Cloud Controls Matrix 4.0 - improved grip on cloud
The Cloud Security Alliance (CSA) has started updating the Cloud Controls Matrix (CCM). The bare 4.0 version is available. Bare version, meaning the mappings to other standards that were present in previous well-known CCM versions will be added later this year.
As the cloud business is maturing and cloud usage has taken a huge leap since COVID-19, with the increased use of cloud services for working from home as a result, up-to-date security guidance is more important than ever. This CCM update may come just in time.
What are the overall improvements of version 4.0?
- Improved control clarity: consistent terminology and wording have been applied throughout;
- Mapping of controls to ownership within the shared responsibility model (customer, provider or shared);
- Addition of uniform policy-level controls;
- Improved and re-homed controls in uniform domains. Six (6) domains added, four (4) retired;
- Planned implementation guidelines in Q2 2021;
- Improved auditing guidelines, helping to document assessment outcomes better and to audit more consistently.
What’s new in version 4.0?
There are many changes, as can be derived from the overall improvements. Domain-wise, the biggest changes are in the structure of the framework, with a new domain dedicated to Logging and Monitoring (LOG) and modifications to existing ones (GRC, A&A, UEM, CEK).
The former Audit Assurance & Compliance and Governance & Risk Management domains have been reorganized into Audit & Assurance (A&A) and Governance, Risk and Compliance (GRC), with the compliance controls moving from the audit domain to GRC.
Mobile Security has been renamed Universal Endpoint Management (UEM). The number of controls has decreased, while the scope has been expanded from mobile devices to all computing devices with access to the cloud.
Insiders have seen encryption as an important security measure in the cloud since the start. It helps limit access, protects data and is the cloud alternative to shredding your hard drives in the old world. Its importance is now made clear for all by reworking the Cryptography, Encryption and Key Management (CEK) domain, which grows from four (4) to twenty-one (21) controls.
With the legal and privacy regulations that have come into effect since the last CCM version, the Data Security & Privacy Lifecycle Management (DSP) domain has also grown significantly, from seven (7) to nineteen (19) controls.
And finally, the re-evaluation of ownership has led to the addition of five (5) controls to the Supply Chain Management, Transparency & Accountability (STA) domain.
What’s next?
As said, the previous version of the CCM had a mapping to several well-known and accepted industry standards such as ISO and NIST. A similar mapping is to be expected later this year. Still to come are implementation guidelines, auditing guidelines and an updated version of the CAIQ (Consensus Assessments Initiative Questionnaire) used to assess cloud providers. A copy of CCM 4.0 is available from the CSA.
Summary
The update of the CCM to version 4.0 is a well-timed update with the intent of significantly improving the framework. The CCM is composed of 197 control objectives structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation, and provides guidance on the security controls to be implemented by the different owners within the cloud supply chain.
CCM version 4 aims to ensure coverage of requirements deriving from new cloud technologies, adds new controls and a security responsibility matrix, improves the auditability of the controls, and enhances interoperability and compatibility with other standards.