
Enterprise Architecture v2 to CCM v3.01 Mapping Guide
The permanent and official location for The Enterprise Architecture Working Group is
https://cloudsecurityalliance.org/research/working-groups/enterprise-architecture/

© 2021 Cloud Security Alliance – All Rights Reserved. You may download, store, display on your
computer, view, print, and link to the Cloud Security Alliance at https://cloudsecurityalliance.org
subject to the following: (a) the draft may be used solely for your personal, informational, non-
commercial use; (b) the draft may not be modified or altered in any way; (c) the draft may not be
redistributed; and (d) the trademark, copyright or other notices may not be removed. You may quote
portions of the draft as permitted by the Fair Use provisions of the United States Copyright Act,
provided that you attribute the portions to the Cloud Security Alliance.

© Copyright 2021, Cloud Security Alliance. All rights reserved. 2


Acknowledgments
Lead Authors:
Jon-Michael C. Brook
Michael Roza

Contributors:
Jeff Maley
Michael Theriault
Rolando Marcelo Vallejos
Ashish Vashishtha
Henry Werchan

CSA Staff:
Sean Heide (Analyst)
Stephen Lumpe (Cover Design)
AnnMarie Ulskey (Layout Design)

The Enterprise Architecture Working Group (EA) is a Cloud Security Alliance (CSA) research
working group that helps cloud customers and providers develop industry-recommended, secure and
interoperable identity, access and compliance management configurations and practices. The
working group developed a cloud reference architecture, the CSA Enterprise Architecture (formerly the
TCI), which overlays cloud platforms and solutions on existing common enterprise architectures
hardened with security criteria and industry mappings from the CSA Cloud Controls Matrix.



Table of Contents
Introduction (p. 6)
  Enterprise Architecture (EA) (p. 6)
  Cloud Control Matrix (CCM) (p. 6)
  Goal (p. 6)
  Audience (p. 6)
Guide (p. 7)
  Enterprise Architecture Section (Rows 1 to 7) (p. 8)
    EA Key (p. 8)
    EA ID (p. 9)
    EA Domain (p. 9)
    EA Container High/Mid/Low level (p. 9)
    Key ID (p. 9)
  Enterprise Architecture Section (Columns E to NA) (p. 9)
    Business Operation Support Services (BOSS) (p. 10)
    Information Technology Operation & Support (ITOS) (p. 10)
    Technology Solution Services (TSS) (p. 11)
      Presentation Services (p. 11)
      Application Services (p. 11)
      Information Services (p. 11)
      Infrastructure Services (p. 12)
    Security and Risk Management (SRM) (p. 12)
Cloud Controls Matrix (CCM) Section (Columns A to D) (p. 13)
  CCM Description (p. 13)
  Control Domain (p. 13)
  Control ID (p. 14)
  Control Description (p. 14)
CCM Section (Rows 8 to 140) (p. 14)
  Application & Interface Security (AIS) (p. 15)
  Audit Assurance and Compliance (AAC) (p. 15)
  Business Continuity Management & Operational Resilience (BCR) (p. 15)
  Change Control & Configuration Management (CCC) (p. 15)
  Data Security & Information Lifecycle Management (DSI) (p. 16)
  Datacenter Security (DCS) (p. 16)
  Encryption & Key Management (EKM) (p. 16)
  Governance and Risk Management (GRM) (p. 16)
  Human Resources (HRS) (p. 16)
  Identity & Access Management (IAM) (p. 17)
  Infrastructure & Virtualization Security (IVS) (p. 17)
  Interoperability & Portability (IPY) (p. 17)
  Mobile Security (MOS) (p. 17)
  Security Incident Mgt, E-Discovery & Cloud Forensics (SEF) (p. 18)
  Supply Chain Mgt, Transparency and Accountability (STA) (p. 18)
  Threat and Vulnerability Management (TVM) (p. 18)
Control Assignment Process (p. 18)
EA to CCM Mapping Statistics (p. 20)
  Total item count: EA Component Group by CCM Domain (p. 20)
  Coverage item count: EA Component Group by CCM Domain (p. 21)
  Percent coverage: EA Component Group by CCM Domain (p. 21)
Summary (p. 21)
References (p. 22)



Introduction
The Enterprise Architecture (EA) is the CSA’s standard cloud reference architecture, while the Cloud
Control Matrix (CCM) is the CSA’s standard control set. The two are linked: the CCM controls, if
applied, ensure that the EA operates securely. However, until now this has never been demonstrated.

Enterprise Architecture (EA) [1]

[Figure: interactive EA diagram showing the four areas Business Operation Support Services (BOSS),
Information Technology Operations & Support (ITOS), Technology Solution Services (TSS) and
Security & Risk Management (SRM)]

Figure 1: Interactive CSA Enterprise Architecture Diagram

Cloud Control Matrix (CCM) [2]

A&A  Audit & Assurance
AAC  Audit Assurance & Compliance
BCR  Business Continuity Mgmt & Op Resilience
CCC  Change Control & Configuration Management
DSI  Data Security & Information Lifecycle Management
DCS  Datacenter Security
EKM  Encryption & Key Management
GRM  Governance, Risk Management and Compliance
HRS  Human Resources Security
IAM  Identity & Access Management
IVS  Infrastructure & Virtualization
IPY  Interoperability & Portability
MOS  Mobile Security
SEF  Sec. Incident Mgmt, E-Disc & Cloud Forensics
STA  Supply Chain Mgmt, Transparency & Accountability
TVM  Threat & Vulnerability Management

Figure 2: CCM v3 Domains

Goal
Provide a mapping between the Enterprise Architecture 2.0 and Cloud Controls Matrix 3.0.1
demonstrating how both can be used together as a guide to securing an enterprise architecture.

Audience
The EA to CCM mapping can be used by cloud security and compliance professionals to guide them in
securing enterprise architectures and performing security assessments.

[1] Interactive Enterprise Architecture Representation: https://research.cloudsecurityalliance.org/tci/index.php/explore/
[2] Cloud Controls Matrix: https://cloudsecurityalliance.org/research/cloud-controls-matrix/

Guide
This guide first defines the main components of the mapping, the CSA EA and the CSA CCM, and then
demonstrates by example how the mapping was accomplished. After this, the mapping results are
provided and explained in a summary that also contains the roadmap of improvements to be
accomplished during 2020/21 to ensure that the Enterprise Architecture remains relevant.

Below you will find a detailed overview of the Enterprise Architecture and its components.

Enterprise Architecture / Trusted Cloud Initiative Reference [3]

[Diagram: Enterprise Architecture / Trusted Cloud Initiative Reference, showing the Business
Operation Support Services (BOSS), Information Technology Operations & Support (ITOS),
Technology Solution Services (TSS: Presentation, Application, Information and Infrastructure
Services) and Security and Risk Management (SRM) areas with their component groups and
components]

The EA contains the following classification:

• 4 Areas - Highest level groupings (BOSS, ITOS, TSS, SRM)
• 7 Domains - 4 Areas plus the individual Technology Services breakouts
• 36 Component Groups - Major groupings within each of the 4 areas
• 360 Components - Each individual container within the EA, from the Areas and Domains to
the individual service features
• 360 High Level Components
• 357 Medium Level Components
• 210 Low Level Components

[3] https://cloudsecurityalliance.org/artifacts/tci-reference-architecture-v2-0/



Enterprise Architecture Section (Rows 1 to 7)
The EA mapping spreadsheet includes several header rows that describe the components in its
columns and rows.

Figure 3: EA Mapping Sample for Explanation [4]

Callouts in the sample: the EA Key combines domain and container levels in a text string separated
by “.”; the container/process levels from the EA translate into the four levels (domain/high/mid/low)
in rows 3-6.

Figure 4: EA Mapping Sample for Explanation

EA Key
Row 1 Example EA Key: BOSS.Compliance.Audit Planning.

The EA Key is an amalgamation of the various Enterprise Architecture components, useful for
spreadsheet manipulation. The example key above identifies the BOSS domain, followed by the
Compliance and Audit Planning containers.

[4] https://docs.google.com/spreadsheets/d/1oPzOAhw3IQiY0BnnOYxbR5HBU7xuXidbW1ua_py4qwE/edit?usp=sharing



EA ID
Number for tracking.

EA Domain
Top Level Domain (BOSS/ITOS/TSS/SRM).

EA Container High/Mid/Low level


The depth of the Domain/Container/Process hierarchy differs between the various domains. As a
result, some of the Domain through Low-level fields may be blank. Some areas have more than three
levels of containers and processes, as shown in the Security and Risk Management (SRM) domain
example with six. These mappings include the third-tier low level designated in row 6 of the
worksheet.

Figure 5: Domain Keys for Interactive Enterprise Architecture (BOSS [5], ITOS [6], TSS [7], SRM [8])

Key ID
The Key ID is a unique identifier for the EA mapping. The Key ID remains constant even if items
move within the chart, are duplicated or combined, or addenda are added.

Enterprise Architecture Section (Columns E to NA)


The Enterprise Architecture includes four top-level areas: Business Operation Support Services
(BOSS), Information Technology Operation & Support (ITOS), Technology Solution Services (TSS),
and Security and Risk Management (SRM).

[5] https://research.cloudsecurityalliance.org/tci/index.php/explore/boss/
[6] https://research.cloudsecurityalliance.org/tci/index.php/explore/itos/
[7] https://research.cloudsecurityalliance.org/tci/index.php/explore/infrastructure_services/
[8] https://research.cloudsecurityalliance.org/tci/index.php/explore/security_risk_management/



Business Operation Support Services (BOSS)
Partners with the business

The BOSS domain is all the enterprise support functions such as Human Resources, Compliance, and
Legal that are critical to a security program. It is also the place where the operations of the company
and its systems are monitored for any signs of abuse or fraud.

Description

BOSS was designed based on best practices and reference frameworks with proven success in
aligning the business and transforming the information security practice across organizations into
a business enabler. Most security architectures focus only on technical capabilities, missing
the opportunity to create a dynamic synergy with the business by transforming reactive practices
into proactive areas that can eventually enable business command centers providing relevant
information about the health of information assets and business processes. A common concern
when organizations decide to integrate services with cloud providers is the level of security the
provider will offer, as well as the amount of exposure when data is hosted on a multi-tenant model.
This domain outlines aspects that must be considered besides the technological solutions, such as
legal guidance, compliance and auditing activities, human resources, and monitoring capabilities
with a focus on fraud prevention.

Information Technology Operation & Support (ITOS)


Managing IT Processes

ITOS is typically provided by the IT Department. It is the help desk that takes the call when a problem
is found. It is the teams that coordinate changes and roll them out in the middle of the night. It is the
planning and processes that keep the systems going even in the event of a disaster.

Description

ITOS outlines all the necessary services an IT organization will have in order to support its business
needs. This domain provides alignment of industry standards and best practices (PM BOK, CMMI,
ISO/IEC 27002, COBIT, and ITIL v3), providing a reference from two main perspectives that enable the
organization to support its business needs. However, relationships between technology components
are not intended to be a one-to-one match to the process touch points described in PM BOK, ISO/IEC
27002, CMMI, COBIT and ITIL v3.



Technology Solution Services (TSS)
Description

IT solutions can be thought of as a stack of technology: computers and networks are the bottom
layer, followed by the data they host and transport, the applications that manipulate the data, and the
actual interactions that users have with the stack. The four technology solution domains (Presentation
Services, Application Services, Information Services, and Infrastructure Services) are based on the
standard multi-tier architecture that is used to build these solutions. The CSA Reference Architecture
does not get into all the details of how that architecture works, but instead gets into the details of
the security concerns and required services for each tier in the solution.

Presentation Services

Interaction with the user

Description

An example of Presentation Services is the website you see when you go to the online bank or the
voice on the phone when you call the airline reservation system.

Application Services

Development and implementation of business logic. Think of application services as the processes
that developers use to write code, as well as the code itself.

Description

Application services are the rules and processes behind the user interface that manipulate the data
and perform transactions for the user. In an online bank, this might be a bill payment transaction that
deducts the payment amount from the user’s account and sends a check to the payee. In addition
to the application services of an IT solution, the Application Services domain also represents the
development processes that programmers go through when creating applications.

Information Services

Managing Data

Information Services refers to the storage of data, usually in databases, or in files.

Description

One of the most common pain points across organizations is the amount of data generated across
the company, sometimes including redundant data (different perspectives for the same threat or
gap). All this data needs to be transformed into useful information that business asset owners
can use to prioritize, strategize, and manage the risk portfolio they own. This section manages the
extraction, transformation, cleansing, and loading of information into a common data model either
for analytical or operational goals. Typical Extract, Transform, and Load (ETL) data normalization, data
mining, balanced scorecard, and other capabilities will reside here. This domain simplifies all these
sources of data by having a data management approach. All data containers are allocated on this
domain, where eventually they can be extracted, transformed, and loaded into the following:

• Operational data store: All day-to-day and transactional information will be allocated here,
using a 360 degree perspective around information assets (i.e. application and infrastructure
vulnerabilities, patching gaps, penetration test results, audit findings, and controls per asset).
• Data Warehouse: All historical transactions will be used to develop a data warehouse or data
mart that can measure the success obtained with the risk management program. Also, this
model can be used to identify behavior patterns, trends, tendencies, and systemic gaps
across the organization.

Infrastructure Services

Facilities, Hardware, Network and Virtual Environments.

Infrastructure Services can be visualized as the rows of computers, network cables, power supplies,
cooling vents, and fire suppression pipes you will see inside any standard data center.

Description

Infrastructure Services provide the basic core capabilities that support higher-level capabilities in
other areas of the architecture. This is the service layer that supports cloud applications visible to the
majority of cloud users. This level consists of virtual machines, applications, and databases. Often,
Infrastructure services will be deployed centrally and will run standard machine images, with all
necessary services preconfigured to support ease of integration and reliable connectivity and access.
As they provide a foundation, Infrastructure Services are largely invisible to end users of the cloud
service. For example, a customer will likely be required by due diligence to assure that cloud facilities
provide physical security to match the risk characteristics of the uses they make of cloud services,
but otherwise will ignore the operational details of how physical access controls are implemented.

Security and Risk Management (SRM)


Protecting data and managing risk, Security and Risk Management encompasses the passwords,
firewalls, and encryption that protect computer systems and data. It is the processes that define policies
and audit systems against those policies. It leverages ethical hacking and tools to test for vulnerabilities
within the systems. These services are what most people think of when they think of cyber security.

Description

The Security and Risk Management domain provides the core components of an organization’s
Information Security Program to safeguard assets and detect, assess, and monitor risks inherent in
operating activities. Capabilities include Identity and Access Management, GRC (Governance, Risk
Management, and Compliance), Policies and Standards, Threat and Vulnerability Management, and
Infrastructure and Data Protection.

Source: https://cloudsecurityalliance.org/wp-uploads/2011/10/TCI_Whitepaper.pdf/

Cloud Controls Matrix (CCM) Section (Columns A to D)

A&A  Audit & Assurance
AAC  Audit Assurance & Compliance
BCR  Business Continuity Mgmt & Op Resilience
CCC  Change Control & Configuration Management
DSI  Data Security & Information Lifecycle Management
DCS  Datacenter Security
EKM  Encryption & Key Management
GRM  Governance, Risk Management and Compliance
HRS  Human Resources Security
IAM  Identity & Access Management
IVS  Infrastructure & Virtualization
IPY  Interoperability & Portability
MOS  Mobile Security
SEF  Sec. Incident Mgmt, E-Disc & Cloud Forensics
STA  Supply Chain Mgmt, Transparency & Accountability
TVM  Threat & Vulnerability Management

Figure 6: 16 Domains of the Cloud Controls Matrix v3 [9]

CCM Description
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental
security principles and best practices to guide cloud vendors and to assist prospective cloud customers
in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that
gives a detailed understanding of security concepts and principles aligned to the Cloud Security
Alliance guidance in 16 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on
customizations of other industry-accepted security standards, regulations, and controls frameworks
such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP. The CCM augments
or provides internal control direction for the service organization control report attestations
provided by cloud providers.

Control Domain
The 16 domains were derived from CSA Security Guidance version 3[10] and major standards such as
ISO/IEC 27001 and ISO/IEC 27002. The domain defines what category the controls fall under. Column
A represents the Control Domain and Control name.

[9] https://cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix/
[10] https://cloudsecurityalliance.org/research/guidance/



Figure 7: CCM Control Domain & Control ID Explanation (callouts: an example Control Domain is
“Application and Interface Security”; AIS-02 means the second control in the Application and
Interface Security domain, and the 2nd control of AIS is “Customer Access Requirements”).

Control ID
Each domain is assigned an acronym. For example, the Application and Interface Security domain is
assigned the acronym AIS. Column B contains the control ID which consists of a three-letter control
domain acronym plus a sequential control number.

Control Description
There may be one or more controls under a domain. Each control has a control ID, which is the
domain acronym followed by a number. For example, AIS-02 means 2nd control in the Application
and Interface Security domain. (Another example is IAM-03, representing the 3rd control in the
Identity and Access Management domain). Column C includes the control specification description
of the purpose of the control.

Figure 8: CCM Control Specification Explanation (callout: the AIS-02 purpose definition concerns
the requirements that must be addressed when customers are given access).

CCM Section (Rows 8 to 140)


The CSA designed the Cloud Controls Matrix to cover all aspects of a cloud computing architecture in
16 domains. Explanations for each of the 16 domains follow:



AIS Application & Interface Security (AIS)
• Application programming interfaces (API) are a set of routines, protocols, and tools for
building software applications.
• Cloud Service Providers (CSP) expose a set of software interfaces or APIs that customers
use to manage and interact with cloud services.
• Organizations and third parties often build upon these interfaces to offer value-added
services to their customers.
• Security and availability of general cloud services is dependent upon the security of basic APIs.

AAC Audit Assurance and Compliance (AAC)


• Audit Assurance and Compliance is the awareness of and adherence to corporate and
legal obligations (e.g., corporate social responsibility, ethics, applicable laws, regulations,
contracts, strategies and policies). It includes the assessment and prioritization of corrective
actions deemed necessary and appropriate.
• Security and assurance services are a way in which third-parties play a role in compliance
assessment and communication.
• Auditing is a method to provide assurance that operational risk management activities are
thoroughly tested and reviewed.

BCR Business Continuity Management & Operational Resilience (BCR)
• Business Continuity is defined as a holistic management process that identifies potential
threats to an organization and the impacts to business operations that those threats, if
realized, might cause, and which provides a framework for building organizational resilience
with the capability for an effective response that safeguards the interests of its key
stakeholders, reputation, brand and value-creating activities. (Source: ISO 22301:2012)

CCC Change Control & Configuration Management (CCC)


• Change Control is a process for controlling modifications to hardware, firmware, software,
and documentation to protect the information system against improper modifications
before, during, and after system implementation. (NIST)
• Change Control is a part of Configuration Management.
• Configuration Management is a collection of activities focused on establishing and
maintaining the integrity of products and systems, through control of the processes for
initializing, changing, and monitoring the configurations of those products and systems
throughout the system development life cycle. (NIST)



DSI Data Security & Information Lifecycle Management (DSI)
• Data Security Lifecycle – Create, Store, Use, Share, Archive, Destroy.
• Information Lifecycle Management (functions, actor, location) – Access, Process, Store.
• The Data Security Lifecycle is different from Information Lifecycle Management, reflecting
the different needs of the security audience.

DCS Datacenter Security (DCS)


• The security of a modern data center must take into account physical security, network
security, data security, and user security.
• It generally includes redundant or backup power supplies, redundant data communications
connections, environmental controls (e.g., air conditioning, fire suppression) and various
security devices.

EKM Encryption & Key Management (EKM)


• Encryption is the conversion of plaintext to ciphertext through the use of a cryptographic
algorithm. (Source: NIST)
• Key Management includes activities involving the handling of cryptographic keys and other
related security parameters (e.g., initialization vectors and passwords) during the entire life
cycle of the keys, including their generation, storage, establishment, entry and output, and
zeroization. (Source: NIST)

GRM Governance and Risk Management (GRM)


• Corporate governance is the set of processes, technologies, customs, policies, laws, and
institutions affecting how an enterprise is directed, administered, or controlled. Corporate
governance also includes the relationships among the many stakeholders involved and the
goals of the company involved.
• Information Risk Management is the process of identifying and understanding exposure to
risk and capability of managing it, aligned with the risk appetite and tolerance of the data
owner.
• An effective governance and enterprise risk management cloud computing program flows
from well-developed information security governance processes as part of the organization’s
overall corporate governance obligations of due care.

HRS Human Resources Security (HRS)

• Human Resources controls minimize the risk of the personnel closest to the data disrupting
operations and compromising the cloud.
• The areas the HR department should look after: roles and responsibilities (e.g., through
a RACI-style matrix), background verification and screening agreements, employment
agreements (e.g., NDAs), employment termination, and awareness and training on company
policies (e.g., Code of Business Conduct).

IAM Identity & Access Management (IAM)


• Identity and access management (IAM) enables the right individuals to access the right
resources at the right times for the right reasons.
• IAM addresses the mission-critical need to ensure appropriate access to resources across
increasingly heterogeneous technology environments, and to meet increasingly rigorous
compliance requirements.

IVS Infrastructure & Virtualization Security (IVS)


• Virtualization is one of the key elements of Infrastructure as a Service (IaaS) cloud offerings
and private clouds, and it is increasingly used in portions of the back-end of the Platform as
a Service (PaaS) and SaaS (Software as a Service) providers as well.
• Hypervisor Architecture Concerns - VM Guest Hardening, Hypervisor Security, Inter-VM
Attacks and Blind Spots, Performance Concerns, Operational complexity from VM Sprawl,
Instant-On Gaps, VM Encryption, Data Commingling, VM Data Destruction, VM Image
Tampering, In-Motion VM.

IPY Interoperability & Portability (IPY)


• Interoperability is the requirement for the components of a processing system to work
together to achieve their intended result. Components should be replaceable by new or
different components from different providers and continue to work.
• Portability provides for application and data components to continue to work the same
way when moved from one cloud environment to another without having to be changed.
Portability is achieved by removing dependencies on the underlying environment. A
portable component can be moved easily and reused regardless of the provider, platform,
operating system, location, storage or other elements of the surrounding environment.

MOS Mobile Security (MOS)


• Mobile computing is a very broad term that can be used to define any means of using a
computer while outside of the corporate office. This could include working from home or on
the road at an airport or hotel.
• The means to perform mobile computing could include kiosks used to remotely connect
to the corporate office, home computers, laptops, tablets or smartphones. Specialized or
integrated devices could also be considered as mobile computing devices.



SEF Security Incident Mgt, E-Discovery & Cloud Forensics (SEF)
• Incident Response (IR) is one of the cornerstones of information security management.
It is the documentation of a predetermined set of instructions or procedures to detect,
respond to, and limit the consequences of a malicious cyber attack against an organization’s
information system(s). (NIST)
• Cloud forensics is the application of science to the identification, examination, collection,
and analysis of data while preserving the information and maintaining a strict chain of
custody for the data in cloud computing (as a subset of network forensics).
• Electronic discovery (also called e-discovery or eDiscovery) refers to any process in which
electronic data is sought, located, secured, and searched with the intent of using it as
evidence in a civil or criminal legal case.

STA Supply Chain Mgt, Transparency and Accountability (STA)

• Supply chain management, transparency and accountability addresses the need to ensure that
due care is taken in the cloud provider’s supply chain, as well as the risks associated with
governing data within the cloud.

TVM Threat and Vulnerability Management (TVM)


• Threat and vulnerability management programs provide a way to assess the potential
business impact and the likelihood of threats and risks to an organization’s information
infrastructure before those events occur. (ISACA)
• Threat and vulnerability management programs include three major elements:
– An asset inventory
– Threat and vulnerability analysis
– Vulnerability management

Control Assignment Process (Intersection of EA component and CCM Specification)

As previously mentioned, each of the mapping spreadsheets identifies EA containers and CCM
control elements where appropriate. An example of the mapping process would include the Clear
Desk Policy of the Business Operations Support Services. Located within the Data Governance
container is a policy component regarding the need for a clear desk defined as:

“A corporate policy which ensures that sensitive information is not left out in the open for viewing or
theft by unauthorized users.”



This corresponds with:

• EA Key: BOSS.Data Governance.Clear Desk Policy
• EA Domain: BOSS
• EA Container High Level: Data Governance
• EA Container Mid Level: Clear Desk Policy
• Key ID: 20
• Column: P

There are four CCM Controls designated as the main focus of the EA’s Clear Desk Policy, designated
in column P with the CCM Control IDs themselves.

AIS-04: Application & Interface Security - Data Security / Integrity (row 11)

• Policies and procedures shall be established and maintained in support of data security
to include (confidentiality, integrity, and availability) across multiple system interfaces,
jurisdictions, and business functions to prevent improper disclosure, alteration, or
destruction.
• Justification: A complete set of policies for a corporation in compliance with ISO 27001
and NIST 800-53 includes limiting improper disclosure. A clear desk policy reduces the risks
associated with the need-to-know of trusted insiders and of authorized/unauthorized visitors to a
corporate facility.

HRS-09: Human Resources - Training / Awareness (row 70)

• A security awareness training program shall be established for all contractors, third-party
users, and employees of the organization and mandated when appropriate. All individuals
with access to organizational data shall receive appropriate awareness training and regular
updates in organizational procedures, processes, and policies relating to their professional
function relative to the organization.
• Justification: Training for all policies and procedures falls under the jurisdiction of the
Human Resources department. This includes the Clear Desk Policy.

HRS-11: Human Resources - Workspace (row 72)

• Policies and procedures shall be established to require that unattended workspaces do not
have openly visible (e.g., on a desktop) sensitive documents and user computing sessions
are disabled after an established period of inactivity.
• Justification: The Workspace control specifically calls out the desktop/laptop computing
requirements of screen locking after walking away from a desk.



MOS-14: Mobile Security - Lockout Screen (row 117)

• BYOD and/or company-owned devices are configured to require an automatic lockout
screen, and the requirement shall be enforced through technical controls.
• Justification: As with the Workspace CCM control, mobile devices add to the overall risks
associated with an organization and should be treated with the same care as other end points.

In all, of the 48 thousand cells examined between the EA and the CCM, roughly 3,600 items were
deemed as within the spirit of the domain and thereby marked.

EA to CCM Mapping Statistics


The mapping between the Enterprise Architecture 2.0 and Cloud Controls Matrix 3.0.1 is meant to
demonstrate how both can be used as a guide to securing an enterprise architecture. The statistics
below show the results of this mapping.

Given the generalized descriptions used in both the EA column and CCM row components, the
mappings capture the main spirit of any convergence recognized by the WG rather than technical
exactness. An exact mapping would require granular technical descriptions, which would normally be
the responsibility of anyone using this document. The EA mapping provides a guide to ensuring that
their actual enterprise architecture is secure. This would be followed by testing to verify control
design and effectiveness.

First we show the mapping universe which comprises a 133 (Rows) x 360 (Cols) matrix with 48K cells.
SRM is the largest EA domain with over 14K cells. This means there are over 14K intersection points
between the CCM controls and all SRM components.

Total item count: EA Component Group by CCM Domain

Then we show the count of the controls that have been identified as relating to each component’s
security. In this mapping, 3,565 relevant intersections of the EA v2.0 and CCM v3.0.1 have been
identified as securing the EA.



Coverage item count: EA Component Group by CCM Domain

Finally, below we show the percentage of the controls identified as relating to each EA component. In
this mapping, the 3,565 marked intersections represent 7.4% of the 47,880 cells.

Percent coverage: EA Component Group by CCM Domain
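As an added example (not part of this CSA guide or its mapping spreadsheets), the following Python reproduces the arithmetic behind the three tables above and the Control Assignment Process earlier in this section: it parses CCM control IDs (three-letter domain acronym plus two-digit sequence number, as in Column B), parses EA keys of the form Domain.Container.Component, rejects unknown acronyms, and tabulates total, marked and percent coverage grouped by EA domain and CCM domain. The sample mapping uses the four Clear Desk Policy controls quoted on this page; the SRM column, its IAM-03 mark and the AIS-02/IAM-03 rows are constructed for illustration only.

```python
"""Coverage arithmetic for an EA-to-CCM mapping spreadsheet (added example)."""
import re
from collections import defaultdict

# The 16 CCM v3.0.1 control domains, as listed in Figure 6 of this guide.
CCM_DOMAINS = {
    "AIS": "Application & Interface Security",
    "AAC": "Audit Assurance & Compliance",
    "BCR": "Business Continuity Mgmt & Op Resilience",
    "CCC": "Change Control & Configuration Management",
    "DSI": "Data Security & Information Lifecycle Management",
    "DCS": "Datacenter Security",
    "EKM": "Encryption & Key Management",
    "GRM": "Governance and Risk Management",
    "HRS": "Human Resources Security",
    "IAM": "Identity & Access Management",
    "IVS": "Infrastructure & Virtualization Security",
    "IPY": "Interoperability & Portability",
    "MOS": "Mobile Security",
    "SEF": "Sec. Incident Mgmt, E-Disc & Cloud Forensics",
    "STA": "Supply Chain Mgmt, Transparency & Accountability",
    "TVM": "Threat & Vulnerability Management",
}

# Column B of the CCM: domain acronym, hyphen, two-digit sequence number (e.g. HRS-09).
CONTROL_ID = re.compile(r"^([A-Z]{3})-(\d{2})$")


def parse_control_id(control_id):
    """Split 'HRS-09' into ('HRS', 9); reject malformed IDs and unknown acronyms."""
    match = CONTROL_ID.match(control_id.strip())
    if not match:
        raise ValueError(f"malformed CCM control ID: {control_id!r}")
    domain, number = match.group(1), int(match.group(2))
    if domain not in CCM_DOMAINS:
        raise ValueError(f"unknown CCM domain acronym: {domain}")
    if number == 0:
        raise ValueError("control numbers start at 01")
    return domain, number


def parse_ea_key(key):
    """Split 'BOSS.Data Governance.Clear Desk Policy' into (domain, container, component)."""
    parts = key.split(".")
    if len(parts) != 3 or not all(p.strip() for p in parts):
        raise ValueError(f"EA key must be Domain.Container.Component: {key!r}")
    return tuple(p.strip() for p in parts)


def percent(marked, total):
    """Percent coverage rounded to one decimal; 0.0 for an empty group."""
    return round(100.0 * marked / total, 1) if total else 0.0


def coverage_by_domain(ccm_controls, ea_keys, marks):
    """Tabulate the mapping universe as the guide does: rows are CCM controls, columns
    are EA components, and a mark is one (ea_key, control_id) cell judged in scope.
    Returns {(ea_domain, ccm_domain): {"total", "marked", "percent"}} plus an "ALL" entry."""
    ea_domain_of = {key: parse_ea_key(key)[0] for key in ea_keys}
    ccm_domain_of = {cid: parse_control_id(cid)[0] for cid in ccm_controls}
    marks = set(marks)  # a cell is either marked or not; duplicates must not double count
    counts = defaultdict(lambda: {"total": 0, "marked": 0})
    for key in ea_keys:
        for cid in ccm_controls:
            counts[(ea_domain_of[key], ccm_domain_of[cid])]["total"] += 1
    for key, cid in marks:
        if key not in ea_domain_of or cid not in ccm_domain_of:
            raise ValueError(f"mark refers to a cell outside the universe: {(key, cid)!r}")
        counts[(ea_domain_of[key], ccm_domain_of[cid])]["marked"] += 1
    result = {group: dict(c, percent=percent(c["marked"], c["total"]))
              for group, c in counts.items()}
    grand = {"total": len(ea_keys) * len(ccm_controls), "marked": len(marks)}
    result["ALL"] = dict(grand, percent=percent(grand["marked"], grand["total"]))
    return result


def clear_desk_example():
    """The page's Clear Desk Policy mapping plus one constructed SRM column (not from the page)."""
    ccm_controls = ["AIS-02", "AIS-04", "HRS-09", "HRS-11", "IAM-03", "MOS-14"]
    ea_keys = [
        "BOSS.Data Governance.Clear Desk Policy",            # from the page
        "SRM.Policies and Standards.Access Control Policy",  # constructed for illustration
    ]
    marks = {
        ("BOSS.Data Governance.Clear Desk Policy", "AIS-04"),
        ("BOSS.Data Governance.Clear Desk Policy", "HRS-09"),
        ("BOSS.Data Governance.Clear Desk Policy", "HRS-11"),
        ("BOSS.Data Governance.Clear Desk Policy", "MOS-14"),
        ("SRM.Policies and Standards.Access Control Policy", "IAM-03"),  # constructed
    }
    return coverage_by_domain(ccm_controls, ea_keys, marks)


if __name__ == "__main__":
    for group, stats in sorted(clear_desk_example().items(), key=str):
        print(group, stats)
```

Running the module prints the per-group table for the sample mapping; applied to the page’s own universe, percent(3565, 133 * 360) returns 7.4, the figure quoted above. Rejecting unknown acronyms and out-of-universe marks at parse time is what keeps a hand-edited mapping spreadsheet from quietly skewing the coverage numbers.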

Summary
Many organizations use underlying Enterprise Architecture framework components in designing and
controlling their environments, including ITIL, COBIT, TOGAF and the Jericho Forum[11]. The EA can assist
in converting existing processes and assessments or performing cloud control gap reviews.

Another use case for the EA surrounds its big-picture view of an organization’s security posture. The
Cloud Controls Matrix and companion Consensus Assessment Initiative Questionnaire (CAIQ) provide
an internal assessment tool for determining where successes or deficiencies exist. The mapping
described here allows an organization to assess with the CCM/CAIQ and present the findings in terms of the EA.

We hope you find this tool useful and look forward to your feedback.
[11] https://publications.opengroup.org/white-papers/security/jericho-forum



References
Cloud Security Alliance - Reference Architecture - v2.0, Release Date: February 25, 2013, available @
https://cloudsecurityalliance.org/artifacts/tci-reference-architecture-v2-0/

Cloud Security Alliance - Cloud Controls Matrix v3.0.1, Release Date: August 3, 2019, available @
https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v3-0-1/

NIST Special Publication 500-292, NIST Cloud Computing Reference Architecture, Recommendations
of the National Institute of Standards and Technology, by Fang Liu, Jin Tong, Jian Mao, Robert Bohn,
John Messina, Lee Badger and Dawn Leaf, September 2011, available @
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication500-292.pdf

ISO/IEC 17789:2014, Information technology — Cloud computing — Reference architecture, October 2014,
available @ https://standards.iso.org/ittf/PubliclyAvailableStandards/c060545_ISO_IEC_17789_2014.zip

ISO/IEC 17788:2014, Information technology — Cloud computing — Overview and vocabulary, October 2014,
available @ https://standards.iso.org/ittf/PubliclyAvailableStandards/c060544_ISO_IEC_17788_2014.zip
