TL;DR: The Cloud Security Alliance (CSA), founded in 2008, is a worldwide organization dedicated to defining and advancing best practices for securing cloud computing. Through research projects, working groups, education, certification, and events, the nonprofit fosters a collaborative community of diverse parties interested in maintaining a trusted cloud ecosystem. Now, as CSA expands its reach to establish an Internet of Things control framework, the organization aims to serve an even broader membership circle.
Jim Reavis and Nils Puhlmann faced reactions ranging from skepticism to laughter upon outlining their plans for the Cloud Security Alliance at the 2008 Information Systems Security Association (ISSA) CISO Forum in Las Vegas.
“We had identified a disruptor in our industry, and we needed to build an ecosystem of trust within cloud environments,” said J.R. Santos, EVP of Research at CSA. “Still, 80% of the room laughed at the idea and said, ‘There’s no way in heck we’re going to cloud.’”
With only a handful of people on board, CSA was born.
“They were like, ‘I think you’re onto something,’” J.R. said. “That’s when it all started: The foundation was there, but we needed to develop best practices and guidance to address this new thing called the cloud.”
A series of administrative meetings with industry leaders in early December 2008 formalized CSA’s founding, and the nonprofit quickly began work on its first white paper: Security Guidance for Critical Areas of Cloud Computing.
Today, CSA has completed Version 4 of that foundational white paper and has expanded its efforts into additional research projects, working groups, educational and training opportunities, and events. To encourage participation from a broad spectrum of relevant parties, CSA is also diving into new areas of research, including IoT and DevSecOps. “Cloud security remains our foundation, but we have evolved into related technologies as well,” J.R. said. “We believe the cloud is the backbone of our future as security professionals.”
Consensus-Driven Research Projects and Working Groups
J.R. told us CSA’s vendor-neutral research program is based on global collaboration with industry practitioners, educational institutions, and government agencies.
“Our research is unique in that it’s consensus-driven and developed by our community to enable our industry to solve tomorrow’s problems today,” J.R. said. “We pride ourselves on the relationships we have with organizations and government agencies: We want to be the glue to bring everything together.”
J.R. also values the nonprofit’s agile approach to problem-solving. As a small organization, CSA is able to pivot as needed to accomplish its goals efficiently, as compared to government agencies or some standards development organizations.
“We want to be part of the solution,” J.R. said. “We’re not one of those groups that spend five or six years sitting in conference rooms, arguing about who’s right, who’s wrong, and what country they represent.”
The nonprofit’s industry partnerships ensure CSA isn’t wasting time duplicating the work of others. Since J.R. took the helm at CSA’s research arm, the group has produced over 300 unique research artifacts that are now available for free within the CSA community. “We don’t want to reinvent the wheel,” J.R. said. “For me, it’s helpful to focus on areas that aren’t being addressed.”
J.R. said CSA also boasts more than 30 active working groups that research specific initiatives in areas ranging from big data and the Internet of Things (IoT) to privacy-level agreements and security guidance. Most groups are open to public participation.
Build Skills Through Educational Resources and Training Opportunities
It’s no secret that the cloud security industry is continually evolving — and professionals need access to the tools and guidance required to grow in step with such changes. “Whatever role you play in the industry, you have an opportunity to contribute, consume research, and educate yourself,” J.R. said.
The nonprofit also provides various certification opportunities. In 2010, CSA launched the industry’s first cloud security user certification, the Certificate of Cloud Security Knowledge (CCSK), establishing a benchmark for proficiency. The group also runs the popular CSA Security, Trust & Assurance Registry (STAR), a three-part certification program that includes self-assessment, a third-party audit, and continuous monitoring.
Looking for updates on new technologies, research, and trending topics related to cloud computing? CSA’s CloudBytes is an ongoing series of one-hour webinars chock-full of best practices on relevant security issues such as gaining visibility into containers.
“We’ve been creating more content to help people understand different use cases and technologies relevant to their cloud journey,” J.R. said.
Overall CSA’s mission is to “promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing.”
J.R. said this covers a variety of scenarios.
“If, for example, you want to start a vendor management program within your organization, we have a framework that is mapped to significant industry standards,” J.R. said. “Or, if you feel like there’s something security-related that’s not being addressed, we can vet it through the community and decide whether or not it’s something we should pursue.”
A Community of Entrepreneurs, Corporations, and Government Agencies
The CSA boasts an impressive global presence, with offices, partnerships, member organizations, or chapters in every continent except Antarctica. In addition to its geographical diversity, the member-driven organization aims to serve a wide range of individuals, startups, enterprises, and solution providers.
“When it comes down to it, everybody needs a seat at the table, and we don’t discriminate,” J.R. said. “In some standards development organizations, you could have 20 years’ experience and not get invited to a meeting. In our area, you can be anything from a fly on the wall educating yourself to a contributing subject matter expert.”
Research material is free to individuals who meet a minimum level of participation, an affordable arrangement considering that CSA’s various research channels can help accelerate career growth.
“You can choose to contribute as much as you want, and you won’t be judged,” J.R. said. “In terms of personal development, you might be able to interact with, for example, the CSO at a Fortune 500 company or other senior-level executives.”
Paid memberships, such as CSA’s Executive and Corporate options, provide organizations a variety of benefits, including vendor-neutral advice from security experts, access to the Enterprise User Council, free tokens for training opportunities, and complimentary seats to industry events.
A New Frontier in Cloud Security: Establishing an IoT Framework
The cloud computing community is ever-growing, and CSA is continually adjusting its path forward in accordance with changing industry demands. Recently, the organization announced it is opening a new CSA Europe headquarters in response to rapid membership growth throughout the region.
“We’ve been involved in Europe for quite some time, mainly in European Commission grants, but now we’re following the model that we have in the U.S. with corporate membership,” J.R. said. “It’s neat to see a shift in the EMEA region and get a little more traction in that space.”
The CSA will also coordinate its General Data Protection Regulation (GDPR) activities through a new GDPR Center of Excellence for cloud computing in Berlin, Germany. “Our Founding Members — Google, OneTrust, Netskope, eGov Consulting and Development, Zscaler, and Qualys — helped us establish the GDPR Center of Excellence,” J.R. said. “There’s a lot of opportunity for education in this space that impacts many global organizations.”
J.R. is also excited about plans to establish an IoT framework to address specific areas of security. Considering how rapidly the regulatory and technical landscape is shifting, CSA predicts IoT security will be a game-changer.
And while some may have scoffed at the idea of forming the Cloud Security Alliance in 2008, it’s fair to say this prediction won’t meet the same skepticism. “If you think about it, we’re all introducing wearable technology into our enterprise environments because people take their personal stuff to work, and that’s acceptable,” he said. “We have to embrace the fact that the IoT is going to be a part of our world and figure out how to protect it.”