The genesis of the The Cloud Security Alliance (CSA) began at the 2008 Information Systems Security Association (ISSA) Chief Information Security Officer (CISO) Forum in Las Vegas. The CSA was incorporated as a non-profit organization in 2009. The initial mission and strategy of the CSA was outlined by Jim Reavis and Nils Puhlman. They reached out to information security community and asked for help to formalize their plan. As a result, dozens of volunteers stepped forward to create the initial work product which was a white paper presented at the 2009 RSA conference. The CSA’s mission is: To promote the use of best practices for providing security assurance with Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.
In 2010, the CSA published the first version of the Cloud Controls Matrix (CCM). The CCM is the only meta-framework of cloud specific security controls. One of the important aspects of the CCM is that it maps the CSA’s controls to all of the leading standards and regulations. The CCM maps the CSA’s cloud security controls to these standards: AICPA, BITS Shared Assessments, BSI Germany, PIPEDA Canada, CIS AWS Foundation, COBIT, COPPA, ENISA IAF, 95/46/EC EU Data Protection Directive, FedRAMP, FERPA, GAPP, HIPAA/HITECH Act, HITRUST CSF, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, ISO/IEC 27018, Mexico Federal Law, NERC CIP, NIST SP800-53, NZISM, ODCA UM: PA, PCI DSS, IEC 62443-3-3, C5.
As industry migrated computing services to the cloud, the CCM evolved to keep pace. In November of 2018 the CSA published Version 3.0.01 of the CCM was published in November of 2018. This version identifies 132 controls in 16 domains:
Application & Interface Security (4 controls)
Audit Assurance & Compliance (3 controls)
Business Continuity Management & Operational Resilience (11 controls)
Change Control & Configuration Management (5 controls)
Data Security & Information Lifecycle Management (7 controls)
Supply Chain Management, Transparency, and Accountability (9 controls)
Threat and Vulnerability Management (3 controls)
The foundations of the CCM lie in the customized relationship to other industry-accepted security standards, regulations and controls frameworks. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud. (1)
Access to the cross-framework mapping provides security professionals with a valuable tool to guide their infrastructure migrations to the cloud. For example, using the CCM, healthcare professionals looking to validate the security of their HIPAA data in a cloud environment can easily see that the HIPAA/HITECH act regulation 45 CFR 164.312(e)(2)(i) maps to CCM Control AIS-01, Application & Interface Security. For healthcare organizations that use the HITRUST Cloud Security Framework to audit their environments, HITRUST controls 10.b, 10.c and 10.e map to the same CCM control, AIS-01. This cross-framework mapping function provides auditors working with industry specific frameworks a clear guide for use in evaluating the effectiveness of the security controls used to protect information assets in a cloud environment. Use of the Cloud Security Alliance’s Cloud Controls Matrix by internal and external audit teams reduces the effort required to verify compliance and eliminates the need to update existing industry specific frameworks to add cloud specific controls.
Baird Brueseke has 25-plus years of experience leading companies and designing solutions to solve customer problems. He co-founded Wheb Systems which grew from a two-person start up to become Captiva Software; a public company purchased by EMC. After Captiva, Baird’s interests turned to Education and Cybersecurity. He created a cloud-based portal, CLaaS – Computer Lab as a Service - which provides academic institutions the ability to deliver a hands-on computer science laboratory experience to distance learners.