Cloud Security Alliance

Before I get into the meat of this post, I want to emphasize that I am a huge fan of MCP (Model Context Protocol) servers and I believe the technology offers more than enough value to justify its use in the enterprise. But, like everything else on the planet, MCP is a double edged sword. And our job in security is to make even risky things as safe as possible. Okay, so why the big disclaimer up front? Because I don’t want you to think this is all negative and I’m telling you to not use …

Resiliency through multicloud looks great on paper, but the reality is far more complex (and expensive). Thanks to Amazon, Microsoft, and Google, my calendar over the past few weeks spiked with members calling to discuss cloud resiliency. Each of these outages was rare, and none of them shared any relationship or commonality, but we humans have this pesky habit of getting worried when there’s an uptick in similar-sounding incidents. (It’s probably tied to a deep survival instinct to rec…

Microsoft and Zendesk recognized as first organizations to achieve STAR for AI Level 2 certification SEATTLE – November 20, 2025 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the availability of STAR for AI Level 2 and the companion Valid-AI-ted for AI service. These developments mark a major milestone in CSA’s global effort to delive…

Originally published by Schellman. With proven real-life use cases, it’s a no-brainer that companies are looking for ways to integrate large language models (LLMs) into their existing offerings to generate content. A combination that’s often referred to as Generative AI, LLMs enable chat interfaces to have a human-like, complex conversation with customers and respond dynamically, saving you time and money. However, with all these new, exciting bits of technology come related security r…

Written by Ben Brigida, Expel. This blog is based on a recent session where Ray and I (Ben) discussed the key aspects to measuring security operations center (SOC) effectiveness. Over the years leading SOCs, I’ve learned that measuring success is one of the toughest challenges we face. A SOC requires both speed and quality, and balancing those can sometimes feel like an oxymoron. The stakes couldn’t be higher. Poor SOC efficiency and performance can cause burnout, human error, missed…

The landscape of AI governance continues to evolve rapidly, presenting significant challenges for organizations trying to establish robust compliance frameworks. The Cloud Security Alliance (CSA) has introduced an initial version of the STAR for AI Level 2 designation, which leverages ISO/IEC 42001, to address the immediate need for structured AI security guidance while all industry participants learn more about managing the risks of AI, new assessment technologies are developed,&n…

The Cloud Controls Matrix (CCM) is a framework of controls that are essential for cloud computing security. Created by CSA, the CCM aligns with CSA best practices. You can use CCM to assess and guide the security of any cloud service. CCM also provides guidance on which actors within the cloud supply chain should implement which controls. Both cloud service customers (CSCs) and cloud service providers (CSPs) use CCM in many ways. CSCs use CCM to: Assess the security posture of cloud …

Written by Sunil Gentyala, Lead Cybersecurity & AI Security Engineer, HCLTech.   Abstract The proliferation of distributed applications across public cloud, hybrid cloud, private cloud, and on-premises infrastructure necessitates advanced security mechanisms to protect inter-application communications. Traditional firewall architectures prove inadequate against sophisticated zero-day attacks, behavioral anomalies, and AI-specific threats such as prompt injection and goa…

Originally published by TrojAI.   The new security blind spot Voice-driven AI is moving quickly from science fiction to daily reality as we move from GenAI models to more sophisticated applications and agents. Once relegated to smart speakers and novelty gadgets, voice AI now drives banking transactions, healthcare triage, retail service, enterprise reporting, and even government interactions. For millions of people, the first interaction with an organization is no longer a web …

“Store Now, Decrypt Later,” or SNDL, attacks are a unique brand of attack that you need to keep top-of-mind in the coming years. Our new publication, A Practitioner’s Guide to Post-Quantum Cryptography, lays out why SNDL is so different. Exploitation may start today and only completes when Cryptographically Relevant Quantum Computers (CRQCs) arrive. That time factor means an adversary could harvest data in motion right now and decrypt it later, once they gain access to stronger co…

As AI becomes more powerful and accessible, the stakes around data privacy and protection are higher than ever. For instance, a single employee, seeking to leverage AI’s ability to read and understand a PDF, can easily upload a confidential document to an LLM and, in doing so, mistakenly expose PII or trade secrets. Worse, these private data may be stored and used to train and improve future models, eroding any data-related competitive advantages an enterprise has.  Data privacy r…

If you still run threat modeling as a one-time design activity, you’re missing the whole point of the cloud. Modern environments are elastic, multi-account, API-driven, and (thanks to AI) constantly changing. The attack surface is always reshaping itself. CSA’s new Cloud Threat Modeling 2025 publication makes a clear call: continuous threat modeling is essential. Below, learn what continuous threat modeling entails and discover the practical triggers that should force a model refresh. &…

Capabilities-Based Risk Assessment framework measures key autonomous risk factors DALLAS, TX — November 12, 2025 — The Cloud Security Alliance (CSA) today announced the release of its latest research whitepaper, Capabilities-Based Risk Assessment (CBRA), a groundbreaking framework developed by the AI Safety Initiative CISO Council to help organizations measure and manage risks stemming from autonomous and agentic AI systems. As enterprises increasingly deploy AI systems that think, act, …

Originally published by Schellman.   The EU Cyber Resilience Act (CRA) sets a new regulatory benchmark for product cybersecurity, impacting manufacturers, importers, and distributors worldwide. In this article, we’ll explain the Act’s scope, key requirements, and timeline to help your organization understand what’s changing and how to prepare with a readiness assessment.   What is the EU Cyber Resilience Act?  The EU CRA was adopted in 2024 and sets cybersecurity…

Written by Itzik Alvas, Entro Security.   One in every five exposed enterprise secrets originated from SharePoint. It wasn’t the result of a zero-day or a sophisticated exploit. Instead, the exposure traced back to something far more ordinary — a default OneDrive auto-sync feature silently moving local files from user desktops into SharePoint. In this blog, we’ll unpack how this happens, why it matters, and what security teams can do about it.   The Silent Sync Problem Th…

Originally published by Aembit. The chatbot that once asked “Press 1 for billing” can now autonomously process your refund, update your account, and schedule a follow-up call. What we’re witnessing is the fourth major evolution in AI-human interaction, from rigid rule-following systems to autonomous agents that can reason, adapt, and take action across complex workflows. This progression from rule-based chatbots to conversational AI to generative AI to agentic AI represents a natural …

Originally published by TrojAI.   As GenAI systems become more complex and their use more widespread, the need to protect them is increasingly urgent. Unfortunately, traditional cybersecurity defenses are not designed to protect AI models, applications, and agents. Traditional cybersecurity is designed to protect static systems, not dynamic, semi-autonomous systems that process massive amounts of data in real time. New technologies require new defenses. In this blog, we define G…

Written by Ashwin Chaudhary, CEO, Accedere. If you’ve ever been part of a cloud compliance audit, you will know the drill of countless spreadsheets, endless evidence collection, and a lot of back-and-forth emails that can trench both time and patience. Now, imagine if half of that audit process happens automatically, and you only have to review the results instead of meticulously developing them from scratch. That’s the reality AI and automation are making it possible.   Why Cl…

Securing remote and hybrid work on unmanaged devices has never been about one silver‑bullet product. It’s about choosing a control pattern that fits your risk surface, then proving that choice with auditable evidence. In 2025, that means aligning device‑agnostic access with Zero Trust principles, minimizing blast radius, and designing for graceful failure when laptops go missing, browsers are poisoned, or contractors use machines you don’t control. This playbook offers a vendor‑neutral …

  Introduction I wrote my first data-driven guidance and measurement app when I founded my first software company three decades ago. Back then, AI was described as a “knowledge-based system!” It became obvious that if I wanted to create an AI-assisted implementation for my cybersecurity software or any other topic, I needed to understand the nature of the beast. In the challenging journey into the unknown that we are all facing, I rapidly discovered that using GenAI alone was ne…