Non-human identities like API keys and OAuth tokens are a major concern within Identity and Access Management. Understand current perceptions and concerns.| cloudsecurityalliance.org
“The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.” - Sun Tzu “Resilience is the ability to remain viable amidst adversity.” Historically, we believed as an industry we could prevent incidents by the deliberate implementation of defenses. The few that got through would easily be addressed by the techni...| Cloud Security Alliance
Compliance frameworks establish essential security baselines. The challenge: They often fall short of addressing the nuanced and ever-changing nature of cyber risks. This underscores the necessity of integrating risk-based security measures to enhance an organization’s overall security posture. Understanding Compliance-Based Security Compliance-based security revolves around conforming to specific mandates set forth by laws, regulations, or industry standards. These frameworks...| Cloud Security Alliance
As generative AI technologies continue to advance at a breakneck pace, they bring unprecedented opportunities for personalization and efficiency. However, they also introduce profound risks to personal privacy and security, particularly in the realm of digital identities. From voice cloning and behavioral mimicry to unauthorized monetization of biometric data, AI systems can replicate human likenesses with alarming accuracy, often without consent or oversight. This vulnerabilit...| Cloud Security Alliance
Introducing CSA’s MCP Security Resource Center — the first open industry hub for securing the Model Context Protocol and the broader agentic AI control plane. How fast can a technology standard be adopted? The Model Context Protocol (MCP) gives us the answer. Its core specification and reference implementation came together in just over a week and were released publicly only a few months later. Within eight months there were more than 70 public MCP clients — including virtual...| Cloud Security Alliance
Today, CSA is releasing the official mapping of the AI Controls Matrix (AICM v1.0) to ISO/IEC 42001:2023—with companion references to ISO/IEC 27001 and 27002. This practical guide helps organizations integrate AI-specific controls into existing ISMS programs, accelerate gap analysis, and build confidence in responsible AI. At the same time, we’re unveiling the next evolution of assurance for AI: STAR for AI 42001—a pragmatic on-ramp to third-party assurance that meets organizations wher...| Cloud Security Alliance
In an era where data breaches and privacy concerns are prevalent, understanding HIPAA regulations is crucial for safeguarding sensitive health information. What is HIPAA and Why It Matters The Health Insurance Portability and Accountability Act (HIPAA) is a critical piece of legislation enacted in 1996 to ensure the protection and confidential handling of protected health information (PHI). Managed by the U.S. Department of Health and Human Services, HIPAA sets the standards for...| Cloud Security Alliance
There is no shortage of exaggerated claims about artificial intelligence, but some of the most consequential developments remain poorly understood. AI agents, autonomous software systems designed to reason, plan, and act across digital environments, are quietly reshaping how work gets done. They are also introducing identity and security challenges that most organizations are not prepared to address. Unlike earlier forms of automation, AI agents are not limited to repetitive, scripted ta...| Cloud Security Alliance
Over the last six months, the world has gone from zero to 60 mph on agentic AI. I’ve been a fairly avid LLM user (for software development, polishing text, and other needs). However, I’ve barely touched on agentic AI, model context protocol (MCP), and other modern approaches that have popped up recently. For those of you like me who aren’t yet deep into this topic: agentic AI is about giving AI the ability to take action, not just respond to prompts like traditional chatbots. It can ...| Cloud Security Alliance
Originally published by Vali Cyber. Healthcare organizations increasingly rely on virtualization to consolidate infrastructure, streamline IT, and improve patient care. But this shift comes with a growing risk: hypervisors have become key targets for ransomware groups exploiting the very systems that support critical care delivery. This blog explores how and why healthcare’s growing reliance on virtual infrastructure has introduced a new class of threats—and what steps can be ta...| Cloud Security Alliance
In 2025, SOC 2 is no longer the badge of excellence it once was — it’s the bare minimum. A staggering 92% of organizations now conduct at least two audits annually, and 58% go through four or more. It reflects how critical compliance has become to win customer trust and stay in business. More companies are under pressure to demonstrate not just whether they’re secure but also how well their controls operate in real environments. That’s where a high-quality SOC 2 audit shines. In fact,...| Cloud Security Alliance
If we’re in AI’s Wild West, this much is clear: When it comes to vulnerability management, agentic AI technologies need human wranglers. (Though the humans need not ride horseback.) AI agents are upending vuln management by scaling up identification of suspected software flaws. They can clearly cover more of organizations’ attack surfaces, faster. But humans still have the edge when it comes to validating business-critical vulnerabilities and discovering complex ...| Cloud Security Alliance
ISO 27001 is the international standard for information security management, providing a structured, risk-based framework for identifying threats, implementing effective security controls, and safeguarding sensitive data. By pursuing ISO 27001 certification, organizations demonstrate their commitment to protecting information assets and managing security risks with intention and discipline. But like other ISO certifications, the holistic nature of ISO 27001 entails a significant commitm...| Cloud Security Alliance
We’ve all felt it—RBAC isn’t holding the line like it used to. I had an interesting conversation with a CISO last week that crystallized something I’ve been thinking about for a while. We were discussing their access governance challenges when she said: “We have developers jumping between six different projects, each with different data sensitivity levels. Our marketing team is suddenly neck-deep in customer analytics tools. And don’t even get me started on all the service a...| Cloud Security Alliance
Cybersecurity teams are stuck in a paradox: the faster organizations innovate, the more vulnerabilities they create. Yet the traditional "scan-and-block" playbook—layering on tools after code is written or infrastructure deployed—isn’t just inefficient; it’s obsolete. We’ve all seen the fallout: breaches caused by misconfigured cloud buckets, ransomware exploiting unpatched dependencies, or insider threats slipping through fragmented access controls. The problem isn’t a lack of to...| Cloud Security Alliance
CSA’s Top Threats to Cloud Computing Deep Dive 2025 reflects on eight recent real-world security breaches. The report presents the narrative of each incident, as well as the relevant cloud security risks and mitigations. Today we’re reflecting on the sixth incident covered in the Deep Dive: Retool 2023. An unidentified threat actor launched a sophisticated social engineering campaign involving smishing, credential harvesting, and vishing tactics. They took advantage of Retool’s ...| Cloud Security Alliance
Agentic AI is a different kind of AI. It’s not like the generative AI everyone’s talking about—the one that stitches together an answer based on what it knows or guesses when it doesn’t. That’s great for content creation, for generating reports, for summarizing data, or for writing code. But that’s not what Agentic AI is here to do. Agentic AI isn’t about crafting answers. It’s about taking action. It’s about getting things done. Think of it as execution-first AI. It doesn...| Cloud Security Alliance
Money talks—and cybercriminals are listening. The financial services (FinServ) industry is becoming an increasingly popular target for advanced email attacks, as a single successful breach can unlock millions in assets and compromise the financial security of countless individuals. As artificial intelligence democratizes sophisticated attack techniques and automation scales criminal operations, the stakes have never been higher. From credential phishing that opens the door to account t...| Cloud Security Alliance
As revealed in Cerby’s 2025 Identity Automation Gap Report, 46% of security and IT leaders say their organization has already experienced a security, compliance, or operational issue directly caused by manual identity workflow execution. Why do manual identity workflows continue to exist, when the consequences of getting them wrong are so serious and when automation tooling is increasingly common? Looking a bit deeper, how do manual identity workflows create or contribute to securit...| Cloud Security Alliance
Originally published by Reemo. Virtualization brings undeniable flexibility and scalability to IT infrastructures. However, these advantages come with significant risks if security and management practices are not modernized accordingly. Virtualized Environments: Specific Risks to Address While traditional security principles remain relevant, virtual environments introduce unique challenges. A compromised hypervisor can endanger all hosted resources. Weak network segm...| Cloud Security Alliance
The Cloud Security Alliance (CSA) is evolving in how we connect, collaborate, and engage with our community. Over the past few years, our Circle community has served as a central hub for working groups, chapters, and training communities. While it’s been a valuable platform, we’re moving toward a more streamlined experience across our main website and Slack channels. This transition will create clearer pathways to join working groups, connect with local chapters, and engage with train...| Cloud Security Alliance
In today’s digital landscape, SaaS has emerged as a vital lifeline for operations in organizations big and small. As businesses entrust the cloud with their invaluable data, security of these applications and the information they harbor takes center stage. While SaaS applications are secure by| CSA