STAR Self Assessment
About CSA STAR Self-Assessment
CSA STAR Self Assessment is free and open to all cloud providers and allows them to submit self assessment reports that document compliance to CSA-published best practices.
Since the initial launch at the end of 2011, the CSA has seen tremendous growth in STAR Self Assessment, with major cloud players including Amazon Web Services, Box.com, HP, Microsoft, Ping Identity, Red Hat, Skyhigh Networks, Symantec, Terremark and many other submitting entries into the registry. These cloud providers recognized the need to provide transparency and assurance of their cloud services to corporations and end users, who are increasingly requesting visibility into the security controls provided by various cloud computing offerings. The CSA STAR Self Assessment is open to all cloud providers.
Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices:
- The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in IaaS, PaaS and SaaS offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed Consensus Assessments Initiative Questionnaire.
- The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.
CSA strongly encourages all IaaS, SaaS and PaaS providers, large and small, to complete a self-assessment for publication. In doing so, they will address some of the most urgent and important security questions buyers are asking and can dramatically speed up the purchasing process for their services.
In addition to cloud provider self assessments, CSA STAR will also provide listings to solution providers who have integrated CAIQ, CCM and other GRC Stack components into their compliance management tools. This will help customers extend their GRC monitoring and reporting across their enterprise and in concert with multiple cloud provider relationships. Interested parties can go to our GRC Stack site to view all of the related tools and understand how they may be leveraged to simplify and even automate aspects of cloud compliance. Providers interested in submitting should monitor https://www.cloudsecurityalliance.org/star/ for more details and updates.
1) Q. What is the CSA STAR?
A. The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. It is a simple but powerful idea. Cloud providers post self assessments of their cloud services and CSA makes these assessments publicly available. Cloud consumers can use this data to make informed purchasing decisions.
2) Q. Are there any costs for CSA STAR listings or usage?
A. The CSA STAR is free for both providers to submit registry entries and for consumers to use the registry for research.
3) Q. What is the Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix, and how do I use them for my own self assessment?
A. The Cloud Controls Matrix (CCM), provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.
The Consensus Assessments Initiative Questionnaire (CAIQ, pronounced “cake”), is based upon CCM and provides industry-accepted ways to document which CCM security controls exist in IaaS, PaaS, and SaaS offerings. The questionnaire (CAIQ) provides a set of over 295 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed CAIQ. This will likely be the easiest option for those who have not already developed a CCM report.
A special LinkedIn forum (http://www.linkedin.com/groups?home=&gid=4066598) dedicated to CSA STAR support questions is available and moderated by volunteer experts from the community./.
4) Q. Why did the CSA feel it was necessary to launch CSA STAR?
A. CSA believes that catalyzing transparency among cloud providers and encouraging a positive competition, with security as a market differentiator, is the right way to think about security in our computer systems. In these early days of cloud adoption, voluntary self-regulation of cloud providers is preferable to heavy handed governmental regulation.
5) Q. How does the process work for getting listed on CSA STAR?
A. Cloud providers submit a completed CAIQ or CCM whitepaper through our website. CSA will verify submission authenticity and will perform a basic check of content accuracy. CSA will then digitally sign the entry and add it to the public registry.
6) Q. What benefits are there for cloud providers being listed on CSA STAR?
A. Cloud providers have the benefit of being recognized as a security conscious organization, and will gain exposure to information security, assurance and risk management professionals which are a key part of the cloud service procurement process. Providers will also be able to streamline their responses to customer due diligence inquiries and “one off” audits.
7) Q. What are the consumer benefits for CSA STAR?
A. Consumers have the benefit of having greater information about the security protections cloud providers are promoting. Informed consumers make better decisions.
8) Q. Won’t a public registry of security self assessments create new threat vectors for hackers to exploit?
A. No. The CAIQ is intended to allow a provider to document its security practices without going into a level of detail that would expose sensitive information. For example, a provider will likely document whether or not they regularly perform application layer penetration testing, but would not likely publish detailed results of web scanning tools.
9) Q. Can I get private help with my self assessment questions?
A. Yes, a special mailbox, [email protected].org has been setup for questions you do not wish to post in the LinkedIn group, and is managed by our volunteer experts. Be aware that the amount of support you are able to get may not be sufficient depending upon your questions, and you may need to engage with a professional services firm to assist you.
10) Q. As a consumer, how do I use the CSA STAR?
A. How a consumer uses CSA STAR will depend upon their business requirements, the type of cloud service they intend to use and their risk tolerance levels. In general it will tend to reduce the scope of their provider due diligence and provide decision support information to assist in narrowing the focus of audits and other provider inquiries.
11) Q. Is CSA providing independent verification of the provider security controls?
A. No. The CSA does not guarantee the accuracy of CSA STAR entries.
12) Q. Does the CSA STAR automatically update registry entries when the provider changes its security controls?
A. No. Providers should update their entries to reflect material changes.
13) Q. What will prevent a cloud provider from providing false and misleading information about the security of their cloud service?
A. Public scrutiny will challenge inappropriate uses of CSA STAR. Individuals concerned about objectively false information in the CSA STAR may contact us at [email protected].
14) Q. Why doesn’t CSA create a provider certification instead?
A. A high quality provider certification program is a much more complicated initiative. Widely varying business use cases for cloud computing will dictate very different assurance requirements. One will have a much different risk profile if they are using the cloud to store pictures of their family pet as opposed to highly confidential financial systems or trade secrets. CSA is involved in several different industry initiatives that are addressing this issue. We are supporting partners of Common Assurance Maturity Model (CAMM), a project that will eventually provide third party assurance based upon maturity scoring. We are actively involved in the standards community to develop next generation standards related to cloud security. In addition, our tools map to important standards and regulations organizations must comply with today, such as PCI/DSS, HIPAA, NIST and ISO 27001.
We are opposed to creating yet another compliance mandate governing a very dynamic cloud industry. CSA feels transparency of security practices and scrutiny of providers via a crowdsourcing public is something the industry can leverage today that holds great promise to improve security baselines in the industry. We feel this agile approach to security assurance using market forces will be an important complement to rigorous certifications.
15) Q. Will cloud providers be required to maintain their registry entries?
A. Yes. CSA will mark entries older than one year as “expired” and will be indicated as such in the registry.
16) Q. What future developments related to CSA STAR can we expect?
A. It is our belief that the major developments of the future will arise from third party solution providers to extend and automate CSA STAR by integrating STAR solutions directly into their products and services.
Submit a Question
Have questions you would like to see answered? Please direct them to [email protected] or through the form below:
Terms & Conditions
Effective as of November 14, 2011
These Terms and Conditions (“Terms”) constitute a binding agreement between the Cloud Security Alliance (CSA) and the entity (“Provider”) submitting a document for posting (“Security Disclosure”) on the Cloud Security Alliance Security Trust & Assurance Registry (“CSA STAR℠ Registry”).
BY SUBMITTING YOUR CSA STAR™ SECURITY DISCLOSURE FOR POSTING ON THE CSA STAR℠ REGISTRY, YOU ACKNOWLEDGE AND AGREE TO THE FOLLOWING TERMS.
1. The Cloud Security Alliance CSA STAR℠ Registry
The CSA STAR℠ Registry is a publicly accessible registry that documents the security controls provided by various cloud computing offerings. It is based upon the CSA Governance, Risk, and Compliance (GRC) Stack, a collection of four integrated research projects that provide a framework for cloud-specific security controls, assessment, and greater automation and real-time GRC management.
2. Submission of Security Disclosure
Provider may submit a description of its security controls to the CSA for display on the CSA STAR℠ Registry by doing the following:
- Provider must prepare a Security Disclosure, which is a written document that contains its response to the CSA Consensus Assessments Initiative Questionnaire (CAIQ) or that describes its compliance with the controls that are set forth in the CSA Cloud Controls Matrix (CCM);
- Provider must upload the Security Disclosure and the completed STAR Application Form on the CSA STAR℠ website as explained in the CSA STAR℠ FAQs;
After Provider has uploaded its Security Disclosure, CSA will verify the authenticity of the submission, perform a basic check to ensure that the application is complete, and upload the Security Disclosure on the CSA STAR℠ Registry.
CSA may refuse to post, or may delete, any Security Disclosure that in its sole judgment violates these Terms.
3. Ongoing Use and Maintenance
Provider must update its Security Disclosure from time to time, but not less than once in any twelve (12) month period, in order to take into account the changes in its internal security controls and procedures.
CSA will mark any Security Disclosure that is older than 365 days to be deprecated, and will remove from the CSA STAR℠ Registry any such obsolete Security Disclosure within six months if the Security Disclosure has not been updated.
When the Security Disclosure has been accepted for posting on the CSA STAR℠, Provider may indicate on its website and in its promotional material that:
“[Company]’s Security Disclosure is posted on the Cloud Security Alliance STAR Registry, www.cloudsecurityalliance.org/STAR.”
If a Security Disclosure has not been updated in the prior 365 days, Provider must promptly remove any such notice from its website and promotional materials.
Provider is allowed to link from its website to the page of the CSA STAR℠ Registry where its Security Disclosure is posted.
4. Rules of the CSA STAR℠ Registry
Provider will not do any of the following:
- Post any content or material that infringes any copyright, trademark, patent, trade secret or other intellectual property right of a third party or that is unlawful, harmful, tortious, defamatory, libelous, objectionable or inappropriate as determined by CSA, or could constitute or encourage conduct that would be considered a criminal offense, give rise to civil liability, or violate any law or regulation;
- Post any content or material that it is under a contractual obligation to keep private or confidential;
- Impersonate any person or organization, or misrepresent an affiliation with another person or organization;
- Upload to the Registry any file or link that do not comply with these Terms or that contains viruses, corrupted files, or any other similar software or programs that may adversely affect the operation of the CSA STAR℠ Registry or the CSA website, or any feature of the CSA website;
- Share or transfer password or other access information that allows for making modifications to the Security Disclosures with any other party, temporarily or permanently.
5. Termination; Suspension
CSA may delete or block any or all Security Disclosures associated with Provider at any time and without notice, if CSA determines in its sole discretion that Provider has violated these Terms, the law, or for any other reason.
CSA assumes no liability for any such deletion or blocking, and reserves the right to permanently prohibit Provider from posting Security Disclosures on the CSA STAR℠ Registry.
The CSA STAR℠ Registry is free to Providers to submit Security Disclosures for posting on the STAR Registry, and for consumers to use the Registry for research. In the future, CSA may elect to charge a fee for posting to the STAR Registry, or to limit the number of postings that a single entity may post on the CSA STAR℠ Registry at no cost.
7. Representations and Warranties of Provider
Provider represents and warrants that:
- It has the right and authority to post the Security Disclosure without any restriction;
- Its Security Disclosure is and will remain at all times true, accurate, correct, complete and up-to-date;
- The information provided in the Security Disclosure is not confidential or trade secret information of Provider or any third party, and may be published on the CSA STAR℠ Registry without restriction;
- It owns the content submitted, displayed, published or posted on the Security Disclosure and the display of the Security Disclosure on the CSA STAR℠ Registry will not violate the copyrights, trademark rights, trade secrets, or any other intellectual property rights, contract rights or other rights of any person or entity.
8. Representations and Warranties of CSA
CSA has no obligation to ensure that a Security Disclosure is true, accurate, correct, complete, or up-to-date.
CSA DOES NOT MAKE ANY REPRESENTATION OR WARRANTY WITH RESPECT TO THE CSA STAR℠ REGISTRY. THE CSA STAR℠ REGISTRY IS PROVIDED “AS IS” WITHOUT ANY WARRANTY OF ANY KIND, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
9. Limitation of Liability
Provider will be solely responsible for any direct, indirect, incidental, consequential, or punitive damages, or any other losses, costs, or expenses of any kind (including legal fees, expert fees, or other disbursements) that may arise, directly or indirectly, from the Security Disclosure submitted by Provider, including but not limited to any harm caused by any misrepresentation, inaccuracy, errors, in the Security Disclosure.
CSA does not endorse any provider or any posting. CSA is not responsible for the information or other material that may appear in any Security Disclosure posted by Provider or any third party on the CSA STAR℠ Registry. CSA assumes no responsibility or liability that may arise from or be related to the content of the CSA STAR℠ Registry, including but not limited to claims for negligence, misrepresentation, unfair or deceptive practices, defamation, libel, or slander.
UNDER NO CIRCUMSTANCES, INCLUDING NEGLIGENCE, SHALL CSA BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT RESULT FROM THE USE OR INABILITY TO USE THE CSA REGISTRY OR THE DECISIONS MADE OR ACTIONS TAKEN BY CUSTOMERS OR POTENTIAL CUSTOMERS OR PROVIDER BASED ON THE INFORMATION POSTED ON A SECURITY DISCLOSURE; OR FROM PROVIDER’S USE OF, OR INABILITY TO USE, THE CSA STAR℠ REGISTRY; OR FROM MISTAKES, OMISSIONS, INTERRUPTIONS, DELETION OF FILES, ERRORS, DEFECTS, OR DELAYS IN OPERATION OR TRANSMISSION; OR FROM LOSS OF PROFITS, USE, DATA, GOODWILL, OR OTHER INTANGIBLES; OR FROM THE COST OF PROCUREMENT OF SUBSTITUTE PRODUCTS OR SERVICES; OR FROM THE LOSS OF SECURITY OF INFORMATION THAT PROVIDER SUBMITTED IN CONNECTION WITH THE POSTING OF THE SECURITY DISCLOSURES ON THE CSA STAR℠ REGISTRY, OR THE UNAUTHORIZED INTERCEPTION OF ANY SUCH INFORMATION BY THIRD PARTIES, OR FROM ANY FAILURE OF PERFORMANCE WHETHER OR NOT CAUSED BY EVENTS BEYOND CSA’S REASONABLE CONTROL, INCLUDING BUT NOT LIMITED TO ACTS OF GOD, COMMUNICATIONS LINE FAILURE, THEFT, DESTRUCTION, OR UNAUTHORIZED ACCESS TO THIS SITE’S RECORDS, PROGRAMS, OR SERVICES.
IN NO EVENT SHALL CSA’S TOTAL LIABILITY FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION RELATED TO, OR CONNECTED WITH ANY SECURITY DISCLOSURE EXCEED ONE DOLLAR (US $1.00). SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES; AS A RESULT, THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO PROVIDER.
10. Intellectual Property
CSA is the copyright owner of the CSA STAR℠ Registry. No portion of the CSA STAR℠ Registry may be used in any manner, or for any purpose, without CSA’s express written permission, except as provided for herein.
CSA or its licensors own the trademark CSA STAR℠, and all names, logos, trademarks, or service marks posted on or contained in the CSA STAR℠ Registry. None of these names, logos, or marks may be used without CSA’s prior written approval.
Provider retains all right, title, and interest, including all intellectual property rights in its Security Disclosure. Provider shall have the right to use its Security Disclosure in any way it chooses, subject to these Terms. However, except as otherwise specifically agreed in advance and in writing by CSA, any communication or material that Provider transmits to the CSA STAR℠ Registry in any manner and for any reason will not be treated as confidential or proprietary.
11. License to Display Security Disclosure
By submitting a Security Disclosure for posting on the CSA STAR℠ Registry, Provider hereby grants to CSA a limited, non-exclusive, sub-licensable, worldwide, fully-paid, royalty free license to use, modify (for formatting purposes), publicly display, reproduce, and distribute such Security Disclosure without the need to obtain any third party’s permission. This license includes the right to host, index, cache, and tag any Security Disclosure, as well as the right to post the Security Disclosure on any media or platform known or hereinafter developed.
Provider will indemnify, defend and hold harmless CSA and its officers, employees, agents from and against any and all loss, costs, expenses (including reasonable attorneys’ fees and expenses), claims, damages and liabilities resulting from, related to or associated with the Security Disclosure(s) (including all versions or drafts thereof) that Provider posts or uploads on the CSA STAR℠ Registry and any violation of these Terms by Provider, including but not limited to any action by a third party claiming that the Security Disclosure is not true, accurate, correct, complete and up-to-date, or otherwise do not meet any requirement set forth in these Terms.
Conflict – If there is any conflict between these Terms and any other terms posted on the CSA Site with respect to the operation of the CSA STAR℠ Registry, these Terms will govern and supersede any such other terms.
Entire Agreement – These Terms, together with the general Terms and Conditions of use of the CSA site, make up the entire agreement between CSA and Provider relating to the CSA STAR℠ Registry, and replace any prior understandings or agreements (whether oral or written) regarding the CSA STAR℠ Registry.
Force Majeure – CSA’s failure to comply with these Terms because of an act of God, war, fire, riot, terrorism, earthquake, actions of federal, state or local governmental authorities or for any other reason beyond the reasonable control of CSA, will not be deemed a breach of these Terms.
Governing Law – This Agreement will be governed by and construed in accordance with the laws of the State of California without regard to conflicts of law principles. All disputes regarding this the CSA STAR℠ Registry or this Agreement will be subject to the federal, state, and local courts for Santa Clara County, California.
Headings – The headings in these Terms are for Provider’s convenience and reference and do not limit or affect these Terms.
Modifications – CSA reserves the right to revise the Terms at any time and for any reason, and such revisions shall be effective immediately upon notice thereof, which may be given by any means including posting the updated version of the Terms on the site. If Provider does not request that its Security Disclosure be removed from the CSA STAR℠ Registry within ten (10) days after such notice has been given, Provider will be deemed to have accepted the revised terms.
No Partnership – The posting of Provider’s Security Disclosure on the CSA STAR℠ Registry forms no partnership. Neither Provider nor CSA has the power or the authority to obligate or bind the other.
Severability – If any provision of these Terms is found by a court of applicable jurisdiction to be unlawful, void, or unenforceable, the provision will be deemed severed from these Terms and will not affect the validity and enforceability of any remaining provisions.
Waiver – If CSA fails to act with respect to Provider’s breach of these Terms on any occasion, CSA is not waiving its right to act with respect to future or similar breaches.
14. How to Contact CSA STAR™
If you have any question about this document or about the CSA STAR℠ Registry, please contact us a [email protected].