CSA STAR: Securing the Cloud and Beyond
Published 06/04/2024
CSA’s Security, Trust, Assurance and Risk (STAR) program is in its 13th year and is one of the offerings we have developed that I am most proud of. I would even go so far as to say we are the gold standard for cloud provider assurance, as our public registry contains listings for over 2,500 cloud service security assessments, including the most popular providers businesses depend upon. Many CISOs have told me, “If the cloud provider isn’t in the STAR Registry, we aren’t buying the service.”
The Pillars of STAR
CSA STAR’s power lies within the depth and breadth of its capabilities, which we refer to as its pillars.
First is the Cloud Controls Matrix (CCM), the industry standard for security controls and the foundation for our program.
Next is our assessment portfolio, which includes both Level One Self-Assessments and Level Two Third-Party Assessments delivered as SOC 2 Type 2 Attestations or ISO/IEC 27001 Certifications.
Third is our aforementioned STAR Registry, which includes all of the assessments. I have to say that I take special pride in our Registry, as in the beginning several naysayers told us that publicly posting assessment information would never catch on. It appears transparency is here to stay.
Fourth is our auditing education, with versions for enterprises, cloud providers, and auditors.
Fifth is our STAR Enabled Solutions pillar, which is our licensing program for technology companies to include the capabilities of STAR within their solutions.
The final pillar is STAR Extended, which I admit is a little bit more ambiguous than the rest of the pillars, but refers to the capability to view STAR as a platform upon which new solutions can be built to address a variety of different needs. A great example of STAR Extended is the recent addition of the EU Cloud Code of Conduct (CoC) to our Registry, showing the cloud providers that adhere to this code as a demonstration of GDPR support.
The Future of STAR
We are rightfully proud of the quality, capabilities, and popularity of the STAR program today, but what will the future bring? I am fond of saying that I can predict the future; I just don’t know when it will happen. So what follows are some of the major updates I can foresee; just don’t ask me for a timeframe!
I have to begin with artificial intelligence, because no other technology is going to have a bigger impact on the world. A simple way to think about AI is as a duality. We have to provide assurance of AI and we will also use AI to transform assurance as we know it. Last year, CSA stood up our AI Safety Initiative to create the necessary research, education, and certification for trusted AI, with an initial focus on generative AI. So, you can expect an expanded controls framework and enhancements across each pillar to add generative AI assurance. I don’t think it will be terribly long before you see a whole host of AI companies in our Registry, as well as an ability to assess the AI security and safety of existing cloud providers.
The Yin to that Yang will be leveraging AI to provide new and richer capabilities to STAR. This is a little bit harder to predict, but I think we are going to roll out many new services and have a much more accurate viewpoint of a cloud provider’s trustworthiness due to all of the data generative AI can process. Just to give you an example of my own experimentation with GPT prompts, I have been able to take STAR self-assessments out of our Registry and give GPT instructions to score the quality of the security answers, and I have been pretty impressed. An easier one to predict is AI-enabled language translation making our rich information more accessible globally.
The next area I would mention is in the general category of bringing together other standards, certifications, and regulatory requirements under one umbrella. Our ability to map CCM controls with other standards gives us a leg up in extending CSA STAR to other cloud provider assurance programs. I could envision mutual recognition and allowing CSA STAR to replace several custom requirements. I could even see CSA STAR replacing unique national requirements. I am interested in understanding how customer-driven assessments could be shared among a pool of enterprises as a complement to our existing self and third-party assessments.
The final area I will leave you with is CSA’s own governance and transparency as it relates to STAR. With the evolution of the Internet as a guide, I can foresee a future need to give countries a strong voice in how STAR works within their countries and in addressing national security requirements. ICANN was created in 1998 to facilitate the transfer of Internet governance from the US to international stakeholders, while keeping the Internet operating and interoperable. I have no idea if we will need to go that far, but I can tell you we are committed to doing what is right.
CSA STAR has defied the odds by starting as a grassroots effort for transparent cloud security and has become a globally respected sign of trust. Whether you are a cloud provider, customer, tech company, or assurance provider, I encourage you to dig more deeply to learn what STAR can do for you.