CSA Security, Trust and Assurance Registry (STAR) Overview
The CSA Security, Trust and Assurance Registry (STAR) Program is a comprehensive set of offerings for cloud provider trust and assurance. The CSA STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers and consumers, and is used by customers, providers, industries and governments around the world. STAR consists of 3 levels of assurance, which currently cover 4 unique offerings. All offerings are based upon our succinct yet comprehensive list of cloud-centric control objectives in our Cloud Controls Matrix (CCM). CCM is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. Below is an overview of the STAR offerings.
CSA STAR PROGRAM OFFERINGS
CSA STAR is based upon two key research components of the CSA GRC Stack:
Cloud Controls Matrix (CCM) - As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing. https://cloudsecurityalliance.org/research/ccm/
The Consensus Assessments Initiative Questionnaire (CAIQ) - Based upon the CCM, the CAIQ provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix and CSA best practices. https://cloudsecurityalliance.org/group/consensus-assessments/
LEVEL ONE: CSA STAR Self-Assessment
CSA STAR Self-Assessment is a free offering that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. Cloud providers either submit a completed Consensus Assessments Initiative Questionnaire (CAIQ) or submit a report documenting compliance with the Cloud Controls Matrix (CCM). This information then becomes publicly available, promoting industry transparency and providing customer visibility into specific provider security practices. www.cloudsecurityalliance.org/star/self-assessment/
LEVEL TWO: CSA STAR Attestation
CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third party independent assessments of cloud providers. www.cloudsecurityalliance.org/star/attestation/
LEVEL TWO: CSA STAR Certification
The CSA STAR Certification is a rigorous third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix. www.cloudsecurityalliance.org/star/certification/
LEVEL TWO: CSA C-STAR Assessment
The CSA C-STAR Assessment is a robust third party independent assessment of the security of a cloud service provider for the Greater China market that harmonizes CSA best practices with Chinese national standards. C-STAR leverages the requirements of the GB/T 22080-2008 management system standard together with the CSA Cloud Controls Matrix, plus 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012. https://cloudsecurityalliance.org/star/c-star/
LEVEL THREE: CSA STAR Continuous Monitoring
Currently under development and scheduled for 2015 release, CSA STAR Continuous Monitoring enables automation of the current security practices of cloud providers. Providers publish their security practices according to CSA formatting and specifications, and customers and tool vendors can retrieve and present this information in a variety of contexts. www.cloudsecurityalliance.org/star/continuous/
GETTING INVOLVED WITH CSA STAR
Users of Cloud Services
Users of cloud services should engage with their providers and insist that they participate in CSA STAR. This is very often done during the procurement of cloud services and during RFPs (Requests for Proposals). Having published security practices in STAR simplifies and accelerates your vetting of vendors, while assuring a more consistent level of security practices on the part of cloud providers on a global basis.
If your cloud providers refuse to participate in CSA STAR, you have the option of asking them to privately complete and return a copy of the Consensus Assessments Initiative Questionnaire (CAIQ) or Cloud Controls Matrix (CCM). However, we greatly encourage you to insist that the provider participate in STAR. One private CAIQ form helps you, but provider transparency helps the entire community of cloud users.
Cloud Service Providers
Cloud Service Providers receive many benefits by participating in CSA STAR. Ultimately, the most important product feature you are selling is Trust, and CSA STAR provides the most comprehensive assurance that your cloud services can be trusted.
- Exposure within the global STAR registry
- Use of the CSA STAR logos and brand
- Out of the box compliance with customer requirements
- Economies of scale in responding to customer due diligence and security vetting
IT Auditors and Certification bodies
If you are currently in the business of providing audit, attestation or certification services, we would encourage you to consider participating in CSA STAR Level Two. As large portions of our IT systems are migrated to cloud computing, your business of providing IT assurance will grow by offering the leading global standard for cloud-specific security assurance. Depending upon your specific business, location and focus, you may want to offer either CSA STAR Attestation or CSA STAR Certification or both.
Security Solution Providers and Consultants
If you provide professional services, CSA is encouraging the development of practices based upon CSA STAR to assist both providers and customers in secure cloud adoption – it is a shared responsibility. If you develop security products and security-as-a-service solutions, you may want to consider how you can integrate CSA STAR related data and best practices directly into your solution. Much of our intellectual property can be leveraged royalty free.
CSA STAR: The Future of Cloud Trust and Assurance
CSA STAR is the industry’s most powerful program for assurance in the cloud. STAR encompasses key principles of transparency, rigorous auditing, harmonization of standards and eventually continuous monitoring. The best practices and initial level can be achieved at no cost, and we encourage providers and consumers to adopt STAR to enable trust in cloud computing.
For More Information
General Inquiries: [email protected]
CSA STAR Certification Auditors: https://cloudsecurityalliance.org/star/certification/#_auditors
CSA STAR Attestation Auditors: https://cloudsecurityalliance.org/star/attestation/#_auditors
1) Q. What is the CSA STAR?
A. The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing services, thereby helping users assess the security of cloud providers that they currently use or with whom they are considering contracting. It is a simple but powerful idea: cloud providers post self-assessments of their cloud services, CSA makes these assessments publicly available, and cloud consumers can use this data to make informed purchasing decisions.
The CSA STAR service is based upon the CSA Governance, Risk and Compliance (GRC) Stack, a collection of four integrated research projects that provide a framework for cloud-specific security controls, assessment, greater automation, and real-time GRC management. In addition to registry entries for cloud providers, we will also include special entries for technology solutions and services that integrate CSA GRC Stack components.
2) Q. When will the CSA STAR be publicly available?
A. The CSA STAR has been available for provider submissions since early in Q4 2011, and is located at https://cloudsecurityalliance.org/star/.
3) Q. Are there any costs for CSA STAR listings or usage?
A. The CSA STAR Self Assessment is free for both providers to submit registry entries and for consumers to use the registry for research.
The only cost for STAR is associated with the CSA STAR Certification CERTIFICATE. For more information please see “STAR Certification, Policy & Price” at https://cloudsecurityalliance.org/star/certification/#_price
4) Q. What are the Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix, and how do I use them for my own self assessment?
A. The Cloud Controls Matrix (CCM) provides a controls framework that gives detailed descriptions of security concepts and principles in 13 domains that are aligned with Cloud Security Alliance guidance. As a framework, the CSA CCM provides organizations with necessary structure, detail, and clarity regarding information security in the cloud industry. Providers may choose to submit a report documenting compliance with the Cloud Controls Matrix.
The Consensus Assessments Initiative Questionnaire (CAIQ, pronounced “cake”) is based upon the CCM and provides industry-accepted ways to document which CCM security controls exist in IaaS, PaaS, and SaaS offerings. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed CAIQ, which will likely be the easiest option for those providers that have not already developed a CCM report.
A special LinkedIn forum (http://www.linkedin.com/groups?home=&gid=4066598) dedicated to CSA STAR support questions is available and moderated by volunteer experts from the community.
5) Q. Why did the CSA feel it was necessary to launch CSA STAR?
A. CSA believes that encouraging transparency and positive competition among cloud providers, with security as a market differentiator, is the right way to think about security in our computer systems. In these early days of cloud adoption, voluntary self-regulation of cloud providers is preferable to heavy-handed governmental regulation.
6) Q. How does the process work for getting listed on CSA STAR?
A. Cloud providers submit a completed CAIQ or CCM whitepaper through our website. CSA will verify submission authenticity and will perform a basic check of content accuracy. CSA will then digitally sign the entry and add it to the public registry.
As of September 2013, companies can also submit their entry as a STAR Certification (third-party assessment).
7) Q. What are the benefits to cloud providers of being listed on CSA STAR?
A. Cloud providers have the benefit of being recognized as a security conscious organization. They will gain exposure to information security, assurance and risk management professionals, who are a key part of the cloud service procurement process. Providers will also be able to streamline their responses to customer due diligence inquiries and “one off” audits.
8) Q. What are the consumer benefits for CSA STAR?
A. Consumers have the benefit of accessing greater information about the security protections cloud providers are promoting. Informed consumers make better decisions.
9) Q. Won’t a public registry of security self assessments create new threat vectors for hackers to exploit?
A. No. The CAIQ is intended to allow a provider to document its security practices without going into a level of detail that would expose sensitive information. For example, a provider will likely document whether or not they regularly perform application layer penetration testing, but would not likely publish detailed results of web scanning tools.
10) Q. Can I get private help with my self-assessment questions?
A. Yes, a special mailbox, [email protected], has been set up for questions you do not wish to post in the LinkedIn group, and is managed by our volunteer experts. Be aware that the amount of support you are able to get may not be sufficient depending upon your questions, and you may need to engage a professional services firm to assist you.
11) Q. As a consumer, how do I use the CSA STAR?
A. How a consumer uses CSA STAR will depend upon their business requirements, the type of cloud service they intend to use, and their tolerance of risk. In general it will tend to reduce the scope of their provider due diligence and provide information to assist in narrowing the focus of audits and other provider inquiries.
12) Q. Is CSA providing independent verification of the provider security controls?
A. No. The CSA does not guarantee the accuracy of CSA STAR Self-Assessment entries.
13) Q. Does the CSA STAR automatically update registry entries when the provider changes its security controls?
A. No. Providers should update their entries to reflect material changes.
14) Q. What will prevent a cloud provider from providing false and misleading information about the security of their cloud service?
A. Public scrutiny will challenge inappropriate uses of CSA STAR. Individuals concerned about objectively false information in the CSA STAR may contact us at [email protected].
15) Q. Will cloud providers be required to maintain their registry entries?
A. Yes. CSA will mark entries older than one year to be deprecated, and will remove the entries completely after an additional 6 months.
Submit a Question
Have questions you would like to see answered? Please direct them to [email protected] or through the form below:
Terms & Conditions
Effective as of November 14, 2011
These Terms and Conditions (“Terms”) constitute a binding agreement between the Cloud Security Alliance (CSA) and the entity (“Provider”) submitting a document for posting (“Security Disclosure”) on the Cloud Security Alliance Security Trust & Assurance Registry (“CSA STAR℠ Registry”).
BY SUBMITTING YOUR CSA STAR™ SECURITY DISCLOSURE FOR POSTING ON THE CSA STAR℠ REGISTRY, YOU ACKNOWLEDGE AND AGREE TO THE FOLLOWING TERMS.
1. The Cloud Security Alliance CSA STAR℠ Registry
The CSA STAR℠ Registry is a publicly accessible registry that documents the security controls provided by various cloud computing offerings. It is based upon the CSA Governance, Risk, and Compliance (GRC) Stack, a collection of four integrated research projects that provide a framework for cloud-specific security controls, assessment, and greater automation and real-time GRC management.
2. Submission of Security Disclosure
Provider may submit a description of its security controls to the CSA for display on the CSA STAR℠ Registry by doing the following:
- Provider must prepare a Security Disclosure, which is a written document that contains its response to the CSA Consensus Assessments Initiative Questionnaire (CAIQ) or that describes its compliance with the controls that are set forth in the CSA Cloud Controls Matrix (CCM);
- Provider must upload the Security Disclosure and the completed STAR Application Form on the CSA STAR℠ website as explained in the CSA STAR℠ FAQs;
After Provider has uploaded its Security Disclosure, CSA will verify the authenticity of the submission, perform a basic check to ensure that the application is complete, and upload the Security Disclosure on the CSA STAR℠ Registry.
CSA may refuse to post, or may delete, any Security Disclosure that in its sole judgment violates these Terms.
3. Ongoing Use and Maintenance
Provider should update its Security Disclosure from time to time, ideally not less than once in any twelve (12) month period, in order to take into account the changes in its internal security controls and procedures.
CSA may mark any Security Disclosure that is older than 365 days to be deprecated, and may remove from the CSA STAR℠ Registry any such obsolete Security Disclosure within six months if the Security Disclosure has not been updated.
When the Security Disclosure has been accepted for posting on the CSA STAR℠, Provider may indicate on its website and in its promotional material that:
“[Company]’s Security Disclosure is posted on the Cloud Security Alliance STAR Registry, www.cloudsecurityalliance.org/STAR.”
If a Security Disclosure has not been updated in the prior 365 days, Provider must promptly remove any such notice from its website and promotional materials.
Provider is allowed to link from its website to the page of the CSA STAR℠ Registry where its Security Disclosure is posted.
4. Rules of the CSA STAR℠ Registry
Provider will not do any of the following:
- Post any content or material that infringes any copyright, trademark, patent, trade secret or other intellectual property right of a third party or that is unlawful, harmful, tortious, defamatory, libelous, objectionable or inappropriate as determined by CSA, or could constitute or encourage conduct that would be considered a criminal offense, give rise to civil liability, or violate any law or regulation;
- Post any content or material that it is under a contractual obligation to keep private or confidential;
- Impersonate any person or organization, or misrepresent an affiliation with another person or organization;
- Upload to the Registry any file or link that does not comply with these Terms or that contains viruses, corrupted files, or any other similar software or programs that may adversely affect the operation of the CSA STAR℠ Registry or the CSA website, or any feature of the CSA website;
- Share or transfer passwords or other access information that allows for making modifications to the Security Disclosures with any other party, temporarily or permanently.
5. Termination; Suspension
CSA may delete or block any or all Security Disclosures associated with Provider at any time and without notice, if CSA determines in its sole discretion that Provider has violated these Terms, the law, or for any other reason.
CSA assumes no liability for any such deletion or blocking, and reserves the right to permanently prohibit Provider from posting Security Disclosures on the CSA STAR℠ Registry.
The CSA STAR℠ Registry is free to Providers to submit Security Disclosures for posting on the STAR Registry, and for consumers to use the Registry for research. In the future, CSA may elect to charge a fee for posting to the STAR Registry, or to limit the number of postings that a single entity may post on the CSA STAR℠ Registry at no cost.
7. Representations and Warranties of Provider
Provider represents and warrants that:
- It has the right and authority to post the Security Disclosure without any restriction;
- Its Security Disclosure is and will remain at all times true, accurate, correct, complete and up-to-date;
- The information provided in the Security Disclosure is not confidential or trade secret information of Provider or any third party, and may be published on the CSA STAR℠ Registry without restriction;
- It owns the content submitted, displayed, published or posted on the Security Disclosure and the display of the Security Disclosure on the CSA STAR℠ Registry will not violate the copyrights, trademark rights, trade secrets, or any other intellectual property rights, contract rights or other rights of any person or entity.
8. Representations and Warranties of CSA
CSA has no obligation to ensure that a Security Disclosure is true, accurate, correct, complete, or up-to-date.
CSA DOES NOT MAKE ANY REPRESENTATION OR WARRANTY WITH RESPECT TO THE CSA STAR℠ REGISTRY. THE CSA STAR℠ REGISTRY IS PROVIDED “AS IS” WITHOUT ANY WARRANTY OF ANY KIND, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.
9. Limitation of Liability
Provider will be solely responsible for any direct, indirect, incidental, consequential, or punitive damages, or any other losses, costs, or expenses of any kind (including legal fees, expert fees, or other disbursements) that may arise, directly or indirectly, from the Security Disclosure submitted by Provider, including but not limited to any harm caused by any misrepresentation, inaccuracy, or errors in the Security Disclosure.
CSA does not endorse any provider or any posting. CSA is not responsible for the information or other material that may appear in any Security Disclosure posted by Provider or any third party on the CSA STAR℠ Registry. CSA assumes no responsibility or liability that may arise from or be related to the content of the CSA STAR℠ Registry, including but not limited to claims for negligence, misrepresentation, unfair or deceptive practices, defamation, libel, or slander.
UNDER NO CIRCUMSTANCES, INCLUDING NEGLIGENCE, SHALL CSA BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT RESULT FROM THE USE OR INABILITY TO USE THE CSA REGISTRY OR THE DECISIONS MADE OR ACTIONS TAKEN BY CUSTOMERS OR POTENTIAL CUSTOMERS OR PROVIDER BASED ON THE INFORMATION POSTED ON A SECURITY DISCLOSURE; OR FROM PROVIDER’S USE OF, OR INABILITY TO USE, THE CSA STAR℠ REGISTRY; OR FROM MISTAKES, OMISSIONS, INTERRUPTIONS, DELETION OF FILES, ERRORS, DEFECTS, OR DELAYS IN OPERATION OR TRANSMISSION; OR FROM LOSS OF PROFITS, USE, DATA, GOODWILL, OR OTHER INTANGIBLES; OR FROM THE COST OF PROCUREMENT OF SUBSTITUTE PRODUCTS OR SERVICES; OR FROM THE LOSS OF SECURITY OF INFORMATION THAT PROVIDER SUBMITTED IN CONNECTION WITH THE POSTING OF THE SECURITY DISCLOSURES ON THE CSA STAR℠ REGISTRY, OR THE UNAUTHORIZED INTERCEPTION OF ANY SUCH INFORMATION BY THIRD PARTIES, OR FROM ANY FAILURE OF PERFORMANCE WHETHER OR NOT CAUSED BY EVENTS BEYOND CSA’S REASONABLE CONTROL, INCLUDING BUT NOT LIMITED TO ACTS OF GOD, COMMUNICATIONS LINE FAILURE, THEFT, DESTRUCTION, OR UNAUTHORIZED ACCESS TO THIS SITE’S RECORDS, PROGRAMS, OR SERVICES.
IN NO EVENT SHALL CSA’S TOTAL LIABILITY FOR ALL DAMAGES, LOSSES, AND CAUSES OF ACTION RELATED TO, OR CONNECTED WITH ANY SECURITY DISCLOSURE EXCEED ONE DOLLAR (US $1.00). SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES; AS A RESULT, THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO PROVIDER.
10. Intellectual Property
CSA is the copyright owner of the CSA STAR℠ Registry. No portion of the CSA STAR℠ Registry may be used in any manner, or for any purpose, without CSA’s express written permission, except as provided for herein.
CSA or its licensors own the trademark CSA STAR℠, and all names, logos, trademarks, or service marks posted on or contained in the CSA STAR℠ Registry. None of these names, logos, or marks may be used without CSA’s prior written approval.
Provider retains all right, title, and interest, including all intellectual property rights in its Security Disclosure. Provider shall have the right to use its Security Disclosure in any way it chooses, subject to these Terms. However, except as otherwise specifically agreed in advance and in writing by CSA, any communication or material that Provider transmits to the CSA STAR℠ Registry in any manner and for any reason will not be treated as confidential or proprietary.
11. License to Display Security Disclosure
By submitting a Security Disclosure for posting on the CSA STAR℠ Registry, Provider hereby grants to CSA a limited, non-exclusive, sub-licensable, worldwide, fully-paid, royalty free license to use, modify (for formatting purposes), publicly display, reproduce, and distribute such Security Disclosure without the need to obtain any third party’s permission. This license includes the right to host, index, cache, and tag any Security Disclosure, as well as the right to post the Security Disclosure on any media or platform known or hereinafter developed.
Provider will indemnify, defend and hold harmless CSA and its officers, employees, and agents from and against any and all loss, costs, expenses (including reasonable attorneys’ fees and expenses), claims, damages and liabilities resulting from, related to or associated with the Security Disclosure(s) (including all versions or drafts thereof) that Provider posts or uploads on the CSA STAR℠ Registry and any violation of these Terms by Provider, including but not limited to any action by a third party claiming that the Security Disclosure is not true, accurate, correct, complete and up-to-date, or otherwise does not meet any requirement set forth in these Terms.
Conflict – If there is any conflict between these Terms and any other terms posted on the CSA Site with respect to the operation of the CSA STAR℠ Registry, these Terms will govern and supersede any such other terms.
Entire Agreement – These Terms, together with the general Terms and Conditions of use of the CSA site, make up the entire agreement between CSA and Provider relating to the CSA STAR℠ Registry, and replace any prior understandings or agreements (whether oral or written) regarding the CSA STAR℠ Registry.
Force Majeure – CSA’s failure to comply with these Terms because of an act of God, war, fire, riot, terrorism, earthquake, actions of federal, state or local governmental authorities or for any other reason beyond the reasonable control of CSA, will not be deemed a breach of these Terms.
Governing Law – This Agreement will be governed by and construed in accordance with the laws of the State of California without regard to conflicts of law principles. All disputes regarding the CSA STAR℠ Registry or this Agreement will be subject to the federal, state, and local courts for Santa Clara County, California.
Headings – The headings in these Terms are for Provider’s convenience and reference and do not limit or affect these Terms.
Modifications – CSA reserves the right to revise the Terms at any time and for any reason, and such revisions shall be effective immediately upon notice thereof, which may be given by any means including posting the updated version of the Terms on the site. If Provider does not request that its Security Disclosure be removed from the CSA STAR℠ Registry within ten (10) days after such notice has been given, Provider will be deemed to have accepted the revised terms.
No Partnership – The posting of Provider’s Security Disclosure on the CSA STAR℠ Registry forms no partnership. Neither Provider nor CSA has the power or the authority to obligate or bind the other.
Severability – If any provision of these Terms is found by a court of applicable jurisdiction to be unlawful, void, or unenforceable, the provision will be deemed severed from these Terms and will not affect the validity and enforceability of any remaining provisions.
Waiver – If CSA fails to act with respect to Provider’s breach of these Terms on any occasion, CSA is not waiving its right to act with respect to future or similar breaches.
14. How to Contact CSA STAR™
If you have any questions about this document or about the CSA STAR℠ Registry, please contact us at [email protected].