Whose job is it anyway? Cloud Security Alliance updates controls matrix to include logging and monitoring

CSA Cloud Controls Matrix

The Cloud Security Alliance (CSA) has finally released the fourth update to its Cloud Controls Matrix, a version that was two years in the making, bringing both structural changes and domain modifications to the framework.

The Cloud Controls Matrix is an online security and compliance project designed as a way of assessing a cloud implementation and finding out who is responsible for providing certain security controls. It comes in the form of a spreadsheet that, according to the CSA, “lists common frameworks and regulations organizations would need to comply with”.

The recent iteration of the controls matrix lists 17 domains ranging from application and interface security to threat and vulnerability management, and is the first to list logging and monitoring as a separate domain. Each domain includes a number of controls, each with an ID and a specification. The network defense control, for example, is listed in the infrastructure and virtualisation security domain as IVS-09 and is specified as “Define, implement and evaluate processes, procedures and defense-in-depth techniques for protection, detection, and timely response to network-based attacks.”

The matrix can, among other things, be used to notify customers of cloud services about various security concerns and provide a basis for checking their own setup. To help users discover missing security measures, CSA also provides a companion questionnaire that organisations and auditors can use when talking to service providers, and a number of mappings for similar standards. 

While the mappings give an overview of which regulations are satisfied by implementing certain controls, the questionnaire can also be used to document the presence of controls in infrastructure-as-a-service, platform-as-a-service, or software-as-a-service.

In addition to logging and monitoring, CCM 4.0 has added 64 new controls to the spreadsheet to ensure requirements of new technologies are met. Implementation guidelines and the questionnaire mentioned above are scheduled to land in early Q2 2021, along with a control applicability matrix to “define the attribution of responsibilities between cloud service providers and customers.”

Mappings for the standards ISO/IEC 27001-2013, ISO/IEC 27017-2015, ISO/IEC 27018-2019, and AICPA TSC v2017 will require some more time, though CSA promised their release for early February.

Teams interested in the matrix but somewhat floored by the extent of things to take into consideration might choose to wait until Q4 2021, when CSA expects to release a subset that represents foundational controls that organisations should implement no matter what.