In this blog we will provide an overview of the Cloud Security Alliance, the Cloud Controls Matrix that the CSA offers, and a few other offerings provided by the CSA.
What is the Cloud Security Alliance and the Cloud Controls Matrix (CSA CCM)?
The Cloud Security Alliance is a nonprofit organization that promotes the use of best practices for providing secure cloud computing. Since 2010, the CSA has released multiple versions of a free Cloud Controls Matrix for public use. The matrix is mapped to various well established and recognized standards, regulations, and control frameworks, including ISO 27001, NIST SP 800-53, PCI, and others.
The matrix is designed to provide fundamental security principles to guide cloud vendors on their security posture and to assist prospective cloud customers in assessing the overall risk of a cloud service provider. The current version 3.0.1 was released in August 2019 and can be accessed directly from the cloud security alliance here. Version 4.0 will be released at some point in the near future according to the cloud security alliance website. You can sign up at the link here to receive the newest version once it is released.
A great benefit of this matrix is the ability for service organizations to see the controls they should have in place in order to prepare for various engagements. Many of the same controls are used for different engagements, essentially enabling the service organization to “kill two birds with one stone.” This is discussed more below.
What are the Domains of the Cloud Security Alliance Cloud Controls Matrix?
Listed below, per the Cloud Security Alliance website, are the 16 domains that make up the current 3.0.1 Cloud Controls Matrix. Again, this matrix can be downloaded here.
As stated above, the matrix helps organizations evaluate the controls they should have in place to prepare for various audit and assessment engagements. Further, within the matrix, each domain contains a set of controls. For each control listed, the matrix notates how the control applies and then maps the control to the other recognized standards, regulations, and framework requirements. This mapping can help an organization determine if the controls they have in place will meet the other various standards/regulations and control frameworks as well.
- Application & Interface Security
- Audit Assurance & Compliance
- Business Continuity Management & Op Resilience
- Change Control & Configuration Management
- Data Security & Information Lifecycle Management
- Data Center Security
- Encryption & Key Management
- Governance & Risk Management
- Human Resources Security
- Identify & Access Management
- Infrastructure & Virtualization
- Interoperability & Portability
- Mobile Security
- Security Incident Management, E-Discovery and Cloud Forensics
- Supply Chain Management, Transparency & Accountability
- Threat & Vulnerability Management
Note: as part of Version 4 (soon to be released) these domains will be updated. You can find the updated domains on the Cloud Security Alliance website as well.
What is the Cloud Security Alliance Guide and the CCSK?
The Cloud Security Alliance Guide v4.0 is also a free document that can be downloaded here from the Cloud Security Alliance website. In summary, the guide provides educational information to organizations on how they can safely adopt cloud services, as well as identify and address the associated risks. This document is also a part of the CCSK self-study exam preparation kit which the Cloud Security Alliance also offers for free on their website. The CCSK stands for the Certification of Cloud Security Knowledge.
Along with the CSA Guide, the CCSK exam kit also includes the Cloud Controls Matrix and the ENISA Cloud Computing Risk Assessment. All three of these documents are expected to be understood prior to attempting the CCSK exam. Once the exam is taken and the CCSK is obtained, individuals would be able to demonstrate their knowledge of cloud computing and are expected to be able to review the security of cloud service providers and understand how to build a cloud security program. The Cloud Security Alliance offers Self-paced training online, online training with an instructor, and in-person training for the exam.
How much is the CCSK exam?
To continue discussing the CCSK exam, many might be wondering how much the exam costs. With a quick google search, this information can be found directly on the Cloud Security Alliance website. For reference, I will add the information here. The cost of the CCSK is $395 which includes two exam attempts in case you do not pass the first. The exam is also online only. Additionally, you can purchase additional attempts for $395 if needed; however, there is only one attempt for each additional purchase. You can sign up here to register a CCSK account and purchase your exam.
What is the CSA Star certification?
Additionally, in terms of an organizational certification offering, the Cloud Security Alliance offers the CSA STAR. This stands for Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) which is an assessment where an organization can obtain a certification after a CSA Star Authorized firm assesses their cloud security status. This assessment will help provide assurance to customers around the security of an organization’s cloud services. The STAR program highlights three levels of Assurance as follows: self-assessment, third-party audit, and continuous auditing. Additional details on the three levels can be found here. Additionally, the list of the certified STAR auditor firms can be found here.
The Cloud Security Alliance is an organization that provides best practices on secure cloud computing. One of the ways it accomplishes this is through providing the free cloud controls matrix which helps organizations gauge their cloud security posture and for individuals to evaluate potential security cloud providers. For further cloud security education, the Cloud security alliance also offers certifications for individuals including the CCSK, and assessments for organizations including the CSA STAR. The Cloud Security Alliance is overall a great resource for individuals and organizations to learn about how to evaluate and implement cloud security best practices.
Olivia Refile (CISSP, CISA, CRISC, GSEC, ISO lead Auditor) specializes in SOC examinations for Linford & Co., LLP. She completed her Bachelors of Business Administration, with a concentration in Management Information Systems from Temple University’s Fox School of Business in 2010. Olivia started her career in IT Risk Management in 2010 specializing in internal, external audits as well as IT security risk assessments. Following her time in risk management Olivia moved solely into external IT Audit and is currently dedicated to performing SOC 1 and SOC 2 examinations.