CSA releases new Cloud Controls Matrix and CAIQ standards

The Cloud Security Alliance has updated its Cloud Controls Matrix (CCM) and Consensus Assessments Questionnaire (CAIQ) to help enterprises standardize cloud provider security assessments.

The Cloud Security Alliance this week updated two of its industry standards, the Cloud Controls Matrix version 3.0.1 and the Consensus Assessments Initiative Questionnaire version 3.0.1.

The updates seek to eliminate redundancies between the two standards, which were designed as a "one-stop shop" to guide companies in conducting cloud provider security assessments, and the latest versions feature more detailed, clarified language, according to the Cloud Security Alliance (CSA).

The updates also feature improved alignment between the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) as well as the organization's flagship Security Guidance reference documents and the Security, Trust & Assurance Registry (STAR) program. STAR, which was launched in 2011, is an online registry that documents the security controls offered by participating cloud providers.

Jim Reavis, CEO of the CSA, said the CCM and CAIQ updates are a reflection of the demand for more detailed information from customers who want to invest in cloud technology.

"This is a direct consequence of enterprises and government agencies saying that they're all in on cloud and wanting reassurances about how to move forward," Reavis said. "It's a milestone for us because we've taken what started out as less formal advisory guidelines and moved toward more formal best practices and compliance standards."

For example, Reavis said the update to the CAIQ, a set of questions for businesses to ask cloud providers before procuring cloud services, drills down deeper into areas such as service level agreements, while the CCM, which provides security principles for cloud providers, offers updated mappings to other industry standards, compliance laws and control frameworks such as ISO 27001:2013, the FedRAMP security controls and the Payment Card Industry Data Security Standard (PCI DSS) version 3.0.

Reavis also said he expects the improved alignment between the two standards and STAR to help drive additional interest and participation in the STAR program from cloud providers.

"We expect a lot of the fruits of these updates to show up with our STAR program," he said.

Pravin Kothari, founder, chairman and CEO of CipherCloud Inc., a San Jose, California-based cloud security vendor and corporate member of the CSA, said the CCM and CAIQ standards are valuable to companies like CipherCloud because they act as "a stack of guidelines and best practices" upon which customers can build an actual cloud security framework.

"The CSA is leading the charge to put some structure around the security side of the cloud," Kothari said. "Security is a huge, sprawling area but these updates are going to help give customers a better view of what's going on in this space when it comes to cloud."

Kothari also said customers are asking "tougher questions" about cloud security in the wake of high-profile data breaches at corporations such as Target Corp. and the NSA surveillance revelations from last summer. The CCM and CAIQ updates, therefore, are welcome additions because they can help answer those questions.

"The awareness around cloud security as well as these standards is definitely growing," Kothari said. "If you talk to a chief security officer or a compliance officer in any enterprise, they know these standards."

Next Steps

Diana Kelley explains how the CCM and CAIQ can be used to assess cloud providers' security controls.
