The Cloud Security Alliance is a multi-stakeholder effort that is all about (surprise, surprise) securing the cloud. While the CSA has been active for years, it's still a challenge to keep up with cloud, as both use cases and cloud security threats continue to evolve.

At the RSA Conference in San Francisco today, the Cloud Security Alliance announced a new Global Advisory Board to help it tackle the continuing evolution of cloud security threats and best practices.

"The Global Advisory Board is not intended to replace the CSA Board of Directors," Luciano (JR) Santos, EVP of Research for CSA, told eSecurityPlanet. "The Global Advisory Board was constituted to represent the views of the IT end-users and articulate the perspective of the consumers of cloud computing as it relates to the topic of security and privacy."

The 10 members of the new Global Advisory Board include executives from Citi, British Petroleum, AIG, ADP, Hertz, UnitedHealth Group, Lucas Films and Caterpillar.

The new advisory board will not impact the governance of CSA, Santos said. 

"It will just encourage the cloud end user community to collaborate and speak with an amplified voice to ensure that their key security issues are heard and addressed."

Securing NFV

This week the CSA is also wrestling with ideas on how to better secure network function virtualization (NFV). While NFV is now starting to be deployed by major carriers in the cloud, there hasn't been a tremendous amount of rigor and process yet defined for related security best practices.

"As the Software Defined Networking (SDN) landscape matures we may explore other research projects to provide additional guidance around securing SDN concepts," Santos said.


Another emerging use case for the cloud is to use it as a platform to deliver security, or security-as-a-service (SECaaS). The CSA has now formed a working group to help define SECaaS and the best ways to secure it. The SECaaS Working Group is bringing the security community together to develop clear categorization and definitions of security-as-a-service, Santos explained.

That said, given the fact that SECcaaS is just a category that can fit under software-as-a-service (SaaS), Santos said that existing existing security controls for SaaS can be applied.

While work on NFV and SECaaS is now getting started, the CSA is putting another effort on hold. In June 2015, CSA announced an effort to help secure and define APIs that would benefit the cloud access security broker (CASB) market.

"Due to change in leadership, the work group has been put on hold," Santos said. "We plan to host a call this quarter to re-engage the work group. It's definitely on our roadmap to increase activities for this topic in 2016."

Sean Michael Kerner is a senior editor at eSecurityPlanet and Follow him on Twitter @TechJournalist.