CloudSA stresses customer workload ownership
- Cloud Security Alliance said cloud providers secure the underlying platform, while customers must secure their own workloads, identities, configurations, and stored data.
- CSA tied that message to its Cloud Controls Matrix and Shared Security Responsibility Model, which map controls across IaaS, PaaS, and SaaS.
- CSA also positions CCSK as a benchmark cloud-security credential covering governance, workload, and data protection basics. (cloudsecurityalliance.org)

Cloud Security Alliance says the cloud provider secures the cloud itself, but the customer still owns security for workloads, identities, configurations, and data. (cloudsecurityalliance.org) That division is the shared responsibility model, the rulebook cloud teams use to decide who patches what, who configures what, and who answers for gaps. (cloudsecurityalliance.org)

CSA’s Cloud Controls Matrix is the checklist behind that rulebook. The current matrix is structured across 17 domains and 197 control objectives for cloud security assurance and compliance. (cloudsecurityalliance.org) CSA said its newer introductory guidance maps those controls to cloud service providers and cloud service customers across infrastructure as a service, platform as a service, and software as a service. (cloudsecurityalliance.org)

The split changes with the service model. In infrastructure as a service, customers carry much more of the operating system, application, and data burden than they do in software as a service. (cloudsecurityalliance.org)

Data protection stays on the customer side more often than many teams assume. CSA’s data protection guidance calls out controls for data in transit, at rest, and in use, including masking, encryption, and certificates. (cloudsecurityalliance.org) Encryption is only part of that job. CSA’s cryptography guidance says providers supply encryption services and secure key storage, while customers still have to manage policies, usage, and governance around their own data. (cloudsecurityalliance.org)

CSA is also using the moment to point people toward training. Its Certificate of Cloud Security Knowledge, or CCSK, is described by the group as a benchmark credential and a first step toward broader cloud-security work. (cloudsecurityalliance.org) (training.cloudsecurityalliance.org) The current CCSK v5 curriculum spans 12 domains, including governance, identity and access management, security monitoring, cloud workloads, and data security. (cloudsecurityalliance.org)

CSA’s point is narrower than “secure the cloud.” It is that renting infrastructure does not transfer ownership of the workload, the settings, or the consequences of getting them wrong. (cloudsecurityalliance.org)