CSA STAR: The Future of Cloud Trust and Assurance
CSA STAR is the industry's most powerful program for security assurance in the cloud. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards. STAR certification provides multiple benefits, including an indication of best practice and independent validation of the security posture of a cloud offering.
STAR consists of three levels of assurance, which currently cover four unique offerings all based upon a succinct yet comprehensive list of cloud-centric control objectives in the CSA’s Cloud Controls Matrix (CCM). CCM is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.
The STAR program includes a complimentary registry that documents the security controls provided by popular cloud computing offerings. This publicly accessible registry is designed for users of cloud services to assess their cloud providers, security providers and advisory and assessment services firms in order to make the best procurement decisions.
CSA STAR is based upon two key research components of the CSA GRC Stack:
Cloud Controls Matrix (CCM) - The controls framework on which STAR is built: a list of cloud-specific security control objectives, mapped to leading standards, best practices and regulations, that gives organizations the structure, detail and clarity they need for information security in cloud computing.
The Consensus Assessments Initiative Questionnaire (CAIQ) - Based upon the CCM, the CAIQ provides a set of Yes/No questions that a cloud consumer or cloud auditor may wish to ask of a cloud provider to ascertain its compliance with the Cloud Controls Matrix and CSA best practices.
CSA STAR PROGRAM ASSESSMENT AND CERTIFICATIONS
LEVEL ONE: CSA STAR Self-Assessment
CSA STAR Self-Assessment is a complimentary offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) or submit a report documenting compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and giving customers visibility into specific provider security practices. Note that a self-assessment is the provider's own assertion and is not independently verified; the Level Two offerings below add third-party assessment.
LEVEL TWO: CSA STAR Attestation
CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) together with the CSA Cloud Controls Matrix. STAR Attestation provides for a rigorous, independent third-party assessment of a cloud provider.
LEVEL TWO: CSA STAR Certification
The CSA STAR Certification is a rigorous, independent third-party assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix.
LEVEL TWO: CSA C-STAR Assessment
The CSA C-STAR Assessment is a robust, independent third-party assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012.
LEVEL THREE: CSA STAR Continuous Monitoring
Currently under development, CSA STAR Continuous Monitoring enables automated, ongoing publication of the current security practices of cloud providers, rather than a point-in-time assessment. Providers publish their security practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts.
Key Links & Resources
For More Information
General Inquiries: [email protected]
CSA STAR Certification Auditors: https://cloudsecurityalliance.org/star/certification/#_auditors
CSA STAR Attestation Auditors: https://cloudsecurityalliance.org/star/attestation/#_auditors
Add your Service to the CSA STAR Registry
CSA STAR is open to all Cloud Providers
Eligibility for listing on the STAR Registry requires an official and authorized submission of one or more documents asserting compliance with CSA-published best practices. The registry is intended to allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement decisions.
The CSA STAR Information Center provides an FAQ, Support Forum and more.
Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices: a completed Consensus Assessments Initiative Questionnaire (CAIQ), or a report documenting compliance with the Cloud Controls Matrix (CCM).
Submitting Reports to CSA is Simple
Fill out the submission form and attach any supporting security control documents. Please request the STAR Entry Template from CSA at [email protected]. When you are finished, click the "Submit my Entry" button. CSA will review your submission for accuracy and follow up via email to verify it. If you have questions about your submission, please contact [email protected].
CSA STAR Registry Terms and Conditions
Your submission is subject to the CSA STAR Terms and Conditions. We encourage you to review these Terms and Conditions, which govern your use of the CSA STAR Registry.