This week we start one of the cooler projects in the history of Securosis. The Cloud Security Alliance contracted Securosis to write the next version of the CSA Guidance.

(Okay, the full title is “Guidance for Critical Areas of Focus in Cloud Computing”). The Guidance is a foundational document at the CSA, used by a ton of organizations to define security programs when they start jumping into the world of cloud. It’s currently on version 3, which is long in the tooth, so we are starting version 4.

One of the problems with the previous version is that it was compiled from materials developed by over a dozen working groups. The editors did their best, but there are overlaps, gaps, and readability issues. To address those, the CSA hired us to come in and write the new version. But a cornerstone of the CSA is community involvement, so we have come up with a hybrid approach for the next version. During each major stage we will combine our Totally Transparent Research process with community involvement. Here are the details:

  • Right now the CSA is collecting feedback on the existing Guidance. The landing page is here, and it directs you to a Google document of the current version where anyone can make suggestions. This is the only phase of the project in Google Docs, because we only have a Word version of the existing Guidance.
  • We (Securosis) will take the public feedback and outline each domain for the new version. These will be posted for feedback on GitHub (exact project address TBD).
  • After we get input on the outlines we will write first drafts, also on GitHub. Then the CSA will collect another round of feedback and suggestions.
  • Based on those, we will write a “near final” version and put that out for final review.

GitHub not only allows us to collect input, but also to keep the entire writing and editing process public.

In terms of writing, most of the Securosis team is involved. We have also contracted two highly experienced professional tech writers and editors to maintain voice and consistency. Pure community projects are often hard to manage, keep on schedule, and keep consistent… so we hope this open, transparent approach, backed by professional analysts and writers with cloud security experience, will help keep things on track, while still fully engaging the community.

We won’t be blogging this content, but we will post notes here as we move between major phases of the project. For now, take a look at the current version and let the CSA know what major changes you would like to see.