FRAMINGHAM, 21 December 2010 - The Cloud Security Alliance (CSA) has launched a revision of the Cloud Controls Matrix (CCM). The new matrix (version 1.1), available for free download here, is designed to provide fundamental security principles to guide cloud vendors and help prospective cloud customers assess the overall security risk of a cloud provider.
The matrix provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the CSA's 13 domains. The foundations of the CCM rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, and NIST. The latest version includes more thorough mapping around NIST and GAAP, as part of more "holistic guidance", according to CSA.
According to the CSA, CCM strengthens existing security control environments by emphasizing business information security control requirements; identifies and reduces consistent security threats and vulnerabilities in the cloud; provides standardized security and operational risk management; and aims to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.
The latest version of the matrix was put together by more than 60 people worldwide in the last two months. "This is a bunch of security industry leaders that came together and said let's enable the cloud computing industry" to better handle security issues, says Phil Agcaoili, co-founder of the matrix and a CSA steering committee co-chair.
The latest version has the support of the Holistic Information Security Practitioner Institute (HISPI), an independent certification organization consisting of information security practitioners. Agcaoili says the HISPI community analyzed the matrix for quality assurance.
Becky Swain, program manager in the corporate security programs organization at Cisco and another founder of the matrix, says the long-term vision for CCM is to provide a framework for cloud service providers -- including those that deliver infrastructure services and those that provide applications -- to assess each other's security.
"The matrix provides a common criteria for assessing cloud providers," Swain says.