The Cloud Security Alliance (CSA) has published version 1.2 of the Cloud Controls Matrix (CCM), which is designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider.
The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles aligned with the Cloud Security Alliance guidance in 13 domains. Version 1.2 adds Corporate Governance, mapped to the existing 13 domains, as well as Architectural Relevance and Scope Applicability controls.
Becky Swain, co-chair of the CCM working group, Cloud Security Alliance, noted, “The CSA CCM v1.2 update addresses the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership by not only cloud provider type (SaaS, PaaS, IaaS), tenant or customer, but also by architectural relevance to ensure that shared accountability is accurately identified at all layers of the stack and at the corporate governance level for those controls that are architecturally irrelevant or agnostic. Further, this update enhances the existing mapping of regulations, standards and control frameworks with the addition of Jericho Forum and NERC CIP.”
The foundations of the CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, and NIST, and it will augment or provide internal control direction for SAS 70 attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the structure, detail and clarity they need relating to information security tailored to the cloud industry.
The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, identifies and reduces recurring security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and the security measures implemented in the cloud.