The Cloud Security Alliance (CSA) has released version 3 of its security controls mapping. The Cloud Controls Matrix (CCM) Version 3.0 has been long awaited, and includes a number of important changes to how cloud security controls are organized and mapped to other frameworks.
Version 3.0 of the Cloud Controls Matrix includes:
- Five new cloud control domains, including Mobile Security; Supply Chain Management, Transparency & Accountability; Interoperability & Portability; and Encryption & Key Management
- Improved harmonization with the CSA Security Guidance for Critical Areas of Focus in Cloud Computing v3.0
- Improved control auditability throughout the control domains and an expanded control identification naming convention
Where the CCM Falls Short
While this is an important step forward in security control mapping, I feel that the mappings are too broad to be useful in enterprise compliance and governance programs. The CCM v3 maps its controls to major standards and frameworks such as PCI DSS, ISO 27001, FedRAMP, HIPAA, and COBIT, but only at a high level. This mapping can serve as a useful stepping stone for research into new security frameworks and how certain control areas might be applied.
The main issue with this framework is that no company can pick it up and use it to see what needs to be done to satisfy a particular control requirement. For the CCM to be useful in that role, it would need to go into much more detail about each control and about what specifically has to be done to meet it.