How to Achieve CSA STAR Compliance

Written by Ashwin Chaudhary, CEO, Accedere.

We know that a lot of organizations want to achieve the Cloud Security Alliance’s STAR Level 1 Self-Assessment or Level 2 Certification. However, some organizations face challenges in understanding the process, documentation, and approach to achieve such a desired certification. Here is a little help.

Let us first understand what is CSA STAR?

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM). Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to. It ultimately reduces complexity and helps alleviate the need to fill out multiple customer questionnaires. Any organization wanting to achieve CSA STAR needs to onboard a Cloud Service Provider (CSP) who will fill out the Consensus Assessments Initiative Questionnaire (CAIQ) and submit it to CSA STAR.

What is the CCM?

The CSA CCM is a cybersecurity control framework for cloud computing and the foundation that the STAR program is built upon. The CCM is composed of 197 control objectives that are structured in 17 domains covering all key aspects of cloud technology. It can be used as a tool for the systematic assessment of a cloud implementation and provides guidance on which security controls should be implemented by which actor within the cloud supply chain. The controls framework is aligned to the CSA Security Guidance for Cloud Computing and is considered a de-facto standard for cloud security assurance and compliance. The CCM v4 Implementation Guidelines provide structured guidance on how to use the CCM and support to users on how to implement the CCM controls. For each control, it includes more detailed instructions around what the cloud provider should do. In certain cases, the guidelines also provide assistance to the cloud customer.

What does a CSP do?

As mentioned above, the organizations will onboard a CSP who will help them complete the following two documents and steps to earn their CSA STAR Level 1 or 2 Certification.

• The CAIQ is the questionnaire associated with the CCM. The CAIQ is a set of questions to determine if the CCM controls have been implemented and it is a prerequisite to attain STAR Level 2.
• ISO 27001 + CCM or SOC 2 + CCM are the audits/assessment methodologies that will be used to confirm your compliance to achieve STAR Level 2.

What is CAIQ?

Version 4 of the CCM now includes the CAIQ in the same document. The CAIQ can be used to assess a cloud service provider and eliminates the need for multiple questionnaires from individual cloud consumers.

The CAIQ is a set of “yes or no” questions to be answered by the CSP. This questionnaire provides information to the Cloud Service Customer (CSC) to facilitate the decision of whether or not a CSP can provide a secured environment for the CSCs and their end customers’ data.

To earn a marketing advantage, the CSP needs to ensure completeness of the right information in the CAIQ. Information provided must provide the necessary assurance to the CSC that the CSP has implemented the CCM Controls to protect the cloud environment and data.

The CAIQ questionnaire is curated in such a way as to support organizations when they interact with cloud providers during the cloud providers assessment process by giving organizations specific questions to ask about the provider's operations and processes.

It also outlines the security capabilities and security posture of cloud providers to their customers, publicly or privately, in a standardized way using the terms and descriptions considered to be best practices by CSA.

Points to be considered while filling the columns in the CAIQ Questionnaire

Question ID

This column should not be updated as it is protected.

Assessment Question

This column should not be updated as it is protected.

CSP CAIQ Answer (Selection Column)

• Yes
  • The CCM control in question is implemented and meets the requirement.
  • An appropriate Shared Security Responsibility Model (SSRM) ownership indicates the responsible and accountable party for implementation.
• No
  • The CCM control in question is not implemented and has not met the requirements.
  • In the Implementation Description column document status of implementation or who has taken on ownership (possibly a third party).
  • An appropriate Shared Security Responsibility Model (SSRM) ownership indicates the responsible and accountable party for implementation.
• NA
  • The CCM control in question is not in scope and not applicable to the cloud assessment.
  • Shared Security Responsibility Model (SSRM) ownership column should be the responsibility of the CSP since the CSP is responsible for implementation but has made the decision that it is not applicable. In the Implementation Description column, document justification for non-applicability.

Shared Security Model Responsibility (SSRM) Control Ownership (Selection Column)

This column is prepared based on CCM v4’s Supply Chain Management, Transparency, and Accountability (STA) domain controls (1-6) and their implementation guidelines.

• CSP-Owned
  • The CCM Control in question needs to be implemented by CSP.
  • CSP is responsible and accountable.
• CSC-Owned
  • The CCM Control in question needs to be implemented by CSC.
  • CSC is responsible and accountable.
• Third-party outsourced
  • The CCM Control in question needs to be implemented by a third-party CSP.
  • CSP is accountable.
• Shared CSP and CSC
  • The CCM Control in question needs to be implemented by CSP and CSC.
  • CSP and CSC are responsible and accountable.
• Shared CSP and third-party
  • The CCM Control in question needs to be implemented by CSP and third-party.
  • CSP is accountable.

CSP Implementation Description (Optional/Recommended) (Text Column)

• CSP Implementation description should be documented on how the control is implemented.
• Description should be documented relevant to question in focus and not in general nature.

CSC Implementation Description (Optional/Recommended)

• CSC Implementation description should be documented on what actions the CSC must take to implement the control in question.
• Description should be documented relevant to question in focus and not in general nature.
• Description relevant for the CCM control implementation must cover
  • Policies
  • Procedures
  • Tool used
  • Metrics collected
  • Analysis performed, and
  • Monitoring activities

Providing the right information in the CAIQ questionnaire is the key for the CSP to increase and improve

• Client base
• Market share
• Revenue
• Profitability

Achieving STAR Level 2

The CSA STAR Attestation leverages the requirements of the AICPA governed SOC 2 Type 2 Attestation along with the CSA Cloud Controls Matrix. Assessment review periods are determined by the client but should be no less than 6 months. For STAR Attestation, the renewal period is every 12 months. You must have a SOC 2 Type 2 Attest report to apply for STAR Attestation, or you can get the SOC 2 Type 2 and STAR together. Alternatively, you may go with the ISO/IEC 27001 certification route along with the CCM controls to achieve the same objective.

About the Author

Ashwin Chaudhary is the CEO of Accedere. He is a CPA from Colorado, MBA, CITP, CISA, CISM, CGEIT, CRISC, CISSP, CDPSE, CCSK, PMP, ISO27001 LA, ITILv3 certified cybersecurity professional with about 20 years of cybersecurity/privacy and 40 years of industry experience. He has managed many cybersecurity projects covering SOC reporting, Privacy, IoT, Governance Risk, and Compliance.