CSA STAR: The Cloud’s Most Powerful Security Assurance Program

As you’re probably well aware, cloud adoption is prevalent and increasing by the day as enterprises look to become more agile and efficient. Businesses are moving to the cloud at an astounding rate: 94% of enterprises already use some type of cloud service, and in 2021 public cloud infrastructure will grow by 35%. 

With so much sensitive information now being stored in the cloud, keeping it safe weighs heavily on the minds of both cloud service providers (CSP) and cloud customers. There are a number of inherent risks businesses take when securing data in the cloud. Cloud services introduce multiple changes to traditional identity and access management (IAM), starting with a lack of visibility and control over your data and more potentially insecure access points, increasing the likelihood of breaches. Trusting a vendor with your sensitive data makes you reliant on their security practices, removing a significant amount of organizational control. With a plethora of added risks, security in the cloud is both challenging and essential today–those storing critical data in the cloud demand the highest security and privacy protection while cloud providers want to prove they meet all the security and compliance requirements of their customers. 

So how can today’s cloud service providers prove they are worthy of being entrusted with a business’s most valuable commodity stored in the cloud?

By meeting the requirements for what many consider the gold standard in cloud security assurance—Cloud Security Alliance’s Security Trust Assurance and Risk (STAR) program. This article will provide an overview of the CSA STAR program and how it’s beneficial for cloud service providers looking to demonstrate the highest level of security assurance in the cloud.

What is CSA STAR?

CSA Security Trust, Assurance and Risk (CSA STAR) is the most powerful security assurance program for the cloud. STAR encompasses the key principles of transparency, rigorous auditing, and the harmonization of standards. The STAR program provides many benefits, including indications of best practices and validation of cloud offerings’ security posture.

This program is based on three foundational tools which bring instant credibility in security circles. The first, CSA’s Cloud Control Matrix (CCM), is considered the de facto standard for cloud security and compliance and outlines all cloud-specific security controls. The second, the Consensus Assessments Initiative Questionnaire (CAIQ), provides a list of 295 questions for cloud customers to ask their providers to gauge CCM compliance. The third, CSA’s Code of Conduct for GDPR Compliance, is a robust guide created to assist organizations in GDPR adherence. 

Key benefits of CSA STAR for CSPs

Cloud service providers obtaining a CSA STAR certification can expect to better build, establish, and maintain robust security programs while solidifying their position as trusted cloud vendors. They can expect to see accelerated sales cycles and to grow their business helping new customers navigate secure cloud adoption. STAR-certified CSPs can also enjoy being part of a global database that’s viewed as a trusted marketplace by cloud customers.

Equally important to keep in mind is that the CSA STAR program can be leveraged as an organization’s integrated security system–demonstrating an advanced level of cloud governance and compliance. CSA STAR maps to multiple standards and regulations, effortlessly blending multiple frameworks for an integrated security system that helps eliminate compliance gaps and avoid unmitigated risks. If your organization already holds other compliance initiatives such as ISO 27001, SOC 2, or GB/T22080-2008n, you can add STAR certification to make any of these specific to cloud environments.

Overview of the framework

The Registry is a fundamental feature of the STAR program—CSPs can demonstrate security and privacy best practices by listing on the Registry, which provides an effective means of evaluation for consumers. 

The STAR program’s open certification framework contains three levels: self-assessment (Level 1), third-party audit (Level 2), and continuous auditing (Level 3). 

Level 1: Self-Assessment

This level is the first step to certification and open to all cloud providers, allowing the submission of self-assessment reports documenting compliance to CSA best practices. The goal is complete transparency and security assurance of cloud services to end-users via the publicly available Registry.

During Self-Assessment, cloud providers submit a completed CAIQ to document compliance with the CCM. STAR Self-Assessments are updated annually, and a Continuous Self-Assessment option is available, requiring 30-day updates for a STAR Continuous Level 1 rating.

The GDPR Code of Conduct Self-Assessment covers the compliance to GDPR of the service(s) provided by a CSP and requires two documents:

• Code of Conduct Statement of Adherence
• PLA Code of Practice (CoP) Template–Annex 1

After publishing the necessary documents on the Registry, CSPs will receive a Compliance Mark that’s valid for one year. Self-Assessments must be revised if companies change any of their policies or related services.

Level 2: Third-Party Auditing

This level includes both an attestation and certification phase. CSA STAR Attestation is a collaboration between CSA and the AICPA to provide guidelines for CPAs to conduct SOC 2 engagements using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA Cloud Controls Matrix. STAR Attestation provides for rigorous third-party independent assessments of cloud providers. Attestation listings will expire after one year unless updated.

CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix. Certification certificates follow standard ISO/IEC 27001 protocol and expire after three years unless updated. Organizations holding this certification can list on the Registry as “STAR certified.” CSPs holding third-party certification or attestation can also achieve STAR Level 2 Continuous by adding a Continuous Self-Assessment just like STAR Level 1. 

Level 2 also includes CSA C-STAR Assessments, which are robust third-party independent assessments of cloud service providers’ security for the Greater China market that harmonizes CSA best practices with Chinese national standards. 

For organizations looking to prove GDPR compliance, the GDPR CoC Certification is a third-party certification that proves compliance of a CSP’s services to GDPR based on the CSA Code of Conduct for GDPR. After publishing the necessary documents, CSPs will receive a Compliance Mark that’s valid for one year. Revisions are required if companies change any of their policies or related services.

Level 3: Continuous Auditing

Level 3 includes the STAR Continuous compliance assessment program, which allows cloud service providers to align their security validation capabilities with cloud security compliance and certification on an ongoing basis. STAR Continuous specifies the necessary activities and conditions for the cloud service’s continuous auditing over a defined set of security requirements. It also requires the cloud provider to define the essential processes that will be executed during the validation of controls during an assessment. 

STAR Continuous elevates the level of both transparency and consumer trust over traditional single point-in-time assessments. Cloud service providers displaying STAR Continuous program credentials can proudly claim an up-to-date compliance status.

Determining which STAR level is right for your business

The benefits of the STAR security assurance program for cloud service providers are numerous, but which level is suitable for your organization’s specific needs? The level your organization pursues should depend on how much transparency and security assurance you desire. Let’s examine each level:

Level 1 (Self-Assessment)

• Best for organizations operating in lower-risk environments
• Fits the needs of organizations looking for a cost-effective method to demonstrate the transparency of the security controls in place and boost trust

Level 2 (Third-party auditing)

• Best for organizations operating in medium to high-risk environments
• Fits the needs of organizations that already have ISO 27001, SOC 2, or GB/T22080-2008n and are seeking a cost-effective method to increase security assurance and privacy in the cloud

Level 3 (Continuous auditing)

• Best for full-service CSP enterprises operating in high-risk environments
• Fits the needs of organizations wanting to exhibit the highest level of transparency and security assurance in cloud environments

Related content: Cloud Compliance Frameworks: What You Need to Know

How to get started on the road to CSA STAR certification

1. Download and read the CCM to fully understand the content and requirements.
2. Visit the CSA website for further information on CCM, CAIQ, and the Open Certification Framework.
3. Engage the CAIQ self-assessment tool to analyze where your organization is relative to STAR requirements.
4. Contact the CSA to discuss the steps involved in obtaining the benefits for CSA and the STAR Registry
5. Submit your documents to the STAR Registry

How Hyperproof supports CSA STAR

Hyperproof’s compliance operations platform can provide an excellent starting point for organizations looking to obtain their CSA STAR certification, as it contains all CCM requirements in addition to all the requirements outlined in the CSA Code of Conduct for GDPR Compliance. 

Hyperproof makes it easy to scale up and harmonize multiple requirements across multiple information security standards, expediting the timeline to getting listed in the Registry and becoming CSA STAR certified for all size organizations.

Conclusion

Today’s cloud consumers demand a high level of security assurance and privacy compliance from cloud providers. The CSA STAR security assurance program is the gold standard for protecting customer’s data and privacy based on superior transparency, rigorous auditing, and the seamless harmonization of multiple standxards to create highly effective integrated security systems.

The CSA STAR program’s three levels of security assurance deliver point-in-time and continuous validation of an organization’s ability to protect data and comply with privacy regulations. Cloud consumers can shop the Registry database with confidence knowing all listed providers meet the highest security and compliance standards. For cloud service providers, the investment required for CSA STAR certification is well worth the effort; nothing says “your data is safe with us” louder and more clearly than earning a spot in the Registry as a CSA STAR certified provider.