What is the Cloud Controls Matrix?
The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. Unlike HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry) or OSFI (Office of the Superintendent of Financial Institutions), CCM is not a mandated industry standard, but rather a framework for governance, risk management and compliance security controls. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.
Organizations can use the CCM as a form of RFP (request for proposal), as it is a standardized metric on which various Cloud Service Providers (CSPs) can evaluate themselves and on which customers can rank prospective CSPs. The CCM is a set of roughly 100 controls and assessment guidelines that cover a broad range of security best practices, as well as compliance and regulatory mandates. The CSA CCM categorizes its 16 domains into 3 areas of best practice, which are also named in the CSA's Security Guidance for Critical Areas of Focus in Cloud Computing. These 3 areas are:
- Cloud Architecture
- Governing in the Cloud
- Operating in the Cloud
The CCM is not only a framework for CSPs; it is also mapped to many compliance standards, so that a CSP can see how implementing a given CCM control relates to being compliant with a particular mandate. The CCM is mapped to NIST CSF, FedRAMP specifications, COBIT, Sarbanes-Oxley (SOX), PCI, HIPAA, ISO 27001 and BITS Shared Assessments, as well as several others.
Here are the 16 domains that the CCM covers:
- Application & Interface Security (AIS)
- Audit Assurance & Compliance (AAC)
- Business Continuity Management & Operational Resilience (BCR)
- Change Control & Configuration Management (CCC)
- Data Security & Information Lifecycle Management (DSI)
- Datacenter Security (DCS)
- Encryption & Key Management (EKM)
- Governance & Risk Management (GRM)
- Human Resources (HRS)
- Identity & Access Management (IAM)
- Infrastructure & Virtualization Security (IVS)
- Interoperability & Portability (IPY)
- Mobile Security (MOS)
- Security Incident Management, E-Discovery, & Cloud Forensics (SEF)
- Supply Chain Management, Transparency, and Accountability (STA)
- Threat & Vulnerability Management (TVM)
Why it's important to follow a framework, even if it's not an industry standard:
Much like an industry standard, frameworks like the CCM are intended to set a baseline of what organizations should be doing in a cybersecurity strategy. The intent is to get companies to think about security for human resources, mobile security and supply chain management, amongst other disciplines. Unlike other frameworks, which are simply suggested guidelines, the CCM is meant to give customers metrics by which they can compare various cloud security providers. Moreover, the benefit of following the CCM is that in doing so you are already preparing your organization to follow some required standards, including NIST, HIPAA, PCI, ISO 27001 and more. Since the CCM is mapped against such standards, fulfilling one category in the CCM leads to fulfilling a comparable category in another standard or framework.