CSA Official Press Release

Published 09/15/2021

Cloud Security Alliance Releases New Guidelines Providing Insight Into Effectively Using Its Industry-Leading Security Assessment, Assurance Tools

Documents provide best practices in using and implementing the Cloud Controls Matrix and Security, Trust, Assurance and Risk (STAR) program

BELLEVUE, WA – SECtember – Sept. 15, 2021 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the publication of a new document, Implementation Guidelines for the Cloud Controls Matrix (CCM) v4. The implementation guidelines are a new addition to the CCM v4, CSA’s flagship cybersecurity framework for cloud computing, and were developed to support users in the proper application of CCM controls, while providing additional guidance and recommendations tailored to the control specifications for each of CCM v4’s 17 cloud security domains.

“Given the enterprise-specific nature of cloud infrastructure and architecture, CSA cannot provide detailed, prescriptive guidance pertinent to every organization and cloud service implementation or technology. That being said, the guidelines represent an ideal compendium to the CCM controls as they provide a greater level of detail regarding cloud security and privacy best practices. We are confident that the Implementation Guidelines represent a very useful tool for supporting cloud service providers and cloud customers in their adoption of the CCM requirements,” said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance.

The guidelines are available as both a spreadsheet and PDF: The former allows organizations to leverage the guidelines in conjunction with the full roster of CCM v4 components, while the PDF provides structured guidance on working through the CCM framework. It should be noted that the document is not meant to be a “how-to” manual for the CCM controls implementation. Given the nature of CCM controls, their operationalization will depend on numerous factors, largely the IT/service architecture, the type of technology used, risks faced, applicable regulations, and organizational policies, among others.

The CCM Implementation Guidelines are a collaborative product of the volunteer CCM Working Group and are based on shared cloud service provider and cloud service customer experiences in implementing and securing cloud services and using CCM controls. The working group’s insight covers myriad topics and queries, including how organizations can best:

  • implement controls for the first time
  • improve an existing implementation
  • answer a Consensus Assessment Initiative Questionnaire (CAIQ) question
  • better understand a customer’s security responsibilities
  • leverage CCM controls within a specific platform or architecture

CSA also released The Evolution of STAR: Introducing Continuous Auditing, which provides an overview of STAR Level 3, the most rigorous assurance tier in CSA’s Security, Trust, Assurance and Risk (STAR) program. STAR Level 3 allows certified service providers to demonstrate that critical security controls are being continuously monitored and validated, thereby providing customers with the ultimate level of transparency and assurance. It’s important, therefore, that enterprises understand the critical role this plays in third-party risk management. The white paper reviews implementation concepts and process design, demonstrating how continuous security control auditing and certification delivers best-in-class security transparency.

“When implemented properly, the CCM framework, the foundation of the STAR program, helps reduce cybersecurity risk by delivering best-in-class security. It’s critical therefore that those seeking STAR Level 3 certification understand and properly apply the CCM control set to their organization,” said John DiMaria, CSA Research Fellow, Assurance Investigatory Fellow, Cloud Security Alliance.

CSA is currently working with solution providers on a Proof of Concept (POC) to demonstrate how commercially available technology solutions can be leveraged to achieve STAR Level 3 certification. CSA invites additional organizations, both solution providers and customers, to join the POC and extend its scope of applicability. For more information or to volunteer, please contact us at [email protected].

Download the Implementation Guidelines for the Cloud Controls Matrix (CCM) v4 and The Evolution of STAR: Introducing Continuous Auditing now.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.