In the last 12 months, the Cloud Security Alliance (CSA) has made great strides in enhancing their CSA Security, Trust and Assurance Registry (STAR) Program. In brief, the STAR Program is a publicly available registry designed to recognize assurance requirements and maturity levels of cloud service providers (CSPs). Prior to issuing the guidance for STAR Certification and STAR Attestation, a CSP could only perform a self-assessment, which meant completing the Consensus Assessments Initiative questionnaire (CAIQ) and making the responses publicly available on the CSA Register. The CAIQ was completed in several different ways and the content varied from short answers to full-page responses. It was relevant information but not independently validated. This created a path for the STAR Certification and STAR Attestation Programs.
CSA STAR Certification
The CSA STAR Certification is a third-party independent assessment of the security of a CSP that leverages the requirements of the ISO/IEC 27001:2013 (ISO 27001) management system standard together with the CSA Cloud Controls Matrix (CCM) version 3.0.1. In order to achieve the STAR Certification, a CSP must already have an active ISO 27001 certification or have the STAR Certification assessment performed in tandem with an ISO 27001 certification review. The independent assessment must be performed by an accredited CSA certification body.
The assessment includes an evaluation of the CSP’s maturity level across each CCM security domain; each domain is scored for maturity against five management principles:
- Communication and Stakeholder Engagement
- Policies, Plans and Procedures, and a Systematic Approach
- Skills and Expertise
- Ownership, Leadership, and Management
- Monitoring and Measuring
The maturity level for each CCM security domain, which can range from 1 to 15, is then averaged to produce an overall maturity score. Based on the overall maturity score, a CSP can achieve either no award, a bronze award, a silver award, or a gold award. The award is communicated in the CSA STAR certification report but is not included on the CSA STAR certificate. The CSP can then register on the CSA STAR Registry as having successfully achieved CSA STAR certification.
CSA STAR Certification complements the ISO 27001 certificate for CSPs. The ISO 27001 certificate is used to externally communicate that the CSP has an active security program in place, which helps to identify, mitigate and monitor information security risk to the scope of their management system. The CSA STAR certificate provides further reassurance to customers and business partners that their organization has established a base maturity level in managing the internal operations relevant to the 16 different security domains in the CCM.
Additionally, once certified, the CSP, through the assessment, can identify further opportunities to enhance their management system and approach to the CCM security domains to increase their overall maturity level.
The CSA STAR Certification program is not for all CSPs. ISO 27001 certification is required and must already be in place, or be in the process of being attained in tandem with the CSA STAR Certification. For CSPs that may not have the time or budget for this type of assessment, the CSA STAR Program may be ruled out. Also, for CSPs that want to be assessed against the controls within the CCM, note that the CSA STAR Certification focuses on the management principles and their maturity relevant to the CCM; formal control testing is not required for the CSA STAR Certification. To echo a criticism related to ISO 27001, the external deliverable is the certificate and only the certificate. There is no formal report produced that can be provided to a customer that communicates the relevant testing and its results.
For organizations that are looking for another option, the STAR Program also has the CSA STAR Attestation.
CSA STAR Attestation
The CSA STAR Attestation is a third-party independent assessment of the security of a CSP. CSA STAR Attestation is a collaboration between the CSA and the American Institute of CPAs (AICPA) to provide guidance for CPA firms (or service auditors) to conduct STAR Attestations using criteria from the AICPA Trust Services Principles (TSP) and the Cloud Controls Matrix (CCM). This assessment utilizes the SOC 2 framework to report on the suitability of the design and operating effectiveness of a CSP’s controls relevant to the applicable TSPs (which include Security, Availability, Confidentiality, Processing Integrity, and Privacy) and the suitability of the design and operating effectiveness of its controls in meeting the criteria in the CSA CCM (which includes the 16 security domains listed below).
The examination requires a review period, typically no less than six months, and results in a detailed report which includes a narrative of the CSP’s system, the applicable criteria, the control activities, and the tests applied by the service auditor together with their results.
| CCM Security Domain | CCM Security Domain |
|---|---|
| Application and Interface Security | Human Resources |
| Audit Assurance and Compliance | Identity and Access Management |
| Business Continuity Management and Operational Resilience | Infrastructure and Virtualization |
| Change Control and Configuration Management | Interoperability and Portability |
| Data Security and Information Lifecycle Management | Mobile Security |
| Datacenter Security | Security Incident Management, e-Discovery, and Cloud Forensics |
| Encryption and Key Management | Supply Chain Management, Transparency, and Accountability |
| Governance and Risk Management | Threat and Vulnerability Management |
The CSA STAR Attestation report can be provided to customers or potential customers as a means of communicating the details of the CSP’s system, the controls in place, and the results of the testing applied to those controls. It is a stand-alone report which can highlight the granularity of the CSP’s controls and can provide reliance on those controls that were operating effectively during the CSP-defined review period. Also, there are no prerequisites for a CSP to undergo the CSA STAR Attestation assessment.
It is recommended that a pre-assessment be performed to help identify gaps in the controls that are required to meet the applicable criteria prior to the start of the defined review period. The pre-assessment allows the CSP to better understand the criteria, identify risks that the criteria will not be met, and devise controls to mitigate those risks. The pre-assessment will also help the CSP to identify the commitments and system requirements as objectives of the applicable criteria. Lastly, as the TSPs and CCM include prescriptive criteria, customers of CSPs can evaluate one CSA STAR Attestation report against another and have a common basis for comparison, as both were assessed against the same criteria.
There are very few drawbacks to the CSA STAR Attestation. One drawback of the detailed report is that any exceptions identified during the assessment are disclosed in the full report. If a control was not operating effectively during the review period, the results of that testing must be disclosed. Also, as opposed to the CSA STAR Certification, which demonstrates an active management system that is in place to address, mitigate, and monitor information security risk, the CSA STAR Attestation report is a backward-looking report that provides the operational results of controls that already occurred. The report is meant to be relied upon but is not actively relevant after the review period has ended.
The CSA produced the CCM as a comprehensive control set that includes the baseline of necessary controls, as well as best practices, for CSPs in today’s ever-changing information environment. CSPs have traditionally pointed to the CCM as an authoritative source. Now, however, organizations have the opportunity to undergo third-party assessments through the STAR Certification or STAR Attestation programs. These programs help validate, respectively, maturity level or control activities against the CCM and provide an additional assessment to the overall compliance program.
About Ryan Mackie
Ryan Mackie is a Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.