usage. The explosive growth of ChatGPT is due in large part to its delivery via the cloud, obligating CSA and its community to take a leading role in articulating the best practices and assurance ecosystem for AI as a Service. Attendees of CSA’s inaugural AI Summit will gain a holistic understanding of the future of AI disciplines and receive pragmatic advice on managing risks and gaining benefits from generative AI today. 
  • New STAR Lead Auditor Self-Paced Training

    Released today, the STAR Lead Auditor training is a six-hour, online, self-paced course jointly developed by CSA and the British Standards Institution (BSI) to help assessors, service providers, and consultants learn how to audit CSPs against the STAR Certification scheme. STAR Lead Auditor training expands auditors' traditional skills into the field of cloud security auditing while also teaching IT and security personnel how to implement cloud security controls in an audit-friendly way.

    The training covers a range of topics, including the STAR Certification scheme, cloud security, auditing principles and techniques, mapping, reporting, and legal concepts. Besides the Certificate of Cloud Auditing Knowledge (CCAK), STAR Lead Auditor training is another way that assessors can become qualified to provide CSA STAR Certification audits.
  • [New Survey Report] State of Financial Services in the Cloud

    We’re excited to announce the release of the findings from our latest survey, State of Financial Services in the Cloud. The study—which compared the current state of cloud adoption to the industry’s readiness in 2020 when CSA conducted a similar survey (Cloud Usage in the Financial Services Sector)—identifies the issues and opportunities that financial services industry leaders are currently addressing as they work to advance their use of cloud services.
    The survey found that while the use of cloud services is increasing, the pace of adoption is dependent on the speed at which cloud service providers (CSP) and financial services can demonstrate both adherence to regulations and overall data protection and what staff are comfortable with managing.
  • [New Research] State of SaaS Security: 2023 Survey Report

    Released today, SaaS Security Survey Report: 2024 Plans & Priorities shares the results of responses from 1000+ C-level security executives and professionals from all over the world. Commissioned by Adaptive Shield, this new CSA survey report finds that SaaS security has become a top priority for 80% of the organizations surveyed and more than half of security executives have experienced a SaaS security incident.
  • Just released: High-Performance Computing (HPC) Tabletop Guide

    Released today, this guide lays out the framework necessary to host an HPC-focused cyberattack tabletop exercise (TTX) so that organizations can begin to have these conversations around HPC security. The guide takes readers through an example tabletop exercise designed to assist stakeholders in discussing HPC security as an incident unfolds and establish common ground on actions that can be taken to improve the security of the HPC systems as well as develop incident response (IR) processes around HPC systems.
  • Hardware Security Module as a Service (HSMaaS) Survey

    Help us identify Hardware Security Module as a Service (HSMaaS) adoption drivers for businesses through this short survey released by the CSA Cloud Key Management Working Group. The survey will collect insights that will be used for the production of an upcoming HSMaaS whitepaper. 
  • Registration for SECtember 2023 is now open!

    Join us in Bellevue, WA on Sept. 18-22 to hear from leading experts at the forefront of cloud security. Our interactive sessions will cover the hottest technology trends and vetted best practices that keep some of our most iconic brands secure. From AI to Zero Trust, we will deliver the knowledge and networking you need to stay ahead of the cybersecurity curve. 
  • Surveys

    SaaS Security and Threats Survey

    Length: 28 questions, 9 minutes

    Deadline: March 19

    Participate Here → https://csaurl.org/6ysco7

  • Open Peer Reviews

    Game of Threats

    Open Until: 3/16/2023

    Learn More → https://csaurl.org/wd35k0

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline

    Open Until: 3/31/2023

    Learn More → https://csaurl.org/2wstxx

    High Performance Computing Tabletop Guide

    Open Until: 4/7/23

    Learn More → https://csaurl.org/w3njwj

    CCPA - CSA Code of Conduct Gap Resolution

    Open Until: 4/10/23

    Learn More → https://csaurl.org/bikb1z

    Annex 10 to the CSA Code of Conduct for GDPR Compliance

    Open Until: 4/10/23

    Learn More → https://csaurl.org/lsxk19

    CCMV4-Lite

    Open Until: 5/15/23

    Learn More → https://csaurl.org/5vrprp

  • March Research Releases

    Data Loss Prevention and Data Security Survey Report

    Release Date: 3/14/23

    Summary: As the traditional perimeter is reduced or eliminated with the move to remote and hybrid work, and as Zero Trust strategies gain popularity, data security in cloud computing has had to adapt and improve. Data loss prevention (DLP) solutions are often an integral part of these new data security strategies, but organizations are still struggling with the implementation of these solutions, especially given how complicated legacy DLP solutions are to manage and maintain.

    Netskope commissioned CSA to develop this survey report to better understand the industry’s knowledge, attitudes, and opinions regarding DLP security in cloud-first technology environments. The survey was conducted in October and November of 2022 and received 2,673 responses from IT and security professionals. Topics covered in the survey included DLP strategies, Zero Trust and DLP, DLP pain points and challenges, and DLP strategies with remote workers.

    Download this Resource → https://csaurl.org/p5188j

    Internet of Things (IoT) Working Group Charter 2023

    Release Date: 3/12/23

    Summary: This charter lays out the scope, responsibilities, and roadmap for the Internet of Things Working Group. The Cloud Security Alliance Internet of Things (IoT) Working Group plans to publish reports and best practices that aid enterprise organizations in understanding and mitigating threats to IoT systems’ confidentiality, integrity, availability, and safety. These reports and best practices are practical, providing actionable guidance for security practitioners to secure their networks.

    Download this Resource → https://csaurl.org/wvuj0w

    Quantum-Safe Security Working Group Charter 2023

    Release Date: 3/10/23

    Summary: The focus of the Quantum‐Safe Security Working Group is on cryptographic methods that will remain safe after the widespread availability of the quantum computer. This working group will be a forum for corporations, organizations, and individuals who are interested in the topic of quantum‐safe security. The goal in forming this working group is to educate, increase awareness, and spark discussions on projects and issues regarding securing communications for which current encryption methods will not be safe anymore when, in the near future, quantum computers are available. The working group will also be open to welcoming external/outside collaborations with like-minded 3rd parties for joint development of research artifacts and standards.

    Download this Resource → https://csaurl.org/fntn50

    Health Information Management Working Group Charter 2023

    Release Date: 3/7/23

    Summary: The Health Information Management Working Group aims to directly influence how health information service providers deliver secure cloud solutions (services, transport, applications, and storage) to their clients and foster cloud awareness within all aspects of healthcare and related industries.

    Download this Resource → https://csaurl.org/q8i6ne

  • Upcoming Cloudbytes Webinars

    Hidden Cloud Security Challenges Are a Barrier to Zero Trust

    Date: 3/21/23

    Time: 1:00 PM CDT

    Register Here → https://csaurl.org/3ubq6o

  • Open Peer Reviews

    Game of Threats

    Open Until: 3/16/2023

    Learn More → https://csaurl.org/wd35k0

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline

    Open Until: 3/31/2023

    Learn More → https://csaurl.org/2wstxx

    High Performance Computing Tabletop Guide

    Open Until: 5/8/23

    Learn More → https://csaurl.org/w3njwj

  • Upcoming Cloudbytes Webinars

    Cloud Data Controls - From Compensation to Mitigation

    Date: 3/14/23

    Time: 12:00 PM CDT

    Register Here → https://csaurl.org/nu6zgc

    3 Key Pillars to Securing Your Hybrid Environment

    Date: 3/15/23

    Time: 12:00 PM CDT

    Register Here → https://csaurl.org/egubtj

    Education for Cloud Security and DevSecOps

    Date: 3/16/23

    Time: 5:00 AM CDT

    Register Here → https://csaurl.org/udzmu1

    Dig Deeper! Prioritize Cloud Vulnerabilities and Reduce Container Spending

    Date: 3/16/23

    Time: 12:00 PM CDT

    Register Here → https://csaurl.org/2nfjol

  • Open Peer Reviews

    Medical Devices in A Zero Trust Architecture

    Open Until: 3/9/2023

    Learn More → https://csaurl.org/j0l94a

    An Agile Data Doctrine for a Secure Data Lake

    Open Until: 3/12/2023

    Learn More → https://csaurl.org/1fcyf0

    Game of Threats

    Open Until: 3/16/2023

    Learn More → https://csaurl.org/wd35k0

    SaaS Security and Threats Survey

    Open Until: 3/19/2023

    Learn More → https://csaurl.org/azh9jz

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline

    Open Until: 3/31/2023

    Learn More → https://csaurl.org/2wstxx

  • Upcoming Cloudbytes Webinars

    External Cyber Defense for When Your Attack Surface is Everywhere

    Date: 3/9/23

    Time: 1:00 PM CST

    Register Here → https://csaurl.org/5ubi7v

  • February Research Releases

    STAR Enabled Solutions FAQ
    Release Date: 2/1/23
    Summary: A STAR Enabled Solution is a product or service that utilizes the CCM framework or the Consensus Assessment Initiative Questionnaire (CAIQ). Their technologies and tools have been assessed and found to meet the security requirements outlined by CSA. This vetting process allows enterprises to more easily deploy tools that align or comply with STAR, the CCM framework, and best practices.
    Download this Resource → https://csaurl.org/1z3q00

  • January Research Releases

    Telesurgery Tabletop Guide Book
    Release Date: 1/30/23
    Summary: The purpose of this guidebook is to assist healthcare providers in planning and facilitating a discussion and evaluation of the procedural response actions to a security incident in which a Robotic Assisted Surgery (RAS) is targeted. This guidebook should accompany the CERT Attack Flows here in GitHub. Healthcare professionals should utilize this resource as a planning guide and checklist for each stage of exercise development. 
    Download this Resource → https://csaurl.org/gedhma

    CSA Data Lake Threat Modeling
    Release Date: 1/26/23
    Summary: As cloud platforms expand further and further into business uses, the need to understand the attack surface of your data becomes much more apparent. With help from NTT Data and Marymount University, CSA has released for peer review our Data Lake threat modeling exercise spreadsheet. In this document, numerous elements of data lakes have been taken into consideration, and a specific threat scenario has been applied to each. Each of these scenarios has been applied to the STRIDE framework and provided with countermeasures for possible corrections and controls. Lastly, you will be able to see the mapping of each threat scenario to its specific attack library framework.
    Download this Resource → https://csaurl.org/k15wcb

    ACSP Training Course Outline | CSA
    Release Date: 1/17/23
    Summary: An outline of the topics covered and what you'll be building in the labs each day of the Advanced Cloud Security Practitioner (ACSP) Training. 
    Download this Resource → https://csaurl.org/u4djra

  • Upcoming Cloudbytes Webinars

    Secure-by-default: Scaling your IaC Security Program
    Date: 2/28/23
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/s5m9e1

  • Upcoming Cloudbytes Webinars

    How to Automate Security, Governance & Privacy for Cloud Data Innovation
    Date: 1/31/23
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/fdvob2

  • December Research Releases

    CSA CCM v4.0 Addendum - Spain National Security Framework (ENS)
    Release Date: 12/8/22
    Summary: This document is an addendum to the CCM V4.0 that contains controls mapping between the CSA CCM and Spain's National Security Framework (ENS). The document aims to help ENS compliant organizations meet CCM requirements. This is achieved by identifying compliance gaps in ENS in relation to the CCM. This document contains the following information:
    • Controls Mapping
    • Gap Analysis
    • Gap Identification (i.e., Partial, Full or No Gap)
    Download this Resource → https://csaurl.org/1pcz2v

    The Six Pillars of DevSecOps - Pragmatic Implementation
    Release Date: 12/14/22
    Summary: This document provides a high-level overview of the various tools and processes that should be considered when building out a successful DevSecOps program. It takes a wide range of DevSecOps activities and turns them into a cookbook for teams to reference when considering different approaches. It is also broken down to allow a reader with a specific role to home in on the sections relevant to their area of expertise and responsibility. Follow-up papers will take this high-level overview and provide specific guidance for various use cases, as well as recommendations on the order in which to focus on implementation to see the greatest returns for the reader’s context.
    Download this Resource → https://csaurl.org/ik6g8n

    Deconstructing Application Connectivity Challenges in a Complex Cloud Environment
    Release Date: 12/14/22
    Summary: The production and use of SaaS applications in organizations has grown exponentially over the past several years. Application Security has become an integral part of many organizations' security strategies. However, there are still many pain points organizations face with application connectivity security and risk management.
    Download this Resource → https://csaurl.org/6frk22

  • Upcoming Cloudbytes Webinars

    Using Zero Trust to Mitigate Ransomware Threats
    Date: 1/17/23
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/vxbu5w

    Crawl, Walk, Run: Operationalizing IaC Security
    Date: 1/18/23
    Time: 11:00 AM CST
    Register Here → https://csaurl.org/bafyx2

    Prioritizing Risk Among the Chaos of Cloud Development
    Date: 1/19/23
    Time: 11:00 AM CST
    Register Here → https://csaurl.org/ainjft

    CSP Perspective Working with Financial Services
    Date: 1/20/23
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/914urn

  • Open Peer Reviews

    Proposal for a Standard Cloud Service Agreement Template
    Open Until: 1/15/2023
    Learn More → https://csaurl.org/77n68j

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 3/31/2023
    Learn More → https://csaurl.org/2wstxx

  • Upcoming Cloudbytes Webinars

    Panel: CISO’s Guide to Security Strategy During a Recession
    Date: 1/9/23
    Time: 12:00 PM CST
    Register Here → https://csaurl.org/5topfv

    Confidence in Software Supply Chains with Continuous Security
    Date: 1/10/23
    Time: 12:00 PM CST
    Register Here → https://csaurl.org/liskze

  • Open Peer Reviews

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Section 2: Organization Management
    Open Until: 12/18/2022
    Learn More → https://csaurl.org/2zbqqg

    ATT&CK & D3FEND with a CAVEAT
    Open Until: 12/23/2022
    Learn More → https://csaurl.org/sgwvdq

    NTT Threat Modeling
    Open Until: 12/23/2022
    Learn More → https://csaurl.org/0rnvw2

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 3/31/2023
    Learn More → https://csaurl.org/2wstxx

  • Upcoming Cloudbytes Webinars

    Adobe CCF & FedRAMP Moderate: Building a Secure Compliant Environment
    Date: 12/12/22
    Time: 11:00 AM CST
    Register Here → https://csaurl.org/txovqf

    Continuously Monitoring First and Third Parties against the CCM Framework
    Date: 12/13/22
    Time: 12:00 PM CST
    Register Here → https://csaurl.org/z3fvlf

    Cloud Attacks Are Here: Threat Actors Like Containers Too!
    Date: 12/14/22
    Time: 12:00 PM CST
    Register Here → https://csaurl.org/5e5zn3

  • November Research Releases

    Top Threats to Cloud Computing - Pandemic Eleven - Japanese Translation
    Release Date: 11/16/22
    Summary: The Top Threats reports have traditionally aimed to raise awareness of threats, risks, and vulnerabilities in the cloud. Such issues are often the result of the shared, on-demand nature of cloud computing. In this sixth installment, we surveyed 703 industry experts on security issues in the cloud industry. This year our respondents identified eleven salient threats, risks, and vulnerabilities in their cloud environments. The Top Threats Working Group used the survey results and its expertise to create the 2022 Top Cloud Threats report - the ‘Pandemic Eleven’. 
    Download this Resource → https://csaurl.org/f6mo0a

    Zero Trust as a Security Philosophy
    Release Date: 11/14/22
    Summary: This paper takes a vendor-neutral and technology-solution-neutral look at what Zero Trust means for your organization and provides recommendations for developing a strategy and an architecture that support the organization and its workflows, aligning IT with business goals and outcomes.
    Download this Resource → https://csaurl.org/x37jur

  • Open Peer Reviews

    Telesurgery Tabletop Guide Book
    Open Until: 12/16/2022
    Learn More → https://csaurl.org/8ynvbi

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Section 2: Organization Management
    Open Until: 12/18/2022
    Learn More → https://csaurl.org/2zbqqg

    ATT&CK & D3FEND with a CAVEAT
    Open Until: 1/14/2023
    Learn More → https://csaurl.org/sgwvdq

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 3/31/2023
    Learn More → https://csaurl.org/2wstxx

  • Surveys

    Cloud Key Management Topic Selection Survey
    Length: 15 questions, 2 minutes
    Deadline: December 10
    Participate Here → https://csaurl.org/z97j95

  • Upcoming Cloudbytes Webinars

    Ermetic - How Does Your Cloud Security Compare, and Where Do You Go From Here?
    Date: 12/5/22
    Time: 6:00 PM UTC
    Register Here → https://csaurl.org/dr0crt

    Microsoft - Achieving the Principle of Least Privilege Across Multicloud with CIEM!
    Date: 12/6/22
    Time: 10:00 AM CST
    Register Here → https://csaurl.org/nemtcm

    AppOmni - Is PHI Secure in SaaS Applications - And Their Ecosystems?
    Date: 12/7/22
    Time: 1:00 PM CST
    Register Here → https://csaurl.org/adcdwe

    Rubrik - A Fireside Chat: The Human Effects of Cybercrime
    Date: 12/8/22
    Time: 1:00 PM CST
    Register Here → https://csaurl.org/29hfbr

  • Open Peer Reviews

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Outline
    Open Until: 12/07/2022
    Learn More → https://csaurl.org/r47b8i

    Telesurgery Tabletop Guide Book
    Open Until: 12/16/2022
    Learn More → https://csaurl.org/8ynvbi

    Security Guidance for Critical Areas of Focus in Cloud Computing v5 - Section 2: Organization Management
    Open Until: 12/18/2022
    Learn More → https://csaurl.org/2zbqqg

  • Surveys

    State of Financial Services 2022
    Length: 31 questions, 10 minutes
    Deadline: Nov 30
    Participate Here → https://csaurl.org/dbmy7d

    Cloud Key Management Topic Selection Survey
    Length: 15 questions, 2 minutes
    Deadline: December 10
    Participate Here → https://csaurl.org/z97j95

  • CSA’s Trusted Cloud Consultant Program

    CSA is excited to launch the Trusted Cloud Consultant (TCC) Program designed to connect enterprise organizations with qualified professional consulting services. The TCC Program allows cybersecurity consulting organizations and professionals to enhance cloud relevance by enabling them with a broad understanding of CSA’s tools and best practices. Trusted Cloud Consultants are qualified sources that are able to provide cloud security assessment and remediation services to enterprise organizations that need to improve their cloud security postures. 

    Virtually all organizations use the cloud, yet 51% of enterprises use no vendors or tools to quantify risk. Cloud usage and cybersecurity cannot be ignored. The CSA TCC Program makes it easier for organizations to source and connect with recognized, trusted consultants that leverage CSA best practices. 

    To learn more about becoming a Trusted Cloud Consultant or how to connect with one, email [email protected].

    Learn More → https://e.cloudsecurityalliance.org/trusted-cloud-consultant

  • ZTT M3 release

    The Cloud Security Alliance is excited to release Key Features & Technologies of Software-Defined Perimeter, the third course in our online Zero Trust Training (ZTT) program.  This new course will provide learners with an in-depth look at the key features and technologies of SDP for securing today’s and tomorrow’s IT infrastructures—whether they are on-premises, in the cloud, a hybrid of the two, or a case with multiple cloud service providers. 

    Learners will be introduced to the principles of Least Privilege and Need to Know, policy-based authorization and access controls, and the similarities and differences between SDP and SDN.

    This course is a great fit for users in any of the following roles:

    • C-Suite (CEO, CTO, CISO, CIO)
    • Managers and Decision Makers
    • Cybersecurity Analysts
    • Security Engineers and Architects
    • Enterprise Architects
    • Security Administrators
    • Compliance Managers
    • Systems Engineers
    • Developers

    The ZTT program covers eight areas of Zero Trust knowledge and will be rolled out in a series of six courses available on CSA’s Knowledge Center. To learn more about CSA’s Zero Trust Training program, download the ZTT overview and get started.  

    Special offer for CSA Members! 

    Through December 31, CSA corporate members receive 50% off the ZTT bundle on the Knowledge Center, which includes six online ZTT courses and one exam token. Fill out this form to claim 50% off the ZTT bundle or learn how you can create a custom ZTT package for your team that meets the unique needs of your organization.