Cloud risk management: CSA on its Cloud Controls Matrix

Co-chair of CSA project talks about the CCM and how organizations can leverage it.

This article is a part of the learning guide, Cloud computing risk management: Assessing key risks of cloud computing.

The Cloud Security Alliance recently released Version 2.1 of its Cloud Controls Matrix (CCM), a baseline set of controls aligned to the CSA guidance and mapped to industry standards, regulations and frameworks such as ISO 27001/27002, PCI DSS, HIPAA and COBIT. The CCM, which is available for free download, is designed to help enterprises assess the security risk of a cloud provider and to provide control guidance for cloud vendors. The CCM is part of the CSA’s GRC Stack toolkit, which also includes the Consensus Assessments Initiative Questionnaire, a set of questions a cloud customer can ask a cloud provider to gauge its security. SearchCloudSecurity recently met with Becky Swain, co-chair of the CCM working group, to talk about the framework and how it can help organizations with cloud risk management.

SearchCloudSecurity: What’s new in the latest version?

Swain: We added NERC CIP for more utilities-based asset protection and the Jericho Forum. The big change was to accompany the customer/tenant and SPI [SaaS, PaaS, IaaS] mapping to architectural relevance and corporate governance relevance. If you break apart the layers of a stack in a cloud architecture, you have much of what you would expect in traditional auditing of computing controls; you’ve got networking controls, database controls, application interface controls, etc. For example, user access reviews -- you would expect that for each of those architectural areas there is some level of access control in a review. But there are some controls that have an overall corporate governance element. … An example of where you don’t have much architectural relevance is background screening for new hires. It’s not architecturally relevant, but an important control. Customers want to know companies have these controls in place when they’re looking for suppliers.

SearchCloudSecurity: Any insight into how organizations are using the CCM?

Swain: A number of organizations have told [CSA Executive Director] Jim Reavis they’re using it. Sometimes they’ll tweak it to make it their own document; they might have additional controls they want to encompass. … Our hope is over time we can start to measure that a little better to make sure the document remains relevant to the industry.

SearchCloudSecurity: Any tips for organizations on how to leverage the CCM?

Swain: Understand how the organization is adopting cloud. From what I’ve observed, it can be coming in various forms. Maybe the product team wants a quicker development environment, so instead of leveraging their own it might go to Amazon. … Another area is adoption of consumer technology, where it just takes a credit card for an employee to get shared space online, like Dropbox. They can put whatever data they want; there are not a lot of controls on restricting that. Your more formal procurement controls don’t work and many traditional corporate controls no longer apply. My recommendation is to understand what’s happening in the enterprise around cloud adoption, and take the Controls Matrix, the Consensus Assessments Initiative Questionnaire -- any of these tools -- and understand how to apply them in the context in which the enterprise is adopting cloud. Also, look at whether your vendor program is adapting to cloud providers, knowing you could have a supply chain of cloud providers. … If you’re doing a security assessment on one, are you looking at the full assessment picture?

SearchCloudSecurity: How was the Cloud Controls Matrix developed?

Swain: While I was with my prior employer and engaged in a SaaS project, there were multiple compliance requirements such as SOX, PCI DSS and ISO/IEC 27001, with control redundancies lacking uniformity, that the team was trying to manage. So I reached out to the Cloud Security Alliance in March 2009 with a general inquiry on whether a compliance checklist was available to help guide this team. Jim Reavis responded that there was no such guidance or tool available, but he was aware of another team who had previously expressed an interest in something similar. So, the half dozen of us teamed up and kicked off a new CSA research project, volunteering our time to go control by control, meeting weekly over several months to determine the cloud computing relevance mapping to commonly known data security standards and regulations. Once we had a draft, we opened it up to broader [review]. In total, we had approximately 20 industry security professionals who contributed to [version] 1.0. … In the latest release, we had over 100 people involved. It illustrates it’s really a grassroots movement, taking a bottom-up approach to governance, risk and compliance.

SearchCloudSecurity: What’s ahead for the CCM?

Swain: We’re looking at a full release to revisit the controls themselves, but we need to be careful about how we plan that type of change because it has downstream impact on other CSA research that’s dependent on the control infrastructure. [We’ll be] working with CSA WGs [working groups] to make sure we project roadmap alignment in implementing that change. … The change will be based on what we learned since we came up with the first set of baseline [controls]. What are cloud-specific controls versus more general controls? An example would be multi-tenancy. There needs to be an emphasis on how access control is managed in multi-tenant environments, whether at the app, database or storage layer or in the physical environment. The cloud provider must demonstrate assurance that one customer can’t get access to another customer’s data.
