What is the Cloud Security Alliance and Why Should I (as Someone Selling or Buying Cloud Services) Care?
This blog was originally published by Pivot Point Security here.
If you’re not involved in cloud services you’re probably frozen in ice somewhere. With SaaS penetration nearing 100% of businesses, what is the state of cloud security?
To talk about the biggest issues and answers in cloud security today, a recent episode of The Virtual CISO Podcast features John DiMaria, Assurance Investigatory Fellow and Research Fellow at Cloud Security Alliance (CSA). The show’s host is Pivot Point Security CISO and Managing Partner, John Verry.
“The OWASP of Cloud Security”
How did a long-time thought leader like John DiMaria end up at CSA? His passion is the globally recognized CSA STAR certification program, which he helped found.
CSA is a nonprofit, vendor-neutral organization started in 2008. “It’s definitely the largest cloud security association in the world,” John D asserts. “We have about 120,000 followers and single members and over 400 corporate members.”
Like its counterpart OWASP, CSA offers the security community an enormous amount of free research and guidance. CSA also directs the CSA STAR (for security, trust, assurance and risk) framework and two-level assessment program, which includes a public registry.
“CSA helps organizations understand cloud security by tracking what’s relevant and staying on top of all the newest things and the moving targets that we see every day,” relates John. “Obviously, there are more perks for members. But even as a non-member there’s just a huge amount of information that’s available for free.”
“I put CSA right up there with people like OWASP,” John V adds. “It’s where I go when I want information.”
Transparency and Trust in the Cloud
Along with its research, CSA’s core contribution to improving cloud security is its CSA STAR registry and certification program based on its Cloud Controls Matrix (CCM). CSA STAR is a de facto global standard for cloud security assurance. It documents the security and privacy controls of many popular SaaS offerings, as well as those of lesser-known cloud service providers (CSPs) that align with it.
“CSA STAR is really about transparency and trust in the cloud,” shares John D. “There are very specific rules and regulations around cloud specific environments. CSA STAR is a multifaceted, multi-tiered approach to—depending on where you’re at from a risk appetite perspective—how you want to prove your compliance posture to organizations.”
Cloud environments can be “pretty much invisible” to buyers/users in many cases. This makes a provider’s willingness and ability to publicly represent their compliance with the rigorous CCM framework with its 197 control objectives all the more valuable—for either procurement or marketing.
Laser Focused on Cloud Security
“We created STAR as a service to help cloud service providers understand where they’re at in terms of compliance posture, meeting regulatory requirements and compliance with local and state government regulations,” John D says. “STAR is really specific to the cloud because most of your platforms do not address the cloud specifically. Take ISO 27001, for instance. It’s fairly generic… What are you referencing as the best practices? What are you referencing as security controls that need to be in place? How do you know you’ve covered everything?”
The Cloud Controls Matrix and the STAR Program measure and benchmark a CSP’s security posture against those best practices and controls. The CCM also emphasizes the shared responsibility model across CSPs and their clients.
2 Attestation Levels
A huge benefit of STAR is its two-tier attestation program. Level 1 is self-attestation using the Consensus Assessments Initiative Questionnaire (CAIQ). Level 2 is a third-party certification based on ISO 27001 requirements overlaid on the Cloud Controls Matrix framework rather than the ISO 27001/27002 controls.
A third attestation level, which encompasses continuous monitoring against critical metrics, is close to being released as a Proof of Concept (PoC), with a pilot program to follow.
“It’s a pass/fail report,” John D discloses. “There’s no confidential information that’s traded. It’s just either you’re meeting the requirements or you’re not.”
To hear the complete show with John DiMaria from Cloud Security Alliance, click here.
Interested in how CSA STAR compares with the ISO 27017:2015 “code of practice” for cloud services? Give this blog post a look: ISO 27017 vs. CSA STAR – The Two Leading Cloud Security Standards Compared