Cloud Security Services Management
  • Subject matter experts are also welcomed to join the Cloud Security Services Management WG by submitting your request HERE.
  • Read more about Cloud Security Services Management on our CSA Global page HERE.
It is well acknowledged that collaboration and coordination among all stakeholders are critical to secure the cloud platform. The current gap is that there is no defined guideline dividing the security roles and responsibilities between the cloud service providers and cloud customers; on how to secure cloud services in different cloud deployment models. This is especially the case for those who have little cloud security knowledge. Therefore, there is a need to develop a guideline on how to build and manage cloud security services within the cloud computing industry. Cloud security services management is complex and multi-disciplinary; a successful cloud security services management platform should address technical, business, geographical, regulatory/compliance and legal considerations.

Although leading cloud providers are developing their security services management platform aggressively, the gap between cloud providers and security vendors still exists. As such, it is necessary and valuable to set up a platform for cloud providers and security vendors to develop a best practice guideline on how to build and, more importantly, to manage cloud security services. This is especially the case for small and medium business (SMB) vendors, which have no resource doing comprehensive research on geographical and legal requirements in different regions and countries. These SMBs may have no capability to perform compatibility development and testing with multiple partners, either. Hence, we propose to set up the Cloud Security Services Management Working Group (WG), which will look into developing a guideline to solve the need.

​This initiative aims to develop a research whitepaper, focusing on building up a cloud security services management platform. This whitepaper will serve as a guideline for cloud service providers to secure its cloud platform and provide cloud security services to cloud users, for cloud users to select security qualified cloud service providers, for security vendors to develop their cloud-based security products and services. Subsequently, this initiative hopes to develop a platform for cloud providers to publish their security requirements, for security vendors to share their security products and services, and to provide a platform for interoperability testing. This initiative will be especially beneficial to SMBs which are cloud service providers, security vendors and cloud customers. As a result, cloud security service management will become a part of Governance, Risk and Compliance (GRC) implementation.

Scope
  • This initiative will focus on cloud security services management research and best practice guideline development for managing cloud security services.
  • Certification is out of scope in this initiative.
  • This initiative will develop a platform for information sharing among cloud providers and security vendors.
  • This initiative will develop a platform for cloud service providers and security vendors to perform interoperability and conformance testing.

Goals
The objectives of the Cloud Security Services Management (CSSM) will include:
  • To develop a research paper (whitepaper), proposing a method to manage cloud security services. This paper will serve as a best practice guideline for those who wish to select a cloud service provider or a vendor;
  • To develop a platform for information sharing among cloud providers and security vendors and consumers;
  • To develop a platform for cloud service providers and security vendors to perform interoperability and conformance testing.

Ongoing Deliverables

Third Party Security Roles and Responsibilities

The Cloud Security Service Management (CSSM) Working Group published the whitepaper “Guideline on Effectively Managing Security Service in the Cloud” (referred to as the ‘Guideline’) in 2018. The Guideline provides an easy-to-understand guideline to cloud customers on how to design, deploy, and operate a secure cloud service for different cloud service models. In the guideline, it described the third party security service providers providing professional security services on behalf of CSP and/or cloud customers via business contract and agreement.

Is this true or is it the real business best practice?

As the next step, the CSSM WG plans to conduct research and to develop a whitepaper “Third Party Security Roles and Responsibilities”. 

To contribute, join the CSSM WG here.

Artifacts

Mapping of 'The Guidelines' Security Recommendations to CCM

This document contains the additional controls that serves to bridge the gap between CCM V3.0.1 and the controls within 'Guideline on Effectively Managing Security Services in the Cloud' published by Cloud Security Services Working Group.
Release Date: 09/05/2019

Download here

​Gap Analysis Report on Mapping CSA’s Cloud Controls Matrix to ‘Guideline on Effectively Managing Security Service in the Cloud’

The report summarizes the mapping of CCM v3.0.1 to 'Guideline on Effectively Managing Security Services in the Cloud' and provides gap analysis on the results.Release Date: 09/05/2019

Download here

​Guideline on Effectively Managing Security Service in the Cloud

This initiative aims to develop a research whitepaper, focusing on building up a cloud security services management platform. This whitepaper will serve as a guideline for cloud service providers to secure its cloud platform and provide cloud security services to cloud users, for cloud users to select security qualified cloud service providers, for security vendors to develop their cloud-based security products and services.
Release Date: 01/04/2019

​Read more about 'Guidelines to Effectively Managing Security Service in the Cloud' HERE.
Download here