CSA CCM CCC-05
Change Agreements

Change agreements govern the changes a cloud service provider (CSP) makes to a customer-owned environment or tenant. CCC-05 asks for a procedure under which such changes are made only when explicitly authorized, with that authorization captured in the service level agreements between the CSP and the cloud service customer (CSC). Clear change agreements protect customers and give them visibility into what the provider is doing in their environment.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full CCM from the Cloud Security Alliance website.

The CCM provides a controls framework for cloud computing. It was developed through collaboration between CSPs and stakeholders in the cloud community. You can find more information in the CCM FAQ.

Who should care?

A few different roles should pay attention to change agreements:

  • Cloud architects designing environments that span CSP and CSC responsibilities
  • Compliance officers ensuring proper controls are in place
  • IT managers responsible for change management processes
  • Legal teams drafting and reviewing service level agreements
  • DevOps engineers making frequent environment changes

What is the risk?

Without proper change agreements in place, a few bad things could happen:

  • Unauthorized changes could be made to customer environments leading to outages, data loss, or security issues
  • Lack of clear responsibilities could lead to finger-pointing between CSPs and CSCs when incidents occur
  • Compliance violations if required change controls are not followed
  • Inefficiencies if, with no agreed thresholds, every change defaults to needing explicit approval

The risks are higher for organizations with strict change control requirements or highly dynamic environments requiring frequent changes. But putting proper agreements in place can mitigate most of the risk.

What's the care factor?

For most organizations, having some level of change agreement is important but may not be the top security priority, especially if the cloud footprint is small or changes are infrequent.

However, change agreements are essential for a few cases:

  • Enterprises with formal change management policies
  • Regulated industries with strict change control requirements (e.g. financial services, healthcare)
  • Organizations with complex hybrid cloud/on-prem environments
  • Businesses using many cloud services requiring frequent changes

When is it relevant?

Change agreements make sense any time a CSC is using CSP services that may require changes impacting the CSC's environment. This could span IaaS, PaaS and SaaS offerings.

Some examples of relevant changes could be:

  • Patching/upgrading underlying infrastructure
  • Modifying network configurations
  • Updating access controls
  • Changing service options/features

Change agreements matter less for changes confined to infrastructure the CSP fully owns and the CSC can neither see nor configure, as long as those changes do not alter the CSC's tenant. They also may not be needed for very small, static environments.

What are the trade-offs?

Implementing change agreements comes with a few potential downsides:

  • Added complexity in the change management process
  • Potential delays when CSC approval must be obtained before a change can proceed
  • Additional overhead in keeping agreements up-to-date
  • Challenges with granularity (e.g. defining what changes require approval)

There is a balance between having appropriate oversight and being overly restrictive. Organizations should right-size change agreements based on their risk tolerance and agility needs.

How to make it happen?

Here are some key steps to put change agreements in place:

  1. Define roles & responsibilities - Clarify which changes are owned by the CSP vs CSC. Use a RACI matrix.
  2. Determine change categories - Group types of changes based on risk and impact (e.g. standard, minor, major, emergency).
  3. Set approval thresholds - Outline which roles can approve different categories of changes. Avoid bottlenecks.
  4. Establish communication channels - Agree on how change requests and approvals will be handled (e.g. ticket system, email).
  5. Document exceptions - Note any changes pre-approved or that don't require CSC authorization.
  6. Include in service agreements - Reference change agreements in contracts and SLAs between CSPs and CSCs.
  7. Implement change controls - Follow agreed procedures. Log every change with who made it, what changed, when, and the authorizing ticket. Audit the log against the agreement.
  8. Review and update - Assess effectiveness of change agreements. Modify as needed based on feedback.

What are some gotchas?

A few things to watch out for when implementing change agreements:

  • Ambiguity in CSP/CSC responsibilities can lead to confusion. Be specific where possible.
  • Avoid requiring approval for every little change, which slows things down. Emphasize material changes.
  • Emergency changes may need to bypass normal approvals. Have a process to handle expedited changes.
  • Be cautious relying on CSP approvals for regulated industry compliance. Customers may still be ultimately responsible.
  • Change agreements need to be kept in sync with other security controls. Don't manage them in a silo.

What are the alternatives?

While change agreements are a best practice, there are some other options to consider:

  • Rely on CSP change management - For simple environments, CSCs can fully delegate change responsibility to the CSP. Ensure CSP has mature controls.
  • Implement compensating controls - If unable to get CSP change agreements, CSCs can add detective controls, such as reconciling provider activity in audit logs against approved changes, to identify unapproved changes after the fact.
  • Use infrastructure-as-code - Adopting IaC defines the environment as code, so every change becomes a reviewable diff with a recorded approver and goes through standard SDLC controls. This reduces the change surface.

Each of these approaches has pros/cons to evaluate based on the organization's use cases and constraints.
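The logging and audit step above (step 7) and the compensating-control alternative come down to the same check: reconcile what the provider actually did in your tenant against what the agreement authorized. The following Python is an added example written for this page, not code from the CCM or from any CSP. The audit-log layout, the field names (eventTime, principal, eventName), the principal naming scheme and the ticket IDs are all constructed assumptions; a real deployment would read the provider's audit trail and the ticketing system instead of the inline samples.

```python
"""Detective control for CCC-05: reconcile cloud audit-log events against the
change agreement (approved change windows plus pre-approved exceptions) and
flag CSP-initiated changes that were never authorized.

Added example for this page; not from the CCM or any CSP. The event format is
a simplified CloudTrail-like record and the field names (principal, eventName,
eventTime) are assumptions made for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Optional
import json

# Identities the control covers: only the provider's changes to our tenant.
CSP_PRINCIPAL_GLOB = "csp-*"

# Step 5 of the page: pre-approved exceptions that never need CSC authorization.
# (principal glob, action glob). Read-only calls are the obvious candidates.
PRE_APPROVED = (("*", "Describe*"), ("*", "Get*"), ("*", "List*"))


@dataclass(frozen=True)
class ApprovedChange:
    """One authorized change taken from the agreement / ticketing system."""
    ticket: str
    category: str        # standard | minor | major | emergency
    principal: str       # glob over the acting identity
    actions: tuple       # globs over API action names allowed under the ticket
    start: datetime      # approved window (UTC, inclusive)
    end: datetime


def _utc(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_events(ndjson: str) -> list:
    """Parse newline-delimited JSON audit events, attaching a parsed UTC time."""
    events = []
    for line in ndjson.strip().splitlines():
        ev = json.loads(line)
        ev["time"] = _utc(ev["eventTime"])
        events.append(ev)
    return events


def match_agreement(ev: dict, agreements) -> Optional[ApprovedChange]:
    """Return the first approved change whose principal, action and window cover this event."""
    for ag in agreements:
        if (fnmatchcase(ev["principal"], ag.principal)
                and any(fnmatchcase(ev["eventName"], a) for a in ag.actions)
                and ag.start <= ev["time"] <= ag.end):
            return ag
    return None


def reconcile(events, agreements) -> list:
    """Classify every event. Returns tuples of (status, eventName, principal, ticket)."""
    out = []
    for ev in events:
        name, who = ev["eventName"], ev["principal"]
        if not fnmatchcase(who, CSP_PRINCIPAL_GLOB):
            out.append(("out-of-scope", name, who, None))   # the CSC's own change, not CCC-05
        elif any(fnmatchcase(who, p) and fnmatchcase(name, a) for p, a in PRE_APPROVED):
            out.append(("pre-approved", name, who, None))
        elif (ag := match_agreement(ev, agreements)) is None:
            out.append(("UNAPPROVED", name, who, None))      # this is what should alert
        elif ag.category == "emergency":
            out.append(("emergency-review", name, who, ag.ticket))  # expedited; audited after the fact
        else:
            out.append(("approved", name, who, ag.ticket))
    return out


def unapproved(findings) -> list:
    """Just the findings that should page someone."""
    return [f for f in findings if f[0] == "UNAPPROVED"]


# Constructed sample agreement: one "major" patch window and one emergency ticket.
AGREEMENTS = (
    ApprovedChange("CHG-1042", "major", "csp-maintenance/*",
                   ("ModifyDBInstance", "RebootDBInstance"),
                   _utc("2024-03-10T02:00:00Z"), _utc("2024-03-10T04:00:00Z")),
    ApprovedChange("CHG-1050", "emergency", "csp-support/*", ("RebootDBInstance",),
                   _utc("2024-03-11T09:00:00Z"), _utc("2024-03-11T10:00:00Z")),
)

# Constructed sample audit log (not real provider data).
SAMPLE_LOG = """
{"eventTime":"2024-03-10T02:15:00Z","principal":"csp-maintenance/patch-bot","eventName":"ModifyDBInstance"}
{"eventTime":"2024-03-10T02:16:00Z","principal":"csp-maintenance/patch-bot","eventName":"DescribeDBInstances"}
{"eventTime":"2024-03-10T15:40:00Z","principal":"csp-support/engineer-7","eventName":"AuthorizeSecurityGroupIngress"}
{"eventTime":"2024-03-11T09:05:00Z","principal":"csp-support/engineer-7","eventName":"RebootDBInstance"}
{"eventTime":"2024-03-11T11:00:00Z","principal":"csc/alice","eventName":"CreateBucket"}
"""

if __name__ == "__main__":
    for finding in reconcile(parse_events(SAMPLE_LOG), AGREEMENTS):
        print(*finding)
```

The security-group change by the support engineer is the one that gets flagged: it is a CSP principal, it is not a read-only call, and no ticket covers that identity, action and time. The emergency reboot passes but is tagged for review rather than silently approved, which is how the gotcha about expedited changes is handled without opening a permanent bypass. Matching on identity, action and window together is what makes the check useful; matching on any one of them alone would either miss changes or drown the reviewer in noise.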
