The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) is designed to provide guidance to cloud vendors and to assist cloud customers in assessing the security risk of a cloud provider. The CSA CCM has 133 controls in 13 domains with customized relationships (mappings) to other industry-accepted security standards, regulations, and controls frameworks (e.g. ISO 27002//27001, ISACA, COBIT, PCI-DSS, NIST 800-53). The objective of the CCM framework is to help organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.
Compliance in the Cloud and Key Challenges
“The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud” – Cloud Security Alliance
Most of the CSA CCM controls can be categorized as being either procedural or technical controls. Procedural controls are usually policies procedures and process related.
Design and implementation of technical security and privacy controls in the cloud present unique challenges listed below:
1. Lack of visibility – with hundreds of security groups, projects, entities, instances and accounts across several regions, it is difficult to keep track of security policy configurations and ensure that these policies are being enforced. Companies need tools that provide security visualization, management, and enforcement of compliance and security best practices.
2. Ever changing cloud technology – existing security solutions are not designed to support dynamic cloud infrastructure that is rapidly changing.
3. Knowledge gap – one of the cloud computing challenges is lack of specific cloud security knowledge in the Devops/compliance teams. This knowledge gap makes it even more difficult to develop enterprise wide guidelines and best practices around supported by detailed technical recommendations.
4. Large amounts of data – existing security and compliance tools are focused on analyzing large volumes of data and generating text heavy reports. These tools lack the ability to visualize configuration/activity data, and cannot support real time monitoring of compliance and security requirements.
5. Remediation is a pain – complex cloud architectures make it difficult to identify known issues immediately upon discovery and perform the necessary remediation actions all from a single platform.
How Does Dome9 Help with CSA CCM Compliance?
1. Visibility into all of your Cloud Assets
A company needs to clearly define the scope of all the system components in scope for CSA CCM certification. Dome9 provides you the visibility into cloud assets in order to comply with CSA CCM since you cannot protect information that is not on your radar.
2. Compliance Engine
Real-time view of compliance and security posture for immediate risk mitigation
3. Governance Specification Language (GSL)
GSL allows Compliance and Security team to write and review any compliance check in seconds without deep technical knowledge – This equates to fewer errors in translating IT governance requirements to policy definitions.
4. Continuous Compliance
Continuous Compliance allows Dome9 clients to continuously run a compliance assessment according to various compliance suites and deliver findings through the most convenient method such as email, SNS notification message or PDF report.
5. Advanced Alerts Mechanism
Our Advanced Alerts Mechanism alerts you on findings that Dome9 discovers when scanning AWS Accounts, Azure Subscriptions, and GCP Projects. This mechanism allows you to maintain CCM compliance and easily trigger incident response and start your investigation if there are major issues.
Get Started Today with Dome9 for CSA CCM Compliance
The Dome9 Compliance Engine ensures continuous compliance automation of the CSA CCM standard across your cloud accounts, with out of box compliance bundles.
With a single click, you can automate your CSA CCM continuous compliance assessment in real time using Dome9’s Compliance Engine and continuous compliance features. Learn more at www.dome9.com/compliance