Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.

  • The First Question Security Should Ask on AI Projects
    on January 9, 2026 at 5:54 pm

      Why? What is our desired outcome? Such a simple question. Such a profound question. I’ve been contemplating writing this post for a while now, but struggled with the framing. Throughout 2025 I started moving from “talking about AI security” to helping advise organizations directly on active projects. Yep, I was surfing the hype wave, but it beats drowning. Thus when I jumped into my morning news feed and saw my friend Nick Selby wrote an article for Inc. entitled “How FOMO Is…

  • Cloud 2026: The Shift to AI Driven, Sovereign and Hyperconnected Digital Ecosystems
    on January 6, 2026 at 6:37 pm

    Contributed by Tata Communications. Originally published on Business Today. A decade ago, moving to the cloud was seen as a simple upgrade to help companies work faster, scale easily and reduce costs. But in the last few years, things have changed. Many companies now feel exasperated with the cloud because it can become expensive or complicated if not planned well. Gartner notes that by 2028, one in every four organisations is expected to experience “significant dissatisfaction” with “…

  • AWS Ends SSE-C Encryption, and a Ransomware Vector
    on January 5, 2026 at 9:02 pm

    You probably weren’t using it anyway, so might as well cut the cruft and end a lesser-known attack vector. I’m a bit late to the party, but this morning I learned that AWS is ending support for a feature called “SSE-C” for encrypting data in S3 in April. Normally in security when we hear a cloud provider is getting rid of a capability, we get annoyed, but in this case I think it’s a great decision. In this post I’ll quickly cover what SSE-C encryption is, how it was starting to be used …

  • How Generative AI is Reshaping Zero Trust Security
    on January 5, 2026 at 9:02 pm

      Part 1 of 7 in the CSA Series: AI and the Zero Trust Transformation The security landscape has shifted beneath our feet. Generative AI hasn’t just added new tools to the defender’s arsenal. It has fundamentally changed what attackers can do and how quickly they can do it. From deepfakes convincing enough to authorize multimillion-dollar wire transfers to phishing campaigns that scale effortlessly across languages and contexts, the threats we face today look nothing like those …

  • AAGATE: A NIST AI RMF-Aligned Governance Platform for Agentic AI
    on December 17, 2025 at 7:13 pm

    Written by: Ken Huang, CEO, DistributedApps.AI, CSA Research Fellow; Kyriakos “Rock” Lambros, CEO, RockCyber; Jerry Huang, Fellow at Kleiner Perkins; Yasir Mehmood, Independent Researcher, Germany; Hammad Atta, CEO, Qorvex Consulting & Roshan Consulting; Joshua Beck, Application Security Architect, SAS Institute; Vineeth Sai Narajala, Project Co-Lead OWASP AIVSS; Muhammad Zeeshan Baig, Course Director, Wentworth Institute of Higher Education, Machine Learning Professional; Muhamm…

  • Your Cloud May Be Secure, But Are Your Backups? Lessons From The EY Incident
    on December 17, 2025 at 4:59 pm

    Cloud teams often obsess over production systems: hardening workloads, tightening IAM, refining detection rules, and closing misconfigurations before attackers can use them. But there’s another environment hiding in plain sight: your backup storage. The recent discovery of a 4TB publicly accessible SQL Server backup linked to EY demonstrates a harsh reality. Even well-funded, security-mature organizations can unintentionally expose high-value data if backups aren’t governed with the same…

  • Closing the Zero Trust Governance Gap: Why Automation is Essential
    on December 16, 2025 at 10:56 pm

    When you think about Zero Trust—particularly what it means in terms of access controls and where to start strengthening your security posture—what comes to mind? For many organizations, the answer focuses on perimeter security: multi-factor authentication (MFA), segmentation, device posture, and the like. But Zero Trust isn’t just about who gets in. Rather, it’s about continuously verifying that the right identities—and only the right identities—have the right access, at the right time,…

  • Securing the Future: AI Strategy Meets Cloud Security Operations
    on December 16, 2025 at 10:55 pm

      Introduction: A Brief History of AI and Its Cybersecurity Impact Artificial Intelligence (AI) has evolved from theoretical concepts in the 1950s to transformative technologies embedded in every facet of modern enterprise. From Alan Turing’s foundational work to the rise of generative AI, the journey has been marked by breakthroughs in machine learning, deep learning, and natural language processing. Today, AI is both a powerful defense mechanism and a potential attack vector. Cyb…

  • Reimagining the Browser as a Critical Policy Enforcement Point: A Zero Trust Security Architecture for Modern Enterprises
    on December 16, 2025 at 10:55 pm

    Contributed by HCL Technologies.   Executive Summary The browser has evolved into the contemporary security perimeter. Every SaaS authentication, developer console, administrative portal, and AI-driven research tool converges within browser tabs, making it a primary attack surface. This technical blueprint repositions the browser as a first-class Policy Enforcement Point  (PEP) within a comprehensive Zero Trust Architecture, unifying least-privileged access contro…

  • Best Practices to Achieve the Benefits of Agentic AI in Pentesting
    on December 16, 2025 at 10:55 pm

    Agentic AI systems take penetration testing to a level far beyond traditional methods. In the words of a former Synack Red Team member and security engineer, Max Moroz, “Traditional pentesting is like checking your locks and windows once a year while a swarm of AI-powered burglars are constantly probing your house.” Companies are now considering pentesting powered by agentic AI to achieve the level of scale, speed and cost effectiveness that attackers are already leve…

  • Introducing the AI Maturity Model for Cybersecurity
    on December 16, 2025 at 10:34 pm

    The AI Maturity Model for Cybersecurity is the most detailed guide of its kind, grounded in real use cases and expert insight. It empowers CISOs to make strategic decisions, not just about what AI to adopt, but how to do it in a way that strengthens their organization over time and achieves successful outcomes.   AI adoption in cybersecurity: Beyond the hype Security operations today face a paradox. On one hand, artificial intelligence (AI) promises sweeping transformation from a…

  • How to Build a Trustworthy AI Governance Roadmap Aligned with ISO 42001
    on December 16, 2025 at 10:34 pm

    As artificial intelligence continues to become widely embedded in critical business decisions, strategies, and processes, it increasingly faces growing scrutiny from regulators, customers, and the public. While AI offers unprecedented opportunities for operational enhancements and innovation, it also introduces new risks. To address these challenges, organizations can no longer rely on informal or ad hoc management practices alone, making a trustworthy AI governance roadmap essential for…

  • AI Security Governance: Your Maturity Multiplier
    on December 16, 2025 at 10:33 pm

    Most organizations are no longer asking whether to use AI. The question now is whether they can secure it. In CSA’s latest survey report, The State of AI Security and Governance, a clear pattern emerges. Organizations with strong AI security governance are: moving faster; experimenting more; feeling more confident about AI than their peers. Instead of slowing innovation down, governance is acting as a maturity multiplier. In this blog, we’ll zoom in on one key theme: you get bette…

  • Why Agentic AI Matters for the Future of Cybersecurity
    on December 16, 2025 at 10:33 pm

    As the cybersecurity landscape transforms, the rise of agentic AI is changing how organizations think about machine identities, or Non-Human Identities (NHIs). What happens when machines, powered by autonomous AI, become key actors in your digital ecosystem? The simple answer: you need to rethink how you govern, monitor, and secure them.   Understanding NHIs in Today’s Cloud-Native World NHIs are machine identities—software agents, APIs, automation bots—that use “secrets” (tokens…

  • Governance Maturity Is Strongest Predictor of AI Readiness and Responsible Innovation, According to Study from Cloud Security Alliance and Google Cloud
    on December 16, 2025 at 2:40 pm

    Organizations are continuing to move from experimentation to meaningful operational use SEATTLE – Dec. 18, 2025 – The State of AI Security and Governance Survey Report, a new study from the Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, and Google Cloud, revealed a clear link between mature governance and improved performance across multiple dimensions of AI adoption and security. Results show…

  • Agentic AI Security: New Dynamics, Trusted Foundations
    on December 10, 2025 at 3:53 am

    Contributed by Aiceberg.   Agentic AI – Why should you care? Agentic AI isn’t just another tech buzzword; it represents a fundamental shift in how intelligent systems operate, make decisions, and interact with the world. As AI agents become more autonomous, they introduce both powerful opportunities and new risks that traditional security and governance can’t fully address. If you care about trust, compliance, and keeping humans in control, understanding agentic AI is essential. …

  • Deterministic AI vs. Generative AI: Why Precision Matters for Automated Security Fixes
    on December 10, 2025 at 3:40 am

    Originally published by Gomboc.ai. In 2024, the dirty little secret was out: over 60% of AI-generated security fixes still had to be torn apart and rebuilt by engineers before they were safe to ship. That’s not “helping,” that’s creating rework. The reason? Guesswork dressed up as intelligence. In Infrastructure as Code, “close enough” is a liability. One misplaced variable can derail a deployment, trigger a production outage, or crack open a brand-new security hole. And yet, too many …

  • Security for AI Building, Not Security for AI Buildings
    on December 9, 2025 at 2:08 am

      AWS re:Invent 2025 Shows What “Shift Left” Can Mean for AI Security Although I wasn’t at AWS re:Invent in person this year (only the second one I’ve missed since 2013), I sat at home closely following the early “pre:Invent” and official conference announcements. While it’s always risky to extrapolate generalized industry trends from one company’s product announcements, I think we are seeing the earliest signs of a “new” angle on AI security. This isn’t exclusive to Amazon, and I…

  • Zero Trust for OT in Manufacturing: A Practical Path to Modern Industrial Security
    on December 8, 2025 at 5:47 pm

      Introduction Over the past decade, manufacturing has emerged as one of the most heavily targeted industries for cyberattacks. These environments are inherently complex, built on layers of specialized and often non-standard technologies that rarely align with traditional IT lifecycle practices. Operational technology (OT) systems prioritize availability above all else, making essential cybersecurity activities like patching or routine maintenance far more challenging and potent…

  • AI Explainability Scorecard
    on December 3, 2025 at 6:46 pm

    Contributed by Aiceberg.   Part 1 — Why Transparency Is the True Measure of Trust When a medical AI system once recommended denying a patient treatment, the doctors hesitated—but couldn’t explain why. The algorithm’s reasoning was invisible, locked inside a mathematical “black box.” Only later did an audit reveal the model had learned to equate zip codes with health outcomes—unintentionally penalizing people from poorer neighborhoods. This story isn’t about bad actors or…
