CSA Security, Trust & Assurance Registry (STAR)

CSA Security, Trust and Assurance Registry (STAR) Overview

The CSA Security, Trust and Assurance Registry (STAR) Program is a comprehensive set of offerings for cloud provider trust and assurance. The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world. STAR consists of 3 levels of assurance, which currently cover 4 unique offerings. All offerings are based upon our succinct yet comprehensive list of cloud-centric control objectives in our Cloud Controls Matrix (CCM). CCM is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. Below is an overview of the STAR offerings.

CSA STAR PROGRAM OFFERINGS

CSA STAR is based upon two key research components of the CSA GRC Stack:

Cloud Controls Matrix (CCM) - As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. https://cloudsecurityalliance.org/research/ccm/

Consensus Assessments Initiative Questionnaire (CAIQ) - This is a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. It provides a series of "yes or no" control assertion questions which can then be tailored to suit each unique cloud customer's evidentiary requirements. https://cloudsecurityalliance.org/research/cai/

OCF Structure

LEVEL ONE: CSA STAR Self-Assessment

CSA STAR Self-Assessment is a free offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) or submit a report documenting compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. www.cloudsecurityalliance.org/star/self-assessment/

LEVEL TWO: CSA STAR Attestation

CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers. www.cloudsecurityalliance.org/star/attestation/

LEVEL TWO: CSA STAR Certification

The CSA STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix. www.cloudsecurityalliance.org/star/certification/

LEVEL THREE: CSA STAR Continuous Monitoring

Currently under development and scheduled for 2015 release, CSA STAR Continuous Monitoring enables automation of the current security practices of cloud providers. Providers publish their security practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts. www.cloudsecurityalliance.org/star/continuous/

GETTING INVOLVED WITH CSA STAR

Users of Cloud Services

Users of cloud services should engage with their providers and insist that they participate in CSA STAR. This is very often done during the procurement of cloud services and during RFPs (Requests for Proposals). Having published security practices in STAR simplifies and accelerates your vetting of vendors, while assuring a more consistent level of security practices on the part of cloud providers on a global basis.

If your cloud providers refuse to participate in CSA STAR, you have the option of asking them to privately complete and return a copy of the Consensus Assessments Initiative Questionnaire (CAIQ) or Cloud Controls Matrix (CCM). However, we greatly encourage you to insist that the provider participate in STAR. One private CAIQ form helps you, but provider transparency helps the entire community of cloud users.

Cloud Service Providers

Cloud Service Providers receive many benefits by participating in CSA STAR. Ultimately, the most important product feature you are selling is Trust, and CSA STAR provides the most comprehensive assurance that your cloud services can be trusted.

  • Exposure within the global STAR registry
  • Use of the CSA STAR logos and brand
  • Out of the box compliance with customer requirements
  • Economies of scale in responding to customer due diligence and security vetting

IT Auditors and Certification bodies

If you are currently in the business of providing audit, attestation or certification services, we would encourage you to consider participating in CSA STAR Level Two. As large portions of our IT systems are migrated to cloud computing, your business of providing IT assurance will grow by offering the leading global standard for cloud-specific security assurance. Depending upon your specific business, location and focus, you may want to offer either CSA STAR Attestation or CSA STAR Certification or both.

Security Solution Providers and Consultants

If you provide professional services, CSA is encouraging the development of practices based upon CSA STAR to assist both providers and customers in secure cloud adoption – it is a shared responsibility. If you develop security products and security-as-a-service solutions, you may want to consider how you can integrate CSA STAR related data and best practices directly into your solution. Much of our intellectual property can be leveraged royalty free.

CSA STAR: The Future of Cloud Trust and Assurance

CSA STAR is the industry’s most powerful program for assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, harmonization of standards and eventually continuous monitoring. The best practices and initial level can be achieved at no cost, and we encourage providers and consumers to adopt STAR to enable trust in cloud computing.

For More Information

General Inquiries: [email protected]

CSA STAR Certification Auditors: https://cloudsecurityalliance.org/star/certification/#_auditors

CSA STAR Attestation Auditors: https://cloudsecurityalliance.org/star/attestation/#_auditors

STAR Registry Entries

Acer CyberCenter Services Inc.

http://www.aceredc.com/eDC/English/default.asp

Acer CyberCenter Services Inc. (ACCSI) is 100% owned by Acer Inc. with about 250 employees. ACCSI runs the data center related services and is also known as Acer e-Enabling Data Center (Acer eDC). Investment of the data center is over US$100M to provide professional IT management services to businesses since 2001. Except data center hosting services, we…

Submission Info

Date Listed: November 20, 2013
Last Modified: July 30, 2014.

Additional Info

Service supports enterprise identity.

Service supports file sharing.

Service supports a mobile app.

Service performs penetration testing.

Achievers Corporation

http://www.achievers.com/

Achievers delivers the only true cloud-based Employee Success Platform™ that enables remarkable business success. Designed specifically to meet the complex needs of today’s changing, modern workplace, it is the most engaging software specifically designed to engage, align and recognize employees. It is software employees love to use every day in over 110 countries.

Submission Info

Date Listed: April 16, 2014
Last Modified: July 30, 2014.

Additional Info

Service supports enterprise identity.

Service supports file sharing.

Service supports a mobile app.

Service performs penetration testing.

Acquia

http://www.acquia.com

Acquia offers enterprises unparalleled freedom to innovate and increase business agility by creating extraordinary web experiences. The fastest growing open cloud platform for integrated digital experiences, Acquia enables content rich, complex global organizations to rapidly deploy and manage dynamic digital experiences in an open source way. Co-founded by the Drupal project’s creator in 2007, Acquia…

Submission Info

Date Listed: January 12, 2013
Last Modified: March 26, 2014.

Additional Info

Service category: Development

Service supports enterprise identity.

Service supports file sharing.

Service supports a mobile app.

Service performs penetration testing.