Welcome!

Release Management Authors: Pat Romanski, Elizabeth White, David H Deans, Liz McMillan, Jnan Dash

Related Topics: @CloudExpo, Java IoT, Linux Containers, Release Management

@CloudExpo: Article

Cloud Security Alliance Releases Cloud Controls Matrix, Version 3.0

Industry Standard for Cloud Security Now Includes Expanded Controls to Assess Cloud Service Provider Information Security Risks

The Cloud Security Alliance (CSA) Thursday announced the release of the CSA Cloud Control Matrix (CCM) Version 3.0, the most comprehensive update to the industry's gold standard for assessing cloud centric information security risks. The CCM Version 3.0 expands its control domains to address changes in cloud security risks since the release of the CSA's seminal guidance domain, "Security Guidance for Critical Areas of Focus in Cloud Computing version 3.0" while making strides towards closer harmonization of the two.

Having drawn from industry-accepted security standards, regulations, and control frameworks such as ISO 27001/2, the European Union Agency for Network and Information Security (ENISA) Information Assurance Framework, ISACA's Control Objectives for Information and Related Technology, the American Institute of CPAs Trust Service and Principals Payment Card Industry Data Security Standard, and the Federal Risk and Authorization Management Program, the updated CSA CCM control domain provides organizations with the cohesiveness of controls needed to manage cloud centric information security risks.   This major restructuring of the CCM also captures the needs of cloud security governance in the near future, where it will serve as an annual check in updating future controls, further ensuring CCM remains in line with future technology and policy changes.

"As cloud usage continues to evolve, so must our security controls," said Evelyn De Souza, Co-Chair of the CCM Working Group and also Data Center and Cloud Security Strategist with Cisco Systems.  "We must now address the expanding methods of how cloud data is accessed to ensure due care is taken in the cloud service provider's supply chain, and service disruption is minimized in the face of a change to a cloud service provider's relationship. With the additional new key control domains and improved clarity, the CCM will become an increasingly important tool for providers and consumers to rely on to ensure greater transparency, trust, and security in the cloud."

CCM Version 3.0 includes the following updates:

  • Five new control domains that address information security risks over the access of, transfer to, and securing of cloud data: Mobile Security; Supply Chain Management, Transparency & Accountability; Interoperability & Portability; and Encryption & Key Management
  • Improved harmonization with the Security Guidance for Critical Areas of Cloud Computing v3
  • Improved control auditability throughout the control domains and an expanded control identification naming convention

"The decision to use a cloud service distills down to one question, 'Do I trust the provider enough for them to manage and protect my data?,'" said Sean Cordero Co-Chair of the CCM Working Group and industry expert. "CCM adoption gives cloud providers a manageable set of implementation ready controls that are mapped to global security standards. For customers, it acts a catalyst for dialogue about the security posture of their service providers, something that before the CCM existed was impossible. Keeping this balance in CCM v3 was a significant undertaking that could not have happened without the dedication of CSA member companies such as Microsoft, Salesforce, PwC, and the 120+ individual members who participated in the worldwide peer review. For their efforts and dedication we are grateful."

The CSA will hold three CCM specific sessions at upcoming CSA Congress events this fall. This week, at CSA Congress EMEA which is being held in Edinburgh, Scotland, Evelyn De Souza will lead "The Cloud Control Matrix v3," to introduce and guide participants through the new controls and enhancements.  She will also host a workshop at the conference titled, "Your Chance to Shape the Future of The CSA Cloud Controls Matrix."

Additionally, at CSA Congress 2013, being held December 3rd-5th in Orlando, Florida, the CSA will host a workshop titled, "CSA & British Standards Institution: Governance, Risk and Compliance in the Cloud with Cloud Controls Matrix, Consensus Assessments Initiative Questionnaire (CAIQ) and CSA Security, Trust and Assurance Registry (STAR)" where Sean Cordero, alongside other industry experts, will provide participants a background on the theory and design of the new Cloud Controls Matrix (CCM), how to map organizational requirements to the CCM,  and ways to best leverage the key components of the CSA GRC Stack including the: CCM v3, Consensus Assessments Initiative Questionnaire (CAIQ) , and the Security, Trust and Assurance Registry (STAR).

Individuals interested in becoming part of the working group can visit: https://cloudsecurityalliance.org/research/ccm/#_get-involved

For conference and registration information for the upcoming the upcoming CSA Congress 2013 in Orlando, Florida visit http://www.cloudsecuritycongress.com/us/index.

Tweet This: @cloudsa releases new #CCM 3.0; includes new #cloud control domains & processes for improved clarity & cohesiveness http://bit.ly/ur4dzf

About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

More Stories By Carmen Gonzalez

Carmen Gonzalez is the co-founder, president, and CEO of SYS-CON Media, Cloud Expo, Inc. and Ulitzer, Inc.

Carmen has been in charge of SYS-CON's sales and marketing functions since 1994. Under her leadership, the company was named by Inc 500, among the fastest growing 500 privately held companies in North America three years in a row.

IoT & Smart Cities Stories
IoT is rapidly becoming mainstream as more and more investments are made into the platforms and technology. As this movement continues to expand and gain momentum it creates a massive wall of noise that can be difficult to sift through. Unfortunately, this inevitably makes IoT less approachable for people to get started with and can hamper efforts to integrate this key technology into your own portfolio. There are so many connected products already in place today with many hundreds more on the h...
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
SYS-CON Events announced today that IoT Global Network has been named “Media Sponsor” of SYS-CON's @ThingsExpo, which will take place on June 6–8, 2017, at the Javits Center in New York City, NY. The IoT Global Network is a platform where you can connect with industry experts and network across the IoT community to build the successful IoT business of the future.
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...