<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
  <channel>
    <title>Cloud Security Alliance</title>
    <description>The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.</description>
    <link>https://cloudsecurityalliance.org/feed</link>
    <language>en</language>
    <item>
      <title>More Than Half of Organizations Experience AI Agent Scope Violations, Cloud Security Alliance Study Finds</title>
      <pubDate>Wed, 15 Apr 2026 15:56:09 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/more-than-half-of-organizations-experience-ai-agent-scope-violations-cloud-security-alliance-study-finds</link>
      <guid>https://cloudsecurityalliance.org/articles/more-than-half-of-organizations-experience-ai-agent-scope-violations-cloud-security-alliance-study-finds</guid>
      <description>
  New research shows rapid AI adoption is outpacing governance, with unintended AI agent behavior becoming common across enterprises

SEATTLE – April 16, 2026 – A new study conducted by the Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, found that the risk posed by AI agent scope violations is no longer theoretical but increasingly common. Commissioned by Zenity, the leading security...</description>
    </item>
    <item>
      <title>SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP GenAI Security Project Release Emergency Strategy Briefing as AI-Driven Vulnerability Discovery Compresses Exploit Timelines from Weeks to Hours</title>
      <pubDate>Tue, 14 Apr 2026 05:42:40 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/sans-institute-cloud-security-alliance-un-prompted-and-owasp-genai-security-project-release-emergency-strategy-briefing-as-ai-driven-vulnerability-discovery-compresses-exploit-timelines-from-weeks-to-hours</link>
      <guid>https://cloudsecurityalliance.org/articles/sans-institute-cloud-security-alliance-un-prompted-and-owasp-genai-security-project-release-emergency-strategy-briefing-as-ai-driven-vulnerability-discovery-compresses-exploit-timelines-from-weeks-to-hours</guid>
      <description>
  
“The AI Vulnerability Storm: Building a Mythos-Ready Security Program” delivers a risk register, 11 priority actions, and board briefing framework built by 60+ contributors and reviewed by 250+ CISOs in a single weekend

April 14, 2026. SANS Institute and the Cloud Security Alliance (CSA), alongside [un]prompted and the OWASP GenAI Security Project, today released “The AI Vulnerability Storm: Building a Mythos-Ready Security Program,” a free strategy briefing that gives CISOs and security...</description>
    </item>
    <item>
      <title>AI Agents Are Talking, Are You Listening?</title>
      <pubDate>Wed, 08 Apr 2026 12:17:48 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/ai-agents-are-talking-are-you-listening</link>
      <guid>https://cloudsecurityalliance.org/articles/ai-agents-are-talking-are-you-listening</guid>
      <description>
  
If you ask most security teams who has access to their customer data, they can usually give you a clear answer. They can point to OAuth scopes, user permissions, API keys, and audit logs to back it up. However, if you ask which AI agents are exchanging that same data across tools like Salesforce, Slack, Google Drive, and Microsoft Teams, the answer is far less clear.

These agent-to-agent trust relationships form when a chain executes and disappear when it completes. Individual API calls ...</description>
    </item>
    <item>
      <title>When AI Agents Serve Shared Workspaces, Authorization Must Follow the Audience</title>
      <pubDate>Wed, 08 Apr 2026 11:32:33 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/when-ai-agents-serve-shared-workspaces-authorization-must-follow-the-audience</link>
      <guid>https://cloudsecurityalliance.org/articles/when-ai-agents-serve-shared-workspaces-authorization-must-follow-the-audience</guid>
      <description>
  

This is the sixth blog in a seven-part series on identity security as AI security.

TL;DR:

AI agents retrieve data using the permissions of whoever they authenticate as (checked), but output to shared workspaces where recipients have mixed permissions (not checked). For example, a CFO's agent in a Slack channel can expose executive compensation to junior analysts. Four critical vulnerabilities (CVSS 9.3-9.4) hit Anthropic, Microsoft, ServiceNow, and Salesfo...</description>
    </item>
    <item>
      <title>A CISO’s Guide to Cloud Security Architecture</title>
      <pubDate>Wed, 08 Apr 2026 11:31:28 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/a-ciso-s-guide-to-cloud-security-architecture</link>
      <guid>https://cloudsecurityalliance.org/articles/a-ciso-s-guide-to-cloud-security-architecture</guid>
      <description>
  
The Importance of Securing Cloud Architecture: Safeguarding Data and Ensuring Business Continuity

You may think migrating to cloud computing is just a trend, but this isn’t the case. It’s actually a necessity for organizations that want to stay competitive (and who wouldn’t?). As businesses embrace cloud services, it’s the Chief Information Security Officer’s (CISO’s) job to ensure that this transition doesn’t impact security. It’s undeniable that the cloud offers sig...</description>
    </item>
    <item>
      <title>Anthropic’s Mythos is Here: Defending from the Vulnpocalypse</title>
      <pubDate>Tue, 07 Apr 2026 17:35:18 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/anthropic-s-mythos-is-here-defending-from-the-vulnpocalypse</link>
      <guid>https://cloudsecurityalliance.org/articles/anthropic-s-mythos-is-here-defending-from-the-vulnpocalypse</guid>
      <description>
  
I don't really know who coined it, but for the past six months or so we've been tossing around the term "Vulnpocalypse." We use it to describe the inflection point where LLMs are able to discover zero day vulnerabilities, and create zero day exploits, faster than we can patch. It's the core asymmetry that drove me to write my Core Collapse blog post.

Our very own CISO in Residence (and CEO of Knostic), Gadi Evron, was one of the first to change my thinking about this based on a LinkedIn ...</description>
    </item>
    <item>
      <title>Who’s Behind That Action? The AI Agent Identity Crisis</title>
      <pubDate>Tue, 07 Apr 2026 17:35:13 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/who-s-behind-that-action-the-ai-agent-identity-crisis</link>
      <guid>https://cloudsecurityalliance.org/articles/who-s-behind-that-action-the-ai-agent-identity-crisis</guid>
      <description>
  
In collaboration with Aembit, CSA has released a new survey report about identity and access for AI agents. The report shows that AI agents are already operating across internal applications, APIs, SaaS platforms, cloud infrastructure, data platforms, and development pipelines. In other words, they are appearing in exactly the places where access decisions matter most.

That growth creates an uncomfortable question: When an AI agent operates in an enterprise environment, who is it, exactl...</description>
    </item>
    <item>
      <title>Standardizing the SaaS Ecosystem: The Case for SSCF Adoption</title>
      <pubDate>Tue, 07 Apr 2026 17:34:55 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/standardizing-the-saas-ecosystem-the-case-for-sscf-adoption</link>
      <guid>https://cloudsecurityalliance.org/articles/standardizing-the-saas-ecosystem-the-case-for-sscf-adoption</guid>
      <description>
  
The rapid proliferation of SaaS platforms, compounded by the emergence of Agentic AI, has created a critical visibility and control gap within the enterprise for SaaS. While the Cloud Controls Matrix (CCM) effectively addresses vendor-side security, a definitive void remains regarding the customer’s responsibility in SaaS security configurations.

To bridge this gap, the industry must move toward a unified standard. The SaaS Security Configuration Framework (SSCF), established through CSA...</description>
    </item>
    <item>
      <title>AI Security Risks Start with Poor Data Visibility</title>
      <pubDate>Thu, 02 Apr 2026 15:49:46 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/ai-security-risks-start-with-poor-data-visibility</link>
      <guid>https://cloudsecurityalliance.org/articles/ai-security-risks-start-with-poor-data-visibility</guid>
      <description>
  
For a lot of organizations, AI has become the answer to almost every security question.

Need faster detection? Add AI.

Need better prioritization? Add AI.

Need help managing an exploding volume of files, messages, logs, and documents? Definitely add AI.

But CSA’s new survey report, commissioned by Thales, offers a more grounded takeaway. AI can help improve security, but only if the fundamentals are already in place.

For unstructured data security, the real story is not simply that A...</description>
    </item>
    <item>
      <title>From Compliance to Credibility: How to Turn CCM/CAIQ Work Into Content People Actually Cite</title>
      <pubDate>Tue, 31 Mar 2026 15:28:11 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/from-compliance-to-credibility-how-to-turn-ccm-caiq-work-into-content-people-actually-cite</link>
      <guid>https://cloudsecurityalliance.org/articles/from-compliance-to-credibility-how-to-turn-ccm-caiq-work-into-content-people-actually-cite</guid>
      <description>
  
You can do a lot of honest work in CCM and CAIQ and still end up with one frustrating outcome: nobody outside your audit circle ever sees it.

Meanwhile, a competitor with thinner controls looks “more credible” because their proof is easier to find, easier to understand, and easier to reference in a slide deck, a questionnaire, or a procurement email.

Credibility isn’t only what you’ve built. It’s what you can show – in a format that someone else can cite without doing extra work.

If yo...</description>
    </item>
    <item>
      <title>The State of Cybersecurity in the Finance Sector: Six Trends to Watch</title>
      <pubDate>Tue, 31 Mar 2026 15:27:36 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/the-state-of-cybersecurity-in-the-finance-sector-six-trends-to-watch</link>
      <guid>https://cloudsecurityalliance.org/articles/the-state-of-cybersecurity-in-the-finance-sector-six-trends-to-watch</guid>
      <description>
  
Financial institutions are facing a threat landscape shaped by identity-led intrusion, pre-disclosure exploitation, data-first ransomware, and growing cloud and AI governance blind spots. This blog explores the key threats and trends redefining cyber risk across the finance sector and what defenders must adapt to next.

The evolving cybersecurity threat landscape in finance

The financial sector, encompassing commercial banks, credit unions, financial services providers, and crypt...</description>
    </item>
    <item>
      <title>AI Security in the Cloud: How to Move from Visibility Gaps to Exposure Management</title>
      <pubDate>Tue, 31 Mar 2026 15:27:25 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/ai-security-in-the-cloud-how-to-move-from-visibility-gaps-to-exposure-management</link>
      <guid>https://cloudsecurityalliance.org/articles/ai-security-in-the-cloud-how-to-move-from-visibility-gaps-to-exposure-management</guid>
      <description>
  
TL;DR

Unify AI and cloud exposures into a clear and manageable security view — before your board asks why your organization is moving so fast without AI and cloud security guardrails.

Key takeaways


	Protect business value by prioritizing attack paths over vulnerability lists.
	Use governance frameworks as guardrails that enable AI and cloud adoption.
	Consolidate your cybersecurity tool stack to eliminate blind spots between siloed security tools and teams.


Manual s...</description>
    </item>
    <item>
      <title>Every RSAC Keynote Asked the Same Five Questions. Here's the Framework That Answers Them.</title>
      <pubDate>Tue, 31 Mar 2026 15:26:48 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/every-rsac-keynote-asked-the-same-five-questions-here-s-the-framework-that-answers-them</link>
      <guid>https://cloudsecurityalliance.org/articles/every-rsac-keynote-asked-the-same-five-questions-here-s-the-framework-that-answers-them</guid>
      <description>
  


Something unusual happened at RSAC 2026. Not unusual in the "new product launch" sense. Unusual in the "everyone independently said the same thing without coordinating" sense.

Microsoft's Vasu Jakkal: "Zero Trust must extend to AI." Cisco's Jeetu Patel: "Move from access control to action control. Authorize every single action." CrowdStrike's George Kurtz: the biggest governance gap in enterprise technology is around AI. Splunk's John Morgan called for "an agentic trust and governance ...</description>
    </item>
    <item>
      <title>Cybersecurity Needs a New Data Architecture</title>
      <pubDate>Tue, 31 Mar 2026 15:26:27 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/cybersecurity-needs-a-new-data-architecture</link>
      <guid>https://cloudsecurityalliance.org/articles/cybersecurity-needs-a-new-data-architecture</guid>
      <description>
  
Enterprise organizations are dealing with an unprecedented volume of increasingly dense and complex data. SecOps teams must determine the best way to collect, organize, and use that data so they can identify, prioritize, and respond to threats efficiently and effectively.

The lack of data management solutions that are both scalable and cost-effective often leads to a trade-off between visibility, latency, and costs. To optimize data architecture for SecOps, organizations need to re-think...</description>
    </item>
    <item>
      <title>CSA STAR v4.1 Explained: Key Updates for Cloud Security and Assurance</title>
      <pubDate>Tue, 31 Mar 2026 15:26:26 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/csa-star-v4-1-explained-key-updates-for-cloud-security-and-assurance</link>
      <guid>https://cloudsecurityalliance.org/articles/csa-star-v4-1-explained-key-updates-for-cloud-security-and-assurance</guid>
      <description>
  
The Cloud Security Alliance (CSA) created the Security, Trust, Assurance, and Risk (STAR) program in August of 2011 to improve transparency and security within cloud computing. This program was built upon the Cloud Controls Matrix (CCM), a selection of cloud controls designed to secure cloud service providers and customers, and is mapped to major standards like ISO 27001.

Furthering their mission, CSA STAR became a public registry for cloud providers to submit self-assessments and has co...</description>
    </item>
    <item>
      <title>Not Every AI Can Do This: Defense Depends on the Creator</title>
      <pubDate>Tue, 31 Mar 2026 14:44:18 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/not-every-ai-can-do-this-defense-depends-on-the-creator</link>
      <guid>https://cloudsecurityalliance.org/articles/not-every-ai-can-do-this-defense-depends-on-the-creator</guid>
      <description>
  



AI Alone Is Not Enough

The market is flooded with AI-powered security tools. Most share the same limitation: they were trained on public datasets, known attacks, and textbook patterns. They detect what they have seen before.

But modern malware does not repeat itself. APT groups like APT36, Seedworm, and Lazarus do not reuse old payloads. They generate new variants for each target. An AI trained only on yesterday’s attacks will always be one step behind.

During the developmen...</description>
    </item>
    <item>
      <title>Unstructured Data Surges as Enterprises Struggle to Maintain Visibility and Security, Cloud Security Alliance Study Finds</title>
      <pubDate>Mon, 30 Mar 2026 15:12:04 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/unstructured-data-surges-as-enterprises-struggle-to-maintain-visibility-and-security-cloud-security-alliance-study-finds</link>
      <guid>https://cloudsecurityalliance.org/articles/unstructured-data-surges-as-enterprises-struggle-to-maintain-visibility-and-security-cloud-security-alliance-study-finds</guid>
      <description>
  
Despite growing awareness of unstructured data risks, many organizations lag in scalable security as cloud, AI, and automation deployments accelerate

SEATTLE – March 31, 2026 – The Rise in Unstructured Data and AI Security Risks, a new survey report from the Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, has revealed that traditional security and governance practices are straining to keep pace...</description>
    </item>
    <item>
      <title>SC Media Names Cloud Security Alliance’s Trusted AI Safety Expert (TAISE) Certificate a Winner of the 2026 SC Awards</title>
      <pubDate>Fri, 27 Mar 2026 12:59:30 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/sc-media-names-cloud-security-alliance-s-trusted-ai-safety-expert-taise-certificate-a-winner-of-the-2026-sc-awards</link>
      <guid>https://cloudsecurityalliance.org/articles/sc-media-names-cloud-security-alliance-s-trusted-ai-safety-expert-taise-certificate-a-winner-of-the-2026-sc-awards</guid>
      <description>
  Recognition underscores the growing need for trusted AI security expertise as organizations accelerate adoption and seek to responsibly secure AI at scale

SEATTLE — March 30, 2026 — The Cloud Security Alliance (CSA), the world’s leading not-for-profit organization committed to AI, cloud, and Zero Trust cybersecurity education, today announced that its Trusted AI Safety Expert (TAISE)—the world’s first comprehensive, research-backed AI safety certification program—has been named Best Profe...</description>
    </item>
    <item>
      <title>How an Exposed AWS Access Key Can Lead to Full Account Takeover</title>
      <pubDate>Wed, 18 Mar 2026 14:15:49 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/how-an-exposed-aws-access-key-can-lead-to-full-account-takeover</link>
      <guid>https://cloudsecurityalliance.org/articles/how-an-exposed-aws-access-key-can-lead-to-full-account-takeover</guid>
      <description>
  
Cloud breaches rarely begin with advanced exploits or unknown vulnerabilities. Most start with something far more ordinary: a misconfiguration.

A recent real-world incident illustrates how quickly a single exposed credential can compromise an entire cloud environment. Attackers discovered AWS access keys stored in a publicly accessible S3 bucket and escalated their way to full administrative control of an AWS account in under ten minutes.

The takeaway is uncomfortable but clear: in clou...</description>
    </item>
    <item>
      <title>Post-Quantum Cryptographic Migration for Cloud-Native Zero-Trust Architectures: What CSA Members Need to Deploy Now</title>
      <pubDate>Wed, 18 Mar 2026 14:15:05 -0700</pubDate>
      <link>https://cloudsecurityalliance.org/articles/post-quantum-cryptographic-migration-for-cloud-native-zero-trust-architectures-what-csa-members-need-to-deploy-now</link>
      <guid>https://cloudsecurityalliance.org/articles/post-quantum-cryptographic-migration-for-cloud-native-zero-trust-architectures-what-csa-members-need-to-deploy-now</guid>
      <description>
  
Written by Sunil Gentyala, Lead Cybersecurity and AI Security Consultant at HCLTech.



Cloud PQC Migration Priority Matrix: Urgency vs Implementation Complexity for 11 cloud security components. Upper-left quadrant (DO FIRST) items are actionable within current quarter using available tooling.



Cloud PQC Migration Priority Matrix: Urgency vs Implementation Complexity for 11 cloud security migration components. Upper-left quadrant items (TLS at ALB/NLB, Cloud KMS key wrappi...</description>
    </item>
  </channel>
</rss>
