Cloud Security Alliance's new guidelines focus on mobile, data management

The Cloud Security Alliance has updated its Cloud Control Matrix (CCM), which is designed to help organizations vet the security credentials of cloud service providers.

The CCM provides recommendations of best practices for securing the cloud. It covers a wide variety of areas, from data center, hardware and application security, to business continuity and vulnerability assessment. The third version of the CCM, released last week, includes guidelines for five new categories: mobile security; supply chain management, transparency and accountability; interoperability and portability; and encryption and key management.


Mobile was a natural area to focus new security best practices on because it is becoming a popular use case for the cloud, says Sean Cordero, co-chair of the CCM Working Group that helped create the guidelines. The mobile best practices cover not only how cloud-based services are accessed from mobile devices, but also how software such as mobile device management (MDM) tools is delivered as a SaaS offering.

One recommendation, for example, is to have a clearly defined mobile use policy and to ensure that everyone within the organization is familiar with it. While somewhat obvious, many customers lack a fundamental policy to control which services users can access from their mobile devices, Cordero says.

"This has really sprung up from the organic growth of BYOD (bring your own device)," says Cordero, who is also president of boutique cloud security consultancy Cloud Watchmen. "An executive wants to use an iPad, but then all of a sudden there are questions." A policy can dictate how the device is secured, what information it stores and what data on the device the business has access to. "Be clear about what the rules of the game are," Cordero says.

Another new category is for supply chain management, transparency and accountability. The CSA recommends that customers have a clear understanding of exactly how data is handled by their provider. In some cases the provider may be working with other third parties, which can present a security risk, Cordero explains.

For example, in virtual desktop infrastructure (VDI) deployments customers may contract with one vendor, but on the back end the VDI provider may rely on another third party's storage platform. Customers should know the entire supply chain of their data to ensure it is appropriately secured at every stage. Another increasingly common scenario is in the platform as a service (PaaS) market, Cordero says. Often a PaaS, which is an application development platform, runs on an underlying infrastructure as a service (IaaS). Customers should be aware of the service-level agreements (SLAs) and security controls not just of their PaaS provider, but of any foundational IaaS provider as well.

Following security best practices like those outlined in the CCM is one way for customers to protect themselves. The recent cautionary tale of cloud storage provider Nirvanix, which gave its customers short notice to move data out of its cloud because it was folding, has reinforced the importance of having a business continuity and data egress plan.

The CSA, a non-profit organization focused on advancing the security of the cloud, regularly updates the CCM to ensure it incorporates the latest industry-accepted security standards such as ISO 27001/27002. Members like Cordero work with cloud users, advisers and service providers to identify the latest trends in the industry and ensure they are reflected in the CCM.

Customers can see the full list of CCM specifications by downloading the PDF version here (it requires users to register with the CSA). The CSA also maintains the STAR Registry, a questionnaire version of the CCM that providers fill out and that is posted on the CSA website. The responses given by providers are listed in the STAR Registry so that consumers can compare various cloud providers.

Senior Writer Brandon Butler covers cloud computing for Network World. He can be reached at and found on Twitter at @BButlerNWW. Read his Cloud Chronicles here.
