What Are Cloud Controls?
Published 03/19/2022
There are many risks associated with cloud computing. Therefore, it’s critical to understand cloud security before attempting to migrate your organization to the cloud.
Cloud controls are safeguards or countermeasures that help organizations manage risk in the cloud. Cloud controls can be policies, procedures, guidelines, practices, or organizational structures that prevent misconfigurations, vulnerabilities, attacks, and more. They can be of an administrative, technical, management, or legal nature.
The Cloud Controls Matrix
CSA’s Cloud Controls Matrix (CCM) is a framework of cloud controls. It’s a spreadsheet that lists 16 domains covering all key aspects of cloud technology, each domain broken down into control objectives, 133 in total. By allowing you to see all the common cloud standards in one place, the CCM reduces the need to use multiple frameworks and simplifies cloud security.
For example, the CCM Business Continuity Management and Operational Resilience (BCR) Domain includes these controls:
| Control Title | Control ID | Specification |
|---|---|---|
| Business Continuity Management Policy and Procedures | BCR-01 | Establish, evaluate, and maintain business continuity management and operational policies. |
| Risk Assessment and Impact Analysis | BCR-02 | Determine the impact of business disruptions and risks. |
| Business Continuity Strategy | BCR-03 | Establish strategies to reduce the impact of business disruptions. |
| Business Continuity Planning | BCR-04 | Maintain a business continuity plan based on operational resilience strategies. |
| Documentation | BCR-05 | Acquire documentation relevant to support business continuity. |
| Business Continuity Exercises | BCR-06 | Exercise business continuity and operational resilience plans annually. |
| Communication | BCR-07 | Establish communication with stakeholders and participants. |
| Backup | BCR-08 | Periodically back up data stored in the cloud. |
| Disaster Response Plan | BCR-09 | Maintain a disaster response plan to recover from natural and man-made disasters. |
| Response Plan Exercise | BCR-10 | Exercise the disaster response plan annually or upon significant changes. |
| Equipment Redundancy | BCR-11 | Supplement business-critical equipment with redundant equipment. |
The CCM also indicates who is responsible for fulfilling each control (the cloud service provider or the cloud customer) and which cloud model types (IaaS, PaaS, SaaS) and cloud environments (public, hybrid, private) the control applies to. This clarifies the division of roles and responsibilities between a cloud service provider and its customer.