- Architectural framework: provides a conceptual framework focusing on cloud computing.
- Governance and enterprise risk management: the ability of an organization to govern and measure the enterprise risk that cloud computing introduces.
- Legal and electronic discovery: potential legal issues including protection requirements for information and computer systems.
- Compliance and audit: proving compliance when using cloud computing during an audit.
- Information life cycle management: managing data that is placed in the cloud and determining responsibility for data confidentiality, integrity, and availability.
- Portability and interoperability: the ability to move data and services from one provider to another or bring it back in-house.
- Traditional security, business continuity, and disaster recovery: identifying where cloud computing may assist in lowering security risks, while potentially increasing risk in other areas.
- Data center operations: common data center characteristics that could be detrimental to ongoing services, and those that are fundamental to long-term stability.
- Incident response, notification, and remediation: addresses complexities that cloud computing brings to an incident handling program and forensics for both the provider and customer.
- Application security: securing application software that is either running on or being developed in the cloud.
- Encryption and key management: identifying proper encryption usage and scalable key management.
- Identity and access management: focuses on issues encountered when extending an organization’s identity into the cloud.
- Virtualization: risks associated with multitenancy, that is, the sharing of computing resources by different organizations.
On November 14, 2011, the CSA issued the Security Guidance for Critical Areas of Focus in Cloud Computing Version 3.0.
- Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 (Dec. 2009).