CSA Official Press Release
Cloud Security Alliance Launches STAR Continuous, a Compliance Assessment Program for Cloud Service Providers
Chance to align security validation capabilities with cloud security compliance gives enterprises a competitive edge
SAN FRANCISCO – March 4, 2019 – RSA CONFERENCE 2019 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced STAR Continuous Self Assessment, the first release of an evolving continuous-compliance assessment program for cloud services that gives cloud service providers (CSPs) the opportunity to align their security validation capabilities with cloud security compliance and certification on an ongoing basis.
CSA STAR Continuous is an integral part of the CSA STAR program, the industry’s leading cloud governance and compliance program that enables organizations to increase their levels of assurance and transparency for security and privacy. STAR consists of three levels of assurance (Self-Assessment, Third-Party Certification and Continuous Auditing), based upon the CSA Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ), and the CSA Code of Conduct for GDPR Compliance. Future releases will be Level 2 Extended Certification with Continuous Self-Assessment and Level 3 Continuous Certification.
“In attempting to reduce the complexity and costs of traditional IT, more organizations are evaluating cloud options first before making any new IT investments. However, many CIOs remain apprehensive about transferring services into the cloud—cyber security, ownership of data, and privacy are key concerns. Simultaneously, security controls, compliance, and the call for increased transparency are rapidly becoming baseline expectations of users – especially enterprise customers. STAR Continuous, which offers increased reliability of results, transparency and ease of use of the CSP’s assurance reports will give enterprises a competitive advantage in today’s environment,” said Daniele Catteddu, CTO, Cloud Security Alliance.
Among its benefits, STAR Continuous gives CSPs the opportunity to:
- update a STAR Self-Assessment on a monthly basis (STAR Continuous Self-Assessment);
- support a third-party based certification (e.g. STAR Certification) with additional and updated information on the CSP security posture (STAR Certification/Attestation + STAR Continuous Self- Assessment); and
- establish a process to continuously audit a CSP security program or ISMS and offer proof of an ISMS that goes beyond the basic compliance certification model and for proof that there is a process in place that continually monitors critical aspects of the system (STAR Continuous Auditing).
In addition, it can help cloud service providers:
- provide top management with greater visibility so they can evaluate the effectiveness of their management system in real-time in relation to expectations of internal, regulatory and the cloud security industry standards;
- implement an audit that is designed to reflect how their organization’s objectives are aimed at optimizing the cloud services;
- demonstrate progress and performance levels that go beyond the traditional “point in time” scenario; and
- provide their customers with a greater understanding of the level of controls that are in place, along with their effectiveness.
CSA is committed to helping customers have a deeper understanding of their security postures and to that end developed the CSA STAR Program in 2011. Since that time, the organization has continued to invest heavily in its success. Among the milestones:
- CSA STAR Attestation, which combines the CSA’s best practices with SOC 2 attestation reporting developed by the American Institute of CPAs (AICPA).
- Governments and enterprises around the world referenced CSA STAR in 2014 as a requirement for their RFPs.
- CSA, in conjunction with Chinese certification body CEPREI, developed a version of CSA STAR for the Chinese market based on the CSA CCM and Chinese national standard GB/T 22080.
- Enhancements to the CSA STAR web page to provide site visitors with an improved user experience.
- Hiring of John DiMaria, formerly of the British Standards Institution (BSI). DiMaria was a key innovator and co-author of the CSA STAR Certification for cloud providers, in addition to designing and developing the CSA STAR webinars. Prior to joining CSA, DiMaria was an active volunteer where he was co-chair of the Open Certification Framework (OCF) and Cloud Trust Protocol (CTP) Working Groups.
To learn more or get started, download STAR Continuous Technical Guidance.
About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
Kari Walker for the CSA
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.
For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.