Introduction to CSA, Cloud Governance and Operational Domain of Encryption & Key Management

In this post, I will introduce the Cloud Security Alliance (CSA) and the governance and operational domains through which it promotes best security practices in the cloud. I also briefly look at Encryption and Key Management as one of the operational domains, and at the general security concerns as well as the specific concerns of this particular domain.

Cloud Security Alliance (CSA) – Governance and Operational Domain

The Cloud Security Alliance (CSA) is the world’s most recognized organization dedicated to the promotion of best security practices in cloud computing environments.

The Cloud Security Alliance splits the areas of critical focus into two categories: Governance and Operations. The CSA distinguishes five domains in the governance category and eight domains in the operational category. Figure 1 is my attempt to visualize the two categories as well as the main areas of concern in each domain.


Figure 1 – CSA domains (Jarosciak, 2017).

According to Cloud Security Alliance, “The governance domains are broad and address strategic and policy issues within a cloud computing environment, while the operational domains focus on more tactical security concerns and implementation within the architecture.” (Cloud Security Alliance, 2017).

Cloud Security Alliance (CSA) – Operational Domain: Encryption & Key Management

Encryption and Key Management is one of the concerns in the operational domain of cloud security. As the name suggests, this domain concerns itself primarily with strong encryption and the associated key management, which are the primary and fundamental instruments we can employ to protect data in cloud computing environments. Due to the multi-tenant nature of the cloud environment, identifying appropriate encryption practices and recognizing the problems that may arise from the use of encryption is one of the most critical areas in the cloud security operational model. Even though encryption and key management cannot completely guarantee the prevention of data loss in the cloud, they are necessary techniques for safeguarding data in cloud-based systems.

According to the Cloud Security Alliance (2017), the Encryption and Key Management domain can be further divided into the following subsections:

Encryption for Confidentiality and Integrity

  • Encrypting Data in Transit – This is data in motion over networks. Encryption of credentials, private keys, credit card numbers and other sensitive information protects that data in transit, as well as inside the cloud vendor's network. It applies equally to all cloud service models: SaaS, PaaS, and IaaS.
  • Encrypting Data at Rest – This is data stored on a cloud drive. Encryption on disk and in databases safeguards against malicious data manipulation in the cloud. A common practice is to encrypt the data before storing it as ciphertext in cloud storage. In such a situation, the cloud client holds the cryptographic keys that allow it to decrypt the information on-premise.
    • IaaS – Data encryption at rest is a typical IaaS solution, supported by cloud vendors and third-party tools.
    • PaaS – Encrypting data stored in PaaS is more intricate because it requires special customizations.
    • SaaS – Encryption at rest within SaaS cannot be applied directly by the customer; it needs to be provided by the cloud vendor.
  • Encrypting Archived Data – This is essentially data archived on a cloud drive. It is mainly a protection to ensure that data cannot be effortlessly stolen if the backup medium is lost or otherwise compromised.

Key Management

  • Secure key stores – Inappropriate storage of encryption keys is usually the main reason behind compromised encrypted data. Thus, encryption keys, as well as the places that store them, need to be safeguarded against attacks. Each encryption key needs to be protected in storage, in transit, and in backups.
  • Access to key stores – Access to encryption keys must be controlled by policies that govern each of the key stores.
  • Key backup and recoverability – Loss of keys (accidental or not) can lead to loss of the information protected by the encryption. Businesses should concern themselves with a secure backup of encryption key stores, especially when it comes to valuable production data.
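The encrypt-before-upload practice from the "Encrypting Data at Rest" bullet and the key-store points above (keys protected in storage, and a lost key meaning lost data) in one added Go example; this is my illustration, not code from the original post or from the CSA. It assumes Go 1.24 or later (so crypto/rand.Read is not checked for an error), and the function names, the data-key/key-encryption-key (DEK/KEK) split and the use of the object name as associated data are my own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor panics on a bad key length: a programming error, not untrusted input.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal returns nonce||ciphertext under AES-256-GCM; aad is authenticated, not hidden.
func seal(key, pt, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // guaranteed not to fail since Go 1.24
	return gcm.Seal(nonce, nonce, pt, aad)
}
// open fails on a wrong key or any change to the nonce, ciphertext or aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptForCloud runs on-premise: a fresh data key (DEK) seals the object, the customer's
// KEK wraps the DEK, and only the two blobs are uploaded. The object name is bound as aad.
func EncryptForCloud(kek, pt []byte, name string) (sealed, wrappedDEK []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(dek, pt, []byte(name)), seal(kek, dek, []byte(name))
}

// DecryptFromCloud unwraps the DEK with the KEK, then opens the object; no KEK, no data.
func DecryptFromCloud(kek, sealed, wrappedDEK []byte, name string) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(name))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or missing KEK")
	}
	return open(dek, sealed, []byte(name))
}
```

The provider only ever sees the two sealed blobs, so a compromise on its side yields ciphertext, while a lost or unbacked-up KEK on the customer's side makes every object unrecoverable.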

Comparison of Encryption Approaches

According to HubStor (a company with a patent pending on the security of writing data to cloud storage), the following are some of the advantages and disadvantages of cloud storage encryption approaches (Figure 2).


Figure 2 – Cloud Storage and Data Encryption (HubStor, 2016).


Companies large and small need to be extra vigilant about cloud security. This is mainly because we live in a world where 80% of businesses use cloud services in some way, and where the average cost of each data breach associated with hackers is close to US$5 million and continues to rise (Data on the Edge, 2015).

That said, security should never be solely the responsibility of a cloud vendor. When it comes to the protection of data in the cloud, I wholeheartedly agree with the statement of Behl & Behl (2012, p.109):

“Cloud security should always be a mutually shared responsibility between the cloud provider and the cloud consumer, where both need to have a trust relationship and complement each other when it comes to secure information at rest and in transit.”

References

Cloud Security Alliance (2017). [online] Available at: [Accessed 9 Jul. 2017].

HubStor. (2016). Cloud Storage and Data Encryption – How Businesses Can Protect Information in the Cloud | HubStor. [online] Available at: [Accessed 9 Jul. 2017].

Data on the Edge. (2015). Cost of data breach and remediation. [online] Available at: [Accessed 9 Jul. 2017].

Behl, A., & Behl, K. (2012, October). An analysis of cloud computing security issues. In Information and Communication Technologies (WICT), 2012 World Congress on (pp. 109-114). IEEE.