We interviewed Daniele Catteddu, Chief Technology Officer at the Cloud Security Alliance, to learn more about CSA’s contributions to enhancing cloud security globally, examples of collaboration with other stakeholders, and how these achievements support broader societal goals.
What is the Cloud Security Alliance (CSA), and what role does it play in shaping cloud security practices globally?
The Cloud Security Alliance (CSA) is a globally recognized nonprofit organization dedicated to defining and promoting best practices for securing cloud computing environments. Founded in 2009, CSA is the world’s leading organization committed to awareness, practical implementation, and certification for the future of cloud and cybersecurity.
One of CSA’s most notable contributions to cloud security is the development of widely adopted, open-access security frameworks and best practices. Notably, CSA developed the Cloud Controls Matrix (CCM), considered to be a de-facto standard for cloud security assurance and compliance, and the Security Guidance for Critical Areas of Cloud Computing, both of which serve as industry benchmarks for cloud security implementation. These publicly available resources provide organizations with clear recommendations for securing cloud services across various industries, influencing policies at both corporate and governmental levels.
CSA is also at the forefront of addressing the security implications of emerging technologies, such as Artificial Intelligence (AI). In collaboration with leading generative AI and cloud service providers, CSA launched the AI Safety Initiative. This coalition includes experts from government entities—for example the Cybersecurity & Infrastructure Security Agency (CISA)—and academia, all working together to develop and openly share reliable guidelines for Generative AI services’ trustworthiness and security. The initiative aims to provide business users—regardless of their size—with the necessary tools, templates, and knowledge to deploy AI in a safe, ethical, and compliant manner.
The results of our collaborative research, frameworks, good practices, and technical specifications are used as the foundation for the CSA training and educational program, which includes certification to support professionals in enhancing their cloud security expertise. The CSA training and certifications portfolio includes the award-winning Certificate of Cloud Security Knowledge (CCSK) and Certificate of Competence in Zero Trust (CCZT). Together with the Certificate of Cloud Auditing Knowledge (CCAK) and the STAR Lead Auditor, these programs offer professionals the necessary skills to navigate the evolving cloud security landscape effectively.
Earlier, I mentioned our Cloud Controls Matrix, which is a foundational component of CSA’s flagship program, STAR (Security, Trust, Assurance, and Risk). STAR is a compliance, assurance, and transparency program that helps organizations assess and certify their security posture according to CSA and other recognized international standards, and evaluate the security posture of their service providers. The program includes a publicly accessible registry that documents the security and privacy controls provided by thousands of cloud computing offerings.
As a thought leader in cloud security, CSA consistently publishes and freely disseminates research reports and industry insights that explore emerging threats, security trends, and innovative strategies. Topics covered in CSA’s research include AI governance, Zero Trust architecture, SaaS security, and quantum computing risks. By providing up-to-date intelligence on evolving cybersecurity challenges, CSA ensures that organizations are well-equipped to protect their cloud environments against sophisticated threats.
CSA also regularly collaborates with international regulatory bodies, governments, and organizations to align cloud security regulations and best practices across the globe. Working closely with entities such as the European Union Agency for Cybersecurity (ENISA), the National Institute of Standards and Technology (NIST), and several national security agencies from the U.S., Italy, Germany, Singapore, and Israel, to name a few, CSA has helped shape policies that enhance cloud security on a global scale, ensuring that businesses can adopt cloud security measures that comply with both regional and international standards.
A key aspect of CSA’s mission is fostering collaboration and education among cloud providers, enterprises, and security professionals.
How does CSA collaborate with industry stakeholders to promote cloud security?
CSA is highly consensus-driven, and our mission is rooted in collaboration with industry stakeholders as we work to enhance cloud security globally. CSA prides itself on being open, transparent, and vendor-agnostic. We work closely with cloud providers, enterprises, regulatory bodies, and security professionals from around the globe to develop frameworks, best practices, and initiatives that address evolving cybersecurity challenges.
Together, we identify relevant technology and industry trends, consult with the community to identify pain points and challenges, and, after defining the problem, pool our industry knowledge and research to address it. Our working groups, for instance, are composed of volunteer subject matter experts from across the industry who have dedicated their talent and knowledge to identifying best practices that could be valuable for the community at large.
A good example is the Compliance Automation Revolution, a new initiative we recently rolled out in partnership with several organizations that will fundamentally transform how companies manage their cybersecurity and privacy compliance and assurance. Over the last several years, we have been approached by multiple stakeholders from different markets and geographies, all of whom were looking to modernize their compliance approach — to make it more effective and efficient, less resource-intensive, and financially sustainable. At CSA we know that the best solutions are ones that are built together as an industry. And so, just as we have on other projects such as the CCM, Zero Trust, and the AI Safety Initiative, we partnered with a broad-based coalition to solve a real-world problem with a practical, workable solution.
Can you share a specific example of how CSA’s work has directly improved cybersecurity or helped an organization enhance its cloud security posture, and how does that contribute to broader societal goals, such as economic resilience or reducing the global cost of cyberattacks?
CCM and STAR have been adopted by countries such as Italy, Singapore, Turkey, Saudi Arabia, UAE, and others as security standards of reference for public procurement. Similarly, NATO and several industry associations in critical sectors like banking use CCM as a standard of reference.
The STAR Program includes the earlier-mentioned free, publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. The information included in the registry contributes to the transparency of the cloud market and is an important decision factor when measuring the reputability of cloud services from a cybersecurity and privacy standpoint.
Today, thousands of organizations, from SMBs to large global enterprises representing every area from child-care-center management to software analytics, are using CSA’s Consensus Assessments Initiative Questionnaire (CAIQ) for their third-party risk management. (To achieve STAR Level 1, cloud providers must submit their CAIQ to document compliance with CCM.)
Finally, CCZT is widely used in the public sector, for instance by CISA and DoD in the U.S., and is listed in the U.S. General Services Administration Multiple Award Schedule.
CSA has been influential in producing intellectual property like the Cloud Controls Matrix. How is this IP funded and sustained?
CSA is funded and sustained through a combination of membership fees, sponsorships, training and certification programs, and partnerships. Corporate sponsorship opportunities, for instance, allow organizations to contribute to specific research initiatives, projects, webinars, educational initiatives, and both virtual and in-person events, while revenue from CSA’s professional certifications, such as CCSK, CCAK, and CCZT, and training sessions (e.g., STAR Lead Auditor and CCSK Train the Trainer) helps sustain program development.
While CSA counts salaried researchers among its staff, it also relies on a cadre of volunteers from around the world who lend their insight and expertise to our research initiatives. Falling under the scope of approximately 30 working groups and 100 chapters, volunteer security experts contribute their time and industry expertise to ensure that initiatives like CCM remain a free and globally recognized standard, sustained by continuous contributions from industry professionals.
What would happen if CSA ceased operations? How critical is your work to the cybersecurity community, and what would it take for another organization to fill the gap?
It is difficult to say, as we are active in many areas and offer assistance to different constituencies. Let’s look at the great emphasis given in our economies to supply chain governance, third-party risk management, and cyber compliance and assurance. It is not difficult to imagine that several industries and some countries will feel the void left by CSA, as they are leveraging our STAR Program and Cloud Controls Matrix as foundational tools for their approaches to governance, risk management, and compliance. Believe me, it won’t be easy transitioning to a new standard, as it takes time to build industry standards, refine, maintain, and support them with awareness and educational campaigns. Additionally, it requires time and patience to build trust, and the main reason why companies worldwide are adopting CSA standards is because they trust us: they trust the quality and soundness of our research, they trust our independence from any country or industry, and they trust our transparency. That is precisely what your Common Good Cyber effort is about, making sure that all we have achieved so far is sustainable!