What if we told you that you’re ready to meet the ultimate boss of security compliance? You’ve successfully passed compliance 101, and you’ve aced the need-to-knows about SOC 2 and ISO 27001. What’s next? Meet CSA STAR – the world’s most extensive and consequential cloud provider security program.
If you’re looking into obtaining a CSA STAR certification or attestation, first, let’s start with the introductions.
What is CSA STAR?
Meet The Cloud Security Alliance: Security, Trust, Assurance, and Risk, or as most (probably everyone) prefers to call it, CSA STAR. The CSA STAR program was established in 2012 to verify and document which security and privacy controls cloud service providers (CSPs) implement, and how they implement them.
As CSPs moved from novelty to everyday business infrastructure, CSA STAR became a globally harmonized solution for cloud security, renowned for industry-leading best practices that support a more secure cloud environment.
To bring everyone up to speed on that expertise, the CSA designed the STAR program to help CSPs strengthen their security posture and demonstrate assurance in the cloud.
A few core principles guide the CSA STAR program: transparency, rigorous auditing, and harmonization of standards, as outlined in the Cloud Controls Matrix (CCM). We’ll get to that soon.
First, let’s look at why CSPs can benefit from CSA STAR.
The benefits of CSA STAR
We get it – just when you’ve gotten the hang of SOC 2 and ISO 27001, another acronym demands your attention. So, what are the benefits of the CSA STAR program, and is it worth it?
Cloud service providers take note.
CSA STAR is frequently described as “the world’s largest and most consequential cloud provider security program”. It enables CSPs to adopt rigorous and comprehensive security measures that reduce the risk of a data breach.
Naturally, one of the most significant benefits of CSA STAR is the bragging rights paired with knowing your cloud computing environment meets first-class security standards specifically designed for cloud computing. However, additional benefits include:
- Reduced security risk for the CSP and everyone it serves, including business customers and other data owners.
- Transparency across all parties, so security practices and posture can be aligned.
- Recognition of the CSP as a trusted cloud vendor in a competitive marketplace.
- A listing in the CSA STAR Registry, which attracts new business and demonstrates full transparency.
- Streamlined security vetting when onboarding new business.
What is the Cloud Controls Matrix (CCM)?
When it comes to security and compliance, there’s one component that unifies them all – their mutual love for security controls (and rightfully so). The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing created by the Cloud Security Alliance (CSA). According to the CSA, the CCM provides the fundamental security principles that guide cloud vendors and help assess the overall risk of a cloud provider.
The control framework gives an in-depth analysis of all controls, concepts and principles that align with Cloud Security Alliance guidance. It covers 17 domains spanning all the critical components of cloud technology. The 17 domains are further broken down into 197 control objectives, which together act as a tool for assessing a cloud implementation.
The CCM controls are all mapped against industry-accepted security standards, regulations, and control frameworks, including:
- ISO/IEC 27001/27002/27017/27018
- CCM V3.0.1
- CIS Controls V8
- Additional mappings for AICPA TSC, PCI DSS and NIST SP 800-53
How does CSA STAR work?
The most crucial aspect to remember about the STAR program is that it’s a publicly available registry. Once your CSP is published on that registry, it is recognized as having achieved CSA STAR, and the listing serves as powerful evidence when answering due diligence questions from customers.
At its core, the program is designed to recognize the assurance requirements and security maturity levels of CSPs. There are multiple levels of assurance for CSPs who choose to submit to the STAR registry, so a CSP can choose between the following STAR levels when pursuing CSA STAR, each with specific requirements.
CSA STAR Level 1: Self-assessment overview
Level 1 is a self-assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). It is an introductory offering, which is free and open to all CSPs. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask a CSP to assess its compliance with CSA best practices. Companies can choose to complete a self-assessment for privacy, security, or both.
Which organizations should pursue level 1?
Level 1 CSA STAR is best suited to CSPs that operate in a low-risk environment. It’s optimal for providers looking to increase transparency around their security or privacy controls and seeking an effective way to build trust with their client base regarding their security posture.
CSA STAR Level 2: Third-party audit
Level 1 rarely satisfies security requirements in a business environment where the risks are increasingly challenging to manage. Therefore, Level 2 STAR is commonly the preferred standard among CSPs.
At Level 2, organizations can pursue either STAR certification or STAR attestation. Both of these efforts require an independent third-party audit. Attestations must be performed by a licensed CPA firm and certifications must be performed by authorized certification bodies.
Which organizations should pursue level 2?
Level 2 STAR attestations and certifications are best suited to CSPs that operate in a medium- to high-risk environment. These assessments combine established industry standards with the criteria specified in the CCM.
CSA STAR Level 3: Continuous Monitoring
Level 3 is based on the concept of continuous monitoring. Organizations must monitor and validate their controls at all times. This eliminates the gap between “point in time” audits, allowing CSPs to communicate the most up-to-date status regarding their security compliance. Level 3 results in a certificate.
Which organizations should pursue level 3?
STAR Level 3 is for high-risk environments and full-service providers. It provides the highest level of transparency into an organization’s cloud security controls.
CSA STAR, SOC 2 and ISO 27001: What’s the connection?
CSA STAR attestations and certifications can be built on top of existing information security certification and audit programs. This reduces complexity and allows organizations to assess their compliance with information security standards and cloud security standards at the same time.
The CSA STAR attestation is actually a combination of SOC 2 plus additional cloud security criteria from the CSA CCM. It provides guidelines for CPAs to conduct the SOC 2 engagements using criteria from both the AICPA’s Trust Service Principles and additional cloud-specific criteria from the CSA Cloud Controls Matrix.
Similarly, the CSA STAR certification combines the regular requirements of the ISO 27001 management system standard with the cloud-specific requirements of the CSA Cloud Controls Matrix. In addition, the STAR certification includes a maturity model assessment that measures an organization against CSA’s proprietary maturity model criteria, pointing out the strengths and weaknesses of its processes using the CCM domains as the measures.