Newest version reflects real-world security practices, future of cloud computing security
By J.R. Santos, Executive Vice President of Research, Cloud Security Alliance
Today marks a momentous day not only for CSA but for all IT and information security professionals as we release Guidance for Critical Areas of Focus in Cloud Computing 4.0, the first major update to the Guidance since 2011.
As anyone involved in cloud security knows, the landscape we face today is a far cry from what was going on 10, even five, years ago. To keep pace with those changes almost every aspect of the Guidance was reworked. In fact, almost 80 percent of it was rewritten from the ground up, and domains were restructured to better reflect the current state of cloud computing, as well as the direction in which this critical sector is heading.
For those unfamiliar with what is widely considered to be the definitive guide for cloud security, the Guidance acts as a practical, actionable roadmap for individuals and organizations looking to safely and securely adopt the cloud paradigm. This newest version includes significant content updates to address leading-edge cloud security practices and incorporates more of the various applications used in the security environment today.
Guidance 4.0 covers such topics as:
- DevOps, continuous delivery, and secure software development;
- Software Defined Networks, the Software Defined Perimeter and cloud network security.
- Microservices and containers;
- New regulatory guidance and evolving roles of audits and compliance inheritance;
- Using CSA tools such as the CCM, CAIQ, and STAR Registry to inform cloud risk decisions;
- Securing the cloud management plane;
- More practical guidance for hybrid cloud;
- Compute security guidance for containers and serverless, plus updates to managing virtual machine security; and
- The use of immutable, serverless, and “new” cloud architectures.
Today is the culmination of more than a year of input and review from the CSA and information security communities. Guidance 4.0 was drafted using an open research model (a herculean effort for those unfamiliar with the process), and none of it would have been possible without the assistance of Securosis, whose research analysts oversaw the project. We owe them—and everyone involved—a tremendous thanks.
You can learn more about the Guidance and read the updated version here.