How the Cloud Controls Matrix helps protect your organization

As more companies turn to the cloud to handle storage and computing needs, it’s crucial to ensure that providers are addressing the different security threats that can penetrate a technology infrastructure.

Having a set of guidelines and principles to follow is a fundamental part of keeping your company safe in the cloud. Security controls provide guidance which organizations can follow to meet, or exceed, established best practices.

The Cloud Security Alliance’s Cloud Controls Matrix (CCM) is a framework your organization can use in assessing whether your cloud service provider (CSP) has the controls in place necessary to keep your data secure.

CCM cloud security controls

There are a variety of different areas CCM Version 4 covers, including data center security, risk management and mobile security. It also incorporates different industry accepted standards, regulations and control frameworks, such as:

• AICPA Trust Service Categories
• CIS Controls V8
• PCI-DSS
• ISO/IEC 27001/27002/27017/27018
• NIST 8-53 Rev.5

For assessments, CCM tests against 197 security control objectives that are outlined in 17 different domains:

• Application and interface security
• Audit and assurance
• Business continuity management and operational resilience
• Change control and configuration management
• Data security and privacy lifecycle management
• Datacenter security
• Cryptography, encryption and key management
• Governance, risk management and compliance
• Human resources security
• Identity and access management
• Security infrastructure and virtualization
• Interoperability and portability
• Universal endpoint management
• Security incident management, e-discovery and cloud forensics
• Supply chain management, transparency and accountability
• Threat and vulnerability management
• Logging and monitoring

For every control, CCM specifies which cloud model type — PaaS, IaaS or SaaS — or cloud environment — hybrid, private or public — the control relates to. It also outlines the responsibilities and roles between a cloud customer and CSP by stating which control guidance relates to each entity.

This wide range in controls and frameworks allows CCM to keep your infrastructure safe from threats and to be up to par with the current regulations.

To get certified against the CCM, a CSP must have an attestation or certification engagement performed through an entity that performs CCM services.

Benefits of a cloud control framework

In addition to evaluating a CSP’s data security practices, CCM can also be used as a tool to plan and assess cloud implementation. CCM provides users with guidance on security control frameworks that should be in place for companies operating in the cloud and in the cloud supply chain.

When preparing for the cloud, an organization needs to have the appropriate guardrails in place to enforce mandatory requirements. Establishing them will help detect and alert on deviations away from good practice, for both awareness and education. However, you need to be careful that the level of security applied will still allow your team access to the tools and information they need to innovate.

Once established, all controls need to be backed up by appropriate levels of documentation and evidence to satisfy internal stakeholders and external legislative and regulatory interested parties. Controls also need to undergo continual review and improvement, so that they can develop along with organizational and business change.

A cloud control framework enables you to build on the visibility of your cloud environment. It gives you the ability to make more informed decisions on appropriate policy, procedures and guidance to support implementation of proportionate security controls. This helps you protect your organization’s assets in the cloud and its reputation.

How Wipfli can help

Wipfli is here to help your organization meet the ever-changing security demands of the digital space. We support you in implementing the right security solutions for your business so that you can focus on using your technology and data to fuel growth. Contact us today for more on how we can help you be confident in your cybersecurity.

Sign up to receive additional information in your inbox or continue reading:

• Why a vCISO is the better option
• The basics of privileged access management
• Data privacy vs. data security
• Captive insurance may be the solution amid rising cyber claims

This article was co-authored by Neethu Choudhary and Zubair Ali