    Cloud Security Alliance’s New Cloud Controls Matrix: Establishing Best Practices for Cloud Security

    By Derrick Rice and Matt Bonfre

    First off, what is the CSA?

    The Cloud Security Alliance (CSA) is an industry organization dedicated to developing best practices, awareness, standards and certifications for security in cloud computing environments. It was one of the first to recognize the risks unique to cloud implementations. CSA offers a variety of cloud security resources to organizations and security professionals, including certifications, training and best-practice guidance.

    So, what is CCM? And why do people look to it for guidance and governance?

    The CSA publishes the Cloud Controls Matrix (CCM) as a control framework for securing cloud computing environments. On January 21, 2021, CSA released an updated version (v4.0) of the Cloud Controls Matrix. This new version is a substantial update to industry best practices for cloud security and governance, especially considering that v3.0 was first released in 2013. While v3.0.1 received minor updates over the following years and gained control mappings to other industry-accepted standards, v4.0 is a big step forward.

    What’s new in version 4.0?

    With the release of version 4.0, CCM now features a total of 17 domains, with Logging & Monitoring added as a new domain and Mobile Security replaced by Universal Endpoint Management. It also modifies and renames a number of existing domains, including Audit & Assurance, Governance, Risk Management & Compliance, and Cryptography, Encryption & Key Management. With the net addition of 64 controls in v4.0, these 17 domains comprise 197 controls (up from 133 in v3.0.1) covering the aspects of a cloud environment. The control-count comparison by domain is shown below:

    Domain Changes

    | CCM v4.0 domain                                              | Controls | CCM v3.0.1 domain                                              | Controls |
    |--------------------------------------------------------------|---------:|----------------------------------------------------------------|---------:|
    | Audit & Assurance                                            |        6 | Audit Assurance & Compliance                                   |        3 |
    | Application & Interface Security                             |        7 | Application & Interface Security                               |        4 |
    | Business Continuity Management & Operational Resilience      |       11 | Business Continuity Management & Operational Resilience        |       11 |
    | Change Control & Configuration Management                    |        9 | Change Control & Configuration Management                      |        5 |
    | Cryptography, Encryption & Key Management                    |       21 | Encryption & Key Management                                    |        4 |
    | Datacenter Security                                          |       15 | Datacenter Security                                            |        9 |
    | Data Security & Privacy Lifecycle Management                 |       19 | Data Security & Privacy Lifecycle Management                   |        7 |
    | Governance, Risk Management & Compliance                     |        8 | Governance and Risk Management                                 |       11 |
    | Human Resources                                              |       13 | Human Resources                                                |       11 |
    | Identity & Access Management                                 |       16 | Identity & Access Management                                   |       13 |
    | Interoperability & Portability                               |        4 | Interoperability & Portability                                 |        5 |
    | Infrastructure & Virtualization Security                     |        9 | Infrastructure & Virtualization Security                       |       13 |
    | Logging & Monitoring                                         |       13 | (no equivalent domain)                                         |       NA |
    | Security Incident Management, E-Discovery, & Cloud Forensics |        8 | Security Incident Management, E-Discovery, & Cloud Forensics   |        5 |
    | Supply Chain Management, Transparency & Accountability       |       14 | Supply Chain Management, Transparency, and Accountability      |        9 |
    | Threat & Vulnerability Management                            |       10 | Threat & Vulnerability Management                              |        3 |
    | Universal Endpoint Management                                |       14 | Mobile Security                                                |       20 |
    | Total                                                        |      197 | Total                                                          |      133 |


    How can version 4.0 of the CCM help you?

    If your organization would like to map an existing control framework onto the cloud, the CCM provides a crosswalk against a variety of industry-accepted standards and frameworks, including NIST SP 800-53, PCI DSS, COBIT, ISO 27001/27002, CIS and more. It also indicates, for each control, where responsibility sits between the provider and the customer under the different cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

    Threats to cloud implementations are growing rapidly, and many security tools and controls do not extend past traditional on-premises infrastructure. Cloud environments offer unparalleled flexibility, but they also introduce additional complexities that must be addressed. Organizations must still assess their own unique cloud risks and form a plan to address them, but the CSA CCM can provide a roadmap of best practices for building and maintaining a cloud security program.

     

    About the Authors

    Derrick Rice CISSP, CISA, CCSK, QSA is a Director in Frazier & Deeter’s Process, Risk & Governance Practice, where he focuses on information and technology systems management, design, security and support. Derrick provides subject matter expertise and manages the delivery of various security assessments, including PCI, HITRUST and HIPAA.

    Matt Bonfre CISA, CCSK is a Senior Associate in the Process, Risk & Governance Practice, where he has experience in industries ranging from retail and healthcare to technology and financial services. Matt performs internal control assessments, including SOC 1, SOC 2, PCI, HITRUST and SOX, for both IT and business processes.
