This evening I've been working my way through changes and modifications on the beta of version 3.1 of the Cloud Security Alliance CCM controls. Version 3.0 is the current shipping version of this living breathing bible of cloud security goodness. Recently I was in Amsterdam with Jim Reavis and his crew at the CSA Securecloud Conference, and I'll be out in the US at the annual CSA Congress in the fall. Whilst there I recorded a podcast with Jim that I will bring out midweek this week.
Regularly I talk at conferences expressing why the CSA CCM matrixes are one of the most powerful Swiss Army tools an IT practitioner can have when approaching a governance exercise in any facet of private, public or open hybrid cloud. Crossing business verticals allowing an organisation to be able to consider pressures of location and data type, workload or platform. This then allows you to make weighted decisions around application migration, infrastructure deployment and the isolation of services or provisioned platform services.
As the audit community continue to hone and document how they are are assessing technical and actual risk in on premise cloud, a contracted out public cloud or hybrid elastic combination of the two.
As 3.1 emerges and becomes the new defacto standard I will bring more information as to how best to adopt it, for now please point your browsers at the current shipping version of the matrix which you will find here.