Cloud Security Alliance updates guidance documents

The Cloud Security Alliance (CSA) announced significant updates to two de facto industry standards, the Cloud Controls Matrix (CCM) Version 3.0.1 and the Consensus Assessments Initiatives Questionnaire (CAIQ) 3.0.1. With the updates, the CSA has completed a major milestone in the alignment between the Security Guidance for Critical Areas of Focus in Cloud Computing v3, CCM, and CAIQ.

“With the release of the new CAIQ and CCM, alongside a strong migration path to CSA’s Security, Trust & Assurance Registry, we have intentionally created a much needed one-stop-shop in the cloud provider assessment process,” says Jim Reavis, CEO of the CSA.

“This will allow cloud providers to be more transparent in the baseline assessment process, helping accelerate the implementation process where cloud consumers will be able to make smart, efficient decisions. We expect the new versions to have an enormous and positive impact on the cloud industry,” added Reavis.

Together the CCM 3.0.1 and CAIQ 3.0.1 allow for greater efficiencies and transparency in the cloud assessment and implementation process. Additionally, the new guidance documents will serve as a seamless transition point to those providers wishing to submit to the CSA Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.

Specifically, CAIQ 3.0.1 realigns CAIQ questions to CCM 3.0.1 control domains and the CSA’s Guidance for Critical Areas of Focus in Cloud Computing v3.0. It also maps the CAIQ questions to the latest compliance requirements found in the CCM 3.0.1. In both documents, redundancies have been reduced and language rewritten for clarity of intent, STAR enablement, and Standards Development Organization alignment. Additionally, CCM 3.0.1 contains new or updated mappings in all 16 domain control areas.

“With the release of the new CCM and CAIQ, we are creating an incredibly efficient and effective process for cloud providers to better demonstrate transparency and improve trust in the cloud, which is the ultimate mission of the CSA,” said Daniele Catteddu, Managing Director, CSA EMEA. “Now we also have a streamlined path for these providers to become part of the CSA STAR program, giving further assurance to cloud consumers by allowing them to review the security practices of providers. This will help accelerate their due diligence and lead to a higher quality procurement experience.”

The CSA CAIQ is an initial exploratory document between a cloud customer and provider. By providing a series of “yes or no” control assertion questions the CSA CAIQ helps organizations build the necessary assessment processes when engaging with cloud providers. This question set is a simplified distillation of the issues, best practices, and control specifications from the CSA CCM and intended to quickly identify areas for additional discussion between consumer and provider.

The CSA CCM is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that are aligned across 16 security domains. The foundation of the Cloud Controls Matrix rests on its customized relationship to other industry standards, regulations, and controls frameworks such as: ISO 27001:2013, COBIT 5.0, PCI:DSS v3, AICPA 2014 Trust Service Principles and Criteria and augments internal control direction for service organization control reports attestations.

The CSA CCM strengthens existing information security control environments by enabling the reduction of security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.