Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Listen Now: 'Real-Talk on Opportunities for Security Teams to Fight AI with AI'

What is the CSA STAR Program? An Intro for Beginners

Home
Industry Insights
What is the CSA STAR Program? An Intro for Beginners

Blog Article Published: 09/24/2024

Written by Megan Theimer, Content Program Specialist, CSA.

Has someone brought up the CSA STAR Program or the CSA Cloud Controls Matrix and you have no idea what that means? This blog is the place to start for all of you non-IT professionals and cloud newbies.

As defined on Wikipedia, cloud computing is a way to access computer resources on-demand, without managing them yourself. Organizations across the globe have come to find that hosting their work on the cloud is usually the way to go. It provides flexibility, efficiency, and cost savings. While this rapid adoption of cloud computing has transformed how businesses operate, it has also introduced new security challenges.

The Cloud Security Alliance (CSA) aims to help organizations confidently navigate these challenges. To do this, we developed the Security, Trust, Assurance, and Risk (STAR) program. The STAR program is all about assessing the security practices of cloud computing services. It gives both cloud service customers and providers a trusted way to manage the risks associated with cloud computing.

A core set of cloud security policies called the Cloud Controls Matrix (CCM) forms the basis of the STAR program. The other elements of the STAR program include:

  • Assessments: A collection of globally recognized cloud security assessments.
  • The Registry: A publicly accessible archive of over 2,000 STAR Assessments.
  • Education: Training and certificate programs for individuals.
  • Solutions: Products or services that utilize CCM.
  • Extended: The elements of STAR delivered in a customized fashion.

In this blog, we’ll explore these various aspects of the program and their benefits.


Background

Security isn't just about implementing security protocols, it's about verifying their effectiveness. Organizations want to ensure their defenses are practical and tested. And while many organizations have always had reliable security measures in place, the cloud brought with it many unknowns.

The STAR program responds to this growing need for more transparent and trusted security measures for cloud computing. Everyone involved with the cloud can use STAR. This includes cloud service providers, cloud service customers, regulators, and auditors. Essentially, STAR serves as a universal language of trust in the cloud.


The Cloud Controls Matrix (CCM)

CSA's CCM is a spreadsheet that lists 197 individual policies that contribute to robust cloud security. These policies follow industry best practices and align with approximately 40 leading standards and regulations. However, CCM stands out as the first security framework developed specifically for the cloud.

We didn't build CCM around any one specific cloud vendor. This helps organizations that use multiple cloud platforms to build out one security program for all of them.

CCM can be used in many ways:

  • Assess the cloud security of your organization.
  • Compare your security to other organizations.
  • Assess the cloud security of your current or potential cloud providers.
  • Learn if providers follow other standards like ISO 27001.
  • Clarify the security responsibilities of the cloud provider versus the customer.


STAR Assessment Portfolio

The STAR program offers several globally recognized cloud security assessments that follow the CCM. The assessments fall under two levels: STAR Level 1 (self-assessments) and STAR Level 2 (third-party assessments).

The STAR Level 1 self-assessments are free to access and allow cloud providers to document their security policies. Level 1 is great for organizations that need a cost-effective way to show customers that they’re secure.

STAR Level 2 consists of third-party independent assessments conducted by Certified STAR Auditors. You can choose between CSA STAR Attestation and CSA STAR Certification. You should definitely pursue Level 2 if your organization operates in a medium to high-risk environment.


STAR Registry

The CSA STAR Registry is a publicly accessible archive of over 2,000 STAR Level 1 and Level 2 assessments. The STAR Registry benefits both cloud customers and cloud providers by:

  • Enabling customers to easily confirm the cloud security policies of their cloud provider.
  • Streamlining the cloud service selection process for cloud customers by providing a list of thousands of trusted services.
  • Providing a simple way for cloud providers to demonstrate their values of transparency, accountability, and security.
  • Allowing cloud providers to choose the level of assessment that will work best for them.
  • Increasing transparency of the expected shared security responsibilities between cloud providers and customers.

All cloud providers should submit to the STAR Registry - it’s free to participate in STAR Level 1. Any cloud customer should look at the submissions in the STAR Registry to ensure their provider is secure.


Education for Auditors

A growing knowledge gap has highlighted the need for cloud security audit education. Auditors understand high level risks well, but can lack knowledge of the cloud and how to adapt their techniques to this new domain. Cloud engineers and developers understand the technical details of the cloud well, but can lack knowledge of security standards.

CSA has created two different educational offerings to bridge this gap. These offerings help individuals understand cloud security risk management, cloud attacks, and cloud security audits.

  • The CCAK: The first credential available for professionals to demonstrate their expertise in auditing cloud computing systems.
  • STAR Lead Auditor Training: A self-paced course to help assessors and service providers learn how to audit against the CCM.


STAR Enabled Solutions

A STAR Enabled Solution is a product or service that utilizes CCM. To achieve the designation, it must meet the security requirements outlined by the STAR program. Depending on the specific product or service, a STAR Enabled Solution might serve to:

  • Simplify alignment to CCM controls.
  • Automate the validation of cloud security based on CCM.
  • Streamline cloud assessment processes for cloud customers.
  • Allow for the adoption of continuous auditing practices.


STAR Extended

STAR Extended delivers the various components of the STAR program in a customized fashion. This allows entities in the cloud service market to utilize STAR even if their region/industry has specific requirements. STAR Extended ensures that any type of organization can take advantage of STAR.


Next Steps

If all this information still seems a little confusing, CSA can help! You can dive deeper into each aspect of the STAR program with our FAQ series:

Also visit the STAR home page to learn more about the program overall. For specific questions, we invite you to contact [email protected].

CCAKCloud Controls MatrixSecurity GuidanceStandardsSTARTransitioning to the cloud

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Download the Guide to AI Governance & Risks
Register for the Zero Trust Summit 2024
Discover the Benefits of CSA Corporate Membership
Trending This Week
#1 How to Earn the Certificate in Cloud Security Knowledge (CCSK)
#2 The 6 Phases of Data Security
#3 CSA STAR Level 2: STAR Attestations and Certifications
#4 Fully Homomorphic Encryption vs. Confidential Computing
#5 Machine Learning for Threat Classification
Enhance your cloud security skills with CSA's online training options.
Related Articles:
FedRAMP Moderate Equivalency for Cloud Service Providers Explained

Published: 09/19/2024

Burdens and Benefits of Shared Security Responsibility Model (SSRM) in Cloud Computing

Published: 09/13/2024

Maximize Cloud Security Excellence: The Power of CSA Corporate Membership

Published: 09/10/2024

AI Regulations on the Horizon: Transforming Corporate Governance and Cybersecurity

Published: 09/10/2024