This week the Cloud Security Alliance (CSA) released the latest iteration of the Cloud Controls Matrix (CCM), the first major update in two years. The CCM is considered by many to be the go-to standard for cloud risk assessments. As part of best practice, all organizations should use the matrix when evaluating whether a cloud service meets their requirements. In this article, we provide an overview of the matrix, why it is important and how to use it in conjunction with other CSA tools.

Best practice with the Cloud Security Alliance

The Cloud Security Alliance is a non-profit organization dedicated to promoting best practices for providing security assurances for cloud services. As well as producing thought leadership content, such as the concept of Software-Defined Perimeters, they have created a suite of tools to help organizations evaluate cloud providers.

The core benefit of the CSA’s Cloud Controls Matrix is its broad applicability:

  • The CCM simplifies cloud security by mapping numerous industry-accepted standards such as ISO 27001, PCI and NIST into a single framework.
  • The matrix indicates whether the provider or the client is responsible for fulfilling each component of a standard for the different cloud service models (IaaS, PaaS, SaaS) and deployment models (public, hybrid, private).
  • The components are classified into 18 security domains, including Application and Interface Security; Governance, Risk and Compliance; and Logging and Monitoring. The security requirements for each component are laid out clearly, along with the organizational department to which each is relevant.

Using the Cloud Controls Matrix

The CCM can be used in conjunction with two other tools produced by the CSA. Below is a brief summary of how the tools can be used:

  • Cloud Controls Matrix – Use the matrix to identify the cloud security components that must be fulfilled for your organization to comply with the standards and regulations it is subject to. This lets you prioritize the questions you put to a cloud provider and the responses you expect.
  • Consensus Assessment Initiative Questionnaire – This prebuilt questionnaire aligns with the CCM. It can be submitted directly to prospective cloud providers, or tailored to any additional requirements your organization may have. The responses can then be referenced against the CCM to confirm whether a cloud provider is able to fulfill your security needs.
  • STAR Registry – The registry is a repository of responses to the Consensus Assessment Initiative Questionnaire that have been submitted to the CSA. Reviewing the submitted responses helps build an understanding of what the norms are and which security components cloud providers can be expected to fulfill.

Building best practice with the CSA

Using the tools produced by the CSA can help organizations evaluate the security of cloud providers. Organizations should not limit themselves to consulting only providers that appear in the STAR Registry. Instead, they should use the registry to compare any questionnaire responses they receive with the ones already on file. Using these templates helps ensure that organizations follow best practices and remain compliant with regulations and industry standards.