The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar to the next level
Written by: Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance and Lefteris Skoutaris, CCM Program Manager, Cloud Security Alliance
Over the course of the decade since its first appearance in 2010, the Cloud Controls Matrix (CCM) has become a reference for any organization seeking to define and improve its cloud security and compliance posture. CCM is by now a de facto standard in the cloud market and constitutes the very foundation of CSA’s STAR Program.
Now, in 2021, after a lengthy development period, CSA has released the initial version 4 of the CCM.
The upgrade from CCM v3.0.1 to v4 was imperative given the evolution of the cloud security landscape, from both a technical and a legal and regulatory standpoint. Organizations also needed a way to make the implementation of security and privacy controls more efficient and to streamline compliance.
Since CCM V3.0.1 was initially released six years ago, the cloud market has substantially evolved and matured.
Cloud native approaches have gone from being the exception to being the rule; multi-cloud, DevOps, microservices and micro-segmentation, serverless, and automation are the new norm. GDPR, LGPD, CCPA, and other privacy regulations, together with the recent rulings of the European Court of Justice, have redesigned the rules of compliance in the cloud. One of the few things that does not appear to have changed significantly is the bad habits of cloud customers, stemming from a poor understanding of the cloud security shared responsibility model and of the difference between cloud security responsibility and accountability (the operation of a control can be delegated to the provider; accountability for its outcome cannot). Both of these were important drivers for the creation of CCM v4.
CCM v4 is meant to provide the community with the best vendor-neutral security and privacy control framework.
CSA’s main goal was to create a new reference in the cloud security market. We wanted to offer the community the best vendor-agnostic security and privacy control framework on the market. We built on the experience and the feedback collected from the tens of thousands of CCM users and created a better standard: a framework that is easier to implement and audit and that offers the much needed level of assurance for every category of cloud customer, from small and medium companies to large enterprises in highly regulated business sectors.
The objectives that drove CCM v4 development were:
- Ensure coverage of requirements deriving from new cloud technologies (e.g., microservices, containers) and from new legal and regulatory requirements, especially in the privacy realm.
- Improve the auditability of the controls and provide better implementation and assessment guidance to organizations.
- Clarify the allocation of cloud security responsibilities within the shared responsibility model.
- Improve interoperability and compatibility with other standards.
Changes in CCM v4
The new version 4 of the CCM includes a number of changes, summarized below alongside the various complementary components that are currently under development and will be released during the course of 2021.
CCM v4.0 includes new controls, so as to better reflect the changes and evolution described above. It comprises 17 domains, compared to 16 in v3.0.1, and about 50% more control specifications, from 133 to 197 controls.
The V4 controls will eventually be accompanied by mappings with the following standards:
- ISO/IEC 27001:2013
- ISO/IEC 27017:2015
- ISO/IEC 27018:2019
- AICPA TSC v2017
- CCM V3.0.1
Besides the set of core controls, CCM V4 will eventually include the following additional components:
CCM Implementation Guidelines: guidance to support the implementation of CCM controls. Expected to be released at the beginning of Q2 2021 (tentative date April).
CAIQ: the new CCM questionnaire. Expected to be released at the beginning of Q2 2021 (tentative date April).
Control Applicability Matrix: supporting material for defining the attribution of responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs). Expected to be released in Q2 2021 (tentative date April).
Organizational Relevance: supporting material for defining the organizational relevance of each control, based on the work done by the CSA Enterprise Architecture Working Group. Expected to be released in Q2 2021 (tentative date April).
CCM Auditing Guidelines: guidance to support the auditing and assessment of CCM controls. Expected to be released at the beginning of Q3 2021 (tentative date July).
CCM Lite: a lightweight version of CCM, including the subset of CCM controls that represent the CCM foundational controls, i.e., those that any organization should implement ‘no matter what’. Expected to be released at the beginning of Q4 2021 (tentative date October).
In addition to the above, CSA will be working over the course of 2021 to translate the CCM into other languages and to provide additional mappings to relevant standards, best practices, laws and regulations. In our current pipeline, priority will be given, in no particular order, to: NIST SP 800-53 Rev. 5, ENISA Security Controls for Cloud Services, CIS Controls, and PCI DSS.
CCM v4 is just the beginning.
With all that being said, we are conscious that CCM v4 is not the conclusion of our work, but rather the beginning of a journey towards excellence. We want to work with the community and provide the best possible solution for cloud security and privacy assurance and compliance.
Should you be interested in knowing more, or in participating in and contributing to the CCM v4 and working group activities, please join us here: https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix.
Join the CCM v4 User Group
CSA is looking for feedback on version 4 of the CCM. If you would like to help provide feedback, please join our community on Circle. (You will need to create an account on Circle to join this community.)