STAR Testimonial: Implementation and Beyond

CSA’s STAR Attestation is the first cloud-specific attestation program designed to quickly assess and understand the types and rigor of security controls applied by cloud service providers. The CSA Security Update podcast is hosted by John DiMaria, CSA Assurance Investigatory Fellow, and explores STAR, CSA best practices, research, and associated technologies and tools.

This blog is part of a series where we edit key CSA Security Update episodes into shorter Q&As. In today’s post, John interviews Deepak Gupta, Co-founder and CTO at LoginRadius. He answers questions about the STAR Attestation implementation process, weaving CCM controls into their current management system, and challenges STAR solved for the organization.

Listen to the full podcast here.

Why STAR?

John DiMaria: We have a special guest today, Deepak Gupta. He is an entrepreneur with a strong background in different technical fields including SaaS architecture, API design, cloud infrastructure design, and cybersecurity.

So, working at LoginRadius, managing over a billion user accounts around the globe, what are some of the main security challenges that you face as a cloud service provider?

Deepak Gupta: A few of the challenges that most cloud providers in the industry are facing include how we are complying with government regulations and privacy, how to deliver these security compliance and security assurance measures to our customers, and getting into the remote environment.

JD: I find there’s usually a few different reasons why organizations go down the road of 27001 certification and STAR Attestation. In the same cases they act as a market differentiator and raise the bar in terms of your level of assurance and transparency. So, why have you achieved them?

DG: I think it’s kind of a mix. Attaining these standards demonstrated that we at LoginRadius maintain the highest possible standards regarding the trust of our customers, and by extension, their users. That is why we have always pushed security in each function of our business. We are also differentiating against our competition and other cloud vendors. We are setting the standard that, by using this digital identity, our customers don't need to worry about security policies and frameworks.

Implementation Approach

JD: I know that our listeners are always interested in the approach to implementation because there’s lots of regulatory requirements and compliance issues you have to meet both internally and externally. So can you give us a look into how you weaved STAR controls into your current management system?

DG: We started this process a few years ago. In the beginning when we started LoginRadius, I already had a security background in compliance and understanding different policies and frameworks. So as we started the company and its initial framework, a lot of infrastructure grew as the company did. The key thing in implementing these security standards and policies is to manage buy-in. Management and leadership have to understand the value of these standards in helping customers secure their information.

Once we have buy-in from leadership, the actual implementation can start. We have to go through each function and review each policy. Organizations shouldn’t implement these in a way that would hurt their productivity and efficiency. If you design it in this way, it can better help protect internal customer and company data.

What Challenges Did STAR Solve?

JD: Going off of that, what challenges did STAR reduce or solve in your organizations, or what challenges were you expecting it to solve?

DG: A few years ago when I was looking into it, I thought “Why didn’t someone build a specific framework for cloud service providers?” That’s when I came to know about CSA STAR. When I found it, I saw it had all the best practices for any software service platform vendor. It has a collaboration and combination of various different compliances specific to cloud providers.

The STAR Program builds trust within the organization, helping customers and partners. As studies update policies and frameworks, it also helps us keep up to date with the latest security standards. Overall, STAR solves a lot of challenges around the topic of new industry trends related to data breaches, cybersecurity attacks, and cloud service delivery.

The Future of STAR

JD: In your experience, in the future, do you see where certifications will become mandated as an initial screening process for organizations?

DG: Everyone is using the internet and is a part of the cloud somewhere. We have AI, IoT, and more coming up in machine learning. A lot of things are happening in this cloud computing era. Everybody has to use a cloud. They can’t still use on-prem or legacy systems, but have to go with the cloud if they want to sustain their business. Therefore, I think that security standards and certifications are already becoming a mandate for cloud vendors.

All cloud service vendors have to comply with certifications. Otherwise they can’t build the trust they need with their customers, impacting their business overtime.

JD: Awesome, thanks so much.

To continue the conversation, contact CSA at [email protected].

Click here for more information regarding STAR certification and the different levels of STAR.