Cloud Security Alliance and Cyber Risk Institute create Cloud Controls Matrix  

The Cloud Security Alliance (CSA), one of the world’s leading organisations dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, has announced that it has partnered with the Cyber Risk Institute (CRI), a non-profit coalition of financial institutions and trade associations, to develop an addendum to its Cloud Controls Matrix (CCM) – written specifically for the financial sector.

For many years, the cloud was a tempting, albeit forbidden, fruit for financial institutions. However, as cloud service providers’ (CSP) security measures have improved to accommodate most, if not all, of the financial sector’s regulatory requirements, increasing numbers of financial institutions are now looking to extend their rate of cloud adoption. Unfortunately, until now there hasn’t been a framework that adequately addresses this sector’s unique regulatory security requirements within the context of cloud computing. 

“Rather than layer new controls over CCM’s core set, we chose to partner with another like-minded organisation that would allow us to mutually take advantage of the work each of us has done in addressing cyber and cloud security. We are excited to further build on our relationship with CRI in what we see as the first step in creating a version of CSA Security, Trust, Assurance, and Risk (STAR) Level 2 specific to financial institutions,” said Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance. 

While CCM has become the de facto standard for cloud security assurance and compliance, it has not yet evolved to the point where it’s sufficient to satisfy the security and compliance requirements for every business sector. Correspondingly, the CRI Profile, the financial sector’s benchmark for cyber-risk assessment, covered many of the financial sector’s unique cybersecurity requirements but lacked the specificity of cloud security. After mapping the controls within their respective frameworks, CSA and CRI performed a gap analysis to create and incorporate cloud-specific controls into the CRI Profile and, correspondingly, financial sector-specific requirements into CCM.

“When we released the CRI Cloud Profile in March 2022, we knew it was a tremendous step forward for financial institutions looking to move to the cloud with confidence by outlining roles and responsibilities,” said Josh Magri, Founder and President, CRI. “This recent reverse mapping by CSA to the Profile is the missing piece that allows cloud service providers to speak financial sector language. This is not the end, though. We are excited to continue our collaboration with CSA and look forward to building on this success.”