Since the beginning of this year, CSA and the CCM WG have been developing the 'SSRM Implementation Guidelines' for the CCM V4 control specifications.
The so-called 'SSRM project' is a big project, currently in progress, and only just recently a first draft was delivered. The primary project objective is to develop and deliver quality and well-justified SSRM implementation guidelines per CSP/CSC that pertain to the Shared Security Responsibility Model for each control in the CCM V4.
Given the vast size of the project, I will not enter into details at this point. However, feel free to ask any questions you might have.
You can access the first CCM V4 SSRM Guidelines draft here. Upon completion, this work is expected to update both the current "Typical Control Applicability and Ownership matrix" and the existing "Implementation Guidelines" of the CCM V4.
For CCM/CAIQ-related discussions, please consider joining the CCM WG community here in Circle, where you can also find additional information on joining the SSRM project calls.
Best regards,
------------------------------
Eleftherios Skoutaris
Program Manager
Cloud Security Alliance
------------------------------
Original Message:
Sent: Sep 08, 2023 09:28:34 AM
From: JW Merrow
Subject: CSA CCM - 'Typical Control Applicability and Ownership'
To sum up all the points, it seems as though using the Shared Responsibility Model from the CSP to gain an understanding of that division is the best way to go. It would be good if some of the "CSP-Owned" items were marked with an asterisk or had an explanation that these were dictated by the Shared Responsibility Model. I'll have to see where I can submit feedback on the CSA CCM for the next version to maybe add some commentary to that effect.
In my friendly debate, the other parties were under the impression that since it was marked "CSP-Owned", the onus for control implementation lay upon the CSP, which was incorrect and was eventually made clear.
The summary around managing the Guest OS security made perfect sense and was the logical 'argument' I utilized to make it clear that the control ownership was 'Shared'. :)
Thanks for the clarity and affirmation on the approach!
------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank
Original Message:
Sent: Sep 07, 2023 07:10:35 AM
From: Francesco Calabretta
Subject: CSA CCM - 'Typical Control Applicability and Ownership'
Your CSP should have provided you with a Shared Security Responsibility Model regarding the service at hand. In this model, you should be able to identify the areas of your direct responsibility and the areas managed directly by the provider.
For example, in the control you are mentioning, considering an IaaS service, you should find that the hardening of the Hypervisor is a CSP responsibility, while the hardening of the guest OS must be managed directly by the customer, as the CSP only provides you with an infrastructure.
------------------------------
Francesco Calabretta
Consultant
BIP Cybersec
Original Message:
Sent: Aug 09, 2023 01:21:37 PM
From: JW Merrow
Subject: CSA CCM - 'Typical Control Applicability and Ownership'
This is hopefully an easy question. I was in a friendly debate recently on the meaning behind the value of 'CSP-Owned' with regard to some controls.
The specific example is around Infrastructure & Virtualization Security (IVS); the case given is that we should have controls that are auditable around host hardening (IVS-04) despite the value of "CSP-Owned" since Guest OS hardening is certainly our responsibility with IaaS.
The two sides are:
- CSP-Owned means that we have no responsibility to implement or be audited on the control's efficacy, and the Cloud Service Provider is responsible
- CSP-Owned is just 'typical' ownership of the control... we still have responsibilities where it makes sense (e.g. Guest OS hardening)
My personal understanding is #2, that we have some responsibilities.
Has anyone come across this debate before? If so, is there something from CSA that helps detangle it?
------------------------------
JW Merrow
CyberSecurity Architect
Huntington National Bank
------------------------------