CSA – Cloud Security Framework

A few weeks ago, an article by me on the new CIS 18 framework was published on this site. CIS is one of my go to frameworks for security assessments, but the cloud has its own set of controls and a specific framework developed by the Cloud Security Alliance (CSA). They have recently released a new version of their framework as well. This article will introduce the CSA and its security framework.

The CSA is a non-profit organization that focuses on cloud security, without focusing on any specific cloud vendor. It has chapters all around the world, including in Denmark, where I reside. Full disclosure, I am a member of CSA and the Danish chapter of CSA, and I am part of the working group that focuses on and develops the security framework that I will be detailing in this article. Before I get to the security framework, I would like to tell you a little about CSA itself.

Cloud Security Alliance

The CSA was established back in 2009 as a volunteer organization for people with interest or professional involvement in security in cloud environments. Since then, a number of certifications aimed at cloud security have been launched to spread the gospel of cloud security, including:

• CCSP – Certificate of Cloud Security Professional
• CCSK – Certificate of Cloud Security Knowledge
• CCAK – Certificate of Cloud Audit Knowledge
• ACSP – Advanced Cloud Security Practitioner

You can read more about these certifications on the CSA website. CSA has country chapters around the world and it might be worth your time to find out if your country has a CSA chapter and get involved there. CSA is continually producing research into the various cloud security areas and all of this research is freely available to the community. With that said, let’s focus on the primary subject, the CSA Cloud Control Matrix.

Cloud Control Matrix

The Cloud Control Matrix (CCM) is part of a larger program called the Security, Trust, Assurance, and Risk (STAR) Program which has a focus on security and privacy controls for cloud vendors. However, CCM is not focused solely on cloud vendors but is equally aimed at the customers of these cloud vendors, containing a list of controls that should be applied by the users of the cloud, just as much as by its providers. The latest CCM version 4.0.1 came out on 8 June 2021 along with a set of questions called the Consensus Assessment Initiative Questionnaire (CAIQ). These are the questions that we as security assessors can use as guidelines when assessing cloud implementations or use cases.

The questions are mapped into areas of focus and there are hundreds of questions in the list. This should be hardly surprising, since no two clouds are the same, and the usage patterns are different from one cloud customer to another. Some of the focus areas are not applicable to customers at all, for instance, the section called “Datacenter Security” is likely to be of interest to the cloud vendors themselves. Other areas are of more general interest to vendors and customers alike. Just to give you a quick taste of the mapping areas, below is a subset of those contained in the CAIQ:

• Audit & Assurance
• Cryptography, Encryption & Ley Management
• Data Security & Privacy Lifecycle Management
• Interoperability & Portability

Especially the last area will become of increasing importance in the coming years, as more cloud customers are implementing hybrid and multi cloud scenarios. Challenges of these kind of deployments have been featured on this site previously.

The CCM can be used as a tool for cloud security assessments, or it can be used as a tool for a more formal audit engagement with clients. Because of the complexity of cloud solutions and the multitude of different ways that clouds are being utilized by customers, having some guidance on how to approach security, both as a customer and as a cybersecurity professional, is hugely valuable. But how to go about using the questions in the CAIQ? One could just start from the end and begin asking question, just skipping the areas that are not applicable to the customer, such as the datacenter part. A better way is to scope the assessment and limit the set of questions to those within scope. That way, we can focus the assessment on the areas, or applications, of interest to the customer.

Do not see the CAIQ as the be all, end all of the questions possible in every situation. The CCM and CAIQ are meant as a guidance and not as the final truth of the matter. Those of you that are experienced auditors or security assessors knows this already: Sometimes an answer will inevitably prompt follow-up questions. Therefore, use the CAIQ as a foundation and progress from there. Just like with the CSA’s research, the CCM and CAIQ are free of charge and can be downloaded here.