Security Guidance v4.0 © Copyright 2017, Cloud Security Alliance. All rights reserved
The permanent and official location for Cloud Security Alliance’s Security Guidance for Critical Areas of
Focus in Cloud Computing v4.0 is
https://cloudsecurityalliance.org/document/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v4-0/.
Official Study Guide for the
© 2017 Cloud Security Alliance – All Rights Reserved.
You may download, store, display on your computer, view, print, and link to Security Guidance for
Critical Areas of Focus in Cloud Computing v4.0 at
https://cloudsecurityalliance.org/document/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v4-0/,
subject to the following:
(a) the Report may be used solely for your personal, informational, non-commercial use; (b) the
Report may not be modified or altered in any way; (c) the Report may not be redistributed; and
(d) the trademark, copyright or other notices may not be removed. You may quote portions of the
Report as permitted by the Fair Use provisions of the United States Copyright Act, provided that you
attribute the portions to Security Guidance for Critical Areas of Focus in Cloud Computing v4.0.
FOREWORD
Welcome to the fourth version of the Cloud Security Alliance’s Security Guidance for Critical Areas of
Focus in Cloud Computing. The rise of cloud computing as an ever-evolving technology brings with it a
number of opportunities and challenges. With this document, we aim to provide both guidance and
inspiration to support business goals while managing and mitigating the risks associated with the
adoption of cloud computing technology.
The Cloud Security Alliance promotes implementing best practices for providing security assurance
within the domain of cloud computing and has delivered a practical, actionable roadmap for
organizations seeking to adopt the cloud paradigm. The fourth version of the Security Guidance for
Critical Areas of Focus in Cloud Computing is built on previous iterations of the security guidance,
dedicated research, and public participation from the Cloud Security Alliance members, working
groups, and the industry experts within our community. This version incorporates advances in cloud,
security, and supporting technologies; reflects on real-world cloud security practices; integrates the
latest Cloud Security Alliance research projects; and offers guidance for related technologies.
The advancement toward secure cloud computing requires active participation from a broad
set of globally-distributed stakeholders. CSA brings together this diverse community of industry
partnerships, international chapters, working groups, and individuals. We are profoundly grateful to
all who contributed to this release.
Please visit cloudsecurityalliance.com to learn how you can work with us to identify and promote
best practices to ensure a secure cloud computing environment.
Best regards,
Luciano (J.R.) Santos
Executive Vice President of Research
Cloud Security Alliance
ACKNOWLEDGEMENTS
Lead Authors
James Arlen
Francoise Gilbert
Adrian Lane
Rich Mogull
David Mortman
Gunnar Peterson
Mike Rothman
Editors
John Moltz
Dan Moren
CSA Staff
Hillary Baron
Ryan Bergsma
Daniele Catteddu
Victor Chin
Frank Guanco
Stephen Lumpe (Design)
Jim Reavis
Luciano (J.R.) Santos
Contributors
On behalf of the CSA Board of Directors and the CSA Executive Team, we would like to thank all of
the individuals who contributed time and feedback to this version of the CSA Security Guidance for
Critical Areas of Focus in Cloud Computing. We value your volunteer contributions and believe that
the devotion of volunteers like you will continue to lead the Cloud Security Alliance into the future.
LETTER FROM THE CEO
I am thrilled by this latest contribution to the community’s knowledge base of cloud security best
practices that began with Cloud Security Alliance’s initial guidance document released in April
of 2009. We hope that you will carefully study the issues and recommendations outlined here,
compare with your own experiences and provide us with your feedback. A big thank you goes out to
all who participated in this research.
Recently, I had the opportunity to spend a day with one of the industry experts who helped found
Cloud Security Alliance. He reflected that for the most part CSA has completed its initial mission,
which was to prove that cloud computing could be made secure and to provide the necessary tools
to that end. Not only did CSA help make cloud computing a credible secure option for information
technology, but today cloud computing has become the default choice for IT and is remaking the
modern business world in very profound ways.
The resounding success of cloud computing and CSA’s role in leading the trusted cloud ecosystem
brings with it even greater challenges and urgency into our renewed mission. Cloud is now
becoming the back end for all forms of computing, including the ubiquitous Internet of Things. Cloud
computing is the foundation for the information security industry. New ways of organizing compute,
such as containerization and DevOps, are inseparable from cloud and accelerating our revolution.
At Cloud Security Alliance, we are committed to providing you the essential security knowledge you
need for this fast-moving IT landscape and staying at the forefront of next-generation assurance and
trust trends. We welcome your participation in our community, always.
Best regards,
Jim Reavis
Co-Founder & CEO
Cloud Security Alliance