Cloud Matrix

Uploaded by

Bikila Tariku

Getting to know the Cloud Controls Matrix

https://cloudsecurityalliance.org/

About the Cloud Security Alliance
• Building security best practices for next generation IT
• Global, not-for-profit organization
• Research and educational programs
• Cloud provider certification – CSA STAR
• User certification – CCSK

“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.”

The globally authoritative source for trust in the cloud
The Value Equation in the Cloud

Security Service + Transparency Service = Compliance & Trust (VALUE Captured)

… delivering evidence-based confidence …
… with compliance-supporting data & artifacts …
… using the best virtualization and cloud technologies …
… within quality processes …
… operated by trained and certified staff and partners …

© 2011 Cloud Security Alliance, Inc. All rights reserved.


CLOUD CONTROLS MATRIX


Holistic Framework

What is the CCM?
• First ever baseline control framework specifically designed for managing risk in the cloud
– Providing an anchor point and common language for balanced measurement of security and compliance postures.
– Providing holistic adherence to the vast and ever-evolving landscape of global data privacy regulations and security standards.
– Addressing the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
• Serves as the basis for new industry standards and certifications.
• Technology framework specific to the cloud
What is the CCM?
• Controls (133)
– Countermeasures or safeguards to avoid, detect, counteract, or minimize risks
• Elements (12)
– Architecture
– Corporate Governance
– Delivery Model
– Supplier Relationship
• Mappings (Scope Applicability) (40/31)
– Customized relationships to other industry-accepted security standards, regulations, and frameworks
Purpose of the CCM

• Provide fundamental cloud-specific security objectives
• Outline who is responsible for the control implementation (CSP, customer, both?) – the Shared Responsibility Model
• Outline to which cloud service delivery model a control applies (S-P-I Model)
• Align to industry standards
• Assess and compare CSPs
Review of the CCM

• First security controls framework for cloud
• Allows the assessment and comparison of CSPs
• Outlines responsibility of controls – Shared Responsibility Model
• Aligns to industry standards
• Increases trust between CSP and cloud customer
Framework coverage: CCM
https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview

Overlap: + NIST 800-53
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Overlap: + ISO 27001
https://en.wikipedia.org/wiki/ISO/IEC_27001:2013

Overlap: + PCI DSS
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

(Slide figures: coverage diagrams for each framework overlap)
What is the CCM not?

• A Standard – it’s a pseudo-standard (industry-accepted)
• Information Security Management System (ISMS)? – it’s technology specific
– Cloud first or Cloud only strategy
• Due Diligence
• Vendor specific
Tools for Due Diligence

Cloud Security Controls
• Common framework for technology, IS management
• Assesses the overall security risk of a cloud service
• Provides standardized security, operational risk management
• Harmonizes to security standards and compliance frameworks

Provider Assessment Questions
• Questions to enable cloud computing assessments
• Establish the presence and testing of security controls
• Discover presence of security capabilities and gaps
• Document security controls in IaaS, PaaS, SaaS

Provider Assessment Reports
• Provider listing of security controls
• Transparency, auditing, and harmonization of standards
• Level of assurance meeting requirements
• Industry acceptable

Cloud Solutions Management Dashboard
• Solution to help organizations manage compliance
• Assign maturity and relevance scoring
• Provision and manage user access to assessments
• Compare assessments based on common criteria

(Slide diagram: Control Matrix >> Guidance >> ISO)
Roadmap for CCM

CCM Methodology
– Forward Mapping
• Mapping CCM to X
– Reverse Mapping
• Mapping X to CCM
– Gap Identification
• Full
• Partial
• No
– Gap Analysis
• Additional requirements
• Compensating controls

Industry Mappings
– ISO 27001, -02, -17, -18
– AICPA TSC 2017
– BSI C5
– NIST 800-53 R5
– ASD 2017
– FedRAMP (FedSTAR)
– CEPREI
– Cobit 5
– More

CCM v4.0
– Evaluate Structure
• Auditors
• CSPs
• End Users
– New Areas to Consider
• Privacy
• IoT
• Emerging Technologies
– Control evaluation
– Incorporate CAIQ
• Lite for shorter assessments
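The mapping methodology above (forward mapping CCM to X, reverse mapping X to CCM, gap identification as Full/Partial/No, and gap analysis producing additional requirements or compensating controls), combined with the Shared Responsibility and S-P-I attributes from the purpose slide, worked through as an added Python example. This is not CSA code; the CCM-EX-* control IDs, the X-* external IDs and the mapping table are constructed placeholders, not real CCM or NIST entries.

```python
from dataclasses import dataclass
# Constructed sample data, not real CCM or NIST entries: the CCM-EX-* and X-*
# identifiers are placeholders chosen only to illustrate the methodology.

@dataclass(frozen=True)
class Control:
    cid: str
    owner: str         # "CSP", "customer" or "both" (Shared Responsibility Model)
    models: frozenset  # subset of {"SaaS", "PaaS", "IaaS"} (S-P-I model)

ALL = frozenset({"SaaS", "PaaS", "IaaS"})
CCM = [
    Control("CCM-EX-01", "both", ALL),                   # e.g. key management
    Control("CCM-EX-02", "CSP", frozenset({"IaaS"})),    # e.g. hypervisor hardening
    Control("CCM-EX-03", "customer", ALL),               # e.g. data classification
]
# Forward mapping (CCM -> X): CCM id -> {external id: "full" | "partial"}
FORWARD = {
    "CCM-EX-01": {"X-SC-12": "full"},
    "CCM-EX-02": {"X-SC-39": "partial"},
}

def reverse_mapping(forward):
    """Reverse mapping (X -> CCM): invert the forward table."""
    rev = {}
    for cid, targets in forward.items():
        for ext in targets:
            rev.setdefault(ext, set()).add(cid)
    return rev

def gap_identification(controls, forward):
    """Classify each CCM control as full / partial / no coverage by X."""
    result = {}
    for c in controls:
        cov = set(forward.get(c.cid, {}).values())
        result[c.cid] = "full" if "full" in cov else "partial" if "partial" in cov else "no"
    return result

def gap_analysis(controls, forward, model):
    """Per delivery model: 'no' -> additional requirement, 'partial' -> compensating control."""
    gaps = gap_identification(controls, forward)
    findings = []
    for c in controls:
        if model not in c.models:   # control does not apply to this delivery model
            continue
        if gaps[c.cid] == "no":
            findings.append((c.cid, c.owner, "additional requirement"))
        elif gaps[c.cid] == "partial":
            findings.append((c.cid, c.owner, "compensating control"))
    return findings
```

Each finding carries the control owner, so the output can be split into what the CSP must evidence and what the customer must implement under the Shared Responsibility Model.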


Thank You!

Contact CSA
Email: [email protected]
Twitter: @CloudSA, @YoTheShow
Site: www.cloudsecurityalliance.org
Download:
www.cloudsecurityalliance.org/download
