How CSA Research Uses the Cloud Controls Matrix to Address Diverse Security Challenges

CSA extensively leverages the Cloud Controls Matrix (CCM) to enhance security practices across various domains of cloud research. The CCM is a comprehensive cloud security framework consisting of 197 security control objectives. The main purpose of the framework is to help organizations address the unique challenges of cloud computing. However, the CCM also acts as a foundational tool for other CSA research initiatives.

In this blog, learn directly from our research team how they use the CCM in various cybersecurity research projects. Discover CSA's innovative work with enterprise architectures, AI security controls, quantum-safe security, and cloud threats.

Enterprise Architecture Working Group

The Enterprise Architecture (EA) is a framework that can help bridge the cloud security gap within any business. We built out the EA as an actual “architecture,” composed of the top industry standard frameworks used today. This includes TOGAF, ITIL, SABSA, and Jericho.

Using these frameworks, the EA addresses all business-critical areas and their relationship to cloud. Imagine human resources, legal, compliance, business operations, et cetera. From these four domains exist subdomains that allow the user to dig deeper. This allows them to ensure coverage and perform a gap analysis against their own current technical stacks.

We mapped each corresponding domain and subdomain to every CCM control. This establishes full coverage of responsibility and security controls that can help improve management over each cloud-specific area. The beauty of this mapping is that it allows businesses of all sizes to leverage CCM controls across a much broader plane of business.

- Sean Heide, Research Technical Director, CSA

AI Controls Working Group

The AI Controls Working Group is leveraging the CCM to create an AI Controls Matrix. This matrix will address the unique security challenges posed by AI systems.

The group benefits from the CCM's comprehensive mapping of cloud-specific security controls. These controls map to widely accepted standards like ISO/IEC 27001 and GDPR to provide a robust, standardized starting point. The group can then identify security gaps that are uniquely relevant to AI.

The goal is to tailor these controls to focus on key AI-specific concerns. Such concerns include model integrity, data provenance, bias mitigation, and system transparency. While tailoring these controls, we also want to retain the rigorous security posture that the CCM establishes.

The value of using the CCM lies in its established credibility and comprehensive structure. Leveraging the CCM ensures that the AI Controls Matrix benefits from a broad and mature control set, reducing the need to build from scratch. It also allows the framework to remain compatible with existing regulatory frameworks and security standards. This alignment ensures that the AI-specific controls will seamlessly integrate with existing governance, risk, and compliance efforts.

- Marina Bregkou, Senior Research Analyst, CSA

Quantum-Safe Security (QSS) Working Group

The QSS Working Group is using the CCM to educate organizations on the growing risks posed by quantum technologies. We are particularly focused on cryptographically relevant quantum computers (CRQCs) and quantum key distribution (QKD).

As quantum computing evolves, traditional encryption methods are becoming increasingly vulnerable. We've pinpointed specific controls within the CCM that help identify valuable data at risk from quantum advancements. The controls also guide organizations in developing effective mitigation strategies.

In tandem with this, NIST has standardized post-quantum cryptography (PQC) with FIPS 203, 204, and 205. These standards provide a clear framework for securing data against future quantum attacks. Our approach aligns key CCM controls with these new standards. This ensures that encryption protocols remain resilient in a post-quantum world.

By emphasizing cryptographic protection, secure key management, and robust encryption algorithms, organizations can better safeguard their cloud environments as quantum technology continues to advance.

- Hillary Baron, Senior Research Technical Director, CSA

Top Threats Working Group

The Top Threats to Cloud Computing is a staple research product at CSA. This document identifies key areas that impact businesses taken from the real-world experience of industry experts. Ordered on a weighted scale, we rank the Top Threats from the viewpoint of most notable to least. The most common threats include IAM threats, misconfiguration and change management issues, insecure third-party resources, and system vulnerabilities.

However, it is not enough to just state what the top concerns are. To truly help the enterprise space, there needs to be mitigative, preventive, and corrective controls. We need to establish protection boundaries and eliminate the potential of negative actions taking place.

So, we add the CCM categories to each Top Threat as a kind of “micro-mapping” of how to setup controls. The idea is to explain how to reduce the impact and blast radius if an attack were to occur. It also helps organizations consider other areas of business that could be impacted. This ensures there is internal coverage to help establish controls over time.

- Sean Heide, Research Technical Director, CSA

Conclusion

Together, the CCM and CSA Research ensure that organizations have access to a standardized and robust suite of guidance. Whether through guiding security for enterprises, AI, or quantum, the CCM offers comprehensive coverage and actionable insights. By leveraging these controls, businesses of all sizes can stay resilient in an ever-evolving cloud landscape.

Learn more about how your organization can use the CCM.