On November 16th, the Cloud Security Alliance released the third version of its Cloud Security Guidance, developed by a committee of professionals from 120 enterprises who volunteered to collaborate. In a departure from previous versions, each domain within the guidance was assigned its own editor and peer-reviewed by industry experts. Version 3.0 extends the content of previous versions with practical recommendations and requirements that can be measured and audited.
If you are a vendor or consumer of cloud services, this document will be a challenge to comprehend and apply. At 176 pages, it will take a fair bit of time just to read and absorb. As the document itself points out: “The path to secure cloud computing is surely a long one”. It sets out just about everything needed to apply security to the cloud, offering advice on everything from risk assessment to business continuity. Still, expect to read a considerable number of other referenced papers in order to understand the whole picture.
Key updates in Version 3.0 include:
- Domains rewritten to emphasize security, stability and privacy, ensuring corporate privacy in a multi-tenant environment.
- The guidance assumes a level of structural maturity that parallels multinational cloud standards development, in both structure and content.
- The addition of Domain 14 – Security as a Service
Most IT and security managers will probably want to hire a consultant to assess the implications, perform a detailed compliance gap analysis, and develop an adoption roadmap. What would have been really useful to the strategic and tactical planners amongst us is an addendum that says “Cloud security is the same as regular network and information security, except for these dozen or so major issues”. With that short list in hand, we could take what we already know (and have hopefully applied to our IT environments) and apply a checklist to the cloud that is easier to compile and manage.