With organizations adopting cloud technology, cloud security has become a top concern. Many industry regulations and laws mandate the implementation of security controls in the cloud. In this regard, adopting a cloud security framework for your cloud environment, such as the Cloud Controls Matrix (CCM), can be very beneficial. But what is the CCM? How does it help cloud vendors and cloud consumers? In this questionnaire-style blog, we'll answer some important questions on the CCM.

What is the CCM?

The CCM is a cybersecurity controls framework for cloud computing. It lists 17 domains covering the key aspects of cloud technology, each of which contains specific control objectives. The framework is published by the Cloud Security Alliance (CSA) and is aligned to Security Guidance v4, the CSA's set of best practices for cloud computing. The CCM is currently considered a de facto standard for cloud security assurance and compliance.

What is the CSA?

The CSA is a non-profit organization that promotes the use of secure cloud computing practices and educates people on how to achieve them. Headquartered in Nevada, USA, it has drafted various industry standards and practices that advocate cloud security, such as the Security Guidance, the CCM, the Consensus Assessments Initiative Questionnaire (CAIQ), and more.

What industry domains does the CCM cover?

The CCM lists cloud-technology-related domains with a set of control objectives under each domain. These domains are:

  1. Application & Interface Security
  2. Audit and Assurance
  3. Business Continuity Mgmt & Op Resilience
  4. Change Control & Configuration Management
  5. Data Security & Privacy Lifecycle Management
  6. Datacenter Security
  7. Cryptography, Encryption and Key Management
  8. Governance, Risk Management and Compliance
  9. Human Resources Security
  10. Identity & Access Management
  11. Security Infrastructure & Virtualization
  12. Interoperability & Portability
  13. Universal EndPoint Management
  14. Security Incident Management, E-Discovery & Cloud Forensics
  15. Supply Chain Management, Transparency & Accountability
  16. Threat & Vulnerability Management
  17. Logging and Monitoring

These 17 domains have 133 control objectives under them.

What industry frameworks does the CCM cover?

The control objectives listed in the CCM are mapped against various industry security standards, regulations, and control frameworks that are concerned with cloud security. Some regulations and frameworks that the CCM helps you adhere to are:

  • ISO 27001/27002/27017/27018
  • NIST SP 800-53
  • AICPA TSC
  • German BSI C5
  • PCI DSS
  • ISACA COBIT
  • NERC CIP
  • FedRAMP
  • CIS v8

The CCM comes with a set of yes-or-no questions called the CAIQ. Cloud vendors and security providers can fill out the CAIQ and submit it to the STAR Registry, which is a public registry, to demonstrate compliance with industry standards, frameworks, and regulations. Over 500 organizations currently use the CAIQ to submit self-assessments to the STAR Registry.

As a cloud consumer, how can I use the CCM?

The CCM can be used as a tool to systematically assess your cloud implementation. It provides guidance on which security controls should be implemented by which actor within the cloud supply chain. A cloud consumer can use the CAIQ to analyze which security controls exist in a cloud solution. They can also review the completed CAIQs of cloud vendors in the publicly available STAR Registry.

Are you looking to secure your cloud infrastructure?

Have you deployed, or are you planning to deploy, a cloud platform? If yes, the next step would be to secure your cloud environment. Log360, ManageEngine's unified SIEM solution with integrated CASB and DLP features, can help you secure both single-cloud and multi-cloud environments. Check out Log360's capabilities here.


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.