With organizations adopting cloud technology, cloud security has become a top concern. Many industry regulations and laws mandate the implementation of security controls in the cloud. In this regard, adopting a cloud security framework for your cloud environment, such as the Cloud Controls Matrix (CCM), can be very beneficial. But what is the CCM? How does it help cloud vendors and cloud consumers? In this questionnaire-style blog, we'll answer some important questions on the CCM.
The CCM is a cybersecurity controls framework for cloud computing. It lists 17 domains covering the key aspects of cloud technology, each of which contains specific control objectives. The framework was proposed by the Cloud Security Alliance (CSA) and is aligned with Security Guidance v4, which is a set of best practices for cloud computing. The CCM is currently considered a de facto standard for cloud security assurance and compliance.
The CSA is a non-profit organization that aims to promote secure cloud computing practices and educate people on how to adopt them. Headquartered in Nevada, USA, it has drafted various industry standards and practices that advocate cloud security, such as the Security Guidance, CCM, Consensus Assessments Initiative Questionnaire (CAIQ), and more.
The CCM lists cloud-technology-related domains with a set of control objectives under each domain. These domains are:
These 17 domains have 133 control objectives under them.
The control objectives listed in the CCM are mapped against various industry security standards, regulations, and control frameworks that are concerned with cloud security. Some regulations and frameworks that the CCM helps you adhere to are:
The CCM comes with a set of yes-or-no questions called the CAIQ. Cloud vendors and security providers can fill out the CAIQ and submit it to the STAR Registry, which is a public registry, to demonstrate compliance with industry standards, frameworks, and regulations. Over 500 organizations currently use the CAIQ to submit self-assessments on the STAR Registry.
The CCM can be used as a tool to systematically assess your cloud implementation. It provides guidance on which security controls should be implemented by which actor within the cloud supply chain. A cloud consumer can use the CAIQ to analyze which security controls exist in a cloud solution. They can also verify the completed CAIQs of cloud vendors from the publicly available STAR Registry.
Have you deployed or are planning to deploy a cloud platform? If yes, the next step would be to secure your cloud environment. Log360, ManageEngine's unified SIEM solution with integrated CASB and DLP features, can help you with securing both single-cloud and multi-cloud environments. Check out Log360's capabilities here.
© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.