What is the Cloud Control Matrix?
The Cloud Control Matrix (CCM) is a cybersecurity controls framework for cloud computing. It provides a structured blueprint consisting of policies, procedures, and guidelines organizations can follow to remain secure. The CCM lists 17 domains covering the key aspects of cloud technology, under each of which are specific control objectives. The CCM is currently considered a defacto standard for cloud security assurance and compliance.
With numerous organizationsmigrating to the cloud, cloud security is a top concern. Many industrial regulations and laws mandate the implementation of security controls in the cloud. In this regard, adopting a cloud security framework for your cloud environment, such as the CCM, can be beneficial.
Who developed the CCM?
The CCM was developed by the Cloud Security Alliance (CSA). The CSA is a non-profit organization that intends to promote the use of secure cloud computing practices and educate people on how to adopt them.
Why do you need the CCM?
The CCM can be used as a framework to systematically assess your cloud implementation. It provides guidance on which security controls should be implemented by which actor within the cloud supply chain.
What security domains does the CCM cover?
The CCM lists 17 cloud-technology-related domains with a set of control objectives under each domain. These domains are:
- Application & Interface Security
- Audit and Assurance
- Business Continuity Mgmt & Op Resilience
- Change Control & Configuration Management
- Data Security & Privacy Lifecycle Management
- Datacenter Security
- Cryptography, Encryption and Key Management
- Governance, Risk Management and Compliance
- Human Resources Security
- Identity & Access Management
- Security Infrastructure & Virtualization
- Interoperability & Portability
- Universal EndPoint Management
- Security Incident Management, E-Discovery & Cloud Forensics
- Supply Chain Management, Transparency & Accountability
- Threat & Vulnerability Management
- Logging and Monitoring
These17 domains have a total of 197 control objectives between them.
How does the CCM help with compliance?
The control objectives listed under each domain in the CCM are mapped against various industry security standards, regulations, and control frameworks.Some regulations and frameworks that the CCM helps you adhere to are:
- NIST SP 800-53
- AICPA TSC
- German BSI C5
- PCI DSS
- ISACA COBIT
- NERC CIP
- FedRamp
- CIS v8
- ISO/IEC 27001/27002/27017/27018
How can your organization use the CCM?
The CCM comes with a set of yes or no questions called the Consensus Assessments Initiative Questionnaire (CAIQ). Organizations can leverage the CSA's CAIQ to assess the different cloud service providers and their own cloud security infrastructures. Cloud vendors and security providers can fill out the CAIQ and submit it to the STAR Registry, which is a public registry, to demonstrate compliance to industry standards, frameworks, and regulations.
What is STAR?
STAR stands for Security, Trust, Assurance, and Risk. STAR is a CSA-initiated program aimed at providing transparency into cloud best practices and standards, enabling organizations to make informed decisions. The program consists of STAR Attestation and STAR Certification, which are extensions of the SOC2 and ISO27001 frameworks respectively, but it also utilizes the CCM framework. STAR certification consists of two levels:
Level 1: This is a self-assessment that organizations can take to promote trust and transparency. With this, organizations that are in low-risk environments can assess their security using CCM and CAIQ, and assess their privacy based on the General Data Protection Regulation Code of Conduct.
Level 2: This is for organizations that require third-party audits and is more suitable for medium-risk environments.
The CSA also provides other cloud security certifications such as a Certificate of Cloud Security Knowledge (CCSK) and a Certificate of Cloud Auditing Knowledge (CCAK). Organizations can choose to apply for the certifications based on their requirements. The certifications not only provide credibility to organizations, but also establish a form of trust, transparency, and assurance that all the efforts to secure the cloud are in line with industry standards.
Related solutions
ManageEngine's SIEM solution: Log360
Manage your compliance, risks, threats, and security incidents using Log360.
Learn moreLearn how Log360 has helped organizations achieve compliance standards.
Case study