Domain-Based Security Architecture Framework – CSA Cloud Controls Matrix (CCM) v4.0
Control Requirements Mapped to the CSA Cloud Controls Matrix (CCM) v4.0
The following domain-based security architecture framework maps to the CSA Cloud Controls Matrix (CCM) v4.0 to identify the specific control requirements applicable to each architectural domain.
Framework Overview
| # | Security Domain | CSA CCM Control Families (v4.0) |
|---|---|---|
| 1 | Host Security | CCC, IVS, LOG, UEM |
| 2 | Infrastructure and Network Security | CCC, IVS, LOG, UEM |
| 3 | Application Security | AIS, CCC, LOG |
| 4 | Data Security | CEK, DSP |
| 5 | Identity and Access Management (I&AM) | IAM |
| 6 | Solutions Architecture | Architecture governance / Service Introduction |
Control family key: AIS Application & Interface Security · CCC Change Control & Configuration Management · CEK Cryptography, Encryption & Key Management · DSP Data Security & Privacy Lifecycle Management · IAM Identity & Access Management · IVS Infrastructure & Virtualization Security · LOG Logging & Monitoring · UEM Universal Endpoint Management
1. Host Security
Build compliance must be verified against a baseline for all servers and end-user devices used to host and access the data. All approved security controls for the relevant host type must be implemented and configured to baseline. All known vulnerabilities must be detected and patched, or the associated risk remediated, before go-live. Security audit event logging must be enabled and configured so that it is monitored and alerted through the enterprise SIEM service.
| CSA CCM Control Family | Control Reference(s) |
|---|---|
| Change Control & Configuration Management | CCC-02, CCC-04, CCC-06, CCC-07 |
| Infrastructure & Virtualization Security | IVS-04 |
| Logging & Monitoring | LOG-04, LOG-06 |
| Universal Endpoint Management | UEM-06, UEM-07, UEM-08, UEM-09, UEM-10, UEM-11 |
2. Infrastructure and Network Security
Network zoning and data flow policies must ensure that connectivity is only initiated from a higher trust zone to a lower trust zone, although data flow may be bi-directional once connectivity has been established. User and application access to data must originate only from trusted networks, segments, and devices, and must traverse the appropriate policy enforcement points. Production and non-production environments must be clearly segregated through policy enforcement points, and security controls must be identified and defined to minimise the risk of data loss from lower trust network environments.
| CSA CCM Control Family | Control Reference(s) |
|---|---|
| Change Control & Configuration Management | CCC-02, CCC-04, CCC-06, CCC-07 |
| Infrastructure & Virtualization Security | IVS-03, IVS-04, IVS-05, IVS-06, IVS-09 |
| Logging & Monitoring | LOG-02, LOG-03, LOG-04, LOG-05, LOG-06, LOG-07, LOG-08, LOG-09, LOG-11 |
| Universal Endpoint Management | UEM-06, UEM-07, UEM-08, UEM-09, UEM-10, UEM-11 |
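The zoning rules in this domain can be checked mechanically against a flow inventory. The following is an added example, not part of the framework or of the CSA CCM: the zone names, trust levels, enforcement point names and flows are constructed, and it assumes that a flow between two different zones of equal trust fails the "higher trust to lower trust" rule.

```python
from dataclasses import dataclass

# Constructed zone model (assumption): a higher number means higher trust.
ZONES = {
    "prod-data": {"trust": 3, "env": "prod"},
    "prod-app": {"trust": 2, "env": "prod"},
    "prod-dmz": {"trust": 1, "env": "prod"},
    "dev-app": {"trust": 1, "env": "nonprod"},
}

DIRECTION = "initiated from a zone that is not higher trust than the destination"
NO_PEP = "crosses a zone boundary without a policy enforcement point"
ENV_MIX = "production/non-production flow is not segregated by a policy enforcement point"

@dataclass(frozen=True)
class Flow:
    name: str
    src: str  # zone that initiates the connection
    dst: str  # zone that accepts the connection
    pep: str = ""  # enforcement point traversed; empty if none is recorded

def check_flow(flow, zones=ZONES):
    """Return the list of zoning-policy findings for one flow."""
    unknown = [z for z in (flow.src, flow.dst) if z not in zones]
    if unknown:
        return [f"unknown zone: {z}" for z in unknown]
    if flow.src == flow.dst:
        return []  # stays inside one zone, no boundary is crossed
    src, dst = zones[flow.src], zones[flow.dst]
    findings = []
    if src["trust"] <= dst["trust"]:
        findings.append(DIRECTION)
    if not flow.pep:
        findings.append(NO_PEP)
        if src["env"] != dst["env"]:
            findings.append(ENV_MIX)
    return findings

def audit(flows, zones=ZONES):
    """Map each non-compliant flow name to its findings."""
    results = {f.name: check_flow(f, zones) for f in flows}
    return {name: found for name, found in results.items() if found}

# Constructed flow inventory, as might be extracted from an HLD data-flow table.
SAMPLE_FLOWS = [
    Flow("data-export-push", "prod-data", "prod-app", "fw-core"),
    Flow("dmz-callback", "prod-dmz", "prod-app", "fw-edge"),
    Flow("dev-refresh", "prod-app", "dev-app"),
    Flow("app-internal", "prod-app", "prod-app"),
]
```

Calling `audit(SAMPLE_FLOWS)` reports only the two non-compliant flows; bi-directional data transfer over an established connection is not modelled, since the rule constrains which side initiates.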
3. Application Security
Secure SDLC processes must be followed and verified for all applications that have access to this data. Supplier assurance, application reviews, and SAST and DAST processes must ensure that all known vulnerabilities are detected and patched, or the associated risk remediated, before go-live.
| CSA CCM Control Family | Control Reference(s) |
|---|---|
| Application & Interface Security | AIS-04, AIS-05, AIS-06, AIS-07 |
| Change Control & Configuration Management | CCC-02, CCC-04, CCC-06, CCC-07 |
| Logging & Monitoring | LOG-02, LOG-03, LOG-04, LOG-05, LOG-07, LOG-08, LOG-09, LOG-11 |
4. Data Security
Information classification must be assigned and verified in line with policy. The controls for data handling defined by policy, covering auditing, access controls, encryption, data integrity assurance, and data privacy across the data lifecycle, must be verified before go-live. All data egress routes must be identified by threat modelling the system, and security controls must be identified and defined to prevent unauthorised access to, or loss of, production data.
| CSA CCM Control Family | Control Reference(s) |
|---|---|
| Cryptography, Encryption & Key Management | CEK-03, CEK-04, CEK-11, CEK-12 |
| Data Security & Privacy Lifecycle Management | DSP-02, DSP-03, DSP-04, DSP-05, DSP-10, DSP-15, DSP-17 |
5. Identity and Access Management (I&AM)
Staff and customer IAM processes must be verified to ensure policy-based authentication and authorisation for all human users who have access to the data. Privileged access to infrastructure and applications by human users and service accounts that have access to data must be identified and managed through PAM controls.
| CSA CCM Control Family | Control Reference(s) |
|---|---|
| Identity & Access Management | IAM-03, IAM-04, IAM-05, IAM-09, IAM-10, IAM-13, IAM-14, IAM-15, IAM-16 |
6. Solutions Architecture
High-level designs (HLDs) and low-level designs (LLDs) must be kept up to date with all changes to the solutions architecture, and must be reviewed through the appropriate governance and Service Introduction processes before go-live.
No specific CSA CCM v4.0 controls are mapped to this domain. Assurance is provided through architecture governance and the Service Introduction process.