
Technology | Jan 14, 2022

Making Sense of Cloud Controls Matrix (CCM) Part 1: A CCM Overview

Michael Schubert and Jim Jimenez

The reality of today’s technology landscape is that enterprises are evaluating their cloud strategy and likely already have workloads running in the cloud. The cloud can take many different forms depending on the requirements of the business or industry. IT professionals have the difficult job of navigating a sea of endless possibilities and evolving options. A Cloud Controls Matrix (CCM) is a powerful tool to chart a steady course on a business’s journey to the cloud.

What is CCM? 

A CCM is a framework document that guides the implementation of cloud security controls. This document is created by gathering all security requirements and mapping those items to technical capabilities in the cloud platform of choice. 

By completing a thorough CCM, a company can ensure it is meeting security compliance standards and following best practices. Microsoft (Azure), Amazon (AWS), and Google (GCP) have all completed the Cloud Security Alliance’s (CSA) STAR Level 2 assessment. CSA’s STAR is a CCM that can be used as a reference for how each cloud provider addresses particular security concerns. Each company has completed the same STAR Level 2 certification, so their question responses can be directly compared when deciding which cloud provider to use.

What are the benefits of the CCM?

There are several benefits of a CCM that justify the time required to complete it. First, the CCM exercise should result in a clear and easy-to-understand document that will inform all relevant parties involved in the cloud project. Both a technical and a non-technical audience should be able to read the CCM and understand the company’s security posture. 

The CCM will methodically break down security requirements and their mapped technical details. This will illustrate exactly how the requirement is being satisfied, thus reducing confusion and complexity. The CCM is also a powerful auditing and reporting tool for both industry compliance and company executives. If regulators or a company executive want to know how a specific security concern is being addressed, looking up that issue in the CCM should provide the answer. Lastly, evolving security requirements and their corresponding responses can be tracked over time by versioning the CCM.

Figure 1 – Cloud Controls Mapping Workflow

How do we use a CCM on a cloud project? 

Before any other decision can be made on the security specifics, the cloud provider must be selected. Microsoft Azure is an industry leader in cloud, but they are not the only player. AWS and GCP might be a better fit for a particular project or perhaps the business already has a footprint in either. The Cloud Security Alliance’s STAR Level 2 assessment can be used as an apples-to-apples comparison between the big three cloud providers. 

A company can review the responses from each provider and make an informed decision on the platform of choice. Next, decisions need to be made around platform as a service (PaaS), infrastructure as a service (IaaS), or software as a service (SaaS) options for applications. A typical deployment might involve a combination of different service models and impact which party is responsible for the infrastructure or application.

Every cloud project needs to start with a defined security foundation. One such foundation is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. This framework can be downloaded via the NIST website. Spend time reviewing the NIST framework and begin mapping project compliance and security requirements to it. 

From this starting point, layer on industry-specific requirements. These industry-specific requirements can include compliance with Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) standard, and others. By ensuring compliance with all applicable regulations, the company can avoid expensive litigation and strengthen confidence that its data is secure. 

Once all the NIST and industry-specific requirements have been identified, it is time to build a custom CCM for the project. Until this point the CCM could not be created because decisions had not yet been made on the provider and service models. Use the NIST framework or the CSA CCM as a model and create a spreadsheet that lists all the requirements. Then fill out adjacent columns with detail on how each specific requirement will be met. Additional columns can be added as needed with other information such as key stakeholders, responsible departments, and management oversight. This exercise is often referred to as “mapping” the CCM and is the most time-consuming and important step in the process.

Depending on the project, the environment might be a clean greenfield and all the cloud controls can be freshly implemented. This situation is ideal because a design following a methodical CCM is deployed from day one. 

More commonly, a business will have an existing cloud presence. In this case, the CCM is a powerful tool to audit the environment. Perform a gap analysis between the company’s cloud security controls and the newly created CCM. The findings of the analysis activity can be used to create a backlog of remediation items. Before company production data is migrated into the cloud, complete the remediation backlog. Validate that the controls have been implemented correctly with the use of environment documentation and testing.
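The mapping and gap-analysis steps above, as an added example that is not part of the original article: a CCM is modelled as rows of requirement, source framework, mapped control and owner, and is compared against the observed state of an existing environment to produce the remediation backlog and the "ready to migrate" gate. All requirement ids, controls and observed states are constructed sample values.

```python
"""Gap analysis of an existing cloud environment against a custom CCM (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CcmRow:
    req_id: str       # requirement identifier from the source framework
    source: str       # framework the requirement was taken from (NIST CSF, PCI, ...)
    requirement: str  # the security requirement itself
    control: str      # the mapped technical control that satisfies it (the "mapping")
    owner: str        # responsible department


# Constructed sample CCM rows; ids loosely follow NIST CSF / PCI DSS naming, controls are illustrative.
CCM = [
    CcmRow("PR.AC-1", "NIST CSF", "Identities and credentials are managed", "MFA enforced for all admins", "Identity"),
    CcmRow("PR.DS-1", "NIST CSF", "Data-at-rest is protected", "Storage encrypted with customer-managed keys", "Platform"),
    CcmRow("DE.CM-1", "NIST CSF", "Network is monitored for events", "Flow logs shipped to SIEM", "SecOps"),
    CcmRow("PCI-3.4", "PCI DSS", "PAN rendered unreadable where stored", "Tokenization of card data", "Payments"),
]

# Constructed audit result for the existing environment: control -> implemented?
# A control absent from this map has not been assessed at all, which is also a gap.
OBSERVED = {
    "MFA enforced for all admins": True,
    "Storage encrypted with customer-managed keys": False,
    "Flow logs shipped to SIEM": True,
}


def gap_analysis(ccm, observed):
    """Return the remediation backlog: one (req_id, owner, finding) per unmet or unassessed control."""
    backlog = []
    for row in ccm:
        state = observed.get(row.control)
        if state is None:
            backlog.append((row.req_id, row.owner, f"not assessed: {row.control}"))
        elif not state:
            backlog.append((row.req_id, row.owner, f"not implemented: {row.control}"))
    return backlog


def coverage(ccm, observed):
    """Fraction of CCM rows whose mapped control is verified as implemented."""
    met = sum(1 for row in ccm if observed.get(row.control) is True)
    return met / len(ccm) if ccm else 0.0


def ready_for_production(ccm, observed):
    """The article's gate: migrate production data only once the backlog is empty."""
    return not gap_analysis(ccm, observed)


if __name__ == "__main__":
    for item in gap_analysis(CCM, OBSERVED):
        print(item)
    print(f"coverage: {coverage(CCM, OBSERVED):.0%}, ready: {ready_for_production(CCM, OBSERVED)}")
```

Re-running the analysis after each remediation item is closed gives the validation evidence the text asks for, and versioning the CCM rows tracks how requirements change over time.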

What happens next?

Cloud technology is constantly evolving, and because of this it is important to treat the CCM as a living document. When designing cloud applications and infrastructure, consider building reporting for management and technical oversight. Do not fall into the trap of “set it and forget it.” Build mechanisms that will report data access, performance metrics, malicious activity, and security threats. Develop a response plan for events that might need immediate attention.

A properly executed CCM can seem overwhelming at first. Understanding the broad reach of regulatory compliance requirements and cloud capabilities requires a skillset some organizations may not have. We’ve had the opportunity to partner with our clients on many CCM executions and would be happy to answer any questions you may have on your journey. Reach out to Credera at findoutmore@credera.com to learn how we can deliver a complete Cloud Controls Matrix solution.
