Cloud Security Guidance

SECURITY GUIDANCE
FOR CRITICAL AREAS
OF FOCUS IN CLOUD
COMPUTING V3.0

S ECURIT Y G UIDANC E F O R C RITICA L A REA S O F
F OCUS IN CLOUD COMPUTING V 3.0

INTRODUCTION
The guidance provided herein is the third version of the Cloud Security Alliance document, “Security Guidance for
Critical Areas of Focus in Cloud Computing,” which was originally released in April 2009. The permanentarchive
locations for these documents are:
http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf (this document)
http://www.cloudsecurityalliance.org/guidance/csaguide.v2.1.pdf (version 2 guidance)
http://www.cloudsecurityalliance.org/guidance/csaguide.v1.0.pdf (version 1 guidance)
In a departure from the second version of our guidance, each domain was assigned its own editor and peerreviewed by
industry experts. The structure and numbering of the domains align with industry standards and best practices. We
encourage the adoption of this guidance as a good operating practice in strategic management of cloud services. These
white papers and their release schedule are located at:
http://www.cloudsecurityalliance.org/guidance/
In another change from the second version,there are some updated domain names. We have these changes: Domain
3: Legal Issues: Contracts and Electronic Discovery and Domain 5: Information Management and Data Security. We
now have added another domain, which is Domain 14: Security as a Service.

© 2011 Cloud Security Alliance.
All rights reserved. You may download, store, display on your computer, view, print, and link to the CloudSecurity
Alliance Guidance at http://www.cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf subject to the following: (a) the
Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance may not be
modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the trademark, copyright or other
notices may not be removed. You may quoteportions of the Guidance as permitted by the Fair Use provisions of the
United States Copyright Act, provided that you attribute the portions to the Cloud Security Alliance Guidance Version 3.0
(2011).

©201 1 CLOUD SECURITY ALLIANCE | 1

S ECURIT Y G UIDANC E F O R C RITICA L A REA S O F
F OCUS IN CLOUD COMPUTING V 3.0

TABLE OF CONTENTS
Introduction........................................................................................................................................................................... 1
Foreword ................................................................................................................................................................................ 3
Acknowledgments................................................................................................................................................................. 4
Letter from the Editors .......................................................................................................................................................... 6
An Editorial Note on Risk...................................................................................................................................................... 8
Section I. Cloud Architecture ............................................................................................................................................... 11
Domain 1: Cloud Computing Architectural Framework ....................................................................................................... 12Section II. Governing in the Cloud ...................................................................................................................................... 29
Domain 2: Governance and Enterprise Risk Management .................................................................................................. 30
Domain 3: Legal Issues: Contracts and Electronic Discovery...