DivvyCloud is proud to announce that we have just released the Cloud Security Alliance Cloud Controls Matrix (CSA CCM) as a new insights pack.

What is CSA CCM?
Cloud native frameworks such as the CSA CCM allow companies to embrace the many benefits of the public cloud without opening up a Pandora’s box of risk. The CSA CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry, and has become the generally agreed upon standard of US-based financial services companies on how they will govern their use of the cloud.   Many financial institutions use the CSA CCM because it encompasses multiple security frameworks across multiple organizations and allows them to look at their legacy frameworks and determine which portions are covered.

DivvyCloud has taken this framework of cloud-specific controls and implemented it as one of our Insight Packs.  This operationalizes the controls, allowing DivvyCloud customers immediate, and continued visibility into policy violations and automated remediation of those violations.

The CSA CCM strengthens existing information security control environments in a number of ways:

  • It emphasizes business information security control requirements;
  • It reduces and identifies consistent security threats and vulnerabilities in the cloud;
  • It provides standardized security and operational risk management;
  • It seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

Dive Into DivvyCloud’s CSA CCM Insight
CSA CCM has directives AIS-04, BCR-07, BCR-10, BCR-11, IAM-01, IAM-12, IVS-01, and IVS-03.  All of these require that you have Global API Accounting Configured so that it records API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the specific cloud service. Global API Accounting provides a history of API calls for each account, including API calls made via the management console, SDKs, command line tools, and other cloud services.  Without this, you are in violation of CSA CCM. With DivvyCloud our “Cloud Account Without Global API Accounting Config” Insight will identify when this is violated and customers can build an automation to remediate. For example, in AWS, this would mean DivvyCloud would use the API write credentials to turn on AWS CloudTrail for the resource in question.

Interested in learning more? Get your free trial of DivvyCloud and see the CSA CCM Insight Pack in action.



DivvyCloud mitigates security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.