A Useful Overview of the Cloud Controls Matrix

The Cloud Controls Matrix by Cloud Security Alliance (CSA) has always been the go-to standard when it comes to securing the cloud environment. The matrix itself is developed alongside industry players, cloud service providers, governments, and enterprises, making it the most comprehensive security standard on the market.The latest update, the Cloud Controls Matrix 3.0.1, includes additions based on the security challenges of today. The matrix is designed to be a list of best practices and must-follow approaches, so it is easy to implement even when you have no specific expertise in cloud security. On top of that, the matrix is available for free.

Understanding the Framework

Cloud Controls Matrix or CCM, in short, covers three main focus areas: cloud architecture, governing in the cloud, and operating in the cloud. There are more than 100 controls and guidelines to follow in the matrix, but they are further divided into 16 categories based on specific areas and requirements.As mentioned before, the matrix is designed to be easy to follow. It is a checklist that you can go through from start to finish in order to establish a secure cloud environment for different usages. The challenge isn’t following the matrix, but rather configuring the environment and external factors to comply with these standards.You can download the latest version directly from CSA. Before you start following the matrix, however, we are going to discuss the specific areas it covers to make the matrix easier to implement.

1. Application & Interface Security (AIS)

The first part of the matrix covers application and interface security or AIS. It governs a number of things related to AIS itself, including:

• Application security, where you need to design, develop, and deploy the app and APIs in alignment with industry standards. In the case of web applications, for example, OWASP is the standard to follow.
• Customer access requirements, a part of the application routine that needs to be placed before customers can gain access to data, assets, and other elements of the app itself.
• Data integrity, which needs to be maintained through reconciliation and multiple checks to avoid errors, corruption, and other security risks.
• Data security, which involves putting security policies in place to prevent issues such as disclosure and data destruction.

2. Audit Assurance & Compliance (AAC)

Audit assurance and compliance or AAC starts with audit planning and ends with gaining a better understanding of a control framework based on standards and regulations. This part of the matrix includes:

• Audit planning, where you develop ways to review the effectiveness of your security plans and measures. A plan needs to be established and agreed upon before further reviews can be conducted.
• Independent audits, the process during which reviews and assessments are completed. The CCM 3.0.1 recommends an audit to be conducted at least once a year.
• Information system regulatory mapping, which involves aligning processes and creating a control framework that goes hand in hand with legal and other industry standards to follow.

3. Business Continuity Management & Operational Resilience

A good security framework must guarantee reliability and good continuity, which is why the CCM 3.0.1 also includes business continuity management and operational resilience (BCS) control domains. This part includes:

• Business continuity planning, where you define the purpose and scope of the business, parties that will use the solutions running in the cloud, person-in-charge for specific operations, and even recovery procedures.
• Business continuity testing, which is a way to test the security response plans against other factors, including external business factors that need to be considered.
• Environmental conditions, where you take into account the datacenter utilities and environmental conditions. Factors such as the power supply and internet connectivity must be taken into account as you prepare for better business continuity.
• Equipment maintenance, a part of the process where maintenance policies and routines are added and implemented.

There are other control domains in this section too, including adding documentation and checking for potential power failures. It is a detailed matrix that results in your business being more resilient to cloud-related disruptions.

4. Change Control & Configuration Management

The name of this control domain category says it all. This is where you formulate how to best handle changes, the acquisition of new data or applications, and the addition of new data centers, and infrastructure. The process includes:

• New development or acquisition, where you add policies and procedures for handling new elements being added to the business. Those new elements can be anything from data to a whole new cluster of servers.
• Outsourced development, which is meant to help your business partners follow the same security standards and best practices.
• Quality testing, a control domain that is also designed to help your business test various solutions, including ITIL service management, using standardized testing methods and baselines.
• Production changes, which deals with things such as business-critical implementations and migrating to a new infrastructure or solution.

The category also deals with problems such as unauthorized software installs. It explains how to best mitigate those risks and put in place policies to prevent them from causing severe issues in the future.

5. Data Security & Information Lifecycle Management

Data security and information lifecycle management (DSI) are one of the most detailed categories in the matrix. It deals with data-related issues down to the very last details, including how to best manage data inventory and flow. Some of the points you have to pay attention to are:

• E-commerce transactions, which explains how transactional data needs to be classified and processed to prevent contract dispute.
• Ownership & stewardship, a process of defining responsibilities and documenting how data is handling along the system.
• Secure disposal, another important part of cloud security. Putting in place disposal policies can help prevent unnecessary data leaks and other common issues.

6. Datacenter Security

Datacenter security (DCS) deals primarily with the physical security of your servers and datacenters. It talks about asset management and controlling physical access to the servers. Among the control domains you need to follow are:

• Equipment identification, which involves using location-aware technologies and other measures to validate the integrity of the data center itself, all while preventing unauthorized equipment from being plugged in.
• Off-site equipment, which also handles the creation of policies and procedures related to the use of equipment outside of the business’s location.
• Authorization, where physical access to the servers and other supporting equipment is controlled and logged in a meticulous way for maximum security.

Datacenter security also deals with user access and how you can handle unauthorized access to the datacenter.

7. Encryption & Key Management

Encryption is a big part of cloud security, and the control domains in encryption and key management (EKM) category help you set up the right encryption environment for maximum impact. It deals with things such as:

• Entitlement, which forces each key to have a clear owner and obliges you to have clear key management policies in place.
• Key generation, which – as you may have guessed – includes policies and procedures related to how encryption keys (and the identities behind them) are created.
• Sensitive data protection, which also involves establishing policies on how business-critical data needs to be handled and encrypted, including how data transmissions need to be set up for maximum protection.
• Storage and access, where the security requirements for storing keys and identities are defined and implemented as policies. There is always a standard requirement to follow depending on the industry you are in.

8. Governance & Risk Management

We’ve talked about baseline security requirements before. In many cases, the security requirements are not only based on the business’s internal policies, but also on external factors such as regulations and legal requirements. This is where governance and risk management (GRM) is in play, especially with control domains like:

• Data focus risk assessments, a process where data governance requirements and the risks you face as a business are identified and mitigated, all while remaining in compliance with other requirements.
• Management oversight, which includes the development of an Information Security Management Program or ISMP. The program usually includes risk management, access control, asset management, and other elements as needed by the business.
• Support and involvement, a way to get management and other stakeholders more involved in information security. More importantly, that involvement needs to be in a formal form and followed by a commitment.
• Policy enforcement, designed to further secure your cloud environment through disciplinary action and sanctions against employees who violate the security procedures.

Other parts of this category, including the policy impact on risk assessment and regular review of the security policies, are just as important.

9. Human Resources

Information security policies are only effective when implemented by those who are engaged and involved in the process. That is why CCM 3.0.1 also includes a category of control domains that govern human resources (HRS). Some of the aspects the category touches on are:

• Employee termination, which defines how to handle termination and tasks related to it, including documentation and communication.
• Mobile device management, another important control domain in today’s BYOD environment. Despite using mobile devices, security policies need to remain a priority when business-related information and server resources are accessed.
• Roles and responsibilities, where specific roles of contractors, employees, and other types of users are defined, along with the responsibilities and limitations that come with those roles.
• Training and awareness, which dictates how to best maintain a high level of security awareness through training programs for all roles.

10. Identity & Access Management

Access management is always a big part of cloud security, and it is equally prominent in the CCM. The Identity and access management (IAM) category contains 13 control domains, including:

• Credential lifecycle and provision management, where user access policies and procedures are designed to provide the most flexibility while maintaining a high level of security at the same time.
• Segregation of duties, which further restricts users and roles from accessing the system as a whole. Instead, users can only access data and resources that are assigned to them based on their roles and responsibilities.
• Source code access restriction, where you prevent access from the source code of internally-developed apps and solutions.
• Third-party access, a critical function that limits access by third-party contractors while maintaining a detailed activity log for future review.

The category also defines things such as access reviews, revocation, and authorization in different situations.

11. Infrastructure & Virtualization Security

Many cloud environments are set up as virtual environments, which is why a sufficient infrastructure and virtualization security (IVS) is needed. In the CCM, the category covers control domains such as:

• Intrusion detection and logging, which makes it easy to comply with legal requirements about user accountability and access management. The audit logging needs to follow strict rules so that you always have the ability to do an investigation in the event of a security breach.
• Change detection, which casts a wider net than intrusion detection and monitors the entire cloud environment for changes. Similar to the previous control domain, meticulous logging is also needed.
• Vulnerability management, including the use of assessment tools to discover new and potential vulnerabilities and ways to manage them.
• OS hardening and base controls, further limiting the number of ports and protocols to the essential, business-critical ones only. This is done in order to further limit the risks of a security breach.

The category also deals with VM security and hypervisor hardening, both of which make your cloud environment more secure than ever.

12. Interoperability & Portability

Interoperability and portability (IPY) deal primarily with the use of APIs and the communications between services. In this category, you see control domains such as:

• APIs as a way to ensure interoperability between components of the system.
• Data requests and how they need to be handled in standard formats.
• Policy and legal, which includes procedures and policies about service-to-service applications as well as the customers’ use of the system itself.

Aside from these three major points, the category also covers how you can maximize portability by using a standard virtualization format, and how to best establish your network protocols.

13. Mobile Security

In a world where mobile devices are widely used, having clear and effective mobile security policies is a must. The CCM’s mobile security (MOS) category includes:

• Anti-malware, a combination of solutions and awareness training in this subject to be exact.
• Application stores, which further defines the acceptable sources of apps for mobile devices.
• Approved applications, both for the business-provided devices and BYOD mobile devices.
• Cloud-based services, requiring each service used by the company’s mobile devices to be tested and pre-approved according to the standards we discussed earlier.

Aside from these basic requirements, the CCM also covers things such as jailbreaking and rooting – which are strictly prohibited – and mobile device management. The matrix even goes into details about password best practices and how to handle the remote wipe of mobile devices.

14. Security Incident Management, E-Discovery, & Cloud Forensics

Prevention is the best policy when it comes to cloud security, but there are times when you have to deal with the aftermath of a security breach. The control domains included in this SEF category helps you deal with incidents. They are:

• Contact and authority maintenance, adding a liaison with local law enforcement and other authorities. Your business and its cloud infrastructure must also be ready for a forensic investigation in the event of a security breach.
• Incident management, which deals more with the internal side of things. It sets up procedures to help support business processes while dealing with security breaches and other related incidents.
• Incident reporting, which details how to prepare sufficient reports and how to make sure that all parties involved know their responsibilities.
• Incident response legal preparation, including policies on how to handle forensic evidence, the chain of custody, and how to best handle the investigation into an incident.

15. Supply Chain Management, Transparency, & Accountability

The supply chain management (STA) part of CCM is both straightforward and complex at the same time. It is straightforward because the tasks you need to complete – and the standards you need to follow – are laid out clearly. At the same time, meeting those standards is not always easy.Among the control domains you need to follow are:

• Data quality and integrity, which involves working with the cloud supply-chain partners in ensuring maximum data quality. The process may include fixing data quality errors and mitigating risks along the way.
• Incident reporting, which adds details on how incidents must be reported, and how those reports need to be stored and distributed.
• Supply-chain agreements, which dictates how documents like SLAs must incorporate certain elements for maximum security. These documents need to include details like the scope of the relationship, information security requirements, and timely notifications of a security incident.
• Supply-chain metrics, where further details are added to the supply-chain policies. These details help with the consistent review of SLAs and other documents related to working with third-party service providers.

16. Threat & Vulnerability Management

The last piece of the puzzle is threat and vulnerability management or TVM. The category has three major control domains, which are:

• Anti-virus and anti-malicious software, which includes setting up policies and procedures that prevent the execution of malware and other similar security threats.
• Vulnerability and patch management, which incorporates a risk-based model for identifying potential security risks and prioritizing the development of patches and solutions for them.
• Mobile code, a control domain designed to address the growing need for better end-to-end security measures and communications between connected devices.

The CCM may be a long matrix to follow, but it will fortify your cloud environment. It even touches on things that will help your business become more secure, resilient, and better at managing operational (IT-related) risks.If you haven't quite had enough of security policies, don't miss a great read in our article on Security Challenges with IaC and How to Overcome Them. Ibexlabs is an experienced DevOps & Managed Services provider and an AWS consulting partner. Our AWS Certified DevOps consultancy team evaluates your infrastructure and make recommendations based on your individual business or personal requirements. Contact us today and set up a free consultation to discuss a custom-built solution tailored just for you.