How cloud security controls are layered across preventive, detective, and corrective tiers — and a complete walkthrough of the 17 domains of the CSA Cloud Controls Matrix v4.
Sign in to mark this article as read and track your progress.
Cloud security controls fall into three functional layers that work together to reduce risk:
| Layer | Purpose | Cloud Examples |
|---|---|---|
| Preventive | Stop an attack before it succeeds | MFA enforcement, IAM least privilege, encryption at rest, WAF rules |
| Detective | Identify an attack in progress or after the fact | CloudTrail, GuardDuty, VPC Flow Logs, SIEM alerting |
| Corrective | Respond to and recover from an attack | Automated incident response, snapshot restoration, credential revocation |
A common mistake is investing heavily in preventive controls while neglecting detective and corrective ones. Attackers adapt to prevention; detection and response determine how much damage occurs when prevention is bypassed.
The Cloud Security Alliance (CSA) Cloud Controls Matrix is the most widely adopted cloud security framework for control mapping. Version 4 organises 197 controls across 17 domains:
| # | Domain | Abbreviation | Focus Area |
|---|---|---|---|
| 1 | Application and Interface Security | AIS | Secure SDLC, API security |
| 2 | Audit Assurance and Compliance | AAC | Audit planning, evidence gathering |
| 3 | Business Continuity Management and Operational Resilience | BCR | RTO/RPO, DR planning |
| 4 | Change Control and Configuration Management | CCC | Change management, baseline configs |
| 5 | Cryptography, Encryption and Key Management | CEK | Key lifecycle, algorithm standards |
| 6 | Data Center Security | DCS | Physical security of provider facilities |
| 7 | Data Security and Privacy Lifecycle Management | DSP | Data classification, residency, deletion |
| 8 | Governance, Risk and Compliance | GRC | Policy, risk management, regulatory compliance |
| 9 | Human Resources | HRS | Background checks, termination procedures |
| 10 | Identity and Access Management | IAM | Authentication, authorisation, privileged access |
| 11 | Infrastructure and Virtualisation Security | IVS | Hypervisor hardening, network segmentation |
| 12 | Interoperability and Portability | IPY | Vendor lock-in, data portability |
| 13 | Logging and Monitoring | LOG | Log collection, retention, SIEM |
| 14 | Security Incident Management, E-Discovery and Cloud Forensics | SEF | IR planning, evidence preservation |
| 15 | Supply Chain Management, Transparency and Accountability | STA | Third-party risk, vendor auditing |
| 16 | Threat and Vulnerability Management | TVM | Vulnerability scanning, patch management |
| 17 | Universal Endpoint Management | UEM | Device management, endpoint security |
The CCM is structured so each control maps to:
CEK-01 for Encryption and Key Management policy)This multi-framework mapping makes CCM exceptionally valuable for organisations that must demonstrate compliance across multiple standards simultaneously.
IAM-06 (User Access Provisioning): Establish a process for granting and revoking access rights based on least privilege. Access reviews must occur at minimum annually.
CEK-03 (Encryption Change Management): Cryptographic algorithms, key lengths, and protocols must align with industry standards and be reviewed when vulnerabilities are discovered.
LOG-05 (Audit Log Monitoring): Audit logs must be reviewed regularly for anomalous activity. Automated alerting must be configured for high-severity events.
SEF-05 (Incident Response Planning): Incident response plans must address cloud-specific scenarios including provider outages, data breaches, and account compromises.
For each CCM control, the responsibility is tagged as:
In IaaS environments, the majority of CCM controls are customer responsibilities. In SaaS environments, significantly more fall to the provider — but customers remain responsible for identity, data classification, and configuration.
The CSA CCM gives security teams a structured vocabulary for cloud control requirements, a cross-framework mapping to simplify compliance, and a clear responsibility assignment for every control. It is the recommended starting point for any cloud security programme assessment.