What is the CSA Cloud Controls Matrix and Why Should Everyone on the Cloud Care?
This blog was originally published by Pivot Point Security here.
If you’re not on the cloud you must be very afraid of heights. With nearly 100% of businesses now using cloud services, how are cloud service providers (CSPs) proving to customers and other stakeholders that they are secure?
To talk about how CSPs are revamping and representing their security postures today, a recent episode of The Virtual CISO Podcast features John DiMaria, Assurance Investigatory Fellow and Research Fellow at Cloud Security Alliance (CSA). His longtime friend John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Maps to over 20 other regulations and standards
At the heart of CSA’s efforts is its CSA STARS (for security, trust, assurance and risk) program and public assessment registry. At the heart of CSA Stars is CSA’s Cloud Controls Matrix (CCM), which was first released in 2010.
Recognizing that some orgs need to manage compliance with 10, 15 or even more security regulations and standards, the new Cloud Controls Matrix V4 maps to over 20 guidance sources and counting (e.g., the ISO 27017:2015 cloud services “code of practice”).
“My whole premise even before CSA has always been this ‘implement once, comply many’ approach to information security,” relates John D.
Bringing it all together for stakeholders
Aligning from the opposite direction, other industry organizations are adopting the Cloud Controls Matrix as their security framework.
In particular, the Center for Internet Security (CIS) has adopted the Cloud Controls Matrix V4 for its cloud-specific security requirements. The Cyber Risk Institute (CRI) serving the financial sector also recently adopted the CCM.
“It’s all about understanding that, hey, I don’t need to do things ten times,” explains John D. “I can do it once, act on the deltas and then comply with everything rather than redoing. There’s a lot of redundancy that you can reduce by using a framework like this that brings it all together for you.”
Achieving CSA STAR compliance
Perhaps the greatest value for cloud providers and users in CSA STAR is its rigorous third-party attestation option at Level 2. The Level 2 starting point is an ISO 27001 certification or SOC 2 report.
For ISO 27001 certified firms, a CSA STAR certification is effectively an extension to your ISO 27001 information security management system (ISMS) certification. For SOC 2 aligned businesses, CSA STAR is an attestation developed in partnership with AICPA that leverages Trust Service Criteria combined with the Cloud Controls Matrix.
“You can call it integrated or combined audits; it’s just different nomenclature,” John D clarifies. “But it’s filtering that into your statement of applicability, for instance—either embellishing upon the controls you have or adding a new control that you don’t have. It’s just a balance sheet based upon your current controls that you run through your statement of applicability. You’re justifying things that aren’t applicable and then that’s audited by your auditor the same way they would audit in ISO 27001.”
As John V points out, achieving CSA STAR Level 2 isn’t that different from aligning with ISO 27017: “It’s a list of controls, but it isn’t a bolt-on. Some of those controls are relatively new. But many of those controls are just additional guidance for existing controls. Many CCM controls exist at some level already within the ISO 27002 framework. What you’re doing is giving what I would say is better and more prescriptive guidance for some of those controls that are specific to cloud use.”
Plus you get the mappings you need for either ISO 27001 or SOC 2 cross-references right out of the box.
To listen to the complete episode with John DiMaria from Cloud Security Alliance, click here.
Did you know the CSA is also into IoT? Here’s a quick post on their IoT framework: CSA’s New IoT Security Controls Framework—How it Came About and Why it’s so Effective
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.