By Derrick Rice and Matt Bonfre
First off, what is the CSA?
The Cloud Security Alliance (CSA) is an industry-leading organization dedicated to developing best practices, awareness, standards and certifications for security in cloud computing environments. They were one of the first to recognize the risks unique to cloud implementations. CSA offers a variety of resources to organizations and security professionals for cloud security, including certifications, training and guidance for best practices.
So, what is CCM? And why do people look to it for guidance and governance?
The CSA released the Cloud Controls Matrix (CCM) as a control framework for securing cloud computing environments. On January 21st, 2021, CSA released an updated version (v4.0) of the Cloud Control Matrix. This new version of the CCM offers a substantial update to industry best practices when it comes the Cloud Security and Governance, especially considering v3.0 was initially released in 2013. While there have been slight updates and the introduction of control mapping to other industry-accepted standards added throughout the past several years, v4.0 is a big step forward.
What’s new in version 4.0?
With the release of version 4.0, CCM now features a total of 17 domains with the addition of Logging & Monitoring. It also includes modifications to a number of existing domains, including Audit & Assurance, Governance, Risk Management & Compliance, Cryptography, Encryption & Key Management and Universal Endpoint Management. With the addition of 64 controls in v4, these domains are comprised of 197 controls to encompass the aspects of a cloud environment. The control comparison is shown below:
|CCM v4.0||CCM v3.0.1|
|Domain||Control Count||Domain||Control Count|
|Audit & Assurance||6||Audit Assurance & Compliance||3|
|Application & Interface Security||7||Application & Interface Security||4|
|Business Continuity Management & Operational Resilience||11||Business Continuity Management & Operational Resilience||11|
|Change Control & Configuration Management||9||Change Control & Configuration Management||5|
|Cryptography, Encryption & Key Management||21||Encryption & Key Management||4|
|Datacenter Security||15||Datacenter Security||9|
|Data Security & Privacy Lifecycle Management||19||Data Security & Privacy Lifecycle Management||7|
|Governance, Risk Management & Compliance||8||Governance and Risk Management||11|
|Human Resources||13||Human Resources||11|
|Identity & Access Management||16||Identity & Access Management||13|
|Interoperability & Portability||4||Interoperability & Portability||5|
|Infrastructure & Virtualization Security||9||Infrastructure & Virtualization Security||13|
|Logging & Monitoring||13||NA|
|Security Incident Management, E-Discovery, & Cloud Forensics||8||Security Incident Management, E-Discovery, & Cloud Forensics||5|
|Supply Chain Management, Transparency & Accountability||14||Supply Chain Management, Transparency, and Accountability||9|
|Threat & Vulnerability Management||10||Threat & Vulnerability Management||3|
|Universal Endpoint Management||14||Mobile Security||20|
How can version 4.0 of the CCM help you?
If your organization would like to adapt an existing control framework to the cloud, the CCM provides a crosswalk against a variety of industry-accepted standards and frameworks including: NIST 800, PCI DSS, COBIT, ISO 27001/27002, CIS and more. It also includes guidance for the responsibilities of controls for the different cloud service models including: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Server (IaaS).
Threats to cloud implementations are growing rapidly, and many security tools and controls may not extend past the traditional on-premise infrastructure. Cloud environments not only offer unparalleled flexibility, but also additional complexities that should be addressed. While organizations must assess their own unique risks to cloud environments and form a plan to address them, the CSA CCM can help provide a roadmap for best practices when it comes to building and maintaining a cloud security program.
About the Authors
Derrick Rice CISSP, CISA, CCSK, QSA is a Director in Frazier & Deeter’s Process, Risk & Governance Practice, where he focuses on information and technology systems management, design, security and support. Derrick provides subject matter expertise and manages the delivery of various security assessments, including PCI, HITRUST and HIPAA.
Matt Bonfre CISA, CCSK is a Senior Associate in the Process, Risk, & Governance Practice, where he has experience in industries ranging from retail and healthcare to technology and financial services. Matthew performs internal control assessments including SOC 1, SOC 2, PCI, HITRUST and SOX for both IT and business processes.