Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Membership Benefits
Our Member Community
Get Involved
Become a Member
Member-Exclusive Programs
STAR Enabled Solutions
Trusted Cloud Consultant
Trusted Cloud Provider
Certified STAR Auditors
Member Portal
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Chapters
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Get 50% off the Cloud Infrastructure Security training bundle with code 'unlock50advantage'

Modern Day Vendor Security Compliance Begins with the STAR Registry

Published 12/20/2024

Home
Industry Insights
Modern Day Vendor Security Compliance Begins with the STAR Registry
Written by Troy Leach, Chief Strategy Officer (CSO), CSA.

We require a modern approach to accurately assess our use of current technology.

This month marks 25 years since I managed my first cybersecurity attack.

At the time, I was CTO for an internet service provider that suffered the compromise, which in those days was mostly script kiddies defacing webpages to show they had circumvented what limited ACL protections we had in place.

It was then that I was first introduced to audit principles, derived from the financial industry, as a means to demonstrate assurance that the same type of attacks would be prevented in the future. The challenge, however, was that the framework I was shown was not designed to address emerging threats. It was something that had been refined by decades of mainframe and other unrelated technology.

I recall the frustration of listening to “old men,” probably younger than I am now, telling me to apply frameworks conjured in the 1970s. They said these frameworks were adequate for distributed computing, with no consideration for the extensive external network interactions, use of third-party open-source code, and other new dependencies.

Now we have seen history repeat itself in the modern enterprise that has embraced cloud services. There has been an attempt to assess cloud technology by the same means as what has been used for on-prem operations.

Cloud frameworks, like the Cloud Controls Matrix (CCM), have since been introduced as a mechanism to address this challenge. These frameworks leverage existing controls that have been refined over the years, along with an approach that has relevant requirements for the growing use of cloud environments.


2025 Regulation and the Growing Burden of Assessments

With more than 90% of organizations now relying on cloud services and the vast majority of software being designed as cloud-native, the challenge of managing third-party risk has grown exponentially. Additionally, for certain industry sectors, 2025 will introduce many new requirements for third-party governance.

Examples of new requirements include the Digital Operational Resiliency Act (DORA) and APRA CPS 230, which will look for independent validation of service providers supporting financial institutions. For anyone processing credit or debit card payments, PCI DSS v4.0.1, with a new appendix for “multi-tenant service providers,” will become required in March 2025. There are many more examples too, like NIS2.

The traditional approach of each organization individually assessing every one of the hundreds or thousands of cloud service providers they are interested in is likely unattainable for both individual companies and the vendors.

Let’s think about it for a moment. A typical vendor security assessment requires 40-60 hours of internal resources, costing approximately $5,000-$7,500 per vendor when accounting for personnel time, documentation review, and follow-up activities. For an enterprise with 2,000 CSPs, this translates to roughly 100,000 person-hours and $12-15 million annually – an unsustainable investment that diverts critical resources from other security initiatives. The vendor will also be challenged to accomplish the same tasks over and over again for hundreds of clients or more.


One Approach to Efficiency: The CSA STAR Program and CCM Framework

CSA created the CCM as a baseline for cloud-unique controls that should be assessed as part of good security governance. It maps to dozens of global frameworks to identify commonalities and differences between it and more traditional assessments.

The STAR Registry is a free, public repository of cloud services assessed against the CCM by self-attestation or independent Certifying Bodies (as part of a SOC2 or ISO27001) and serves as a transparent declaration of the current security maturity of a vendor offering cloud services.

CCM and the STAR Registry enable enterprises to better evaluate CSPs against multiple frameworks simultaneously, assuring consistent compliance and reducing duplication of effort for all parties.

There will always likely be additional validation required, but CCM and STAR may help to demonstrate appropriate due diligence and reduce assessment time by an estimated 60-70% through pre-validated controls and standardized reporting.


Efficiency Gains: Streamlined Onboarding and Pre-Mapped Compliance

Several studies have concluded that pre-assessment and regular internal audits reduce overall compliance cost by a significant margin.

For example, a STAR Level 2-certified SaaS provider with ISO 27001 certification already demonstrates adherence to several DORA and PCI DSS controls, cutting internal manual review time for onboarding by more than half.

Additionally, this leads to shorter time-to-completion for vendor evaluations, allowing staff to use services they need more quickly and improving internal resource utilization by having IT and Security concentrate on other critical responsibilities.

The reality is also that internal security professionals will not have expertise in all the various specialized technologies, architectures, and cloud controls that organizations use. Leveraging external security professionals to evaluate these should elevate the confidence in corporate use.

For cloud providers, this could lead to a lower cost of certification, minimizing the duplication of assessments to meet customer requests and demonstrating incremental maturity as they progress from a self-attestation questionnaire in STAR Level 1 to an independent assessment in STAR Level 2.


Strategy for Using STAR and CCM for Procurement

If you are considering integrating STAR attestations into your onboarding or ongoing security governance of CSPs, keep these practices in mind:

  • Policy Integration: Update procurement and vendor risk management policies to prioritize STAR-listed CSPs, requiring at least STAR Level 1 for low-risk vendors and Level 2 for high-risk vendors.
  • Know Your Share: The CCM includes the shared security responsibilities for each of the 197 controls. Use the transparency of STAR attestation to discuss those assumed responsibilities with the CSP and determine if they align with your internal expectations.
  • Mind the Gap: Develop gap assessment procedures for vendors that are not yet STAR-certified or additional requirements that are needed to assess against other frameworks that are mapped to STAR.
  • Vendor Communication: Discuss with your CSPs what services are included within their STAR certification(s) to assure they address what your organization consumes.
  • Continuous Monitoring and Improvement: Build automation and establish continuous monitoring of CSP security for ongoing compliance. More to come on this next year in “Part II” of this blog, as we introduce our Compliance Revolution initiative.

One quick plug: While the STAR database is free to anyone to access, if you are a member of CSA, you can request access to an API that provides the entirety of the Registry and all ongoing updates.


Looking Forward

As regulatory requirements evolve and cloud adoption accelerates, the daunting task of managing thousands of cloud vendors may become unmanageable without standardized assessment frameworks. STAR could be a cornerstone of efficient third-party risk management that reduces manual auditing from stretched internal resources and allows staff to focus on more high-value security responsibilities.

The framework's ability to reduce duplicative efforts while maintaining robust security validation makes it an invaluable tool in the modern third-party risk management space.

As we move toward 2025's regulatory deadlines, the question isn't whether to standardize vendor assessment processes, but how quickly organizations can implement efficient frameworks like STAR to meet the growing demands of cloud security governance.

And this is not the end. We are in the midst of yet another cycle of change of assessing risk associated with Generative AI technology such as LLMs, agentic technology, and orchestration.

In Part II of this blog, we’ll address how assurance will need to evolve once again and how the STAR program and the upcoming AI Controls Framework can help manage future risk.

To conclude Part I however, I’ll say that security leaders must embrace current tools not only as a means of compliance, but as strategic enablers of trust and efficiency in a rapidly evolving cloud landscape.

For additional reading, consider the following sources:

Cloud Controls MatrixComplianceStandardsSTAR

Share this content on your favorite social network today!

Cloud Assurance
Related Resources
STAR
The industry's standard for security assurance in the cloud.
Cloud Controls Matrix & CAIQ v4
The standard cybersecurity control framework.
Trusted Cloud Provider
Demonstrate your commitment to holistic security.
Latest from CSA
Register for CSA’s Virtual FinCloud Security Summit
Key Management for Public Cloud Migration
Cloud Security for Startups 2024
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Texas Attorney General’s Landmark Victory Against Google

Published: 12/20/2024

Winning at Regulatory Roulette: Innovations Shaping the Future of GRC

Published: 12/19/2024

The EU AI Act and SMB Compliance

Published: 12/18/2024

Managed Security Service Provider (MSSP): Everything You Need to Know

Published: 12/18/2024