CCM Testimonial: The Advantages and Future of the Cloud Controls Matrix

The Cloud Controls Matrix (CCM) is composed of 197 control objectives that cover all key aspects of cloud technology. It can be used as a tool for the systematic assessment of cloud implementation and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores the CCM, STAR Registry, CSA best practices, research, and associated technologies and tools.

This blog is part of a series where we edit key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews Harry Lu, Co-Chair of the CSA Cloud Controls Matrix Working Group. They discuss the CCM, the advantages it brings to organizations, how it mitigates risk, and how it facilitates the reduction of complexity in a business.

Listen to the full podcast here.

Gaps in the Cloud Adoption Journey

John DiMaria: The Cloud Controls Matrix is the foundation of the CSA STAR program and a lot of associated programs, so it's a very important subject. Our guest today is Harry Lu, the Senior Manager of Cybersecurity, Privacy, and Forensics at PwC, and Harry is currently our co-chair of the Cloud Controls Matrix Working Group, who leads the effort to develop the Cloud Controls Matrix.

Harry brings a lot of perspective to cloud security from the professional services industry, has a lot of experience with industry leaders and clients, and has an incredible amount of insight into major gaps that companies have in their cloud adoption journey.

Just a quick note at the beginning that anything we talk about is Harry's personal opinion. So he's not representing PwC today.

Harry, you have a lot of insight into the major gaps across different verticals. What do you see out there? What are some of the unique challenges in information security you see across these verticals that people face day to day?

Harry Lu: There are several of them. I think one of the most unique ones is the fall of the traditional security parameter. In previous decades, organizations spent a lot of capital and investment to build their security parameters, but this has been changing for years. Most recently with the pandemic, with the increasing amount of digital transformation and adoption of cloud technologies, the fall of the parameters has accelerated. I see this as an opportunity to rethink security strategies and adopt next generation security technologies.

And I'm not saying that the traditional technologies are no longer relevant. I think it's a different way of thinking about it, especially with the other two key trends of more mobile users and a more integrated supply chain ecosystem. You are going to expect users to access different kinds of services and talk to different kinds of third parties from anywhere at any time. Many of the organizations that I work with are multinational organizations. So you just have to factor in a lot of these moving parts when you design your security infrastructure.

JD: That's a great point because, as you say, the traditional technology is there but we're getting more complex in what we do every day, and complexity really breeds some contempt there because the more complex a system you have, the more risk you have. So putting it together, I think the process with mapping the CCM to these 35+ different regulations and standards is to really reduce complexity by looking through one window rather than trying to look through many windows.

What Are Some Major Issues That Can Be Mitigated by Using the CCM?

JD: The CCM has grown into an incredible tool that has really taken off and helped organizations provide a way of looking at how their cloud providers compare. In your travels and experiences with the CCM, what are some of the highlights? What are some of the major issues that will be mitigated by implementing the CCM?

HL: If you look at it from a risk mitigation perspective, I think the biggest impact of CCM is to help develop a comprehensive framework that can provide standardization. You can think about two spectrums: on one spectrum, the larger organizations most likely have multiple cloud platforms in their environment. They consume different services and these platforms have different nuanced offerings. Approaching these platforms differently and building unique security standards becomes a very tedious effort and creates a lot of overhead. You want to have that standardization that your developers can follow. Then, if you think about using CCM as a framework for how you build out security capabilities, you can build referenceable architectures and implementations that are specific to all platforms. So I think that standardization is really helpful for larger organizations with multi-cloud strategy.

But on the other spectrum, if you think about smaller organizations, companies who are just getting into the space, that standardization also helps them due to their relatively lower maturity. I mean, it's not a great fit for these companies to consider a large framework like NIST because it will be overkill for them, and these frameworks are not developed specifically for cloud. More and more, we see startups and small organizations to be very much pure cloud or almost all cloud. So, having CCM to provide that foundational layer will be beneficial to them.

Improvements to the CCM With Version 4

JD: We just released the CCM v4, a major update which brought together a lot of people from the industry. What are some of the highlights and improvements over the previous version?

HL: I'll say three major things:

One is the domain structure changes. It's been quite a few years since v3, so there are quite a lot of domain structure changes needed, with new technologies and focus areas in cloud computing. A good example is that we’ve updated Mobile Security to a new domain called Universal Endpoint Security, because the definition of a mobile device is relatively narrow compared to what we have nowadays.

The second part is the usability of CCM. Previously, CCM, being a framework itself, came with a lot of good controls and control mappings. This time around for v4, on top of the controls themselves, we're adding two very important types of guidelines: One type is the implementation guidelines. These are specific to each control. So, the control will stay high-level and the implementation guideline will actually provide you the “how.” That will give a lot of practical advice to organizations that are adopting CCM. The other guidelines I'm very excited about are the auditing guidelines. These provide a lot of benefits to both internal and external auditors.

The last change is the merger of CAIQ and CCM, which has been discussed for a long time. I definitely recommend checking it out on the CSA website. Some of the things I mentioned, especially the implementation guideline and auditing guideline, were not released with the main CCM framework back in December, but they're just around the corner.

Why Should I Use the CCM?

JD: When people see the CCM, they're looking for something that's going to really add value to the organization. What do you normally tell someone when they ask you, "Why should I use CCM? What are the benefits over other things that are out there?"

HL: Other than risk mitigation and standardization, here are a couple other benefits: Number one is the flexibility that the CCM has. CCM emerged as a framework for the cloud service providers, but over the years, I think it has evolved to a point where it's been adopted by both sides of the house - the cloud consumers and the cloud providers. That by itself is a testimony of how flexible the framework is.

Secondly, the ability for it to be applied across the globe is a big thing. It's internationally applicable and recognized. This especially applies to multinational organizations that are looking to align their cloud security with regional requirements.

And the last benefit is the ability to evolve with the community. Like I mentioned, CCM is something that's continuously evolving and improving, so it's more nimble compared to some of the other frameworks that remain unchanged for a long period of time. Here at CSA, we have a large community of people that are always talking about the cutting edge technologies.

JD: Harry, thank you for coming on today and giving us some great insight. If anyone wants to contact us, you can get us at [email protected]. Go to the research section of the CSA website to view the CCM working group.

HL: Thanks a lot, John, for inviting me again. I'm happy to connect with anyone who’s interested.