Cloud Controls Matrix

Leverage the leading cloud security attestation framework to achieve “provable security and compliance” for your SaaS environments

As software-as-a-service (SaaS) offerings explode in popularity and diversity across industries, SaaS vendors are under increasing pressure from customers, regulators, and other stakeholders to prove that they can keep sensitive data secure in the cloud. SaaS security, compliance, data privacy and safety of user data in subscription-based software is a critical component and must be included in a proactive and resilient Information Security Strategy.

To address this business-critical challenge, cloud service providers (CSPs) need an attestation of conformance to an open, trusted cloud security framework. The leading option today for CSPs is the Cloud Service Alliance (CSA) Cloud Controls Matrix (CCM).

About the CSA Cloud Controls Matrix

The CSA Cloud Controls Matrix is a cybersecurity control framework for cloud computing. Aligned with CSA’s Cloud Security Guidance 4.0 and mapped to industry-accepted security standards like ISO 27001, ISO 27017, the CIS Critical Security Controls V8 and more, the CSA Cloud Controls Matrix is a de facto standard for cloud security assurance and compliance.

The Cloud Controls Matrix includes 17 domains encompassing 197 control objectives covering all facets of cloud security. You can use the Cloud Controls Matrix as a tool to systematically assess the security of a cloud implementation. It tells you which controls should be implemented by which participant (e.g., the CSP or the customer) across the cloud supply chain, helping to clarify security roles and responsibilities. The framework also tells you which cloud model type (infrastructure-as-a-service, platform-as-a-service, software-as-a-service) or cloud environment type (public, private, hybrid) each control applies to.

The Cloud Controls Matrix is the standard used to assess a CSP’s security posture for inclusion in the CSA Security, Trust, Assurance and Risk (STAR) public registry. The STAR program offers two incremental certifications that demonstrate compliance with industry standards:

  • Level 1: A self-assessment against the CSA’s Consensus Assessments Initiative Questionnaire (CAIQ). CSA STAR Level 1 is intended for CSPs operating in a low-risk environment that are looking for a cost-effective approach to improving trust and transparency.
  • Level 2: A third-party attestation/certification, which can serve as an adjunct to an ISO 27001 certification or SOC 2 attestation. Level 2 is intended for CSPs operating in medium- or high-risk environments that need a cost-effective way to increase assurance. Level 2 is also ideal for CSPs that have already achieved ISO 27001 certification, a SOC 2 attestation, GDPR compliance, etc.

This process can be independent of, or integral to, an ISO 27001 certification effort or SOC 2 attestation.

Overall, Pivot Point Security’s approach ensures that each client takes the best possible “next steps” on their unique path to provable security and compliance in the cloud.

Is Alignment with the CSA Cloud Controls Matrix Right for Our Organization?

CSA is the current market/thought leader for cloud security globally, and its Cloud Controls Matrix is increasingly being adopted as the “default” controls framework for cloud security. The Cloud Controls Matrix is mappable to key cybersecurity standards today and will align with future guidance from NIST and CISA around cloud security and zero trust best practices.

Why Choose Pivot Point Security for Cloud Security Services?

Helping you prove that your SaaS offering is secure and compliant so that you can grow your business is what we have done for thousands of clients for over 20 years. Our confidence in your success comes from our experience and all that we are trusted to protect.

When you work with Pivot Point Security, you can rely on our proven process to achieve your business goals. Whatever your budget, timeline, and current control maturity, we focus on helping you holistically understand and cost-effectively manage your information security risk, not on technology. And we have the experts on staff to augment your diverse resource needs as you move forward.

Start a discussion with an expert