CSA Security, Trust & Assurance Registry (STAR) 
RegistryAbout the CSA Security, Trust & Assurance Registry (STAR)
The Cloud Security Alliance (CSA) has launched the Security, Trust & Assurance Registry (STAR ) initiative at the end of 2011. The CSA STAR is the first step in improving transparency and assurance in the cloud. The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.
The objective and mission of CSA STAR are improving trust in the cloud and ICT market by offering transparency and assurance. STAR wants to give response to the need of different categories of cloud customers and providers, from those with low risk profile and simple compliance requirements to those organizations with high-risk profile and complex governance structure.
The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.
It is based on a multilayered structure defined by the Open Certification Framework Working Group.
The three layers are:
- STAR Entry - Self Assessment : Publication of the results of a due diligence self assessment based on CSA Consensus Assessment Initiative (CAI) Questionnaire and/or Cloud Control Matrix (CCM).
- STAR Certification / Attestation: Publication of available results of a third party assessment based on CCM and ISO27001 or AICPA SOC2.
- STAR Continuous: Publication of results of security properties monitoring, based on Cloud Trust Protocol (CTP).
Each of the layer wants to address demands for different level of assurance, for instance a small business with a not critical application in the cloud might be satisfied with the results of a provider self assessment, while an organization with a complex cloud environment and valuable asset to protect might require that the assessment is performed by a qualified and independent third part or a even more sophisticated assessment based on a continuous verification of some key parameters and SLAs.
STAR offers information about the security and privacy protection practices implemented by service providers. STAR is a transparency registry: it contains the results of assessments that organizations want to voluntarily publish in the CSA-STAR portal. The assessments are based on CSA best practices.
IMPORTANT NOTE: currently CSA STAR Certification assessment are conducted based on CCM v1.4 and ISO/IEC 27001:2005.
Starting from March 2014, customers will be able to decide if they want to be assessed against CCM v1.4 or CCM v3.
The use of the "double standards" will be in place for 12 months, until February 2015. This measure is taken to facilitate the transition to CCM v3 for adopters of CCM v1.4.
Beginning in March 2015 all the customers will be audited against CCM v3.
STAR Registry Entries
Acer CyberCenter Services Inc.
http://www.aceredc.com/eDC/English/default.aspAcer CyberCenter Services Inc.(ACCSI) is 100% owned by Acer Inc. with about 250 employees. ACCSI runs the data center related services and is also known as Acer e-Enabling Data Center(Acer eDC). Investment of the data center is over US$100M to provide professional IT management services to businesses since 2001. Except data center hosting services, we…
Read More..Submission Info
Date Listed: November 20, 2013
Acquia
http://www.acquia.comAcquia offers enterprises unparalleled freedom to innovate and increase business agility by creating extraordinary web experiences. The fastest growing open cloud platform for integrated digital experiences, Acquia enables content rich, complex global organizations to rapidly deploy and manage dynamic digital experiences in an open source way. Co-founded by the Drupal project’s creator in 2007, Acquia…
Read More..Submission Info
Date Listed: January 12, 2013
Last Modified: February 22, 2013.
Additional Info
What is this?Service category: Development
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Amazon AWS
https://aws.amazon.com/
Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world. With data center locations in the U.S., Europe, Brazil, Singapore, and Japan, customers across all industries are taking advantage of the following benefits: Low Cost, Agility and Instant…
Read More..Submission Info
Date Listed: July 20, 2012
Aria Systems
http://www.ariasystems.comThe Aria Subscription Billing Platform enables companies – from small businesses to enterprise organizations – to make the most of their digital commerce opportunities.
Read More..Submission Info
Date Listed: December 22, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Backoffice
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Box.com
https://www.box.com/
Founded in 2005, Box provides a secure content sharing platform that both users and IT love and adopt. Content on Box can be shared securely internally and externally, accessed through iPad, iPhone, Android and PlayBook applications, and extended to partner applications such as Google Apps, NetSuite and Salesforce. Headquartered in Los Altos, CA, Box is…
Read More..Submission Info
Date Listed: June 10, 2012
Last Modified: February 12, 2014.
Additional Info
What is this?Service category: Cloud Storage
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
CapLinked
http://www.caplinked.comCapLinked’s intuitive, cloud-based platform makes it easier to manage and close business transactions. CapLinked enables its customers to coordinate on asset sales, financings, mergers & acquisitions, and other types of complex deals with secure workspaces. Customers can manage and syndicate deals, conduct due diligence, handle investor reporting, and network with other users.
Read More..Submission Info
Date Listed: April 17, 2013
Chunghwa Telecom
http://www.cht.com.tw/en/Chunghwa Telecom is Taiwan’s leading telecom service provider. The company provides fixed-line, mobile, Internet, data and cloud services (hicloud) to consumer and business customers in Taiwan. Hicloud has comprehensive services with reliability, flexibility, high availability and security in IaaS, PaaS, SaaS domains, including hicloud CaaS, hicloud VPC, hicloud box(e), hicloud Mall, etc.
Read More..Submission Info
Date Listed: July 02, 2013
Citrix ShareFile
http://www.sharefile.com/Citrix ShareFile provides software that helps businesses exchange files easily, securely and professionally. Designed specifically for business users, ShareFile offers customized usage and branding solutions, award-winning customer service, security for data transfer and storage, and mobile apps and tools that allow users to easily access and share files from any device — anytime, anywhere. The…
Read More..Submission Info
Date Listed: November 22, 2013
Last Modified: November 23, 2013.
Close IT Support T/A Support on the Spot
http://www.supportonthespot.co.uk/Support on the Spot are a specialist Private cloud service provider offering IaaS and the only UK provider to provide not only server infrastructure but also client desktop infrastructure as a service. having achieved qualifications and accreditations in our fields, Support on the Spot have a proven record as a Trusted Cloud Service Provider.
Read More..Submission Info
Date Listed: June 15, 2013
Last Modified: July 04, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
CloudSigma AG
https://www.cloudsigma.com/CloudSigma is an innovative Infrastructure-as-a-Service (IaaS) provider. We provide high availability, flexible cloud servers and cloud hosting in both Europe and the US. CloudSigma was founded to meet the growing need for a pure IaaS that places little or no restrictions on how its users deploy their computing resources. With CloudSigma, customers can provision processing,…
Read More..Submission Info
Date Listed: July 31, 2013
Cvent, Inc.
https://www.cvent.com/Cvent is the global leader in event management software. Since 1999, we have helped thousands of organizations to host hundreds of thousands of events. Along the way, we’ve developed additional software tools for event and meeting planners, marketers and other professionals. Customers in more than 100 countries now use Cvent software to plan events, find…
Read More..Submission Info
Date Listed: December 21, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Marketing
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Digital Sense Hosting
http://www.digitalsense.com.auDigital Sense is an Australian based data centre company and cloud services company.
Read More..Submission Info
Date Listed: January 16, 2014
Egnyte
http://www.egnyte.com/Egnyte is the only file sharing platform that adheres to data gravity – the simple idea that not all files were meant to be “up in the cloud”. Egnyte provides deployment models that solve all enterprise file sharing use cases: cloud-only file sharing (upload files from any computer or mobile device to the cloud for…
Read More..Submission Info
Date Listed: October 25, 2013
Evolve IP
http://www.EvolveIP.netEvolve IP is The Cloud Services Company™. Designed from the beginning to provide organizations with a unified option for cloud services, Evolve IP enables decision-makers to migrate all or select IT technologies to its award-winning cloud platform. Evolve IP’s combination of security, stability, scalability, and lower total cost of ownership is fundamentally superior to outdated…
Read More..Submission Info
Date Listed: May 01, 2013
Last Modified: July 04, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Falk-Enrich GmbH License12
http://www.license12.com/Made for IT procurement professionals and executives, License12 web-based services allow for a systemic digitalization of a broad variety of software procurement contracts. Engineered as a SaaS solution from scratch, falk-enrich GmbH offers the platform to everyone seeking corporate access to all contracts via ContractSafe®, accompanied by in-depth value analytics and benchmark support for optimizing…
Read More..Submission Info
Date Listed: May 26, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: IT Management
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
FASTWEB
http://www.fastweb.itFASTWEB is the largest alternative fixed-line telecommunications provider in Italy. The quality of FASTWEB’s service and its ability to meet customers’ needs are the two main assets of FASTWEB’s strategy. FASTWEB’s history is consistent with this, both as first telecommunications provider in the world to build a next-generation full-IP network and as the first company…
Read More..Submission Info
Date Listed: October 21, 2013
FireHost
http://www.firehost.com
FireHost is the leader in secure cloud hosting, protecting critical data and brand reputations for companies with significant security, compliance, performance and managed services needs. Since 2009, it has made hacker awareness, management, and prevention a standard part of every customer’s secure cloud hosting environment, blocking more than 60 million attacks on behalf of its…
Read More..Submission Info
Date Listed: September 14, 2012
Last Modified: June 10, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
HP Enterprise Cloud Services – Virtual Private Cloud (VPC)
http://www.hp.com/enterprise/cloud
HP Enterprise Cloud Services – Virtual Private Cloud (VPC) is the first enterprise-class vendor to publish a CSA STAR report. HP is the first enterprise-class vendor to provide both an assessment questionnaire and controls matrix. This service provides you with infrastructure and networking services without the high cost of owning and managing your own equipment…
Read More..Submission Info
Date Listed: March 28, 2013
Last Modified: April 17, 2013.
HP Enterprise Cloud Services for Government (ECS-G)
http://www.hp.com/enterprise/cloud
HP Enterprise Cloud Services for Government (ECS-G) is an ISO27001 certified Virtual Private Cloud (VPC) which is one of the first Cloud Services to gain the Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR) Certification within the UK. This service provides our Public Sector clients with desktop, infrastructure and networking without the high…
Read More..Submission Info
Date Listed: December 13, 2013
HP Software-as-a-Service
http://www8.hp.com/us/en/software-solutions/software.html?compURI=1224674
For over a decade, HP has been leveraging the cloud to deliver industry leading and award winning HP software solutions. The SaaS-delivered portfolio of IT Performance Suite solutions addresses all three key responsibilities of the IT organization; strategy, applications, and operations. Software as a Service offers IT professionals confidence in using SaaS to respond to…
Read More..Submission Info
Date Listed: December 19, 2012
Last Modified: September 09, 2013.
Intracom Telecom
http://www.intracom-telecom.comIntracom Telecom is a global telecommunication systems vendor and a system integrator. With 35 years experience and strong presence in the EMEA region, Intracom Telecom delivers Wireless Network Systems, Telecom Software Solutions and ICT Services & Solutions to telecommunication and enterprise customers. Intracom Telecom is the first system integrator to have designed, built and operated…
Read More..Submission Info
Date Listed: April 30, 2013
Last Modified: September 25, 2013.
Additional Info
What is this?Service category: Networking
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Krescendo
http://www.krescendo.comKrescendo offers advanced, global data management and analysis solutions built to client specification, developed rapidly and delivered as a service. On demand design and development, cloud-based delivery. Krescendo makes it easy for investment banks and multinationals to perform governance, budgeting and re-forecasting of people, projects, programs, assets, or enable service management.
Read More..Submission Info
Date Listed: October 12, 2012
Last Modified: December 06, 2013.
Additional Info
What is this?Service category: Backoffice
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Laconic Security
http://www.laconicsecurity.com/Laconic Security was founded in 2007 to address the vacuum in the cloud data security space with innovative and responsible solutions. Its premier product, Laconic Vaults, delivers absolute data privacy to help organizations maximize the potential of cloud storage savings.
Read More..Submission Info
Date Listed: March 02, 2013
Last Modified: July 04, 2013.
Additional Info
What is this?Service category: Security
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
MaaS360 by Fiberlink
http://www.maas360.com
Fiberlink is the recognized leader in cloud solutions for secure enterprise mobile device and application management. Its cloud-based MaaS360 platform provides IT organisations with mobility intelligence and control over mobile devices, applications and content to enhance the mobile user experience and keep corporate data secure across smartphones, tablets and laptops. MaaS360 helps companies monitor the…
Read More..Submission Info
Date Listed: December 31, 2012
Last Modified: January 02, 2013.
Additional Info
What is this?Service category: IT Management
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Microsoft Dynamics CRM Online
http://crm.dynamics.com/
Computing in the cloud raises questions about security, data protection, privacy, and data ownership. Microsoft Dynamics CRM Online is hosted in Microsoft data centers around the world, and it is designed to offer the performance, scalability, security, and service levels business customers expect. We have applied state-of-the-art technology and processes to maintain consistent and reliable…
Read More..Submission Info
Date Listed: April 05, 2012
Last Modified: December 04, 2013.
Additional Info
What is this?Service category: CRM
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Microsoft Office 365
http://www.microsoft.com/office365/
Computing in the cloud raises questions about security, data protection, privacy and data ownership. Microsoft® Office 365 (including Microsoft® Exchange Online, Microsoft® SharePoint Online, and Microsoft® Lync™ Online branded services) is hosted in Microsoft data centers, around the world and is designed to offer the performance, scalability, security and service levels business customers expect. We…
Read More..Submission Info
Date Listed: December 02, 2011
Additional Info
What is this?Service category: Collaboration
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Microsoft Windows Azure
http://www.windowsazure.com/
Computing in the cloud raises questions about security, data protection, privacy, and data ownership. Windows Azure is hosted in Microsoft data centers around the world, and it is designed to offer the performance, scalability, security, and service levels business customers expect. We have applied state-of-the-art technology and processes to maintain consistent and reliable access, security,…
Read More..Submission Info
Date Listed: March 30, 2012
Last Modified: December 04, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
MicroStrategy
https://www.microstrategy.com/Founded in 1989, MicroStrategy (Nasdaq: MSTR) is a leading worldwide provider of enterprise software platforms. With direct operations in 26 countries worldwide and over 3,200 employees, our mission is to provide the most flexible, powerful, scalable and user-friendly platforms for analytics, mobile, identity and loyalty—offered either on premises or in the cloud. With over 25%…
Read More..Submission Info
Date Listed: November 02, 2013
Mimecast
http://www.mimecast.comMimecast provides email management as a single service in the cloud that helps customers slash on-premise email storage requirements, ensure complete email availability, email security and email compliance, while providing services to help customers get more from their email. Mimecast’s core Services are Email Continuity, Security and Archiving. Mimecast’s service is low risk, future proof,…
Read More..Submission Info
Date Listed: January 09, 2012
Last Modified: December 12, 2013.
Additional Info
What is this?Service category: Cloud Storage
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Netskope
http://www.netskope.com/
Netskope is the cloud app analytics and policy company. Only Netskope eliminates the catch-22 between being agile and being secure and compliant by providing complete visibility and enforcing sophisticated policies in cloud apps. Netskope performs deep analytics and lets decision-makers create policies in a few clicks that protect corporate data and optimize cloud app usage…
Read More..Submission Info
Date Listed: January 07, 2014
New World Telecommunications Limited
http://www.newworldtel.com
New World Telecommunications Limited (NWT), a member of New World Development Company Limited (HK Stock Code: 17), is a pioneering telecom service provider in Hong Kong. Being a customer-focused company, NWT is dedicated to offering top-quality international voice and innovative data services for its customers in Hong Kong and overseas. NWT’s Cloud Enterprise Solution (CES)…
Read More..Submission Info
Date Listed: September 05, 2013
Last Modified: October 02, 2013.
NewBase Computer Services Pty Ltd
http://www.newbase.com.au/NewBase was established in Queensland Australia in 1992 with a specific focus: ‘Technology for Business Solutions’. Our philosophy leads us to work towards ensuring strong customer relationships by providing exceptional client service and support by means of: employing only the highest calibre staff, focusing on only “best of breed” products and supporting an internal structure…
Read More..Submission Info
Date Listed: February 24, 2014
Okta Inc.
https://www.okta.com/
Okta is an enterprise grade identity management service, built from the ground up in the cloud and delivered with an unwavering focus on customer success. The Okta service provides directory services, single sign-on, strong authentication, provisioning, workflow, and built in reporting. Enterprises everywhere are using Okta to manage access across any application, person or device…
Read More..Submission Info
Date Listed: August 10, 2013
Last Modified: March 08, 2014.
OneNet
OneNet is a pioneer and New Zealand market leader in cloud computing. Established in 2000, OneNet is the third entrepreneurial IT business established by its founders since 1983. The first company, Financial Systems Limited, was a systems integrator servicing multinational firms operating in New Zealand. The second company, The Great Elk Company Limited, was a…
Read More..Submission Info
Date Listed: June 15, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Ping Identity
https://www.pingidentity.com
Ping Identity believes secure professional and personal identities underlie human progress in a connected world. Our identity and access management platform gives enterprise customers and employees one-click access to any application from any device. Over 900 companies, including 45 of the Fortune 100, rely on our award-winning products to make the digital world a better…
Read More..Submission Info
Date Listed: April 08, 2013
Last Modified: July 04, 2013.
Additional Info
What is this?Service category: Security
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
PODFather Ltd
http://www.podfather.comPODFather is a business software company specialising in solutions for mobile field force, with a focus on logistics, construction and field service. A secure, cloud-based management application used by scheduling staff, has a companion secure PDA application used by the mobile field force.
Read More..Submission Info
Date Listed: December 12, 2013
Poste Italiane S.P.A.
http://www.poste.itPoste Italiane is a national leader in digital services providing financial, logistics, postal, insurance, digital communication, mobile, TLC, cyber security and cloud services to large companies, Public Administrations, SMEs and professionals. To provide secure services and protect customers, on-line services and transaction, Poste Italiane has created its internal Computer Emergency Response Team (CERT), called PI…
Read More..Submission Info
Date Listed: January 31, 2014
Projectplace International
https://www.projectplace.com/Projectplace is Europe’s leading, social, project-collaboration software in the cloud. Over 120,000 projects have benefited from using our all-in-one tool.
Read More..Submission Info
Date Listed: April 24, 2013
Last Modified: July 04, 2013.
Additional Info
What is this?Service category: Project Management
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Pulsant Limited
http://www.pulsant.comPulsant are leading providers of Cloud Hosting, Colocation, Network and Managed Hosting services across the UK and Europe. Our 10 state of the art data centre facilities deliver efficiency, resiliency, continuity and ultra-fast connectivity and flexible packages allow your hosting needs to grow with your business. Our PulsantEnterprise Cloud solution is designed for organisations who…
Read More..Submission Info
Date Listed: November 06, 2013
Last Modified: December 12, 2013.
RapidCompute – Division of Cybernet
http://www.rapidcompute.comRapidCompute is the latest in a long list of IT service offerings from Cybernet. RapidCompute is an Infrastructure-as-a-Service (IaaS) cloud platform that combines enterprise class infrastructure with the expertise and support structure that is the hallmark of Cybernet’s product portfolio. RapidCompute offers a high performing, standards-based, flexible and robust cloud solution. It is our core…
Read More..Submission Info
Date Listed: July 14, 2013
Red Hat OpenShift
https://www.openshift.com
OpenShift is Red Hat’s free, auto-scaling Platform as a Service (PaaS) for applications. As an application platform in the cloud, OpenShift manages the stack so you can focus on your code.
Read More..Submission Info
Date Listed: April 15, 2013
Last Modified: July 04, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Ribose
http://www.ribose.comRibose helps individuals and organizations worldwide cooperate effectively through its social collaboration platform. By focusing on the “whole of collaboration”, Ribose has taken online social collaboration to a new level. Whether planning social events for family and friends or running complex business projects, you will find that Ribose makes it easy, effective and genuinely fun.
Read More..Submission Info
Date Listed: October 30, 2013
ServiceNow
http://www.servicenow.comServiceNow is the enterprise IT cloud company. We transform IT by automating and managing IT service relationships across the global enterprise. Organizations deploy our service to create a single system of record for IT and automate manual tasks, standardize processes, and consolidate legacy systems. Using our extensible platform, our customers create custom applications and evolve…
Read More..Submission Info
Date Listed: January 03, 2014
SHI International, Corp.
http://www.shicloud.com/From software and hardware procurement to deployment planning, configuration, data center optimization, IT asset management and cloud computing, SHI offers custom IT solutions for every aspect of your environment. Privately-held and under the guidance of our current ownership since 1989, SHI has experienced tremendous growth in size and scope through neither merger nor acquisition. Our…
Read More..Submission Info
Date Listed: March 23, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Skyhigh Networks
http://www.skyhighnetworks.com/
Skyhigh Networks allows our customers to enable and accelerate the safe and profitable adoption of cloud services across their company. We leverage our 20 years of experience and expertise in Internet technologies and businesses, and the latest in data analysis, networking, cloud-scaling and security technologies to deliver a game changing, highly available, service provider-scale, multi-tenant,…
Read More..Submission Info
Date Listed: February 28, 2013
Last Modified: July 04, 2013.
Additional Info
What is this?Service category: Security
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Sliced Tech
http://www.slicedtech.com.au/Sliced Tech is a leading Australian managed services provider providing enterprise public, community and private cloud services. Sliced Tech provides services to commercial and government customers seeking IaaS, PaaS and SaaS solutions backed by contracts and SLAs. Sliced Tech has owns and manages cloud infrastructure within data centres across Australia, enabling customers to leverage a…
Read More..Submission Info
Date Listed: February 24, 2014
SoftLayer
http://www.softlayer.com
SoftLayer provides global cloud infrastructure built at Internet scale. Our full-featured API and sophisticated automation tools let you control a powerful, on-demand platform that seamlessly spans physical and virtual devices. With 100,000 servers under management, we are the largest privately held Infrastructure-as-a-Service provider in the world, with 25,000 leading-edge customers ranging from technology startups to…
Read More..Submission Info
Date Listed: November 09, 2012
Last Modified: December 23, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Solutionary
http://www.solutionary.com/
As a cloud-based Managed Security Services provider, Solutionary reduces the information security and compliance burden, delivering flexible managed security services that align with client goals, enhancing organizations’ existing security program, infrastructure and personnel. The company’s services are based on experienced security professionals, data-driven and actionable threat intelligence, and the ActiveGuard® service platform that provide expert…
Read More..Submission Info
Date Listed: December 02, 2011
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Security
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Symantec.cloud
http://www.symanteccloud.com/
Symantec.cloud provides a management platform service that helps a business to administer, monitor, and protect its enterprise information resources more effectively. Our portfolio of protection services for E-Mail, Web, Instant Messaging and Cloud Managed Endpoint Solutions assists IT leaders in their effort to provide security, enforce policy and regulations, maintain their service delivery levels and…
Read More..Submission Info
Date Listed: October 19, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Security
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Telecom Italia S.p.a. Hosting Evoluto
http://www.telecomitalia.com/
Telecom Italia offers technological infrastructures and platforms in which voice and data are converted into advanced telecommunications services – as well as the latest ICT and Media solutions. Telecom Italia, TIM, Virgilio, La7 and MTV Italia, Olivetti are the Group’s main brands, symbols familiar to consumers and a guarantee of reliability and skill. Being close…
Read More..Submission Info
Date Listed: May 19, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Terremark
http://www.terremark.com/
Terremark, a Verizon Company, is a leader in transforming and securing enterprise-class IT on a global scale. A subsidiary of Verizon Communications Inc. (NYSE, Nasdaq:VZ), Terremark sets the standard for IT deployments with advanced infrastructure and managed service offerings that deliver the scale, security, and reliability necessary to meet the demanding requirements of enterprises and…
Read More..Submission Info
Date Listed: June 10, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Cloud Infrastructure
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Trackyou Ltd
http://www.trackyou.co.uk/Trackyou Ltd provide cutting edge tracking solutions. Established for over a decade we have gone from strength to strength, offering government and private sector with our innovative solutions.
Read More..Submission Info
Date Listed: February 12, 2014
Varolii Corporation
http://www.varolii.com/Varolii Corporation’s cloud-based SaaS Interact product provides customer interaction management and business continuity communications voice, text, email and smartphone solutions for over 450 clients from the healthcare, finance, airlines/transportation, telecomm, utilities and retail industries.
Read More..Submission Info
Date Listed: November 14, 2012
Last Modified: February 23, 2013.
Additional Info
What is this?Service category: Customer Support
Service supports enterprise identity.
Service supports file sharing.
Service supports a mobile app.
Service performs penetration testing.
Wipro Technologies
http://www.wipro.com
Wipro Ltd (NYSE:WIT) is a global information technology, consulting and outsourcing company with 145,000 employees serving over 900 clients in 61 countries. The company posted revenues of $6.9 billion for the financial year ended Mar 31, 2013. Wipro helps customers to do business better leveraging our industry-wide experience, deep technology expertise, comprehensive portfolio of services…
Read More..Submission Info
Date Listed: January 11, 2014
FAQ
1) Q. What is the CSA STAR?
A. The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing services, thereby helping users assess the security of cloud providers that they currently use or with whom they are considering contracting. It is a simple but powerful idea, cloud providers post self assessments of their cloud services, CSA makes these assessments publicly available and cloud consumers can use this data to make informed purchasing decisions.
The CSA STAR service is based upon the CSA Governance, Risk and Compliance (GRC) Stack, a collection of four integrated research projects that provide a framework for cloud-specific security controls, assessment, greater automation, and real time GRC management. In addition to registry entries for cloud providers, we will also include special entries for technology solutions and services that integrate CSA GRC Stack components.2) Q. When will the CSA STAR be publicly available?
A. The CSA STAR has been available for provider submissions since early in Q4 2011, and is located at https://cloudsecurityalliance.org/star/.
3) Q. Are there any costs for CSA STAR listings or usage?
A. The CSA STAR Self Assessment is free for both providers to submit registry entries and for consumers to use the registry for research.
The only cost for STAR is associated with the CSA STAR Certification CERTIFICATE. For more information please see “STAR Certification, Policy & Price” at https://cloudsecurityalliance.org/star/certification/#_price
4) Q. What are the Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix, and how do I use them for my own self assessment?
A. The Cloud Controls Matrix (CCM), provides a controls framework that gives detailed descriptions of security concepts and principles in 13 domains that are aligned with Cloud Security Alliance guidance. As a framework, the CSA CCM provides organizations with necessary structure, detail, and clarity regarding information security in the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.
The Consensus Assessments Initiative Questionnaire (CAIQ, pronounced “cake”) is based upon CCM and provides industry-accepted ways to document which CCM security controls exist in IaaS, PaaS, and SaaS offerings. CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed CAIQ, which will likely be the easiest option for those provider that have not already developed a CCM report.
A special LinkedIn forum (http://www.linkedin.com/groups?home=&gid=4066598) dedicated to CSA STAR support questions is available and moderated by volunteer experts from the community.
5) Q. Why did the CSA feel it was necessary to launch CSA STAR?
A. CSA believes that encouraging transparency and positive competition among cloud providers, with security as a market differentiator, is the right way to think about security in our computer systems. In these early days of cloud adoption, voluntary self-regulation of cloud providers is preferable to heavy-handed governmental regulation.
6) Q. How does the process work for getting listed on CSA STAR?
A. Cloud providers submit a completed CAIQ or CCM whitepaper through our website. CSA will verify submission authenticity and will perform a basic check of content accuracy. CSA will then digitally sign the entry and add it to the public registry.
As for September 2013, companies can also submit their entry as STAR Certification, third party assessment.7) Q. What are the benefits to cloud providers of being listed on CSA STAR?
A. Cloud providers have the benefit of being recognized as a security conscious organization. They will gain exposure to information security, assurance and risk management professionals, who are a key part of the cloud service procurement process. Providers will also be able to streamline their responses to customer due diligence inquiries and “one off” audits.
8) Q. What are the consumer benefits for CSA STAR?
A. Consumers have the benefit of accessing greater information about the security protections cloud providers are promoting. Informed consumers make better decisions.
9) Q. Won’t a public registry of security self assessments create new threat vectors for hackers to exploit?
A. No. The CAIQ is intended to allow a provider to document its security practices without going into a level of detail that would expose sensitive information. For example, a provider will likely document whether or not they regularly perform application layer penetration testing, but would not likely publish detailed results of web scanning tools.
10) Q. Can I get private help with my self-assessment questions?
A. Yes, a special mailbox, star-help@cloudsecurityalliance.org has been setup for questions you do not wish to post in the LinkedIn group, and is managed by our volunteer experts. Be aware that the amount of support you are able to get may not be sufficient depending upon your questions, and you may need to engage with a professional services firm to assist you.
11) Q. As a consumer, how do I use the CSA STAR?
A. How a consumer uses CSA STAR will depend upon their business requirements, the type of cloud service they intend to use, and their tolerance of risk. In general it will tend to reduce the scope of their provider due diligence and provide information to assist in narrowing the focus of audits and other provider inquiries.
12) Q. Is CSA providing independent verification of the provider security controls?
A. No. The CSA does not guarantee the accuracy of CSA STAR Self-Assessment entries.
13) Q. Does the CSA STAR automatically update registry entries when the provider changes its security controls?
A. No. Providers should update their entries to reflect material changes.
14) Q. What will prevent a cloud provider from providing false and misleading information about the security of their cloud service?
A. Public scrutiny will challenge inappropriate uses of CSA STAR. Individuals concerned about objectively false information in the CSA STAR may contact us at star-abuse@cloudsecurityalliance.org.
15) Q. Will cloud providers be required to maintain their registry entries?
A. Yes. CSA will mark entries older than one year to be deprecated, and will remove the entries completely after an additional 6 months.
Submit a Question
Have questions you would like to see answered? Please direct them to star-questions@cloudsecurityalliance.org or through the form below:
PGP Public Key Block
Key ID: 7E8A54CF
Key Fingerprint: F391 743C 652C 50DA F089 AFD9 1E16 5E37 7E8A 54CF
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
mQINBE6smA4BEADQMxewlNg25UgEnbfp6CXt4SEPOeglQD4Mi4BK4W4dwJpCoDdx
7rICE7hzdSAiSDeCg49Kkdii9Liq7oOGXdcMioOqVeEQYwP183564r6GoQPKdGSz
fZJKgEHlXqBtjoYUBm9pX495L0KueJQxhhzCPAEvOrUFuw7MW6XhiNzsohGchclD
7xLzrgZawsy0jeD6vh4ttpy5gzzzfBwEq+aYzg1FDAAPQbMuhzP88uG+SdEKbkPy
szgt0A2a4ODKpqrisnnfH9SR3PWvH8lOf+nouuwucbTcgNvXAGaArCwlJk239WLh
0RmS3cynQyF0NFBqQKBCiu1JBHGcUF0F15ShLdsPkX7ajoPOPJDKYlMpB9n9BOY8
oiCCQLvG307A3LpVdOoMCg02ABZFITf2viSzrX09JVdcMu9zdCr3gd+cS7BpBeif
EUH+IfDlsyhmeBQrY9t9IWkMZIjahm9nwj1lIUbzkJpiSa5Ew5255jOmAndPM/1j
GX2omAyzazD0s3Dxu8fD7MNmAtJUDJQ6aZIkKHVE7f5ZulHvi8m9c59LC3camc+q
EY02qcNH6GgRmcJ+3VdbTwkgjZGLVK80tKUfYD1yK/Zk4alN3oiR7/XtAMXHYUL5
5436zuRoGsAITaEtavGpHclcNzFQu8l/iZnyLKqq//kXSAOJCyAW0Cc3wwARAQAB
tD1DbG91ZFNlY3VyaXR5QWxsaWFuY2UgU1RBUlMgPHN0YXJzQGNsb3Vkc2VjdXJp
dHlhbGxpYW5jZS5vcmc+iQI+BBMBAgAoBQJOrJgOAhsDBQkSzAMABgsJCAcDAgYV
CAIJCgsEFgIDAQIeAQIXgAAKCRAeFl43fopUzxMZD/9ptlGOXJfr+WW/mAFKzgV/
yvPTMwRQ7IpMt+OhIHmNIZ70h7/zcQQOXXvh9QaczJlA2ixv599kLCPkx4ixSiln
kZmvN4y/Qg/tbEIHl60TRLnjrBQAx5leQrdiL0QZbWiBpRncYG4VUn+alqlRvtuD
xPgKgLCHdiyD1YM7ggHIDA71daN/sJHyTSdHVz4Kevi1ozglcHQceQgz8Jqd56MR
50okpqlZOoics3qfwWx6zFRU0yr+3pr3zIIXlsyvS/ZzmhIp/g3rxT3RR9UUelG3
08n2D401XJVjWadAYRZVBjb4VqugWyASuhY7RiDmaF1qQbMp+NB625RgVmHRRpgO
MmUtwXfK4TmJHEtbzKnaJueF5hDjmCgMHg3JrjKSnThGawjNcLgVc9G9Ovnz0TM5
wKuENk8R+FLh78uBSWikAKMVsrt+HYEfI6TlxevP8Yqrovk3+96z8NKNlN6F4V4S
5zJuu74ZeK6FwdvOr8xMvDNCE9zd6WmfCQV26c2mHIdxXRXAHKNJgVNRCFKUv7Ar
8h407PGOktVRTFd+ojmPLBtAFN4u0Cbn0Lkn5FTTpcTXbh64yi80uLNcF61THcKr
E4QyOxiEJhA+XK5Fd37eRLkSv0+I/KH3z/04iYKY5mMoq4UDUsWPz14JYGX/Vclg
Ox3axwPFZkC/cb741h2h17kCDQROrJgOARAA9N4csh5F21Jc/LGWJLGn+RPYLWkQ
4B9CSWuQUhCVTcKWj/Wnc7J97Xpg2tB5dFMNwTkotI93JKPE1GpxwKAuTWXwhEgw
tT77+VvCOFN1jOGaK/xlwLAN9P8cRokQlHNw82TpawiHwcw8Kf25U3h9MbgSwWmC
A5vkKQqUm2hx8UrgIgK7qB0tKSmVeCgoOS4uUaYp7YgGArbF8TcoEXZ51Hm5XXUO
wxwLbfiZEhEV6lDAMgzhqfqE3T3uXDbuwqsS6oMsrJbhy6zJN14FI0gtD/mITfcg
S7LFBB5wdxgpYe28C2ZlLn41iIxcmQ3waLivO5iuhx6o9IV3TKiovfDaDKz+TFCM
Epi6w2ClbI+XFxz0LxOt99uNzNhVmB6PCVLwsktUVgf5ufa2iC1JV1HW/fkSBVaL
5mZeAxt7HlJfbDNfYTVTL2AxFljFz5AiiM9m0JfXBqHAbBxbsIqFZhRfWAvPqx7K
ee0IXymcmB+CMKw//8/+sJ9oi1eIT8wTo4BgZJadVoL2J70QcUscws5eGCc9F3z2
W/Y9vruno0sHkxN0hhDh6Vs1hAtilx4I1nPVO/Xim4gC0HyVz3UYEm7g1tMpUx0o
bvFCbQiYUZY5nRE1Gu0V8XCBQwaYU39gfRKytDRXVqCePz3eWTGwaItHiPB/woJV
JDiD9GzAvDnnLzEAEQEAAYkCJQQYAQIADwUCTqyYDgIbDAUJEswDAAAKCRAeFl43
fopUz+4QEACSFsbkUFbjxHRVcQiNXimiTVR3Km5ZLIBwLFvc+hGNOMtTr75kZqA5
pQf/XI/nuh7MuoVXFxxJ5LIS86cdRfLAMGDRM/d4MWDLvnU1HxG45+H8nqCqPJIU
V5BVfJjVrlkIp4oQDbeRJyP4LrkQsyM2Phm5Xkoj74bRlg7M3ETxkkIigpV7s9bO
aHYEJuRiVo38DXC0S7kiQZauvlHFLnyH74c4ZOGg+DUVm6OqNgxiDUZsyS5aeGRL
3gh8HZhxsPpcB9uqQBiAIGsFUhW4Ri4QUhk18tNgYN9hZDQWKhGATzzhqpkywGIp
sJE6uNC9deR6jCIl1jK/dQfT/TvnmO5a64rfoBk3VbJhbbCWVb3u71vF/CQ5lgf9
BjH1+iJSF+MG3Q3sHrJkJzajovkV4MH2K0j8an8Fjxr3epCUds3oGXSy7/p+N+j3
E5Eje48TgTYVamQL6zTVH00c8GkyhRrrc6z/0vgnHBSMkJcfswv0ML6JBLcRNCVx
xZvP0c30ilOBisnTth2kOOuJnLgcsEZopU55EZOhenonVLzJX9dGuvLwPrw8i3Q0
HWbKuTeNwy2U82mSBHoXeNNke5aPaB1U17+eLflb9QOWy3YoOt+mGN8h+TI/dN26
juO9IqyGcfBJOAbeaAT+AWWTay10321NrK4h9Cz0ccrqn5cxVa6YNg==
=i7uM
-----END PGP PUBLIC KEY BLOCK-----
Terms & Conditions
Effective as of November 14, 2011
These Terms and Conditions (“Terms”) constitute a binding agreement between the Cloud Security Alliance (CSA) and the entity (“Provider”) submitting a document for posting (“Security Disclosure”) on the Cloud Security Alliance Security Trust & Assurance Registry (“CSA STAR℠ Registry”).
BY SUBMITTING YOUR CSA STAR™ SECURITY DISCLOSURE FOR POSTING ON THE CSA STAR℠ REGISTRY, YOU ACKNOWLEDGE AND AGREE TO THE FOLLOWING TERMS.
1. The Cloud Security Alliance CSA STAR℠ Registry
The CSA STAR℠ Registry is a publicly accessible registry that documents the security controls provided by various cloud computing offerings. It is based upon the CSA Governance, Risk, and Compliance (GRC) Stack, a collection of four integrated research projects that provide a framework for cloud-specific security controls, assessment, and greater automation and real-time GRC management.
2. Submission of Security Disclosure
Provider may submit a description of its security controls to the CSA for display on the CSA STAR℠ Registry by doing the following:
- Provider must prepare a Security Disclosure, which is a written document that contains its response to the CSA Consensus Assessments Initiative Questionnaire (CAIQ) or that describes its compliance with the controls that are set forth in the CSA Cloud Controls Matrix (CCM);
- Provider must upload the Security Disclosure and the completed STAR Application Form on the CSA STAR℠ website as explained in the CSA STAR℠ FAQs;
After Provider has uploaded its Security Disclosure, CSA will verify the authenticity of the submission, perform a basic check to ensure that the application is complete, and upload the Security Disclosure on the CSA STAR℠ Registry.
CSA may refuse to post, or may delete, any Security Disclosure that in its sole judgment violates these Terms.
3. Ongoing Use and Maintenance
Provider must update its Security Disclosure from time to time, but not less than once in any twelve (12) month period, in order to take into account the changes in its internal security controls and procedures.
CSA will mark any Security Disclosure that is older than 365 days to be deprecated, and will remove from the CSA STAR℠ Registry any such obsolete Security Disclosure within six months if the Security Disclosure has not been updated.
When the Security Disclosure has been accepted for posting on the CSA STAR℠, Provider may indicate on its website and in its promotional material that:
“[Company]’s Security Disclosure is posted on the Cloud Security Alliance STAR Registry, www.cloudsecurityalliance.org/STAR.”
If a Security Disclosure has not been updated in the prior 365 days, Provider must promptly remove any such notice from its website and promotional materials.
Provider is allowed to link from its website to the page of the CSA STAR℠ Registry where its Security Disclosure is posted.
4. Rules of the CSA STAR℠ Registry
Provider will not do any of the following:
- Post any content or material that infringes any copyright, trademark, patent, trade secret or other intellectual property right of a third party or that is unlawful, harmful, tortious, defamatory, libelous, objectionable or inappropriate as determined by CSA, or could constitute or encourage conduct that would be considered a criminal offense, give rise to civil liability, or violate any law or regulation;
- Post any content or material that it is under a contractual obligation to keep private or confidential;
- Impersonate any person or organization, or misrepresent an affiliation with another person or organization;
- Upload to the Registry any file or link that do not comply with these Terms or that contains viruses, corrupted files, or any other similar software or programs that may adversely affect the operation of the CSA STAR℠ Registry or the CSA website, or any feature of the CSA website;
- Share or transfer password or other access information that allows for making modifications to the Security Disclosures with any other party, temporarily or permanently.
5. Termination; Suspension
CSA may delete or block any or all Security Disclosures associated with Provider at any time and without notice, if CSA determines in its sole discretion that Provider has violated these Terms, the law, or for any other reason.
CSA assumes no liability for any such deletion or blocking, and reserves the right to permanently prohibit Provider from posting Security Disclosures on the CSA STAR℠ Registry.
6. Fees
The CSA STAR℠ Registry is free to Providers to submit Security Disclosures for posting on the STAR Registry, and for consumers to use the Registry for research. In the future, CSA may elect to charge a fee for posting to the STAR Registry, or to limit the number of postings that a single entity may post on the CSA STAR℠ Registry at no cost.
7. Representations and Warranties of Provider
Provider represents and warrants that:
- It has the right and authority to post the Security Disclosure without any restriction;
- Its Security Disclosure is and will remain at all times true, accurate, correct, complete and up-to-date;
- The information provided in the Security Disclosure is not confidential or trade secret information of Provider or any third party, and may be published on the CSA STAR℠ Registry without restriction;
- It owns the content submitted, displayed, published or posted on the Security Disclosure and the display of the Security Disclosure on the CSA STAR℠ Registry will not violate the copyrights, trademark rights, trade secrets, or any other intellectual property rights, contract rights or other rights of any person or entity.
8. Representations and Warranties of CSA
CSA has no obligation to ensure that a Security Disclosure is true, accurate, correct, complete, or up-to-date.
CSA DOES NOT MAKE ANY REPRESENTATION OR WARRANTY WITH RESPECT TO THE CSA STAR℠ REGISTRY. THE CSA STAR℠ REGISTRY IS PROVIDED “AS IS” WITHOUT ANY WARRANTY OF ANY KIND, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
9. Limitation of Liability
Provider will be solely responsible for any direct, indirect, incidental, consequential, or punitive damages, or any other losses, costs, or expenses of any kind (including legal fees, expert fees, or other disbursements) that may arise, directly or indirectly, from the Security Disclosure submitted by Provider, including but not limited to any harm caused by any misrepresentation, inaccuracy, errors, in the Security Disclosure.
CSA does not endorse any provider or any posting. CSA is not responsible for the information or other material that may appear in any Security Disclosure posted by Provider or any third party on the CSA STAR℠ Registry. CSA assumes no responsibility or liability that may arise from or be related to the content of the CSA STAR℠ Registry, including but not limited to claims for negligence, misrepresentation, unfair or deceptive practices, defamation, libel, or slander.
UNDER NO CIRCUMSTANCES, INCLUDING NEGLIGENCE, SHALL CSA BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT RESULT FROM THE USE OR INABILITY TO USE THE CSA REGISTRY OR THE DECISIONS MADE OR ACTIONS TAKEN BY CUSTOMERS OR POTENTIAL CUSTOMERS OR PROVIDER BASED ON THE INFORMATION POSTED ON A SECURITY DISCLOSURE; OR FROM PROVIDER’S USE OF, OR INABILITY TO USE, THE CSA STAR℠ REGISTRY; OR FROM MISTAKES, OMISSIONS, INTERRUPTIONS, DELETION OF FILES, ERRORS, DEFECTS, OR DELAYS IN OPERATION OR TRANSMISSION; OR FROM LOSS OF PROFITS, USE, DATA, GOODWILL, OR OTHER INTANGIBLES; OR FROM THE COST OF PROCUREMENT OF SUBSTITUTE PRODUCTS OR SERVICES; OR FROM THE LOSS OF SECURITY OF INFORMATION THAT PROVIDER SUBMITTED IN CONNECTION WITH THE POSTING OF THE SECURITY DISCLOSURES ON THE CSA STAR℠ REGISTRY, OR THE UNAUTHORIZED INTERCEPTION OF ANY SUCH INFORMATION BY THIRD PARTIES, OR FROM ANY FAILURE OF PERFORMANCE WHETHER OR NOT CAUSED BY EVENTS BEYOND CSA’S REASONABLE CONTROL, INCLUDING BUT NOT LIMITED TO ACTS OF GOD, COMMUNICATIONS LINE FAILURE, THEFT, DESTRUCTION, OR UNAUTHORIZED ACCESS TO THIS SITE’S RECORDS, PROGRAMS, OR SERVICES.
IN NO EVENT SHALL CSA’S TOTAL LIABILITY FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION RELATED TO, OR CONNECTED WITH ANY SECURITY DISCLOSURE EXCEED ONE DOLLAR (US $1.00). SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES; AS A RESULT, THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO PROVIDER.
10. Intellectual Property
CSA is the copyright owner of the CSA STAR℠ Registry. No portion of the CSA STAR℠ Registry may be used in any manner, or for any purpose, without CSA’s express written permission, except as provided for herein.
CSA or its licensors own the trademark CSA STAR℠, and all names, logos, trademarks, or service marks posted on or contained in the CSA STAR℠ Registry. None of these names, logos, or marks may be used without CSA’s prior written approval.
Provider retains all right, title, and interest, including all intellectual property rights in its Security Disclosure. Provider shall have the right to use its Security Disclosure in any way it chooses, subject to these Terms. However, except as otherwise specifically agreed in advance and in writing by CSA, any communication or material that Provider transmits to the CSA STAR℠ Registry in any manner and for any reason will not be treated as confidential or proprietary.
11. License to Display Security Disclosure
By submitting a Security Disclosure for posting on the CSA STAR℠ Registry, Provider hereby grants to CSA a limited, non-exclusive, sub-licensable, worldwide, fully-paid, royalty free license to use, modify (for formatting purposes), publicly display, reproduce, and distribute such Security Disclosure without the need to obtain any third party’s permission. This license includes the right to host, index, cache, and tag any Security Disclosure, as well as the right to post the Security Disclosure on any media or platform known or hereinafter developed.
12. Indemnification
Provider will indemnify, defend and hold harmless CSA and its officers, employees, agents from and against any and all loss, costs, expenses (including reasonable attorneys’ fees and expenses), claims, damages and liabilities resulting from, related to or associated with the Security Disclosure(s) (including all versions or drafts thereof) that Provider posts or uploads on the CSA STAR℠ Registry and any violation of these Terms by Provider, including but not limited to any action by a third party claiming that the Security Disclosure is not true, accurate, correct, complete and up-to-date, or otherwise do not meet any requirement set forth in these Terms.
13. Miscellaneous
Conflict – If there is any conflict between these Terms and any other terms posted on the CSA Site with respect to the operation of the CSA STAR℠ Registry, these Terms will govern and supersede any such other terms.
Entire Agreement – These Terms, together with the general Terms and Conditions of use of the CSA site, make up the entire agreement between CSA and Provider relating to the CSA STAR℠ Registry, and replace any prior understandings or agreements (whether oral or written) regarding the CSA STAR℠ Registry.
Force Majeure – CSA’s failure to comply with these Terms because of an act of God, war, fire, riot, terrorism, earthquake, actions of federal, state or local governmental authorities or for any other reason beyond the reasonable control of CSA, will not be deemed a breach of these Terms.
Governing Law – This Agreement will be governed by and construed in accordance with the laws of the State of California without regard to conflicts of law principles. All disputes regarding this the CSA STAR℠ Registry or this Agreement will be subject to the federal, state, and local courts for Santa Clara County, California.
Headings – The headings in these Terms are for Provider’s convenience and reference and do not limit or affect these Terms.
Modifications – CSA reserves the right to revise the Terms at any time and for any reason, and such revisions shall be effective immediately upon notice thereof, which may be given by any means including posting the updated version of the Terms on the site. If Provider does not request that its Security Disclosure be removed from the CSA STAR℠ Registry within ten (10) days after such notice has been given, Provider will be deemed to have accepted the revised terms.
No Partnership – The posting of Provider’s Security Disclosure on the CSA STAR℠ Registry forms no partnership. Neither Provider nor CSA has the power or the authority to obligate or bind the other.
Severability – If any provision of these Terms is found by a court of applicable jurisdiction to be unlawful, void, or unenforceable, the provision will be deemed severed from these Terms and will not affect the validity and enforceability of any remaining provisions.
Waiver – If CSA fails to act with respect to Provider’s breach of these Terms on any occasion, CSA is not waiving its right to act with respect to future or similar breaches.
14. How to Contact CSA STAR™
If you have any question about this document or about the CSA STAR℠ Registry, please contact us a star-help@cloudsecurityalliance.org.
STAR Certification & STAR Attestation Submission
Please contact star-certification@cloudsecurityalliance.org for information about these Level 2 Certifications.
STAR Self-Assessment Submission
Eligibility for listing on the STAR Registry is contingent on the submission of self-assessment reports that document compliance to CSA-published best practices. The registry is intended to allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences.
The CSA STAR Information Center provides an FAQ, Support Forum and more.
Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices:
- Consensus Assessments Initiative Questionnaire (CAIQ) Download here
- Cloud Controls Matrix (CCM) Download here
CSA STAR Registry Terms and Conditions
Your submission is subject to the CSA STAR Terms and Conditions. We encourage you to review these Terms and Conditions, which govern your use of the CSA STAR Registry.
Submitting self-assessment reports to CSA easy!
Simply fill out the required fields in the form below. Then click the “Browse” button to select the self-assessment report from your computer. When you are finished, click the “Submit” button and your submission is complete.
Your submission will be reviewed by CSA for accuracy and we will follow up via email to verify your entry. If you have questions about your submission, please contact: star-help@cloudsecurityalliance.org
If you have difficulty using this form, please contact: webmaster@cloudsecurityalliance.org
Extended attributes courtesy
of Skyhigh Networks.
Security, Trust
& Assurance Registry
STAR is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings.
Welcome New Members
The CSA is a member-driven organization, chartered with promoting the use of best practices for providing security assurance within Cloud Computing. We would like to welcome our newest members:
CradlePoint- Adallom
- Elastica
- Cornerstone OnDemand
- SoftLayer
Translate CSA
Get Involved
Learn how you can participate in Cloud Security Alliance's goals to promote the use of best practices for providing security assurance within Cloud Computing.
Cloud Security Readiness Tool
Take a short survey that assesses your current IT environment with regard to systems, processes, and productivity. The survey information creates a custom non-commercial report that provides recommendations on your IT state and helps you evaluate the benefits of cloud computing.
Get Started Now