TL;DR: The Cloud Security Alliance (CSA), formed in 2008, is a global nonprofit committed to defining and promoting best practices for securing cloud computing environments. The organization is currently in a unique position to help its community embrace the digital transformation spurred by the ongoing coronavirus crisis via highly digestible content and training solutions. Moving forward, CSA will continue to expand its guidelines and frameworks in accordance with emerging technologies in the IoT, blockchain, and business intelligence spaces, among others.
It’s easy to assume that new ideas and advancements in technology are always met with eagerness on the part of individuals and the organizations they run. But decades of research theorize that, regardless of the obvious benefits afforded by innovation, acceptance falls on a persona-based spectrum.
Communication theorist and sociologist Everett Rogers put the phenomenon into perspective in his 1962 book, “Diffusion of Innovations.” In his research, Rogers identified five categories of adopters: innovators, early adopters, early majority, late majority, and laggards.
At one end of the spectrum, innovators typically have tolerance for risk and are the first to adopt new technology. At the opposite end are laggards, who often demonstrate an aversion to change and are last to embrace innovation.
According to John Yeoh, Global Vice President of Research at the Cloud Security Alliance (CSA), the ongoing coronavirus crisis has put businesses with laggard tendencies in a sink-or-swim predicament. Fortunately for them, CSA is throwing out life preservers in the form of content, education, and training solutions focused on cloud security.
“COVID-19 has set a precedent for the work-from-home model, and that’s been the biggest thing we have been reacting to, both with members and those new to CSA,” John told us. “They’re dealing with these swift moves to virtual workforces. To maintain these competitive business operations, we’re seeing laggards forced to kind of catch up with those who chose to move fast digitally.”
Since the beginning of March, the nonprofit has seen a spike in demand for CSA tools, such as Security Trust Assurance and Risk (STAR), a cloud governance and compliance program that consists of three levels of security assurance based upon the CSA Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ), and the CSA Code of Conduct for GDPR Compliance.
Consumable Solutions to Help Businesses Reach Digitization Goals
Since its inception in 2008, CSA has leveraged the knowledge of corporate and individual members, industry experts, associations, and governments to offer certification, education, events, research, training, and products related to securing cloud server infrastructure. These resources and networking activities benefit everyone from cloud providers to entrepreneurs and the cloud assurance industry.
When the pandemic hit, John told us that CSA focused on ensuring that its tools are presented in a user-friendly manner to help companies that need to make a swift and secure move to the cloud or a virtual workforce do so as easily as possible.
“We have historically had a lot of cloud governance, risk, and compliance tools available if you scour our website, but we didn’t do a very good job of packaging it together,” he said. “What was missing, I think, were some strategic documents that helped connect the dots for people looking to accomplish their digitalization goals.”
To that end, CSA has been working to present its tools in a way that helps members and website readers, for example, develop a solid enterprise cloud operating model, explain the need for a cloud strategy to an executive board, or demonstrate how the technology reduces overhead.
“With the content that we have, we’re trying to leverage more storyboarding so that people who come to our website and members that are engaged with CSA have a much clearer message,” John said. “The goal is to better present what we have to the public for consumption.”
Startup, Solution Provider, and Enterprise Membership Opportunities
John told us there are many ways to get involved with CSA. To start, a whopping 99% of the nonprofit’s content is available for free.
“We have this amazing community model where we crowdsource experts from all over the world who focus on 32 different areas of research, and then we develop content out of that,” he said. “So I think if you’re looking just to dip your toe into CSA, leveraging our content to gain industry knowledge is the best way to do it.”
The second step, he said, is to get involved through joining a working group as a member and contributing to CSA research publications, white papers, and reports. All research is developed according to the stages of the CSA Research Lifecycle: proposal, approval, execution, peer review, publication, and dissemination.
“Our publications are a snapshot of all the discussions that happened among our research working groups,” John said. “You can grow through the process of building a document and delivering it in the form of a publication.”
Businesses and individuals can join CSA via three membership levels. A Startup Membership is available at a reduced cost for emerging solution providers looking to see if the nonprofit is a good fit.
Solution Provider Membership allows companies to showcase their offerings while sharing expertise and guiding the industry. Finally, Enterprise Membership is available for those looking to manage provider relationships and help secure the cloud server ecosystem.
CSA’s membership currently comprises executive-level members, including Google, Huawei, Microsoft, IBM Security, and Oracle Cloud. Corporate-level members include Adobe, Amazon Web Services, AT&T, Cisco, Citrix, Intel, and Webroot.
“For corporate members, it comes down to networking with different companies and organizations that are going through similar things,” John said.
Training, Certifications, and Cloud Auditing Knowledge
CSA’s educational tools include training and certifications via the CSA Knowledge Center, which hosts numerous resources, from mini-courses to full certifications, designed to help users better understand the process of securing cloud server infrastructure.
For nearly a decade, the nonprofit has offered the Certificate of Cloud Security Knowledge (CCSK), which is widely recognized as the standard of cloud security expertise, providing learners with the foundations needed to secure data in the cloud.
In August, CSA announced that it will be partnering with ISACA to bring a new certification, the Certificate of Cloud Auditing Knowledge (CCAK), to the market. The CCAK is scheduled for completion in Q4 2020.
“We’re taking a step further to the auditing side of things, just because auditing the cloud is so different when you don’t own the server infrastructure,” John said. “Auditing goes beyond just your Internet of Things (IoT) and third-party auditors, and a lot of stakeholders, a lot of business owners within the enterprise, need to understand that piece.”
In addition to new material, the CCAK will incorporate elements of the CCM, CAIQ, and the STAR program. ISACA and CSA will announce detailed availability and pricing of the CCAK offerings later this year.
When it comes to new certifications, frameworks, and educational resources, John said CSA leans heavily on feedback from its members. “We have a staff of about 100 people who manage and orchestrate our 400 core members, 7,000 research contributors, and more than 100,000 general members.
“In addition to that, we have industry experts that act as co-chairs for certain technologies,” he said. “But the goal is to listen, understand our members, and move with the current versus against it.”
Exploring the Intersection Between BI and Security
If 2020 has taught us anything, it’s that paradigms can change overnight. That’s why, moving forward, CSA will continue to take a forward-thinking approach to emerging technologies in areas like the IoT, blockchain, and business intelligence.
“It’s about developing security frameworks that are leading-edge rather than based on lessons learned,” John said. “We’re certainly continuing to be forward-thinking with the IoT framework that we have, updating it to meet the latest ICS, exploring attack frameworks for blockchain, artificial intelligence, machine learning, and deep learning.”
As businesses further their digital transformation strategies and accumulate growing amounts of data, John said he’s also excited about taking a deep dive into attack vectors, indicators of compromise, and the business intelligence side of the cloud.
“The proliferation of tools that have been put into place for managing intelligence and security is huge these days,” he said. “We want to better understand how people take a pragmatic approach to security intelligence and cloud intelligence — and use that as business intelligence.”
Ultimately, CSA’s goal is to maintain its status as a trusted and authoritative source on securing cloud server infrastructure.
“In order to do that, we have to make sure that our resources are consumed the right way and that we’re continuing to look at the most innovative aspects of the cloud and next-generation technology.”