Reviewing the new CSA Cloud Control Matrix
Having covered the Cloud Security Alliance (CSA) while at Gartner, I’ve kept track of their work on cloud security assessment criteria ever since. This week I got a request from Kari Walker and Jack Luciano to review their new Cloud Control Matrix (CCM) Version 3.0, which has gone through the following important changes:
- 5 new control domains to address new ways cloud data is accessed
- Improved clarity and cohesiveness of control domains – Mobile Security, Supply Change Management, Transparency and Accountability and finally Interoperability and Portability
- Alignment with Security Guidance for Critical Areas of Cloud Computing V.3
- New Control ID naming convention (three letter acronyms vs. two in the previous versions)
- 139 controls vs the previous 98
- A total of 16 control domains vs the 11 in the previous versions
The CCM and accompanying documents in the CSA’s Governance, Risk and Compliance (GRC) stsack are important tools that for communication of customer security requirements, cloud service provider (CSP) assurance characteristics and the audit process. I’m hoping to get involved in the CSA’s SMB working group as well at some point.
Gartner for Technical Professionals (GTP) customers can still access my document, “Determining Criteria for Cloud Security Assessment: It’s More than a Checklist.”
Have you used the original CCM, or seen the new version? Please share your comments below.