Welcome to the fourth version of the Cloud Security Alliance’s Security Guidance for Critical Areas of
Focus in Cloud Computing. The rise of cloud computing as an ever-evolving technology brings with it a
number of opportunities and challenges. With this document, we aim to provide both guidance and
inspiration to support business goals while managing and mitigating the risks associated with the
adoption of cloud computing technology.
The Cloud Security Alliance promotes implementing best practices for providing security assurance
within the domain of cloud computing and has delivered a practical, actionable roadmap for
organizations seeking to adopt the cloud paradigm. The fourth version of the Security Guidance for
Critical Areas of Focus in Cloud Computing is built on previous iterations of the security guidance,
dedicated research, and public participation from the Cloud Security Alliance members, working
groups, and the industry experts within our community. This version incorporates advances in cloud,
security, and supporting technologies; reflects on real-world cloud security practices; integrates the
latest Cloud Security Alliance research projects; and offers guidance for related technologies.
The advancement toward secure cloud computing requires active participation from a broad
set of globally-distributed stakeholders. CSA brings together this diverse community of industry
partnerships, international chapters, working groups, and individuals. We are profoundly grateful to
all who contributed to this release.
Please visit cloudsecurityalliance.com to learn how you can work with us to identify and promote
best practices to ensure a secure cloud computing environment.
Best regards,
Luciano (J.R.) Santos
Executive Vice President of Research
Cloud Security Alliance
Introduction
This domain provides the conceptual framework for the rest of the Cloud Security Alliance’s
guidance. It describes and defines cloud computing, sets our baseline terminology, and details the
overall logical and architectural frameworks used in the rest of the document.
There are many different ways of viewing cloud computing: It’s a technology, a collection of
technologies, an operational model, a business model, just to name a few. It is, at its essence,
transformative and disruptive. It’s also growing very, very quickly, and shows no signs of slowing
down. While the reference models we included in the first version of this Guidance are still relatively
accurate, they are most certainly no longer complete. And even this update can’t possibly account
for every possible evolution in the coming years.
Cloud computing offers tremendous potential benefits in agility, resiliency, and economy.
Organizations can move faster (since they don’t have to purchase and provision hardware, and
everything is software defined), reduce downtime (thanks to inherent elasticity and other cloud
characteristics), and save money (due to reduced capital expenses and better demand and capacity
matching). We also see security benefits since cloud providers have significant economic incentives
to protect customers.
However, these benefits only appear if you understand and adopt cloud-native models and adjust
your architectures and controls to align with the features and capabilities of cloud platforms. In fact,
taking an existing application or asset and simply moving it to a cloud provider without any changes
will often reduce agility, resiliency, and even security, all while increasing costs.
The goal of this domain is to build the foundation that the rest of the document and its
recommendations are based on. The intent is to provide a common language and understanding
of cloud computing for security professionals, begin highlighting the differences between cloud
and traditional computing, and help guide security professionals towards adopting cloud-native
approaches that result in better security (and those other benefits), instead of creating more risks.
This domain includes 4 sections:
• Defining cloud computing
• The cloud logical model
• Cloud conceptual, architectural, and reference model
• Cloud security and compliance scope, responsibilities, and models
The Cloud Security Alliance isn’t setting out to create an entirely new taxonomy or reference model. Our
objective is to distill and harmonize existing models—most notably the work in NIST Special Publication
800-145, ISO/IEC 17788 and ISO/IEC 17789—and focus on what’s most relevant to security professionals.