Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

  • Implementing CCM: Infrastructure Security Controls
    on June 25, 2025 at 7:36 pm

    The Cloud Controls Matrix (CCM) is a framework of controls that are essential for cloud computing security. You can use CCM to systematically assess and guide the security of any cloud implementation. CCM contains 197 control objectives structured into 17 domains that cover all key aspects of cloud technology:   CCM Domains     Today we’re looking at implementing the twelfth domain of CCM: Infrastructure & Virtualization Security (IVS). This domain applies to bot…

  • ESXi Ransomware: The Growing Threat to Virtualized Environments
    on June 23, 2025 at 6:46 pm

    Originally published by ValiCyber. Written by Nathan Montierth.   Ransomware has reshaped the cybersecurity landscape, and a disturbing new trend is emerging: the targeting of ESXi environments. As the core of many organizations’ IT infrastructure, ESXi hypervisors have become a prime target for cybercriminals seeking maximum disruption with minimal effort. This is no coincidence—hypervisors are critical to hosting and managing virtual machines (VMs), making them capable…

  • Why Are Penetration Tests Important?
    on June 23, 2025 at 6:35 pm

    Originally published by A-LIGN. Written by Joseph Cortese, Penetration Testing Practice Lead, A-LIGN.   How do you measure the effectiveness of your cybersecurity program? Ask this question of a dozen CISOs and you’ll likely get twelve different answers. That’s because there’s no one-size-fits-all approach to measuring security but a penetration test plays into the most effective cybersecurity strategies. While there may not be a single “right” way of measuring y…

  • CIEM and Secure Cloud Access Best Practices
    on June 23, 2025 at 6:27 pm

    Originally published by CyberArk. Written by Sam Flaster, Director of IT Solutions Strategy, CyberArk and Shaked Rotlevi, Technical Product Marketing Manager, Wiz.   Let’s cut the fluff out of cloud security. As you build and innovate in the cloud, you create a maze of roles, permissions and resources that you must secure thoughtfully. The dirty secret is that as organizations launch and build new infrastructure, they also create a labyrinth of permissions tha…

  • Navigating the Cybersecurity Imperative in India’s Manufacturing Ascent
    on June 18, 2025 at 11:37 pm

    Written by Vaibhav Dutta, Associate Vice President and Global Head-Cybersecurity Products & Services, Tata Communications. Originally published in Manufacturing Today.   As the world’s supply chains rearrange themselves in the wake of geopolitical uncertainties, climate mandates, and automation acceleration, India has stepped confidently into a new role—one of a global manufacturing anchor. From electronics and EVs to semiconductors and defence, global giants are placing their…

  • Why Do Organizations Migrate to the Public Cloud? Hint: It Isn’t About Cost Anymore
    on June 18, 2025 at 11:26 pm

    Written by Eyal Estrin.   Why do organizations migrate to the public cloud? This blog post was written in 2025, and it may sound like a simple question, but let’s dive into it.   Historically: The Cost Factor For many traditional organizations, it began with the debate of how to lower the cost of their IT budget. Variable purchase options for consuming services (from pay-as-you-go, saving plans, to Spot) and the ability to easily deploy an entire environment in a…

  • A Copilot Studio Story: Discovery Phase in AI Agents
    on June 18, 2025 at 11:18 pm

    Originally published by Zenity. Written by Tamir Ishay Sharbat.   Copilot Studio is Microsoft’s no-code platform for building AI Agents. All it takes is writing some instructions in plain English, pressing on a few buttons and you have yourself an agent. Fully autonomous with tools, knowledge sources, the works. But AI agents aren’t safe by design (even if you build them just right) and in the following 2 blogs we’ll together break apart one of Microsoft’s flagship examples o…

  • What Kind of Identity Should Your AI Agent Have?
    on June 18, 2025 at 10:59 pm

    Originally published by Aembit. Written by Apurva Davé.   AI identity is not yet a fully formed concept. We have a concept of identity for humans (workforce and customers), and we have  identity for non-humans (applications, workloads, scripts), but as we will explore, AI requires a little bit of both. And that may mean something new entirely. It’s likely your developers are not thinking about what an AI identity is, nor how it should be managed. They are thinking, instead…

  • Cloud Security: Whose Job Is It?
    on June 18, 2025 at 9:24 pm

    Originally published by SkyHawk Security. Written by Jennifer Gill.   There are several reasons why cloud security is so challenging, and the leading issue is roles and responsibilities. In the cloud there are three main groups that interact when securing the cloud: Cloud Security Team, Security Operations Center, and DevOps. These teams do not report to one another or manage one another so clear communication to enable collaboration is key. Additionally, command decision makin…

  • 6 Cloud Security Trends Reshaping Risk and Resilience Strategies
    on June 18, 2025 at 9:19 pm

    Originally published by Seiso. Written by Eric Lansbery, Chief Operating Officer, Seiso.   Cloud security isn’t failing—it’s being outpaced.  Attackers have adapted faster than many security programs have matured. As organizations accelerate cloud architecture adoption, the risks are no longer confined to simple misconfigurations. The real threats lie in the seams between identity systems, legacy integrations, and cloud services that were never designed to work tog…

  • A Primer on Model Context Protocol (MCP) Secure Implementation
    on June 18, 2025 at 2:48 am

    Written by Ken Huang, CSA Fellow, Co-Chair of CSA AI Safety Working Groups and Dr. Ying-Jung Chen, Georgia Institute of Technology.   This implementation guide provides a comprehensive, hands-on walkthrough for building a complete system using the Model Context Protocol (MCP), a framework designed to bridge the gap between Large Language Models (LLMs) and external, real-world tools. Using a tangible use case—a ‘Grid Operations Assistant’—this document details the step-by-step creati…

  • Protecting the Weakest Link: Why Human Risk Mitigation is at the Core of Email Security
    on June 18, 2025 at 2:34 am

    Originally published by Abnormal. Written by Jade Hill.   Blame has long been placed on people as the biggest vulnerability in cybersecurity. And while it isn’t exactly a hot take, I deeply believe that we can’t blame people for just trying to do their jobs, track a package, or win a contest. How can we blame an employee for simply trying to do their best at work? That might mean an executive assistant buys some gift cards at the request of their boss, or a finance dire…

  • How to Keep IAM Running in a Multi-Cloud World
    on June 17, 2025 at 1:02 am

    Written by Eric Olden, Strata.   Why identity is more than just access As the digital landscape rapidly shifts toward Zero Trust architectures, identity has taken on a much more critical role. Once a mechanism for simple verification, identity is now central to enterprise security. Governments, corporations, and institutions rely on identity systems to safeguard data, applications, and users. This transformation means that if your identity infrastructure experiences an outag…

  • Why Do I Have to Fill Out a CAIQ Before Pursuing STAR Level 2 Certification?
    on June 17, 2025 at 12:55 am

    Written by John DiMaria, Chief of Staff, CSA.   The STAR (Security, Trust, Assurance and Risk) program by the Cloud Security Alliance (CSA) is a globally recognized framework for assessing the security posture of cloud service providers (CSPs). The program provides a structured pathway for CSPs to demonstrate their commitment to transparency, security, and best practices. At the heart of the program are its certification levels, with STAR Level 2 certification representing an …

  • ISO 27001 Certification: How to Determine Your Scope
    on June 16, 2025 at 11:19 pm

    Originally published by Schellman. Written by Jenelle Tamura, Senior Associate, Schellman.   When building out your information security management system (ISMS) which will ultimately become certified, it can be tricky to know where to draw the boundaries of what should be included in your scope. Because the ISO 27001 standard is comprised of requirements that can be applied to any organization regardless of type, size, or nature, this widely applicable approach is not over…

  • NIST AI RMF: Everything You Need to Know
    on June 16, 2025 at 11:07 pm

    Originally published by Vanta. Written by the Vanta team.   The NIST AI Risk Management Framework (RMF) is one of the most advanced, globally accepted guidelines for the safe and responsible use of AI systems. If your organization implements AI in any capacity, adopting the NIST AI RMF can be a significant move toward future-proofing your operations and strengthening AI trustworthiness among customers. Despite being a relatively new framework, many security teams are lo…

  • AI Agents vs. AI Chatbots: Understanding the Difference
    on June 14, 2025 at 7:11 am

    Originally published by Astrix. Written by Alon Berger.   While AI chatbots respond, AI agents act. Both automate tasks, but the security implications differ significantly, primarily due to how they interact with NHIs. Agents make autonomous decisions, through adaptive learning, while Chatbots stick to scripts and predictable interactions. Let’s dive into what sets them apart.   Key differentiations AI Chatbots: predictable, constrained, and easier to secure AI chatb…

  • Why Your SaaS Security Strategy Needs Automated Remediation
    on June 12, 2025 at 6:13 pm

    Originally published by Valence Security. Written by John Filitz.   Your security team is operating with a dangerous blind spot. Your SaaS environment is likely the most vulnerable aspect of your security posture due to unremediated and escalating cyber risk. Even if you’re using a first generation SaaS Security Posture Management (SSPM) solution, the uncomfortable truth is that you have a significant degree of unremediated risk.  This is because manual remediatio…

  • Implementing CCM: Interoperability & Portability Controls
    on June 12, 2025 at 1:45 am

    The Cloud Controls Matrix (CCM) is a framework of controls that are essential for cloud computing security. The CCM is created and updated by CSA and aligned to CSA best practices. You can use CCM to systematically assess and guide the security of any cloud implementation. CCM also provides guidance on which actors within the cloud supply chain should implement which security controls. Both cloud service customers (CSCs) and cloud service providers (CSPs) use CCM in many ways. CSCs use…

  • Closing the Blind Spot in Enterprise DNS Security: Why DNS Posture Management Matters
    on June 11, 2025 at 8:43 pm

    Originally published by CheckRed. Written by Derek Hammack, VP, Operations and Customer Success, CheckRed.   As enterprise security teams work to protect sprawling multi-cloud environments, one foundational layer remains dangerously underprotected: the Domain Name System (DNS). DNS is the backbone of modern digital infrastructure—translating domain names into IP addresses and routing traffic between users, applications, and services. Despite this critical role, DNS is …
