What is CSA Cloud Controls Matrix?

The CSA Cloud Controls Matrix, or CCM, is considered the de facto standard for cloud security and privacy. This cybersecurity control framework is designed to help prospective cloud customers assess the security risk of potential cloud providers.

The Cloud Controls Matrix is a spreadsheet of 197 controls structured under 17 domains. These are:

  • Typical Control Applicability and Ownership
    • IaaS
    • PaaS
    • SaaS
  • Architecture Relevance – Cloud Stack Components
    • Physical
    • Network
    • Storage
    • Application
    • Data
  • Organizational Relevance
    • Cybersecurity
    • Internal Audit
    • Architecture Team
    • Software Development
    • Operations
    • Legal/Privacy
    • GRC Team
    • Supply Chain Management
    • HR

The CCM aligns with Security Guidance v4.0, a set of cloud computing best practices designed by the Cloud Security Alliance (CSA). The Security Guidance functions as a practical action roadmap for organizations looking to move to the cloud safely and securely.

In addition, the controls listed in the latest version of CCM (V4) are also mapped against other industry-standard data security guidelines, regulations, and control frameworks, including:

  • CCM V3.0.1
  • ISO 27001/27002/27017/27018
  • NIST SP 800-53
  • PCI DSS
  • ISACA COBIT
  • FedRAMP
  • CIS

So, by fulfilling the CCM V4 security controls, organizations can also fulfill the requirements for the other security standards/regulations that those controls are mapped to. Moreover, with this interoperability, organizations can see all the standard cloud controls in one place, which simplifies and speeds up cloud security compliance.

Who Does CSA Cloud Controls Matrix Apply To?

Organizations looking to migrate to the cloud expect prospective cloud service providers to manage their information security control environments in a way that matches the organization’s security needs. 

With the CCM, organizations can assess the security risk of cloud providers, analyze their commitment to cloud security, and confirm if these vendors can match the organization’s security requirements.

The vendors can also use the CCM as a guide to strengthening their existing information security control environment.

What are the 8 Control Areas in the Governance and Risk Management Domain of the Cloud Controls Matrix?

The Governance, Risk, and Compliance (GRC) domain of the Cloud Controls Matrix lists eight controls. These are:

  • Governance Program Policy and Procedures
  • Risk Management Program
  • Organizational Policy Reviews
  • Policy Exception Process
  • Information Security Program
  • Governance Responsibility Model
  • Information System Regulatory Mapping
  • Special Interest Groups

CCM V4 lists a control specification for each of these controls. For example, under the “Governance Program Policy and Procedures” control, the CCM states that organizations should establish and maintain a governance program and review it manually. 

Similarly, the Risk Management Program control establishes a formal Enterprise Risk Management (ERM) program with policies and procedures to identify, evaluate, treat and accept privacy and cloud security risks.

CCM V3.0.1 – which since early 2021 has been replaced by CCM V4 – included a control called “Governance and Risk Management” with 11 controls to implement, manage and maintain a GRC and ERM program for cloud security and privacy:

  • Baseline Requirements
  • Data Focus Risk Assessments
  • Management Oversight
  • Management Program
  • Management Support/Involvement
  • Policy
  • Policy Enforcement
  • Policy Impact on Risk Assessments
  • Policy Reviews
  • Risk Assessments
  • Risk Management Framework

What is a Cloud Maturity Model?

A Cloud Maturity Model or CMM provides a comprehensive, systematic, and structured way to help organizations migrate to the cloud securely. 

While the Cloud Controls Matrix provides guidance to enable organizations to address specific issues that are critical to cloud security, the maturity model assesses how well control activities are managed. Thus, they work hand-in-hand to provide a robust cloud adoption strategy for organizations.

Organizations can leverage a CMM to develop their cloud strategy, minimize risks, and accelerate cloud adoption.

How to Get CSA Certification

Organizations (cloud vendors) can apply for CSA CCM certification through the CSA Security, Trust, Assurance, and Risk (STAR) registry. The CCM standard is used to assess the security posture of cloud solution providers in this registry. 

The CCM maps with third-party certifications to ease the compliance burden on cloud vendors; similarly, the CSA STAR program also promotes certifications that integrate with third-party assessments to avoid the duplication of effort and cost. 

The registry also documents the security and privacy controls provided by various cloud service providers (CSPs) so cloud customers can make better decisions about their cloud investments.

CSPs can achieve CCM V4 compliance by submitting the Consensus Assessment Initiative Questionnaire (CAIQ) to the STAR registry (starting August 2021). The CAIQ is the basis for STAR Level 1 (STAR Self-assessment) and several other cloud vendor evaluation programs. 

Submitting the CAIQ to the STAR registry makes it publicly available to all current and prospective cloud customers. This enables customers to streamline their vendor/third-party management process and build a robust cloud security, privacy, and accountability program.

Key Takeaways

  • CSA Cloud Controls Matrix (CCM) is the de facto standard for cloud security and privacy
  • The CCM aligns with Security Guidance v4.0, a set of cloud computing best practices designed by the Cloud Security Alliance (CSA)
  • The controls in CCM V4 map against various industry-standard security guidelines and regulations, including CCM V3.0.1 and ISO 27001
  • CCM applies to any cloud vendor looking to do business with a government entity and/or security-conscious firms
  • CCM helps cloud customers assess the security posture of cloud vendors
  • Cloud vendors looking to achieve CCM certification can do so through the CSA Security, Trust, Assurance and Risk (STAR) registry
  • A Cloud Maturity Model or CMM provides a systematic and structured way to help organizations migrate to the cloud