CSA launches compliance assessment program for cloud service providers

The Cloud Security Alliance (CSA) announced STAR Continuous Self Assessment, the first release of an evolving continuous-compliance assessment program for cloud services that gives cloud service providers (CSPs) the opportunity to align their security validation capabilities with cloud security compliance and certification on an ongoing basis.

CSA STAR Continuous is an integral part of the CSA STAR program, the industry’s leading cloud governance and compliance program that enables organizations to increase their levels of assurance and transparency for security and privacy.

STAR consists of three levels of assurance (Self-Assessment, Third-Party Certification and Continuous Auditing), based upon the CSA Cloud Controls Matrix (CCM), the Consensus Assessments Initiative Questionnaire (CAIQ), and the CSA Code of Conduct for GDPR Compliance. Future releases will be Level 2 Extended Certification with Continuous Self-Assessment and Level 3 Continuous Certification.

“In attempting to reduce the complexity and costs of traditional IT, more organizations are evaluating cloud options first before making any new IT investments. However, many CIOs remain apprehensive about transferring services into the cloud—cyber security, ownership of data, and privacy are key concerns. Simultaneously, security controls, compliance, and the call for increased transparency are rapidly becoming baseline expectations of users – especially enterprise customers. STAR Continuous, which offers increased reliability of results, transparency and ease of use of the CSP’s assurance reports will give enterprises a competitive advantage in today’s environment,” said Daniele Catteddu, CTO, Cloud Security Alliance.

Among its benefits, STAR Continuous gives CSPs the opportunity to:

• update a STAR Self-Assessment on a monthly basis (STAR Continuous Self-Assessment);
• support a third-party based certification (e.g. STAR Certification) with additional and updated information on the CSP security posture (STAR Certification/Attestation + STAR Continuous Self- Assessment); and
• establish a process to continuously audit a CSP security program or ISMS and offer proof of an ISMS that goes beyond the basic compliance certification model and for proof that there is a process in place that continually monitors critical aspects of the system (STAR Continuous Auditing).

In addition, it can help cloud service providers:

• provide top management with greater visibility so they can evaluate the effectiveness of their management system in real-time in relation to expectations of internal, regulatory and the cloud security industry standards;
• implement an audit that is designed to reflect how their organization’s objectives are aimed at optimizing the cloud services;
• demonstrate progress and performance levels that go beyond the traditional “point in time” scenario; and
• provide their customers with a greater understanding of the level of controls that are in place, along with their effectiveness.

CSA is committed to helping customers have a deeper understanding of their security postures and to that end developed the CSA STAR Program in 2011. Since that time, the organization has continued to invest heavily in its success. Among the milestones:

• CSA STAR Attestation, which combines the CSA’s best practices with SOC 2 attestation reporting developed by the American Institute of CPAs (AICPA).
• Governments and enterprises around the world referenced CSA STAR in 2014 as a requirement for their RFPs.
• CSA, in conjunction with Chinese certification body CEPREI, developed a version of CSA STAR for the Chinese market based on the CSA CCM and Chinese national standard GB/T 22080.
• Enhancements to the CSA STAR web page to provide site visitors with an improved user experience.
• Hiring of John DiMaria, formerly of the British Standards Institution (BSI). DiMaria was a key innovator and co-author of the CSA STAR Certification for cloud providers, in addition to designing and developing the CSA STAR webinars. Prior to joining CSA, DiMaria was an active volunteer where he was co-chair of the Open Certification Framework (OCF) and Cloud Trust Protocol (CTP) Working Groups.