Cisco Makes Cloud Controls Framework Public

Cisco announced it is making its Cloud Controls Framework (CCF), a comprehensive set of international and national security compliance and certification requirements, available to the public.

The standards have been aggregated into one framework, providing a ‘build-once-use-many’ approach for achieving compliance with a broad range of international and national cloud security certifications, including SOC 2, ISO, FedRAMP and others. 

The CCF release includes guidance on how to implement the controls as well as the audit artifacts needed to demonstrate that the controls are operating effectively.

On an international level, the framework privacy certifications include Germany’s BSI C5, the Spanish ENS, Japan’s ISMAP, PCI DSS v3.2.1, the EU Cloud Code of Conduct and Australia’s IRAP.

Prasant Vadlamudi, Cisco’s head of global cloud compliance, said the release of the CCF would help organizations achieve security compliance certification faster using a consolidated audit strategy and would improve the security posture of SaaS offerings.

“It creates a drive-subscriber approach, allowing various functions within the organization to focus on controls in their areas of expertise,” he explained. “For example, the engineering team can focus on CCF controls in their realm. We want engineers to dedicate their time and knowledge to build better products and features.”

DevOps Unbound Podcast

Cisco Controls Framework: Making Security Foundational

Vadlamudi said the CCF helps developers free up their time while making security and compliance foundational in developing products and services.  

He added that, as Cisco develops and updates the CCF to keep up with evolving security frameworks, the company will continue to release new versions to the public.

“We believe that any framework that can enable the security community to build more secure SaaS offerings should be used and made public,” he said. “Together, we can build a better secure internet.”

John Yun, vice president of product strategy at ColorTokens, a provider of autonomous zero-trust cybersecurity solutions, said there was no doubt the release of Cisco CCF to the public would benefit organizations leveraging Cisco cloud services.

“However, such a move has a larger ramification across the industry—where cloud service providers as well as security vendors are not simply focused on their offerings but willing to collaborate to assist enterprises in tackling the difficult challenges of cloud compliance,” he added. 

Proven Guidance

He noted frameworks like the CCF are useful as a form of proven guidance and best practices to ensure compliance, which is currently highly sought after.

“When you consider the rapid pace of cloud application development coupled with the increase in overall cloud adoption, enterprises simply cannot keep pace,” he said. “In the area of compliance and security, in particular, they are under tremendous strain.”

Yun explained that while he doesn’t expect a flood of such frameworks to be released publicly, he does expect other organizations will follow suit.

“Many organizations are migrating from on-premises to the cloud and, in some cases, multi-cloud environments,” he noted. “The journey has not been easy for many organizations, as the benefits inherent in the cloud—anywhere access, its ephemeral nature, dynamic scalability—are also available to cyberattackers, making attacks increasingly difficult to detect.”

He said many are coming to the realization that they need to partner with security experts to evolve their overall security posture and, in some cases, have a fresh look at the latest cloud security innovations available.

“While many are playing catch-up today, as organizations adopt a new POV for their security and compliance for the cloud, I expect a significant improvement in their security posture,” Yun said. 

Boris Gorin, co-founder and CEO at Canonic Security, a cybersecurity startup protecting SaaS business applications, called Cisco’s CCF release a welcome development.

He pointed out that security breaches mostly happen due to controls being overlooked or improperly implemented rather than because of a lack of standards or processes.

“Therefore, if we look at existing processes for managing third-party systems and integrations, there’s a ton of room for improvement; any set of requirements aiming at standardization is certainly an improvement,” he said.

However, if organizations lack context for every SaaS solution they use—the data it holds, the access model that is in place, the integrations it facilitates—then, from Gorin’s perspective, if they don’t monitor these continuously, another standard, as good as it can be, isn’t going to make much of a difference.

Sounil Yu, chief information security officer at JupiterOne, a provider of cyber asset management and governance solutions, added that frameworks like Cisco’s CCF enable organizations to normalize expectations about what evidence helps them meet various compliance requirements around the world.

“We have much to learn from each other when it comes to how we can make the practice of security easier and more efficient, especially across multiple geographical regions,” he said. “Even if there are flaws in this framework, we should applaud the efforts of large enterprises like Cisco who are willing to share their best practices to help democratize security for everyone else.”

Vadlamudi noted the cloud has completely changed the way services are offered to customers. 

“No matter the industry or the region, customers are increasingly asking organizations to demonstrate their commitment toward security and privacy, chiefly through independent certifications,” he said. “At Cisco, we take that responsibility very seriously.”  

 He explained that as newer cloud-focused technologies evolve, so will the cloud security and privacy certifications and standards.

“They will continue to evolve to enable organizations to scale and address the risk using the latest technologies,” Vadlamudi said.

As certifications and standards become more complex across industries and countries, it makes it ever more difficult for organizations to keep pace. Yet it is now a central sales driver and a highly resource- and time-intensive process.

“A framework like the Cisco CCF provides organization with a scalable solution to the ever-evolving cloud security and privacy requirements,” he said. 


Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.

nathan-eddy has 227 posts and counting.See all posts by nathan-eddy

Integrated Security Data PulseMeter

Step 1 of 7

What percentage of your organization’s security data is integrated into a SIEM or data repository you manage? (Select one)(Required)