The Cloud Control Matrix from the
Cloud Security Alliance decoded

??? pgHead ???
 
  • What is the Cloud Control Matrix (CCM)?
  • Who developed the CCM?
  • Why do you need the CCM?
  • What security domains does the CCM cover?
  • How does the CCM help with compliance?
  • How can your organization use the CCM?
  • Related solutions
 

What is the Cloud Control Matrix?

The Cloud Control Matrix (CCM) is a cybersecurity controls framework for cloud computing. It provides a structured blueprint consisting of policies, procedures, and guidelines organizations can follow to remain secure. The CCM lists 17 domains covering the key aspects of cloud technology, under each of which are specific control objectives. The CCM is currently considered a defacto standard for cloud security assurance and compliance.

With numerous organizationsmigrating to the cloud, cloud security is a top concern. Many industrial regulations and laws mandate the implementation of security controls in the cloud. In this regard, adopting a cloud security framework for your cloud environment, such as the CCM, can be beneficial.

Who developed the CCM?

The CCM was developed by the Cloud Security Alliance (CSA). The CSA is a non-profit organization that intends to promote the use of secure cloud computing practices and educate people on how to adopt them.

Why do you need the CCM?

The CCM can be used as a framework to systematically assess your cloud implementation. It provides guidance on which security controls should be implemented by which actor within the cloud supply chain.

What security domains does the CCM cover?

The CCM lists 17 cloud-technology-related domains with a set of control objectives under each domain. These domains are:

  1. Application & Interface Security
  2. Audit and Assurance
  3. Business Continuity Mgmt & Op Resilience
  4. Change Control & Configuration Management
  5. Data Security & Privacy Lifecycle Management
  6. Datacenter Security
  7. Cryptography, Encryption and Key Management
  8. Governance, Risk Management and Compliance
  9. Human Resources Security
  10. Identity & Access Management
  11. Security Infrastructure & Virtualization
  12. Interoperability & Portability
  13. Universal EndPoint Management
  14. Security Incident Management, E-Discovery & Cloud Forensics
  15. Supply Chain Management, Transparency & Accountability
  16. Threat & Vulnerability Management
  17. Logging and Monitoring

These17 domains have a total of 197 control objectives between them.

How does the CCM help with compliance?

The control objectives listed under each domain in the CCM are mapped against various industry security standards, regulations, and control frameworks.Some regulations and frameworks that the CCM helps you adhere to are:

  • NIST SP 800-53
  • AICPA TSC
  • German BSI C5
  • PCI DSS
  • ISACA COBIT
  • NERC CIP
  • FedRamp
  • CIS v8
  • ISO/IEC 27001/27002/27017/27018

How can your organization use the CCM?

The CCM comes with a set of yes or no questions called the Consensus Assessments Initiative Questionnaire (CAIQ). Organizations can leverage the CSA's CAIQ to assess the different cloud service providers and their own cloud security infrastructures. Cloud vendors and security providers can fill out the CAIQ and submit it to the STAR Registry, which is a public registry, to demonstrate compliance to industry standards, frameworks, and regulations.

What is STAR?

STAR stands for Security, Trust, Assurance, and Risk. STAR is a CSA-initiated program aimed at providing transparency into cloud best practices and standards, enabling organizations to make informed decisions. The program consists of STAR Attestation and STAR Certification, which are extensions of the SOC2 and ISO27001 frameworks respectively, but it also utilizes the CCM framework. STAR certification consists of two levels:

Level 1: This is a self-assessment that organizations can take to promote trust and transparency. With this, organizations that are in low-risk environments can assess their security using CCM and CAIQ, and assess their privacy based on the General Data Protection Regulation Code of Conduct.

Level 2: This is for organizations that require third-party audits and is more suitable for medium-risk environments.

The CSA also provides other cloud security certifications such as a Certificate of Cloud Security Knowledge (CCSK) and a Certificate of Cloud Auditing Knowledge (CCAK). Organizations can choose to apply for the certifications based on their requirements. The certifications not only provide credibility to organizations, but also establish a form of trust, transparency, and assurance that all the efforts to secure the cloud are in line with industry standards.

ManageEngine's SIEM solution: Log360

Manage your compliance, risks, threats, and security incidents using Log360.

Learn more

Learn how Log360 has helped organizations achieve compliance standards.

Case study

Related pages

4 must-know GDPR principles for IT compliance Protecting payment card information with PCI-DSS Is your organization HIPAA compliant? Calculate your HIPAA compliance score to find out
Download ManageEngine Log360, a unified SIEM solution  

ManageEngine Log360 helps you detect; investigate; and respond to threats, while meeting compliance requirements.

Download Live demo

Awards & recognition

ManageEngine named in 2022 Gartner MQ for SIEM Gartner Peer Insights Customers' choice for SIEM

Features

Support

Secure your IT infrastructure with a cloud SIEM solution

Solutions by industry

Related solutions

One-stop solution to all Log Management and Active Directory Auditing

Free Trial Get Quote
Email Download Link