
What Are Cloud Controls?

Published 03/19/2022

Written by Nicole Krenz, Web Marketing Specialist, CSA.


There are many risks associated with cloud computing. Therefore, it’s critical to understand cloud security before attempting to migrate your organization to the cloud.

Cloud controls are safeguards or countermeasures that help organizations manage risk in the cloud. Cloud controls can be policies, procedures, guidelines, practices, or organizational structures that prevent misconfigurations, vulnerabilities, attacks, and more. They can be of an administrative, technical, management, or legal nature.

The Cloud Controls Matrix

CSA’s Cloud Controls Matrix (CCM) is a framework of cloud controls. It’s a spreadsheet that lists 16 topics covering all key aspects of cloud technology, with each topic broken down into control objectives (133 in total). By allowing you to see all the common cloud standards in one place, the CCM reduces the need to use multiple frameworks and simplifies cloud security.

For example, the CCM Business Continuity Management and Operational Resilience (BCR) Domain includes these controls:

Control Title | Control ID | Specification
Business Continuity Management Policy and Procedures | BCR-01 | Establish, evaluate, and maintain business continuity management and operational policies.
Risk Assessment and Impact Analysis | BCR-02 | Determine the impact of business disruptions and risks.
Business Continuity Strategy | BCR-03 | Establish strategies to reduce the impact of business disruptions.
Business Continuity Planning | BCR-04 | Maintain a business continuity plan based on operational resilience strategies.
Documentation | BCR-05 | Acquire documentation relevant to support business continuity.
Business Continuity Exercises | BCR-06 | Exercise business continuity and operational resilience plans annually.
Communication | BCR-07 | Establish communication with stakeholders and participants.
Backup | BCR-08 | Periodically back up data stored in the cloud.
Disaster Response Plan | BCR-09 | Maintain a disaster response plan to recover from natural and man-made disasters.
Response Plan Exercise | BCR-10 | Exercise the disaster response plan annually or upon significant changes.
Equipment Redundancy | BCR-11 | Supplement business-critical equipment with redundant equipment.

The CCM also provides guidance on who should fulfill each control (the cloud service provider or the cloud customer) and on which cloud model type (IaaS, PaaS, SaaS) or cloud environment (public, hybrid, private) the control applies to. This clarifies the roles and responsibilities between a cloud service provider and a cloud customer. Learn more about the CCM in this blog.
