Feb 09, 2022

Making sense of Cloud Controls Matrix (CCM) Part 2: Deep dive into deploying CCM

Jim Jiminez

While many organisations have realised the multitude of benefits cloud computing has to offer, many are still trying to define their long-term cloud security strategy - all whilst they continue to adapt to evolving business requirements.

The Cloud Security Alliance’s (CSA) Cloud Controls Matrix (CCM) can help define requirements while developing or refining the enterprise cloud strategy. The CSA developed the Cloud Controls Matrix in conjunction with cloud providers, industry players, enterprises, and governments.

This framework is designed to enable cooperation between cloud consumers and providers in demonstrating appropriate risk management. As such, it is the most comprehensive cloud security standard on the market today. The CCM covers three primary areas including architecture, governance, and operations. The CCM can also be mapped to over 35 different regulations and standards to reduce complexity. It provides a single pane of glass view to assist in developing a cloud strategy.

Implementing CCM in a greenfield environment

Implementing CCM up front in a greenfield environment can reduce risk, increase efficiency, and save costs. It avoids having to change the environment later in the process, which causes re-work.

Reduce risk

As an organisation considers moving resources to a new cloud environment, an important consideration is a solid risk management strategy. This will ensure a complete understanding of your organisation’s networks, applications, data, and other resources across the full resource lifecycle. As a result, the planning, development, deployment, operations, and decommissioning steps can be effectively managed.

Increase efficiency

Implementing CCM early also ensures that the organisation will provide the best possible answers to the CCM framework questions, which leads to better decisions as implementation moves along. With security baked into the solution, the organisation will be better equipped to work through the challenges of maintaining cloud integrity, hence increasing efficiency.

Save costs

Many of the CCM directives can be achieved by building an automation tool to remediate security issues. This ability to automate the enforcement of best practices and standards is a game changer. Cloud automation tools provide organisations with continuous compliance and the ability to take the burden off the IT department by automatically monitoring applications and identifying and fixing issues on the fly.

Cloud automation tools continuously scan the virtual infrastructure, identify non-compliant resources, and remediate common cloud problems related to security. This reduces the overall cost compared to the traditional way of reporting, identifying, and then fixing the issue.

Organisations getting into the cloud space for the first time benefit significantly from this standardisation. Increasingly, we see organisations pursuing fully cloud-native solutions, so having CCM provide that foundational layer will be beneficial in their cloud journey.

Diagram 1: Cloud controls workflow

Implementing CCM in an existing environment

Implementing CCM in an existing environment may cost a bit more when compared to baking it in. However, it is still a necessary step in achieving a strategy that will provide the organisation with reduced security and compliance risk.

Reduce security risk

Clouds are complex distributed systems, so the technology needed to secure them can be expensive. However, companies are migrating to the cloud every day and are using it as the key enabler to complete their digital transformation. Without a fundamental security strategy, these companies become vulnerable to cyber-attacks which cost a lot more to remediate. CCM, which is designed to provide fundamental security principles to guide cloud vendors, delivers just that.

The process starts with using the CCM framework to assess an organisation’s cybersecurity risks (threats, vulnerabilities, and impacts) and produces a strategy to reduce these risks with customised measures. This approach of adding security to an existing environment, or “bolting it on”, tends to increase overall costs. As gaps between the current environment and the CCM controls are discovered across the different domains, a backlog of work items needs to be recorded and addressed as the CCM rules are implemented.
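As an added illustration of the continuous-compliance automation described under “Save costs” and of the gap backlog described above (example code written for this page, not from the article or the CSA): a small policy-as-code scan over a constructed resource inventory, which auto-remediates what it can and records the rest as backlog items. The inventory, the rules and the mapping of each rule to a CCM domain (DSP, CEK, LOG) are assumptions for illustration only.

```python
from copy import deepcopy

# Constructed inventory standing in for what a scanner would pull from a provider API.
INVENTORY = [
    {"id": "bucket-logs", "type": "storage", "public": False, "encrypted": True, "logging": True},
    {"id": "bucket-web", "type": "storage", "public": True, "encrypted": False, "logging": False},
    {"id": "vm-api-01", "type": "vm", "public": False, "encrypted": False, "logging": True},
]

# Each rule: (CCM domain it is assumed to support, description, resource types it applies to,
# compliance predicate, auto-remediation or None). The domain mapping is illustrative.
RULES = [
    ("DSP", "storage must not be publicly readable", {"storage"},
     lambda r: not r["public"], lambda r: r.update(public=False)),
    ("CEK", "data at rest must be encrypted", {"storage", "vm"},
     lambda r: r["encrypted"], None),  # needs a migration, so it goes to the backlog
    ("LOG", "access logging must be enabled", {"storage", "vm"},
     lambda r: r["logging"], lambda r: r.update(logging=True)),
]

def scan(inventory, rules=RULES):
    """Return one finding per (resource, rule) pair whose predicate fails."""
    findings = []
    for res in inventory:
        for domain, desc, types, ok, fix in rules:
            if res["type"] in types and not ok(res):
                findings.append({"resource": res["id"], "domain": domain,
                                 "description": desc, "auto_fixable": fix is not None})
    return findings

def remediate(inventory, rules=RULES):
    """Apply auto-fixes to a copy of the inventory; return (fixed inventory, backlog).
    Findings with no auto-fix become backlog work items, as the article describes."""
    fixed = deepcopy(inventory)
    by_id = {r["id"]: r for r in fixed}
    backlog = []
    for f in scan(fixed, rules):
        rule = next(x for x in rules if x[0] == f["domain"] and x[1] == f["description"])
        if rule[4] is not None:
            rule[4](by_id[f["resource"]])
        else:
            backlog.append(f"{f['domain']}: {f['resource']} - {f['description']}")
    return fixed, backlog

if __name__ == "__main__":
    for finding in scan(INVENTORY):
        print(finding)
    fixed_inventory, work_items = remediate(INVENTORY)
    print("remaining findings:", len(scan(fixed_inventory)), "backlog:", work_items)
```

Re-running `scan` on the remediated inventory shows which gaps automation closed and which remain as backlog work for the team.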

Lower compliance risk

Organisations where CCM is most likely to be implemented as an addition to an existing environment will typically have multiple cloud platforms in their environment. They consume different services, and these platforms have different nuanced offerings. Approaching each platform differently and building unique security standards for each becomes a very tedious effort and increases overhead. You want to provide standardisation that your developers can follow. If you then use CCM as the framework for how you build out security capabilities, you can build reference architectures and implementations for each platform.

The bottom line of implementing CCM

In addition to the advantages mentioned above, here are a few more benefits that organisations can appreciate. CCM emerged as a framework for cloud service providers, but over the years it has evolved and is now being adopted by both consumers and providers. That by itself is a testament to how flexible the framework is.

Its global applicability is another advantage. CCM is recognised internationally, which enables faster adoption. This is especially relevant to multinational organisations looking to align their cloud security with regional requirements. CCM is continuously evolving and improving, making it nimble compared to some other frameworks that remain unchanged for extended periods. Lastly, CCM provides a crosswalk against a variety of industry-accepted standards and frameworks, including NIST 800, PCI-DSS, COBIT, ISO 27001/27002, CIS and more.

If you’re interested in applying CCM to your organisation, please get in touch with a member of the team.
