Cloud Security Alliance (CSA), an organisations aimed at promoting the use of best practice in the cloud, has released the new updated controls for cloud computing together with the updated Consensus Assessments Initiative Questionnaire (the CCM and CAIQ v3.01). When used in conjunction these guidelines aim to provide further cloud transparency and assist in filling the gaps so that consumers of cloud are able to make improved and informed decisions regarding cloud computing.

In this short article we will consider the controls proposed by the CSA as part of their CCM v3.01 matrix update and deliberate the affect these might have on computing in the cloud.


Cloud standards and controls are living, continually evolving to meet our requirements. The living guidelines recently updated through the CSA should prove to be a great addition to the cloud practitioner and consumer toolbox to equip both consumer and IT practitioner/vendor with further strategies for assessing cloud situations to improve cloud governance across all deployment models (public, private, and hybrid).

Upgraded controls awards us improved knowledge and further confidence in all areas of cloud computing. With an improved cloud criteria base, IT practitioners/vendors and cloud consumers’ alike show potential with informed decision making in broader cloud areas.

The guidelines used in conjunction with the control questions (CAIQ) can place consumers and providers of cloud in good stead.

Equip with these additional tools and knowing the pertinent questions to address, we should now have further clarity when it comes to deciding on cloud computing matters concerning our data handling (type of data and migration of data and applications), suitability of deployment models and suitability of services, providers and location.

The New Tools in the Cloud Toolbox

Updated CCM and updated CAIQ both now v3.01

The evolving controls of the Cloud Control Matrix (CCM) are based on a handful of aspirations, every update or addition to these controls aims to further the realisation of those goals. The, CAIQ, has also been updated to fit in with the new version of CCM as the two tools compliment each other and are recommended to be used together for the combined benefit.

The aspirations behind the Cloud Control Matrix are:

  • To consolidate the fundamental cloud security principles to be used as a guideline for cloud vendors and customers for assessing overall provider security risk
  • To reinforce information security control environments through highlighting control guidance according to consumer and provider and also demarcating according to deployment model type and environment type
  • To simplify cloud auditing through the provision of a framework that is interrelated to industry accepted security standards, regulations and controls (ISO 2700/77002, ISACA COBIT, PCI, NIST etc.)
  • To regulate all things cloud: cloud taxonomy and terminology, security expectations and security procedures to be applied in the cloud


In the previous version, CCM v3, areas addressed included the information security risks contiguous with data access and transfer as well as the securing of cloud data in conjunction with mobile security, management, transparency and accountability, interoperability and portability and encryption and key management.Continuing from this, CCM v3.01 aims to further improve on the controls of the previous versions.

Areas covered in the latest version include 133 controls in the following areas with updates having been made to mappings and terminology.

  • Human Resources Security
  • Identity and Access Management
  • Infrastructure and Virtualisation
  • Interoperability and Portability
  • Mobile Security
  • Secondary Incident management, E-disc and Cloud Forensics
  • Supply Chain Management, Transparency and Accountability
  • Threat and Vulnerability Management
  • Application and Interface Security
  • Audit Assurance and Compliance
  • Business Continuity Management and Operation resilience
  • Change Control and Configuration Management
  • Data Security and Information Lifecycle Management
  • Datacentre Security
  • Encryption and Key Management
  • Governance and Risk Management


The reasoning behind the Consensus Assessment Initiative Questionnaire (CAIQ)

This concise yet comprehensive set of questions act as guideline questions which can be adapted to your specific requirements. The questions are based on the security controls in the CCM, simplified and converted into concise questions to cover the various areas (for best practice and security controls) of cloud security guidance. Having this as part of your ‘toolkit supplies’ the consumer can be confident and ready to ask all the right questions when assessing and choosing a cloud provider. It is also a great tool for the provider when it comes to self-assessment of their security posture. The questionnaire covers all areas in-depth yet is easy to read and understand. The associations between the controls, questions and standards/regulations is invaluable, it’s advantageous to have all this useful information and guidance as one collaborative document.


Where cloud consumption is rife and on the increase tools like this are gratefully welcomed. The combined utilisation of these guidelines/guided questions offer huge assistance for first time consumers of cloud or present cloud consumers to get to grips with security in the cloud and improve your security posture. Any assistance in clarifying the ‘cloudy’ areas of cloud computing will enhance the cloud experience. We would recommend these guidance tools to all cloud consumers and providers that are serious about good cloud practice.

Cloud Security Alliance (CSA):