The Italian Agency for National Cybersecurity Embraces the STAR Program

Written by Daniele Catteddu, CTO, CSA and John DiMaria, Assurance Investigatory Fellow, CSA

Flashback: In the 1980s, ISO 9001 was taking the world by storm. The paradigm of what quality looked like had changed. Nothing you did prior seemed to make any difference. Organizations were putting suppliers on notice that if they were not ISO 9001 certified within a year or had a plan to get there, they would be dropping them as a supplier. You can imagine the chaos that ensued.

Assessment firms could not keep up. The mandate for certification was in response to poor quality, especially in the automotive industry, and had reached a fever pitch. It took months to get a certifying body to audit you. Even the US Government eventually gave up the MIL-Specs and accepted ISO 9001 certification. I’ll never forget my favorite quote from Joel Barker: “When a paradigm shifts, we all start at ground zero.” The bar had been raised and a new sheriff was in town.

Fast forward to today where not only quality but data security and privacy are huge concerns. Cloud computing is taking the world by storm and in fact, is becoming more of the norm than just a consideration. As history repeats itself, enterprise organizations and governments are more concerned than ever about security. They’re either demanding detailed self-assessments or certification, depending on the level of risk the cloud service provider poses to the organization. Governments are launching “Cloud First” programs that outline the stipulations that must be met before an organization can start offering cloud services to the public sector in their country.

Understanding that each country’s culture and needs are different, they need a common denominator that would promote a level playing field and be global in nature. Yes, there are generic standards like ISO/IEC 27001, but while a good foundation, they do not address sector-specific requirements for the cloud.

The CSA STAR Program Begins

Back in 2011, CSA launched the STAR Program and Open Certification Framework, a cloud-specific governance, assurance, and transparency program aimed to streamline the risk-based decision protocol in the cloud service evaluation process. This was a program created with the idea to leverage existing leading standards and improve on them, a program looking at simplifying compliance via a multi-recognition approach.

The CSA Security, Trust, Assurance and Risk (STAR) Program is a multi-stakeholder initiative that promotes the security, privacy, and trust of cloud services. It was created as a response to the need for harmonizing the approach to security standards and certifications in order to bring cloud computing closer to all the stakeholders and key actors in the IT market, including public authorities, which are the main users of cloud services.

Adoption of STAR by the Italian Agency for National Cybersecurity

Since its inception, the STAR Program has been steadily growing and maturing and it represents today the most widely used cloud security compliance program in the market, with over 1600 services included in its public registry. Not only this, but the STAR Program has also been adopted and leveraged by several countries in the world as a tool to evaluate services to be offered to the national public sector. This process of adoption and recognition of STAR started in 2014 when the Infocomm Development Authority of Singapore established a path for the recognition of STAR Level 2 within their Multi-Tier Cloud Security (MTCS) Certification Scheme. Over the course of years, other Government and National Agencies worked with CSA to simplify, streamline or support their national accreditation processes for cloud service.

Recently, the Italian Agency for National Cybersecurity (ACN) reaffirmed the key role of the Cloud Controls Matrix and the STAR Program as part of the definition of security requirements for cloud services offered for public administration and their certification. This affirmation represents another step forward in CSA’s mission to help organizations improve their use of cloud computing and it's been a pleasure to see the ACN act as a driver for some of the change that was needed in order for cloud computing to become a viable option for public and private sector organizations within Europe.

In addition, on the 28th of January 2022, the Italian Government has published a tender for the creation of a National Cloud (Polo Strategico Nationale) via Public-Private Partnership. The tender for a total value of 723.300.000,00 Euro mandates for compliance with STAR Level 2.

The new minimum security requirements communicated by ACN as part of the Italy Cloud Strategy apply to cloud services (IaaS/PaaS/SaaS) that manage Public Administration (PA) data classified on 3 levels of importance: Ordinary, Critical and Strategic. The new qualification schema provides for the use of the STAR Level 2 third party audit for cloud services that manage Critical and Strategic information, effectively reinforcing the security requirement previously defined by AGID (Agency for Digital Italy), which established the suitability of STAR Level One (self-assessment) for SaaS services only. Further evidence will therefore be required for most of the one hundred and fifty Italian companies that had previously chosen to join the level one STAR Program to be admitted to the cloud services marketplace for the PA.

Cloud computing is becoming more and more widespread, thanks to its growing adoption by the private sector, public institutions, and specific bodies. The decision by the ACN to confirm the role of the Cloud Controls Matrix, a product of the STAR Program, as a fundamental tool for security requirements for cloud services provided for public administration and for their certification, is a recognition of the importance that CSA attributes to information security in this sector.

Italy has taken a huge step forward in its efforts by making it clear that they're adopting the Cloud Controls Matrix and STAR Program as key pillars within their framework for defining security requirements for cloud services offered for public administration.

About CSA

The Cloud Security Alliance (CSA), an international not-for-profit organization dedicated to defining and promoting best practices for cloud computing security, has announced that a major cloud provider has been registered in its STAR Program.

The STAR Program currently includes over 1600 companies around the globe and has been further extended with many new participants, including major European data centers.