Modern Day Vendor Security Compliance Begins with the STAR Registry

1 week ago 3
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

Written by Troy Leach, Chief Strategy Officer (CSO), CSA.

We require a modern approach to accurately assess our use of current technology.

This month marks 25 years since I managed my first cybersecurity attack.

At the time, I was CTO for an internet service provider that suffered the compromise, which in those days was mostly script kiddies defacing webpages to show they had circumvented what limited ACL protections we had in place.

It was then that I was first introduced to audit principles, derived from the financial industry, as a means to demonstrate assurance that the same type of attacks would be prevented in the future. The challenge, however, was that the framework I was shown was not designed to address emerging threats. It was something that had been refined by decades of mainframe and other unrelated technology.

I recall the frustration of listening to “old men,” probably younger than I am now, telling me to apply frameworks conjured in the 1970s. They said these frameworks were adequate for distributed computing, with no consideration for the extensive external network interactions, use of third-party open-source code, and other new dependencies.

Now we have seen history repeat itself in the modern enterprise that has embraced cloud services. There has been an attempt to assess cloud technology by the same means as what has been used for on-prem operations.

Cloud frameworks, like the Cloud Controls Matrix (CCM), have since been introduced as a mechanism to address this challenge. These frameworks leverage existing controls that have been refined over the years, along with an approach that has relevant requirements for the growing use of cloud environments.

2025 Regulation and the Growing Burden of Assessments

With more than 90% of organizations now relying on cloud services and the vast majority of software being designed as cloud-native, the challenge of managing third-party risk has grown exponentially. Additionally, for certain industry sectors, 2025 will introduce many new requirements for third-party governance.

Examples of new requirements include the Digital Operational Resiliency Act (DORA) and APRA CPS 230, which will look for independent validation of service providers supporting financial institutions. For anyone processing credit or debit card payments, PCI DSS v4.0.1, with a new appendix for “multi-tenant service providers,” will become required in March 2025. There are many more examples too, like NIS2.

The traditional approach of each organization individually assessing every one of the hundreds or thousands of cloud service providers they are interested in is likely unattainable for both individual companies and the vendors.

Let’s think about it for a moment. A typical vendor security assessment requires 40-60 hours of internal resources, costing approximately $5,000-$7,500 per vendor when accounting for personnel time, documentation review, and follow-up activities. For an enterprise with 2,000 CSPs, this translates to roughly 100,000 person-hours and $12-15 million annually – an unsustainable investment that diverts critical resources from other security initiatives. The vendor will also be challenged to accomplish the same tasks over and over again for hundreds of clients or more.

One Approach to Efficiency: The CSA STAR Program and CCM Framework

CSA created the CCM as a baseline for cloud-unique controls that should be assessed as part of good security governance. It maps to dozens of global frameworks to identify commonalities and differences between it and more traditional assessments.

The STAR Registry is a free, public repository of cloud services assessed against the CCM by self-attestation or independent Certifying Bodies (as part of a SOC2 or ISO27001) and serves as a transparent declaration of the current security maturity of a vendor offering cloud services.

CCM and the STAR Registry enable enterprises to better evaluate CSPs against multiple frameworks simultaneously, assuring consistent compliance and reducing duplication of effort for all parties.

There will always likely be additional validation required, but CCM and STAR may help to demonstrate appropriate due diligence and reduce assessment time by an estimated 60-70% through pre-validated controls and standardized reporting.

Efficiency Gains: Streamlined Onboarding and Pre-Mapped Compliance

Several studies have concluded that pre-assessment and regular internal audits reduce overall compliance cost by a significant margin.

For example, a STAR Level 2-certified SaaS provider with ISO 27001 certification already demonstrates adherence to several DORA and PCI DSS controls, cutting internal manual review time for onboarding by more than half.

Additionally, this leads to shorter time-to-completion for vendor evaluations, allowing staff to use services they need more quickly and improving internal resource utilization by having IT and Security concentrate on other critical responsibilities.

The reality is also that internal security professionals will not have expertise in all the various specialized technologies, architectures, and cloud controls that organizations use. Leveraging external security professionals to evaluate these should elevate the confidence in corporate use.

For cloud providers, this could lead to a lower cost of certification, minimizing the duplication of assessments to meet customer requests and demonstrating incremental maturity as they progress from a self-attestation questionnaire in STAR Level 1 to an independent assessment in STAR Level 2.

Strategy for Using STAR and CCM for Procurement

If you are considering integrating STAR attestations into your onboarding or ongoing security governance of CSPs, keep these practices in mind:

  • Policy Integration: Update procurement and vendor risk management policies to prioritize STAR-listed CSPs, requiring at least STAR Level 1 for low-risk vendors and Level 2 for high-risk vendors.
  • Know Your Share: The CCM includes the shared security responsibilities for each of the 197 controls. Use the transparency of STAR attestation to discuss those assumed responsibilities with the CSP and determine if they align with your internal expectations.
  • Mind the Gap: Develop gap assessment procedures for vendors that are not yet STAR-certified or additional requirements that are needed to assess against other frameworks that are mapped to STAR.
  • Vendor Communication: Discuss with your CSPs what services are included within their STAR certification(s) to assure they address what your organization consumes.
  • Continuous Monitoring and Improvement: Build automation and establish continuous monitoring of CSP security for ongoing compliance. More to come on this next year in “Part II” of this blog, as we introduce our Compliance Revolution initiative.

One quick plug: While the STAR database is free to anyone to access, if you are a member of CSA, you can request access to an API that provides the entirety of the Registry and all ongoing updates.

Looking Forward

As regulatory requirements evolve and cloud adoption accelerates, the daunting task of managing thousands of cloud vendors may become unmanageable without standardized assessment frameworks. STAR could be a cornerstone of efficient third-party risk management that reduces manual auditing from stretched internal resources and allows staff to focus on more high-value security responsibilities.

The framework's ability to reduce duplicative efforts while maintaining robust security validation makes it an invaluable tool in the modern third-party risk management space.

As we move toward 2025's regulatory deadlines, the question isn't whether to standardize vendor assessment processes, but how quickly organizations can implement efficient frameworks like STAR to meet the growing demands of cloud security governance.

And this is not the end. We are in the midst of yet another cycle of change of assessing risk associated with Generative AI technology such as LLMs, agentic technology, and orchestration.

In Part II of this blog, we’ll address how assurance will need to evolve once again and how the STAR program and the upcoming AI Controls Framework can help manage future risk.

To conclude Part I however, I’ll say that security leaders must embrace current tools not only as a means of compliance, but as strategic enablers of trust and efficiency in a rapidly evolving cloud landscape.


For additional reading, consider the following sources:

Read Entire Article