Methodology for the Mapping of the Cloud Controls Matrix

By Victor Chin, Research Analyst, Cloud Security Alliance

CCM Mapping methodologyThe Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) provides fundamental security principles to guide cloud vendors and cloud customers seeking to assess the overall security risk of a cloud service. To reduce compliance fatigue in the cloud services industry, the CCM program also includes controls mappings to other key industry frameworks such as International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001, National Institute of Standards and Technology (NIST) 800-53, and American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC).

Historically, these mappings come from two main sources: third-party organizations and CCM Working Group volunteers. Over time, processes to incorporate these mappings have evolved organically but were not formally documented.

The Methodology for the Mapping of the Cloud Controls Matrix document aims to formally document and enhance these processes. They include a controls mapping methodology, the identification of gaps between two frameworks, the creation of a mapping work package, naming references, and project management guidelines.

By documenting these processes, we aim to fulfill four primary functions:

  1. Provide clarity and transparency regarding the CSA CCM Working Group’s mapping approach, guidelines and naming conventions;
  2. Encourage process review and improvement suggestions by the CSA community;
  3. Yield a valuable reference for organizations—especially those seeking to benefit from and contribute to interoperable efforts by mapping their frameworks to the CCM; and
  4. Improve assessor criteria understanding and interpretation of all mapping processes through criteria mapping exercises.

Moving forward, we hope that this document will be a valuable reference to all key stakeholders in the CCM ecosystem, as well as contribute to the maturity of the CCM program.

The success of the CCM continues to be the result of the dedicated professionals within the CCM Working Group. This document would not have been possible without the expertise, focus, and collaboration of the following working group members:

  • Sean Cordero
  • Ai-Ping Foo
  • Kimberley Laris
  • Ahmed Maaloul
  • Michael Roza
  • Eric Tierling

Download the Methodology for the Mapping of the Cloud Controls Matrix.

Updated CCM Introduces Reverse Mappings, Gap Analysis

By Sean Cordero, VP of Cloud Strategy, Netskope

CCM logoSince its introduction in 2010, the Cloud Security Alliance’s Cloud Control Matrix (CCM) has led the industry in the measurement of cloud service providers (CSP). The CCM framework continues to deliver for CSPs and cloud consumers alike a uniform set of controls to measure the security readiness of a cloud-centric security program. It continues to be the industry standard used to measure, evaluate, and inform risk, information security, and audit professionals on the best practices for securing cloud services.

Consistent with the CSA’s commitment to driving greater trust, assurance, and accountability across the information risk and security industry, this latest expansion to the CCM incorporates the ISO/IEC 27017:2015, ISO/IEC 27018:2014, and ISO/IEC 27002:2013 controls, and introduces a new approach to the development of the CCM and an updated approach to incorporate new industry control standards.

Core to this release of the ISO 27017:2015, 27018:2014, and 27002:2013 reverse mappings and gap analysis were two additional goals defined by the CSA and the CCM Working Group:

  1. Improve the ease of operationalization and measurement for all new controls.
  2. Increase the flexibility for CSPs and cloud consumers adopting additional control frameworks while retaining alignment with the core CCM controls.

Improved ease of operational usage and measurement

The avoidance of overly prescriptive control statements has been central to the CCM’s control development philosophy. This approach was required to avoid duplication across other control frameworks and to avoid rework for security and audit professionals. While this approach is reflected in the language of the CCM, this intentional lack of specificity has made it, at times, challenging to fully integrate into architectural and validation efforts. To address this within the language for the newly developed controls two key changes were made—first, to the alignment of the core of the research team and second, to the method of delivery for new controls.

First, two working group sub-teams were created and leaders of each identified. One group specific to information risk management and the other for audit and control measurement. To ensure that both teams brought to bear their collective expertise across the entire revision, each team then collaborated on the review of the work product of the other team, which has led to the most comprehensive and well-defined release of the CCM to date.

The information security team was led by Ai Ping Foo. Her team focused on the identification and creation of new controls and mappings with a focus on ensuring the incorporation of these controls across security architectures.

The assurance team was led by Ahmed Maaloul, whose team drove the creation of the new controls and mappings with a focus on ensuring control clarity, ease of measurement, and reproducibility for audit and assurance professionals.

Improved flexibility and delivery for new controls

This latest release of the Cloud Controls Matrix introduces reverse mappings and gap analysis to the CCM program. We believe that this approach allows organizations to continue their alignment to the core CCM standard while giving the option of further expanding their controls without disruption to any STAR certification efforts underway or existing certifications.

As the CCM framework continues to mature we are confident it will give security, audit, and assurance professionals the most flexibility for control identification without compromising the existing CCM controls.

The CCM continues to define the standard for trust, assurance, and control for security, audit, and compliance analysts when conducting operations in the cloud. This latest release reflects the CSA’s and the CCM Working Group’s continued commitment towards ease of use, flexibility, and uniformity across the multiple disciplines which enable trusted cloud operations.

The success of the CCM continues to be the result of the dedicated professionals within the CCM Working Group. This latest release would not have been possible without the expertise, focus, and collaboration of the following working group members:

Security Team Leader: Ai Ping Foo

Assurance Team Leader: Ahmed Maaloul

CCM Working Group Volunteers:

Ai Ping Foo

Adnan Dakhwe

Ahmed Maaloul

Angela Dogan

Alejandro del Rio Betancourt

Bunmi Ogun

Chris Sellards

Chris Shull

Eric Tierling

Josep Bardallo

Kazuki Yonezawa

Kelvin Arcelay

Madhav Chablani

Masashiro Morozumi

Mariela Rengel

Mohin Gulzar

Muswagha Katya

Noutcha Gilles

Puneet Thapliyal

Shahid Sharif

Saraj Mohammed

M. Reid Leake

William Butler

Download the latest version of the CSA Cloud Control Matrix.

Sean Cordero has over 18 years of IT and Information Risk Management. He has held senior security executive roles at leading bio-technology, financial, retail, and consulting organizations. Cordero is the Chair of the CSA’s Cloud Control Matrix Working Group and serves as the Co-Chair of the CSA’s Consensus Assessments Initiative Questionnaire. Cordero was honored by the CSA with the Ron Knode Service Award in 2013 and inducted as a CSA Research Fellow in 2016. Cordero is a certified CISSP, CISM, CISA and CRISC.

 

You can Benefit from the Cloud: Choose based on Class of Service

In my last blog, I had promised a deeper dive into Choosing a Cloud provider based on Class of Service.

It is a very timely topic. In one of very many recent articles on cloud security, Avoiding cloud security pitfalls Telstra enterprise and infrastructure services IT director Lalitha Biddulph advises “A lot of cloud services are proprietary and once you move your data in there, you may have given away your right to shift data by choosing to use a particular service.”

Without a doubt this is an area of risk to be balanced when making decisions about which key vendors to use when you consider public cloud usages across SaaS, PaaS and IaaS models. It is also an area of opportunity where organizations can draw up distinct SLAs around their rights with their data and ensure that the SLAs are properly drawn up, communicated and agreed to by all parties prior to moving data across.

Over the last couple of years we have seen remarkable strides forward with cloud providers becoming much more diligent in not only improving levels of security for hosted email, customer relationship management and vertically-focused applications, but also with IaaS providers becoming much more flexible in conditions around SLAs and reporting.

I continue to feel greatly encouraged by the work that the Cloud Security Alliance is doing and it is why I invest my time in their activities. I believe that they have the power with their wealth of resource and broad industry participation to continue to educate the industry and move us forward with ideal frameworks based on consensus.

While I think caution should be urged and organizations should be in no doubt about the risks that their data can be exposed to in cloud models, this should also be balanced with the economic advantages. Added, to that, cloud models have matured for the types of services I have mentioned above and others – that too should be taken into consideration along with a robust set of security controls.
Additionally, for more news and discussions, head over to @SecDatacenter or Secure Data Center Trends

Evelyn de Souza Bio
Evelyn is a senior data center and cloud security strategist for the Security Technology Group at Cisco responsible for championing holistic and next generation security solutions . She is a strong proponent of building automated, repeatable processes that enable organizations to sustain compliance while optimizing security posture and reducing costs. To this end, she pioneered the development of such tools in her previous role as the McAfee Compliance Mapping Matrix, which cross-maps various regulations, standards, and frameworks to e solutions and the McAfee PCI Mapping Tool. She currently co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM) and is focused on harmonizing efforts across industry initiatives such as the Open Data Center Alliance (ODCA). Evelyn is a dedicated security professional with more than 12 years in the IT security industry. She enjoys engaging with industry analysts, customers, and partners to discuss industry trends and how security solutions can be best implemented to meet the needs of next-generation datacenters. She holds a Bachelors of Arts degree with honors in music from Monash University, Melbourne, Australia. She can also be found on Twitter at: e_desouza

Why the Cloud Cannot be treated as a One-size-fits-all when it comes to Security

Despite the fact that cloud providers have long since differentiated themselves on very distinct offerings based on cloud platform type, I often see the cloud written about as though it is a single, uniformservice. And, the problem with that is while there are commonalities, it is downright misleading especially as so much is misunderstood around what’s required to secure cloud-based services and the risks that are involved. Today there are three classes of service, Software as a Service (SaaS) where the provider hosts software-based services and the consumer accesses via a web interface, Platform as Service (PaaS) that developers mostly use to developsoftware-based offerings, and Infrastructure as a Service (IaaS) where consumers can “rent” infrastructure to host their own services.

When I speak with customers I recommend they consider cloud offerings in the light of classes of services they need, the types of data they will need to expose, their regulatory compliance needs and the reputation and flexibility of the service providers they are looking to leverage. Because, even within the classes of service I mentioned above there are distinct variances.

Choosing a cloud provider based on class of service

Over the last five years in particular the industry has benefitted from broad based adoption of SaaS particularly for customer relationship management, payroll and document collaboration to name a few. But, cloud providers in this space range from those with established practices and who have robust data handling and hygiene practices that are well documented to emerging players. The same goes for PaaS and IaaS. Over the last couple of years some IaaS providers have developed tailored offerings to suit particular verticals such as government, retail and healthcare. Today, the industry is still very much lacking from standard definitions and templates for SLA. And with each different class of service, there are different security requirements too, ranging from SaaS where the consumer has no ability to push security controls down to the provider’s environment to IaaS where typically the consumer is responsible for securing the virtual machines that they might “rent” from a provider. This is where leveraging the freely available resources from the Cloud Security Alliance Trust and Assurance Registry (STAR) an initiative that encourages transparency of security practices within cloud providers, is incredibly valuable.

Data Security According to Data Type

Data, too, is not created equal. Consumers of different cloud services need to consider the data that entrust in the hands of a SaaS provider from a sensitivity level as well as any exposure that may result from a potential data breach. This concern may be a little different with IaaS where a consumer potentially has the opportunity to addmore safeguards such as encryption, file monitoring and other security controls at the virtual machines level that may help mitigate some of the risks. I have seen some excellent security implementations around some vertical stack models that some IaaS providers have developed for government, retail, healthcare and now expanding to more verticals. However, there are issues such as data residency, data handling and monitoring at the network and overall host level that still need to be considered and carefully thought out.

Regulatory Compliance Needs

Some years back the security industry had been focused around the idea of audit and compliance fatigue – this the idea that many enterprises today can be dealing with in excess of fifty mandates pending whom they do business with and their geographic span and the amount of often manual audit data collection. Since then, there has been some automation of IT audit practices but it still remains a time consuming practices for most organizations. There are over 4000 mandates today, which the Unified Compliance Framework has done an amazing job of tracking and cross mapping for many years and as always more government and data privacy mandates in the works. The Cloud Security Alliance Cloud Controls Matrix also cross walks several standards but further categorizes controls according to platform, recognizing that different models require different controls. It is ideal for those looking to learn about how to evolve their controls to map to different models and who want to avoid the audit fatigue syndrome through the concept of audit once, report many times.

Over the next few weeks I will drill down into each of the above areas. In the meantime, if you have any questions or wish to discuss any of the above further, please contact me at [email protected]

Evelyn de Souza Bio
Evelyn is a senior data center and cloud security strategist for the Security Technology Group at Cisco responsible for championing holistic and next generation security solutions . She is a strong proponent of building automated, repeatable processes that enable organizations to sustain compliance while optimizing security posture and reducing costs. To this end, she pioneered the development of such tools in her previous role as the McAfee Compliance Mapping Matrix, which cross-maps various regulations, standards, and frameworks to e solutions and the McAfee PCI Mapping Tool. She currently co-chairs the Cloud Security Alliance Cloud Controls Matrix (CCM) and is focused on harmonizing efforts across industry initiatives such as the Open Data Center Alliance (ODCA). Evelyn is a dedicated security professional with more than 12 years in the IT security industry. She enjoys engaging with industry analysts, customers, and partners to discuss industry trends and how security solutions can be best implemented to meet the needs of next-generation datacenters. She holds a Bachelors of Arts degree with honors in music from Monash University, Melbourne, Australia. She can also be found on Twitter at: e_desouza

CSA Releases CCM v 3.0

The Cloud Security Alliance (CSA) today has released a draft of the latest version of the Cloud Control Matrix, CCM v3.0. This latest revision to the industry standard for cloud computing security controls realigns the CCM control domains to achieve tighter integration with the CSA’s “Security Guidance for Critical Areas of Focus in Cloud Computing version 3” and introduces three new control domains. Beginning February 25, 2013 the draft version of CCM v3.0 will be made available for peer review through the CSA Interact website with the peer review period closing March 27, 2013, and final release of CCM v3.0 on April 1, 2013.

The three new control domains; “Mobile Security”, “Supply Change Management, Transparency and Accountability”, and “Interoperability & Portability” address rapidly expanding methods cloud data is accessed, the need for ensuring due care is taken in the cloud providers supply chain, and the minimization of service disruptions in the face of a change to cloud provider relationship.

The “Mobile Security” controls are built upon the CSA’s “Security Guidance for Critical Areas of Mobile Computing, v1.0” and are the first mobile device specific controls incorporated into the Cloud Control Matrix.

The “Supply Change Management, Transparency and Accountability” control domain seeks to address risks associated with governing data within the cloud while the “Interoperability & Portability” brings to the forefront considerations to minimize service disruptions in the face of a change in a cloud vendor relationship or expansion of services.

The realigned control domains have also benefited through changes in language to improve the clarity and intent of the control, and, in some cases, realigned within the expanded control domains to ensure the cohesiveness within each control domain and minimize overlap.

The draft of the Cloud Control Matrix can be downloaded from the Cloud Security Alliance website and the CSA welcomes peer review through the CSA Interact website.

The CSA invites all interested parties to participate in the peer review and the CSA Cloud Controls Matrix Working Group Meeting to be held during the week of the RSA Conference, at 4pm PT on February 28, 2013, at the Sir Francis Drake Hotel
Franciscan Room
450 Powell St in San Francisco, CA.