Back

TechnologyJan 28, 2022

Making Sense of Cloud Controls Matrix (CCM) Part 2: Deep Dive into Deploying CCM

Mirza Javed and Jim Jimenez

While many organizations have realized the multitude of benefits cloud computing has to offer, many are still trying to define their long-term cloud security strategy. All while they continue to adapt to evolving business requirements. 

The Cloud Security Alliance’s (CSA) “Cloud Security Matrix” (CCM) can help define requirements while developing or refining the enterprise cloud strategy. The CSA developed their cloud controls matrix in conjunction with cloud providers, industry players, enterprises, and governments. 

This framework is designed to enable cooperation between cloud consumers and providers in demonstrating appropriate risk management.  As such, it is the most comprehensive cloud security standard on the market today. The CCM covers three primary areas including architecture, governance, and operations. The CCM can also be mapped to over 35 different regulations and standards to reduce complexity. 

It provides a single pane of glass view to assist in developing a cloud strategy.

Implementing CCM in a Greenfield Environment

Implementing a CCM up front in a greenfield environment can reduce risk, increase efficiency, and save costs. It prevents the need to change the environment later in the process causing re-work. 

Reduce Risk

As an organization considers moving resources to a new cloud environment, an important consideration is a solid risk management strategy. This will ensure a complete understanding of your organization’s networks, applications, data, and other resources across the full resource lifecycle. As a result, the planning, development, deployment, operations, and decommissioning steps can be effectively managed.

Increase Efficiency

It also ensures that the organization will provide the best possible answers to CCM framework questions, which leads to better decisions as implementation moves along. With security baked into the solution, the organization will be better equipped to work through challenges that will be required to maintain cloud integrity, hence increasing efficiency.

Save Costs

Many of the CCM directives can be achieved by building an automation tool to remediate security issues. This ability to automate the enforcement of best practices and standards is a game changer. Cloud automation tools provide organizations with continuous compliance and the ability to take the burden off the IT department by automatically monitoring applications and identifying and fixing issues on the fly. 

Cloud automation tools continuously scan the virtual infrastructure, identify non-compliant resources, and remediate common cloud problems related to security. This reduces the overall cost compared to the traditional way of reporting, identifying, and then fixing the issue.

Organizations getting into cloud space for the first-time benefit from this standardization significantly. Increasingly, we see organizations pursuing fully cloud native solutions. So, having CCM to provide that foundational layer will be beneficial in their cloud journey.

 Diagram 1 - Cloud Controls Workflow

Implementing CCM in an existing environment 

Implementing CCM in an existing environment may cost a bit more when compared to baking it in. However, it is still a necessary step in achieving a strategy that will provide the organization with reduced security and compliance risk.

Reduce Security Risk

Clouds are complex distributed systems, so the technology needed to secure them can be expensive. However, companies are migrating to the cloud every day and using it as the key enabler to complete their digital transformation. Without a fundamental security strategy, these companies become vulnerable to cyber-attacks which cost a lot more to remediate. CCM, which is designed to provide fundamental security principles to guide cloud vendors, delivers just that.

It starts with using the CCM defined framework to assess an organization’s cybersecurity risks (threats, vulnerabilities, and impacts) and produces a strategy to reduce these risks with customized measures. This approach of implementing security to an existing environment or “bolting on,” tends to increase overall costs. As gaps are discovered across the different verticals between the current environment and the CCM document, a backlog of work items needs to be recorded and addressed as these CCM rules are implemented.

Lower Compliance Risk

Organizations, where CCM is most likely to be implemented as an addition to an existing environment, will have multiple cloud platforms in their environment. They consume different services, and these platforms have different nuanced offerings. Approaching these platforms differently and building unique security standards becomes a very tedious effort and increases overhead. You want to provide standardization that your developers can follow. Then, if you think about using CCM as a framework for how you build out security capabilities, you can build referenceable architectures and implementations that are specific to all platforms.

The Bottom Line of Implementing CCM

In addition to carrying the advantages mentioned above, here are a few more benefits that organizations can appreciate. CCM emerged as a framework for cloud service providers, but over the years, it has evolved and is now being adopted by consumers and providers. That by itself is a testimony of how flexible the framework is. 

Also, the ability to be applied across the globe is another advantage. CCM is recognized internationally which enables faster adoption. This is especially relevant to multinational organizations looking to align their cloud security with regional requirements. CCM is continuously evolving and improving, making it nimble compared to some of the other frameworks that remain unchanged for an extended period. And lastly, CCM provides a crosswalk against a variety of industry-accepted standards and frameworks including: NIST 800, PCI-DSS, COBIT, ISO 27001/27002, CIS and more. 

If you’re interested in applying CCM to your organization and are unsure of how to get started, reach out to us at findoutmore@credera.com.

Have a Question?

Please complete the Captcha