The Cloud Security Alliance announced the launch of a new initiative to encourage transparency of security practices within cloud providers.
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.
CSA STAR is open to all cloud providers, and allows them to submit self assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences.
Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices:
- The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed Consensus Assessments Initiative Questionnaire.
- The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.
In preparation for the public launch of the CSA STAR, providers are encouraged to select their compliance option and prepare a report for submission. CSA volunteers will be available to answer questions about report content.
In addition to cloud provider self assessments, CSA STAR will also provide listings to solution providers who have integrated CAIQ, CCM and other GRC Stack components into their compliance management tools. This will help customers extend their GRC monitoring and reporting across their enterprise and in concert with multiple cloud provider relationships.
CSA STAR will be online in Q4 of 2011.