Analytics
10/18/2013
12:19 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

CSA Releases Expanded Cloud Controls In New CCM V.3

New version also includes improved harmonization with the Security Guidance for Critical Areas of Cloud Computing v3

CSA EMEA 2013 - Edinburgh, Scotland – September 26, 2013 – The Cloud Security Alliance (CSA) today announced the release of the CSA Cloud Controls Matrix (CCM) Version 3.0, the most comprehensive update to the industry's gold standard for assessing cloud centric information security risks. The CCM Version 3.0 expands its control domains to address changes in cloud security risks since the release of the CSA's seminal guidance domain, "Security Guidance for Critical Areas of Focus in Cloud Computing version 3.0" while making strides towards closer harmonization of the two.

Having drawn from industry-accepted security standards, regulations, and control frameworks such as ISO 27001/2, the European Union Agency for Network and Information Security (ENISA) Information Assurance Framework, ISACA's Control Objectives for Information and Related Technology, the American Institute of CPAs Trust Service and Principals Payment Card Industry Data Security Standard, and the Federal Risk and Authorization Management Program, the updated CSA CCM control domain provides organizations with the cohesiveness of controls needed to manage cloud centric information security risks. This major restructuring of the CCM also captures the needs of cloud security governance in the near future, where it will serve as an annual check in updating future controls, further ensuring CCM remains in line with future technology and policy changes.

"As cloud usage continues to evolve, so must our security controls," said Evelyn De Souza, Co-Chair of the CCM Working Group and also Data Center and Cloud Security Strategist with Cisco Systems. "We must now address the expanding methods of how cloud data is accessed to ensure due care is taken in the cloud service provider's supply chain, and service disruption is minimized in the face of a change to a cloud service provider's relationship. With the additional new key control domains and improved clarity, the CCM will become an increasingly important tool for providers and consumers to rely on to ensure greater transparency, trust, and security in the cloud."

CCM Version 3.0 includes the following updates:

· Five new control domains that address information security risks over the access of, transfer to, and securing of cloud data: Mobile Security; Supply Chain Management, Transparency & Accountability; Interoperability & Portability; and Encryption & Key Management

· Improved harmonization with the Security Guidance for Critical Areas of Cloud Computing v3

· Improved control auditability throughout the control domains and an expanded control identification naming convention

"The decision to use a cloud service distills down to one question, 'Do I trust the provider enough for them to manage and protect my data?,'" said Sean Cordero Co-Chair of the CCM Working Group and industry expert. "CCM adoption gives cloud providers a manageable set of implementation ready controls that are mapped to global security standards. For customers, it acts a catalyst for dialogue about the security posture of their service providers, something that before the CCM existed was impossible. Keeping this balance in CCM v3 was a significant undertaking that could not have happened without the dedication of CSA member companies such as Microsoft, Salesforce, PwC, and the 120+ individual members who participated in the worldwide peer review. For their efforts and dedication we are grateful."

The CSA will hold three CCM specific sessions at upcoming CSA Congress events this fall. This week, at CSA Congress EMEA which is being held in Edinburgh, Scotland, Evelyn De Souza will lead "The Cloud Control Matrix v3," to introduce and guide participants through the new controls and enhancements. She will also host a workshop at the conference titled, "Your Chance to Shape the Future of The CSA Cloud Controls Matrix."

Additionally, at CSA Congress 2013, being held December 3rd-5th in Orlando, Florida, the CSA will host a workshop titled, "CSA & British Standards Institution: Governance, Risk and Compliance in the Cloud with Cloud Controls Matrix, Consensus Assessments Initiative Questionnaire (CAIQ) and CSA Security, Trust and Assurance Registry (STAR)" where Sean Cordero, alongside other industry experts, will provide participants a background on the theory and design of the new Cloud Controls Matrix (CCM), how to map organizational requirements to the CCM, and ways to best leverage the key components of the CSA GRC Stack including the: CCM v3, Consensus Assessments Initiative Questionnaire (CAIQ) , and the Security, Trust and Assurance Registry (STAR).

Individuals interested in becoming part of the working group can visit: https://cloudsecurityalliance.org/research/ccm/#_get-involved

For conference and registration information for the upcoming the upcoming CSA Congress 2013 in Orlando, Florida visit http://www.cloudsecuritycongress.com/us/index.

Tweet This: @cloudsa releases new #CCM 3.0; includes new #cloud control domains & processes for improved clarity & cohesiveness http://bit.ly/ur4dzf

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.