CSA Security, Trust & Assurance Registry (STAR)
Validating Authenticity of STAR Registry Files
File attachments in the CSA STAR Registry are compressed and digitally signed with gpg (GnuPG) 2.2.3. The key identified below can be used to verify each file’s authenticity.
Username: "CloudSecurityAlliance STARWatch"
Fingerprint: 0795 5495 94D1 0ACF 2F9B 3EC1 D9C7 ECF0 7A82 41C6
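One way to carry out the check described above, pinning the published fingerprint instead of trusting whatever key happens to be in the keyring. This is an added example, not part of the original page or CSA's own tooling. The function names, the three file arguments and the assumption that downloads are ordinary (non-detached) gpg signed messages are illustrative.

```shell
#!/bin/sh
# Added example, not CSA's own tooling. Function and file names are hypothetical.
EXPECTED_FPR="0795 5495 94D1 0ACF 2F9B 3EC1 D9C7 ECF0 7A82 41C6"  # published on this page

# Strip whitespace and upper-case so the value compares with gpg's status output.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line names
# the expected key as the signing key (field 3) or as its primary key (last field).
# GOODSIG is not used: it may carry only a 64-bit key ID, not the full fingerprint.
# Appending "" forces a string comparison even for an all-digit fingerprint.
validsig_matches() {
    want=$(normalize_fpr "$1")
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
            (($3 "") == (want "") || ($NF "") == (want "")) { ok = 1 }
        END { exit !ok }'
}

# verify_star_file KEYFILE SIGNEDFILE OUTFILE
# Uses a throwaway keyring so no other key in the user's keyring can satisfy the
# check. Assumes SIGNEDFILE is an ordinary (non-detached) gpg signed message, so
# --decrypt both checks the signature and writes the uncompressed content.
verify_star_file() {
    home=$(mktemp -d) || return 1
    status=$(GNUPGHOME=$home gpg --batch --quiet --import "$1" 2>/dev/null &&
             GNUPGHOME=$home gpg --batch --status-fd 1 --output "$3" --decrypt "$2" 2>/dev/null)
    rc=$?
    rm -rf "$home"
    if [ "$rc" -eq 0 ] && printf '%s\n' "$status" | validsig_matches "$EXPECTED_FPR"; then
        return 0
    fi
    rm -f "$3"   # never leave unverified content behind
    return 1
}

# Run only when called with the three arguments; sourcing defines the functions.
if [ "$#" -eq 3 ]; then
    verify_star_file "$@"
fi
```

A non-zero exit means the file was not signed by the key with the published fingerprint, and no output file is kept.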
CSA STAR: The Future of Cloud Trust and Assurance
CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, and harmonization of standards. The STAR program provides multiple benefits, including indications of best practices and validation of security posture of cloud offerings.
STAR consists of three levels of assurance (Self Assessment, 3rd party certification and continuous auditing), based upon:
- The CSA Cloud Controls Matrix (CCM)
- The Consensus Assessments Initiative Questionnaire (CAIQ)
- The CSA Code of Conduct for GDPR Compliance
The CCM is the only meta-framework of cloud-specific security controls mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. CCM is currently considered a de-facto standard for cloud security assurance and compliance.
The CAIQ is based upon the CCM and provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix.
The CSA Code of Conduct for GDPR Compliance is a tool created in collaboration with industry experts and representatives from EU national data protection authorities to assist organizations in adhering to the European General Data Protection Regulation. The CSA’s Code includes all the necessary requirements a Cloud Service Provider has to satisfy in order to comply with the EU GDPR.
One of the most essential features of the STAR program is its registry that documents the security and privacy controls provided by popular cloud computing offerings. This publicly accessible registry is designed for users of cloud services to assess their cloud providers, security providers and advisory and assessment services firms in order to make the best procurement decisions.
CSA STAR is based upon two key research components of the CSA GRC Stack:
Cloud Controls Matrix (CCM) - As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.
The Consensus Assessments Initiative Questionnaire (CAIQ) - Based upon the CCM, the CAIQ provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix and CSA best practices.
CSA STAR PROGRAM ASSESSMENT AND CERTIFICATIONS
LEVEL ONE: CSA STAR Self-Assessment
CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) or submit a report documenting compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices.
LEVEL ONE: CSA GDPR Code of Conduct Self-Assessment
The Code Self-Assessment consists of the voluntary publication on the STAR Registry of two documents:
- Code of Conduct Statement of Adherence, and
- Self-assessment results based on the PLA Code of Practice (CoP) Template - Annex 1
The Code Self-Assessment covers the GDPR compliance of the service(s) offered by a CSP. A submission fee of €1495 is required to facilitate the publication. After publication of the relevant document on the Registry, a company will receive a Compliance Mark valid for 1 year. The Self-Assessment shall be revised every time there’s a change to the company policies or practices related to the service under assessment.
LEVEL TWO: CSA STAR Attestation
CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers.
LEVEL TWO: CSA STAR Certification
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix.
LEVEL TWO: CSA C-STAR Assessment
The CSA C-STAR Assessment is a robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012.
LEVEL THREE: CSA STAR Continuous Monitoring
Currently under development, CSA STAR Continuous Monitoring enables automation of the current security practices of cloud providers. Providers publish their security practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts.
Key Links & Resources
Description: The CSA STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.
Release Date: June 07, 2018
Description: The STAR Attestation is positioned as STAR Certification at Level 2 of the Open Certification Framework and STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider.
Release Date: June 07, 2018
The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world.
Release Date: April 20, 2015
For More Information
General Inquiries: [email protected]
CSA STAR Certification Auditors: https://cloudsecurityalliance.org/star/certification/#_auditors
CSA STAR Attestation Auditors: https://cloudsecurityalliance.org/star/attestation/#_auditors
Add your Service to the CSA STAR Registry
CSA STAR is open to all Cloud Providers
Eligibility for listing on the STAR Registry requires an official and authorized submission of one or more documents asserting compliance to CSA-published best practices. The registry is intended to allow potential cloud customers to review the security and privacy practices of providers, accelerating their due diligence and leading to higher quality procurement experiences.
Companies can be listed on the STAR Registry by submitting their STAR Self-Assessment or Code of Conduct for GDPR Compliance Self Assessment (Level 1) and/or their Third Party based certification (Level 2).
For more information about the CSA STAR Program please see: https://cloudsecurityalliance.org/star/#_overview.
For more information about the Code of Conduct for GDPR Compliance please see: https://gdpr.cloudsecurityalliance.org.
The STAR Level 1 (Self-Assessment) is based on a report showing the adherence of a service and/or provider to one of the following CSA best practices:
- Consensus Assessments Initiative Questionnaire (CAIQ)
- Cloud Controls Matrix (CCM)
- CSA Code of Conduct for GDPR Compliance (new service as of June 2018)
In order to streamline the process of performing and maintaining their CSA STAR Self-Assessment, it is recommended that companies use CSA STARWatch.
The STAR Level 2 (third-party-based certification) instead offers companies the possibility of complying with CSA best practices according to three different auditing procedures:
Submitting Reports to CSA is Simple
For STAR Certification the following intake form shall be completed and submitted by a STAR Certification Auditor: https://cloudsecurityalliance.org/download/csa-star-certification/
For STAR Attestation the following intake form shall be completed and submitted by a STAR Attestation Auditee: https://cloudsecurityalliance.org/download/csa-star-attestation/
For assistance with Level 2 requests, please contact us at [email protected].
CSA STAR Registry Terms and Conditions
Your submission is subject to the CSA STAR Terms and Conditions. We encourage you to review these Terms and Conditions, which govern your use of the CSA STAR Registry.
If you have difficulty using this form, please contact: [email protected]