Industry Experts Blog

One Audience. One Topic. Multiple Experts.

CSA Security Guidance v4.0 – A Review of the Differences Between v3.0 and v4.0

by Graham Thompson | August 3, 2017 | Research

With the release of the new Cloud Security Alliance (CSA) Security Guidance v4.0, I thought it would be of value if I broke down what differences there are between this new version (v4) and the previous version (v3).

My intent is not to rewrite the guidance, nor is it to explain in detail the new content.  The goal of this is to clearly outline what is new and what is removed so those who are familiar with the 3.0 content can save time by focusing on the changes if preparing for the future CCSK 4.0 exam, want to stay current, or whatever other reason.

CSA Security Guidance v4.0 - Intrinsec
Image copyright Cloud Security Alliance

First off, I think the Cloud Security Alliance did an amazing job with this refreshed version.  They refreshed all the graphics, do a better job of clarifying topics and introduce new topics that bring it up to today’s standards.  Bravo, Cloud Security Alliance and the fine folks at Securosis.

A List of General Changes

  • Many more links to expanded reading opportunities (NIST, Wikipedia, ISO, etc).
  • Look and feel is gorgeous. Lost a little weight:  Comes in at 152 pages to 177 from before.
  • Improved flow. Whereas 3.0 had the feeling that multiple people worked in a silo and everything was stitched together, the style in 4.0 is the same across the board.
  • Many more call outs to ISO documentation (10 standards vs 4)
  • Removal of standards that never gained wide acceptance (e.g. x.1500, Cybex, ws-*, etc)
  • More global viewpoint
  • Deeper discussion on actual regulations
  • Greatly improved definitions and purpose statements.
  • Still 14 domains, however topics have been rearranged and new modules created.
  • General emphasis change to “How does cloud change things” rather than generalities of a particular topic.
  • Most, if not all technical aspects are completely re-written to better reflect realities and updated to include new technologies. Much more “real-world” and less academic.
  • No longer need a thesaurus to understand some modules.

Comparing CSA Security Guidance v3.0 to v4.0

The structure of the new Cloud Security Alliance (CSA) Security Guidance v4.0 is similar to previous v3.0 edition.  Many of the domain names are similar, but the information reviewed within them are generally much more organized than before.  For example, Identity, Entitlement and Access Management concepts are all in one domain rather than spread out across a couple of domains like it used to be.  Here is the guidance structure compared side-by-side to the previous version:

Reviewing the Domains in the CSA Security Guidance v4.0

The following section will take a look at each of the 14 domains that are featured in the CSA Security Guidance v4.0.  I try to give an opinion on the amount of new material from the previous version and point you to particular sections that are very much worth reading due to them being introduced for the first time or significantly changed.

Domain 1: Cloud Computing Concepts and Architectures
Graham’s Thoughts:
  • Still talks about the basics, but highlights that “forklifting” won’t lead to automatic success. Must build for cloud.
  • Key terms are the same. Some better explanations and more “real-world”. For example, a Hybrid cloud remains defined as “composed of two or more clouds” (technical definition), but acknowledges real-world by adding “is commonly used to describe a non-cloud data center bridged directly to a cloud provider.”
  • New discussion on logical model of cloud services (1.1.4).
  • New discussion on Cloud Security Models (1.2.2)
  • New callout for Cloud Security Alliance Enterprise Architecture document.
Change Significance Rating (out of 5): 2/5
Domain 2: Governance and Enterprise Risk Management
Graham’s Thoughts:
  • Clearer discussion of aspects of Governance with callouts to ISO and ISACA documentation.
  • Discussion of service and deployment models impact on governance and risk (2.1.3).
  • New cloud risk management and tools discussion (
  • Cyber-Insurance discussion in regards to risk transfer.
Change Significance Rating: 1/5
Domain 3: Legal Issues, Contracts and Electronic Discovery
Graham’s Thoughts:
  • This domain appears to have been completely re-written. Greatly expanded discussion on all aspects from previous version and much more of a global viewpoint than before.
  • Increased discussion on global impacts of cloud computing such as:
    • Cross-border data transfers (
    • Regional examples including a discussion of upcoming GDPR (
  • Expanded talk of American federal and state laws covering data and privacy as well as breach disclosures.
  • Sources of protection requirements outside of regulations (3.1.2)
  • Internal ( and external ( due diligence impacting cloud storage.
  • Expanded discussion on Electronic Discovery (3.1.3) and non-US preservation laws (
Change Significance Rating: 4/5
Domain 4: Compliance and Audit Management
Graham’s Thoughts:
  • New term: Pass-Through Audits (use of provider certifications to address provider part of shared responsibility) (4.1.1)
  • New emphasis on individual services consumed from a provider needing certification (4.1.1)
  • Removed all references to ITU-T standards
  • Removed Maturity Models discussions
Change Significance Rating: 2/5
Domain 5: Information Governance
Graham’s Thoughts:
  • Overall, very few changes to this domain.
  • Moved all the technical discussions (storage types, encryption at rest, DRM, DLP, etc) to domain 11.
  • Data Security Lifecycle remains untouched.
Change Significance Rating: 1/5
Domain 6: Management Plane and Business Continuity
Graham’s Thoughts:
  • New domain. Takes portions from various domains in old version and adds new material.
  • Management Plane access and security (6.1.1)
  • BCP and DR moved into this domain (from domain 7)
  • Focus on logical stack introduced in domain 1 for BCP/DR
  • New emphasis on software defined infrastructure (
  • New discussion on “Chaos Engineering” (think Netflix Simian army) (
  • New discussion of using DNS redirection as part of BCP/DR (
  • Much less emphasis on portability & interoperability (including all standards such as OVF and OVA which is a good thing as it wasn’t applicable in real-life anyways).
Change Significance Rating: 5/5
Domain 7: Infrastructure Security
Graham’s Thoughts:
  • New module with tons of new content. Complete new study material.
  • Removal of all physical and HR security discussion
  • New emphasis on network virtualization (SDN, SDP, Microsegmentation)
  • New emphasis on virtual appliances
  • New emphasis on workload security (incl. immutable workloads. Think “Nuke and Pave” or “re-hydration”)
Change Significance Rating: 5/5
Domain 8: Virtualization and Containers
Graham’s Thoughts:
  • New Domain focused on some original concepts (virtual firewalls) and new concepts (containers)
  • More emphasis on provider vs consumer responsibilities when dealing with a virtual environment
  • Discussion on serverless computing and impact on monitoring and security controls (
  • Discussion on containers and security of containers (8.1.4)
Change Significance Rating: 3/5
Domain 9: Incident Response
Graham’s Thoughts:
  • Very similar to previous guidance on Incident Response
  • Removal of standards discussion such as IODEF, RID, CYBEX.
  • More of a “real-world” emphasis, including management plane discussion and steps to take when recovering from an incident
Change Significance Rating: 1/5
Domain 10: Application Security
Graham’s Thoughts:
  • Addition of training to the SSDLC phases (10.1.2)
  • Addition of DevOps (and DevSecOps) discussion (10.1.7)
  • Removal of many non-cloud specific topics (e.g. maturity models, interoperability testing, metrics
  • New discussion of cloud impact on application design and architecture
  • Moved Identity Entitlement and Access Management discussion to domain 12
Change Significance Rating: 1/5
Domain 11: Data Security and Encryption
Graham’s Thoughts:
  • All in all, very few changes in this domain with the exception of the following:
    • More detailed discussion of the differences between encryption, tokenization and Format Preserving Encryption. (
    • Clearer wording and explanations of concepts.
    • Addition of CASB technology overview and features. (
    • Added emphasis on impact of encryption in some deployment models (mostly SaaS).
Change Significance Rating: 2/5
Domain 12: Identity, Entitlement and Access Management
Graham’s Thoughts:
  • Removal of deprecated IAM standards such as ws-*, SPML.
  • More detailed discussion on Federation, oAuth and OpenID. (12.1.1)
  • More focus on cloud specific IAM aspects.
  • New reference to FIDO standard (12.1.3)
  • New reference to Attribute-Based Access Controls as the preferred model for cloud. (12.1.4)
Change Significance Rating: 3/5
Domain 13: Security as a Service
Graham’s Thoughts:
  • Security as a Service content has been moved from domain 14
  • Security as a Service offerings have been updated (e.g. CASB, WAF, DDoS) (all of 13.1.2)
  • Added emphasis on dealing with regulated data in SECaaS (
Change Significance Rating: 3/5
Domain 14: Related Technologies
Graham’s Thoughts:
  • New Domain. Addresses new technologies that are outside of guidance concepts but still good to know about due to their prevalence in cloud technologies.
  • Big Data, Internet of Things, Mobile and Serverless computing are all discussed in this domain.
  • Main emphasis on all these technologies is security issues.
  • As Serverless computing is mentioned often though the guidance, I would probably read that section before the rest of the guidance. (14.1.4)
Change Significance Rating: 5/5

Further Information

For further reading, you should download the guidance if you haven’t already.  Also, check out our Official Cloud Security Alliance (CSA) CCSK training.  If you think we missed something, we would love to hear from you.  Send a note at social (at)

CSA Security Guidance V4.0 Download Link:

CSA Training Link:

A Special Note For Our Former CCSK Students

If you took the course with us, you’ll notice the new guidance actually addresses a lot of topics that your instructor covered during the course as “extra material”.  All the same, we’re making a video on the changes between the 3.1 course and the 4.0 guidance.  It will be made available to you via your student portal and an email will be sent out advising you of its availability.

Graham Thompson

Graham Thompson

Cloud Security Trainer and Architect

Graham’s the cloud security SME and principal trainer for Intrinsec. He’s logged over 20 years of IT experience assessing, recommending, designing and implementing secure system and network solutions for Fortune 500 companies and Government agencies. Since 2010, Graham’s been a leader in delivering cloud training and performing cloud security solutions across North America.


Sign In

Share This