Written by Megan Theimer, Content Program Specialist, CSA.
Has someone brought up the CSA STAR Program or the CSA Cloud Controls Matrix and you have no idea what that means? This blog is the place to start for all of you non-IT professionals and cloud newbies.
As defined on Wikipedia, cloud computing is a way to access computer resources on-demand, without managing them yourself. Organizations across the globe have come to find that hosting their work on the cloud is usually the way to go. It provides flexibility, efficiency, and cost savings. While this rapid adoption of cloud computing has transformed how businesses operate, it has also introduced new security challenges.
The Cloud Security Alliance (CSA) aims to help organizations confidently navigate these challenges. To do this, we developed the Security, Trust, Assurance, and Risk (STAR) program. The STAR program is all about assessing the security practices of cloud computing services. It gives both cloud service customers and providers a trusted way to manage the risks associated with cloud computing.
A core set of cloud security policies called the Cloud Controls Matrix (CCM) forms the basis of the STAR program. The other elements of the STAR program include:
- Assessments: A collection of globally recognized cloud security assessments.
- The Registry: A publicly accessible archive of over 2,000 STAR Assessments.
- Education: Training and certificate programs for individuals.
- Solutions: Products or services that utilize CCM.
- Extended: The elements of STAR delivered in a customized fashion.
In this blog, we’ll explore these various aspects of the program and their benefits.
Background
Security isn't just about implementing security protocols, it's about verifying their effectiveness. Organizations want to ensure their defenses are practical and tested. And while many organizations have always had reliable security measures in place, the cloud brought with it many unknowns.
The STAR program responds to this growing need for more transparent and trusted security measures for cloud computing. Everyone involved with the cloud can use STAR. This includes cloud service providers, cloud service customers, regulators, and auditors. Essentially, STAR serves as a universal language of trust in the cloud.
The Cloud Controls Matrix (CCM)
CSA's CCM is a spreadsheet that lists 197 individual policies that contribute to robust cloud security. These policies follow industry best practices and align with approximately 40 leading standards and regulations. However, CCM stands out as the first security framework developed specifically for the cloud.
We didn't build CCM around any one specific cloud vendor. This helps organizations that use multiple cloud platforms to build out one security program for all of them.
CCM can be used in many ways:
- Assess the cloud security of your organization.
- Compare your security to other organizations.
- Assess the cloud security of your current or potential cloud providers.
- Learn if providers follow other standards like ISO 27001.
- Clarify the security responsibilities of the cloud provider versus the customer.
STAR Assessment Portfolio
The STAR program offers several globally recognized cloud security assessments that follow the CCM. The assessments fall under two levels: STAR Level 1 (self-assessments) and STAR Level 2 (third-party assessments).
The STAR Level 1 self-assessments are free to access and allow cloud providers to document their security policies. Level 1 is great for organizations that need a cost-effective way to show customers that they’re secure.
STAR Level 2 consists of third-party independent assessments conducted by Certified STAR Auditors. You can choose between CSA STAR Attestation and CSA STAR Certification. You should definitely pursue Level 2 if your organization operates in a medium to high-risk environment.
STAR Registry
The CSA STAR Registry is a publicly accessible archive of over 2,000 STAR Level 1 and Level 2 assessments. The STAR Registry benefits both cloud customers and cloud providers by:
- Enabling customers to easily confirm the cloud security policies of their cloud provider.
- Streamlining the cloud service selection process for cloud customers by providing a list of thousands of trusted services.
- Providing a simple way for cloud providers to demonstrate their values of transparency, accountability, and security.
- Allowing cloud providers to choose the level of assessment that will work best for them.
- Increasing transparency of the expected shared security responsibilities between cloud providers and customers.
All cloud providers should submit to the STAR Registry - it’s free to participate in STAR Level 1. Any cloud customer should look at the submissions in the STAR Registry to ensure their provider is secure.
Education for Auditors
A growing knowledge gap has highlighted the need for cloud security audit education. Auditors understand high level risks well, but can lack knowledge of the cloud and how to adapt their techniques to this new domain. Cloud engineers and developers understand the technical details of the cloud well, but can lack knowledge of security standards.
CSA has created two different educational offerings to bridge this gap. These offerings help individuals understand cloud security risk management, cloud attacks, and cloud security audits.
- The CCAK: The first credential available for professionals to demonstrate their expertise in auditing cloud computing systems.
- STAR Lead Auditor Training: A self-paced course to help assessors and service providers learn how to audit against the CCM.
STAR Enabled Solutions
A STAR Enabled Solution is a product or service that utilizes CCM. To achieve the designation, it must meet the security requirements outlined by the STAR program. Depending on the specific product or service, a STAR Enabled Solution might serve to:
- Simplify alignment to CCM controls.
- Automate the validation of cloud security based on CCM.
- Streamline cloud assessment processes for cloud customers.
- Allow for the adoption of continuous auditing practices.
STAR Extended
STAR Extended delivers the various components of the STAR program in a customized fashion. This allows entities in the cloud service market to utilize STAR even if their region/industry has specific requirements. STAR Extended ensures that any type of organization can take advantage of STAR.
Next Steps
If all this information still seems a little confusing, CSA can help! You can dive deeper into each aspect of the STAR program with our FAQ series:
- CCM and CAIQ FAQ
- STAR Assessment Portfolio FAQ
- STAR Registry FAQ
- CSA Assurance Education FAQ
- STAR Enabled Solutions FAQ
- STAR Extended FAQ
Also visit the STAR home page to learn more about the program overall. For specific questions, we invite you to contact [email protected].