Implementing CCM: Universal Endpoint Management Controls
Published 07/17/2026
The Cloud Controls Matrix (CCM) is a framework of controls that are essential for cloud computing security. Created by CSA, the CCM aligns with CSA best practices.
You can use CCM to assess and guide the security of any cloud service. CCM also provides guidance on which actors within the cloud supply chain should implement which controls. Both cloud service customers (CSCs) and cloud service providers (CSPs) use CCM in many ways.
CCM contains 197 controls structured into 17 domains that cover all key aspects of the cloud:
CCM Domains
Today we’re looking at implementing the 17th and final domain of CCM: Universal Endpoint Management (UEM). The UEM domain's 14 control specifications focus on mitigating risks associated with endpoints, including mobile devices. The primary concerns in this domain relate to user behavior and awareness of acceptable use policies for devices.
UEM Controls
Endpoint Devices Policy and Procedures
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all endpoints. Review and update the policies and procedures at least annually.
The CSP is responsible for communicating and implementing policies, standards, processes, and tooling for all endpoints.
Policies and procedures for both managed and unmanaged endpoints should include:
- A definition and scope of endpoints and the acceptable-use policy requirements for all endpoints
- A list of approved cloud services and applications
- Minimum OS requirements for endpoints to ensure compatibility with essential apps and security tools
- A maintained inventory of all endpoints connected to the organization's network
- Granular access control mechanisms to restrict endpoint access to authorized systems and resources
- A change management process for endpoint operating systems
- Whole-disk encryption on all endpoints
- Real-time anti-malware software deployment on all endpoints
- Software firewalls on all endpoints
- DLP technologies configured to monitor and control the movement of sensitive data from endpoints
- Remote geo-location capabilities enabled on mobile devices
- Remote wipe capabilities enabled on all endpoints
- Security requirements and responsibilities related to third-party endpoint access in contractual agreements and SLAs
- Requirements regarding privacy expectations for remote location identification, litigation, e-discovery, and legal holds
- An approval process for any changes or modifications to the policy and procedures
- A documented record of approvals
Application and Service Approval
Document a list of approved services, applications and stores for use by endpoints when accessing or storing organization data.
Implementation best practices include:
- For managed endpoints, universally enforce policies through one or more centralized configuration management tools
- Conduct a risk assessment to determine what information you can access or store using unmanaged endpoints
- Maintain approved sources (stores) for obtaining applications of only trusted vendor applications
- Prohibit the installation of apps from unauthorized sources, unless a business need exists after following the exceptions approval process
Compatibility
Define and implement a process for the validation of the endpoint device's compatibility with operating systems and applications.
The CSP is responsible for implementing a process for the validation of the endpoint device's compatibility with operating systems. The CSP should also implement a diagnostic tool that checks endpoint security features for noncompliance. It should also automate remedial activities before allowing endpoints to access corporate networks.
Endpoint Inventory
Maintain an inventory of all endpoints used to store and access company data.
The CSP is responsible for maintaining an accurate and up-to-date centralized inventory of all endpoints. The asset inventory should record the network address, hardware address, device name, asset owner, and department for each asset.
Endpoint Management
Implement procedures to enforce controls for all endpoints permitted to access systems and/or process organizational data.
Implementation best practices include:
- Enforce controls that manage endpoints permitted to access systems and/or store, transmit, or process organizational data
- For managed endpoints, enforce policies through one or more centralized configuration management tools
- Prohibit circumvention of vendor-supported and integrated (built-in) security controls on endpoints (e.g., jailbreaking or rooting
- For unmanaged endpoints, consider best practices for hardening endpoints
Automatic Lock Screen
Configure all relevant interactive-use endpoints to require an automatic lock screen.
Automatically trigger the lock screen when the endpoint device is idle for a specified period. The security lockout controls should automatically initiate after the endpoint remains idle from user interaction after a predefined time period. The user should then re-enter their credentials to gain access to the endpoint.
Operating Systems
Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes.
Include a formal patch management process to ensure that endpoint operating systems are up to date. Implement a change management process that ensures controlled and consistent changes.
Storage Encryption
Protect information from unauthorized disclosure on managed endpoint devices with storage encryption.
The CSP should document formal encryption policies based on the sensitivity of the data. In addition, the CSP should leverage technology to enforce various levels of encryption.
Anti-Malware Detection and Prevention
Configure managed endpoints with anti-malware detection and prevention technology and services.
Configurations should include installing and regularly updating anti-malware software, signatures, and virus definitions whenever updates are available. The CSP should periodically review installed software and system data content to identify and remove unauthorized code/software. Define procedures to respond to malicious code or unauthorized software identification.
Software Firewall
Configure managed endpoints with properly configured software firewalls.
Configurations should include installing and regularly updating firewall software and firewall rules (automatically) on all endpoints. The CSP should periodically review and scan the firewall rules to ensure unapproved rules do not exist.
Implementation best practices include):
- Ensure all endpoints have the currently active baseline ruleset
- Approve changes to baseline rules through a well-documented change management process
- Ensure new rules are properly approved through a well-documented change management process
- Check web traffic for malicious code
- Note anomalies that exceed normal traffic patterns, and take appropriate action to address them
Data Loss Prevention
Configure managed endpoints with Data Loss Prevention (DLP) technologies and rules in accordance with a risk assessment.
Implementation best practices include:
- Use a formal data classification standard that classifies data based on sensitivity for business, customers, clients, partners and regulatory obligations (refer to DSP domain)
- Maintain structured and unstructured data inventories
- Monitor for sensitive information to discover unauthorized attempts for disclosure across network boundaries, and block such transfers by alerting information security personnel
- Use defined Standard Operating Procedures (SOPs) to handle data leakage events
Remote Locate
Enable remote geo-location capabilities for all managed mobile endpoints.
The CSP and CSC are both responsible for remotely tracking lost or stolen endpoint devices.
Implementation best practices include:
- Maintain an inventory of the endpoint devices, whether provisioned or BYOD
- Configure geolocational tracking and GPS or network-based location services to identify the device's whereabouts
- Alert the response team if the endpoint goes off the tracking
Remote Wipe
Define, implement and evaluate processes, procedures and technical measures to enable the deletion of company data remotely on managed endpoint devices.
The CSP and CSC are both responsible for wiping lost or stolen endpoint devices.
Implementation best practices include:
- Maintain an inventory of the endpoint devices, whether provisioned or BYOD
- Configure geolocational tracking and GPS or network-based location services to identify the device's whereabouts
- Alert the response team if the endpoint goes off the tracking
- Turn on the remote wipe feature/ability, and make it so the user of the device is unable to turn it off
- Implement secure wipe processes to ensure thorough data removal without compromising device functionality
- Restrict remote wipe capabilities to authorized personnel to prevent unauthorized data deletion
Third-Party Endpoint Security Posture
Define, implement and evaluate procedures and/or contractual measures to maintain proper security of third-party endpoints with access to organizational assets.
The CSP and CSC are both responsible for ensuring security of third-party endpoints that have access to assets.
Implementation best practices include:
- Leverage cloud Identity and Access Management (IAM) tools to provision and manage access for third-party endpoints
- Implement network segmentation practices to isolate third-party endpoint traffic from sensitive internal resources
- Enforce the installation and configuration of endpoint security software (antivirus, endpoint detection and response) on all authorized third-party devices
- Ensure secure communication channels (e.g., VPN) for all data transfer between third-party endpoints and organizational assets
- Establish and maintain contracts between CSPs and third-parties
- Continuously monitor logs related to third-party endpoint access for suspicious activity
Shared Security Responsibility Model (SSRM)
Both CSPs and CSCs are typically independently responsible for implementing the UEM security controls. CSPs are primarily responsible for maintaining an inventory of all their endpoints. They must be able to approve services and applications that are acceptable. They have to implement security measures including automatic screen lock and data loss prevention technologies.
The CSCs are responsible for securely managing those devices. They must ensure they comply with the security policies of both themselves and the CSP. They must make sure to always protect their data.
Major Risks & Their Mitigating Controls
Lack of Comprehensive Endpoint Security Policies
Inconsistent policies and security controls may lead to weaknesses and potential entry errors. The mitigating control is Endpoint Devices Policy and Procedures. Establish robust endpoint device policies and procedures that ensure consistent device creation.
Installation of Applications from Unauthorized Sources
Without an approved list of services and applications, you risk the installation of unauthorized services. Two controls help mitigate this risk: Application and Service Approval & Endpoint Inventory.
Actually document a list of approved services and applications for endpoint use. A good idea is to use UEM tools to create an app store where users can download in-store and periodically update approved apps. This helps prevent unauthorized applications.
Lack of Visibility and Rogue Devices
All unauthorized endpoints pose a threat to cloud resources and workloads. And what are the controls that we have identified to mitigate these risks? The Compatibility & Endpoint Inventory controls help mitigate this risk.
Implement a diagnostic tool that checks endpoint security features for noncompliance. Automate remedial activity before allowing endpoints to access corporate networks. Use UEM tools to automatically enforce enrollment and provision for any unknown device that is trying to connect.
Data Leaks and Data Breach
Three controls help mitigate data incidents: Storage Encryption, Software Firewall, and Data Loss Prevention.
Utilize universal endpoint management tools to apply and enforce security policies and isolate corporate and personal data on endpoints. Also utilize industry-standard encryption algorithms and certify to relevant bodies. Implement firewall rules to limit traffic from endpoints to only trusted sources. Finally, implement a robust DLP technology to detect and prevent unauthorized filtration of sensitive data.
Malware
Once malware is present on endpoints or connected devices, it can move laterally across company networks. The Anti-Malware Detection and Prevention control helps mitigate this risk. Implement technical measures to restrict the installation of unauthorized software. Include restrictions on obtaining data and software from external sources.
Conclusion
Make sure that the responsibilities for the UEM controls are well-defined and documented between the CSP and CSC. Both must ensure that all endpoint devices fall within corporate policies and IT industry standards.
If your endpoints are not secure, then nothing can be secure. These controls must be well-designed and implemented effectively to ensure that corporate resources are secure.
You can find all the details and guidance discussed here, and much more, in the CCM Implementation Guidelines.
Zoom in on other CCM domains by reading the rest of the blogs in this series.
Unlock Cloud Security Insights
Subscribe to our newsletter for the latest expert trends and updates
Related Articles:
The Hidden Risks of the Agentic Enterprise: Bridging the AI Governance Gap
Published: 07/17/2026
CMMC Certification Deadlines are Coming Soon. Here’s What That Means for You
Published: 07/15/2026
AI Controls Matrix v1.1: Strengthening the Foundation for Trustworthy AI
Published: 07/14/2026
The Role of CSA STAR in Vendor Security Assessments
Published: 07/13/2026

.png)
.png)



.jpeg)
.jpeg)

