CSA STAR Cloud Security Framework

What is CSA STAR?

The Cloud Security Alliance (CSA) is an organization committed to securing cloud computing environments by sharing best practices and raising awareness of the risks involved. CSA draws on the subject-matter expertise of industry practitioners to provide cloud security-specific research, products and education.

The Security Trust Assurance and Risk (STAR) Program incorporates the core concepts of rigorous auditing, transparency and harmonization of standards. Cloud service providers (CSPs) that use STAR demonstrate compliance with best practices and validate the security posture of their cloud services. The STAR registry documents the security and privacy controls provided by popular CSPs. This publicly accessible registry gives cloud customers the opportunity to evaluate potential cloud providers and make an informed purchasing decision.

Within CSA STAR, there are many resources. These include CAIQ, Cloud Controls Matrix, GDPR Code of Conduct (CoC), CAIQ-Lite and CSA-OneTrust VRM Tool.

The resources we will be discussing are as follows:

  • CAIQ: The Consensus Assessments Initiative Questionnaire (CAIQ) is an industry-accepted method to document which security controls are implemented in cloud services (e.g., IaaS, PaaS, and SaaS), providing security control transparency. It is a set of Yes/No questions that a cloud provider may have to complete at a cloud customer’s and/or cloud auditor’s request to establish the provider’s compliance with the Cloud Controls Matrix (CCM). As a result, CAIQ assists cloud customers in determining the security posture of prospective CSPs and assessing whether their cloud services are suitably secure. The CAIQ has a total of 295 questions.

  • Cloud Controls Matrix: The CSA Cloud Controls Matrix (CCM) was created specifically to provide fundamental security controls to assist cloud providers and to guide prospective cloud customers in assessing the overall security risk of a CSP. It is a meta-framework of cloud-specific security principles, mapped to leading standards, regulations and best practices. CCM offers organizations much-needed structure, detail and clarity relating to cloud computing and its risks. CCM is currently universally accepted as a de facto standard for cloud security, privacy and compliance. It consists of 197 control objectives across 17 domains covering all key aspects of cloud computing. It can be used to determine which security controls are fully implemented and which are missing, giving an objective perspective of a cloud service.

  • CAIQ-Lite: To better accommodate the transition to cloud procurement models, CSA developed a streamlined assessment questionnaire for cybersecurity professionals to effectively engage their cloud vendors. CAIQ-Lite was specifically designed to match the rapid pace inherent in the cybersecurity environment, emphasizing the importance of vendor security questionnaire adoption. CAIQ-Lite contains only 73 questions, while maintaining representation of 100% of the original control domains present in the CCM. Whistic, one of CSA’s industry partners, collaborated with CSA to create the CAIQ-Lite, so the assessment can also be accessed through them.

  • CCM Lite: In the Fall of 2021, the CCM Lite will be released. The CCM Lite is intended to be a lightweight version of CCM with only the essential controls that any CSP, regardless of its delivery model, size, approach or complexity of operations, must fully implement.

The CAIQ and CCM are the documents used by cloud service providers (CSPs) when submitting a self-assessment to the CSA STAR Registry.

CCM’s control framework details security concepts across 17 domains:

  1. Audit & Assurance (A&A)

  2. Application & Interface Security (AIS)

  3. Business Continuity Management & Operational Resilience (BCR)

  4. Change Control & Configuration Management (CCC)

  5. Cryptography, Encryption & Key Management (CEK)

  6. Datacenter Security (DCS)

  7. Data Security and Privacy (DSP)

  8. Governance, Risk Management and Compliance (GRC)

  9. Human Resources Security (HRS)

  10. Identity & Access Management (IAM)

  11. Interoperability & Portability (IPY)

  12. Infrastructure & Virtualization (IVS)

  13. Logging and Monitoring (LOG)

  14. Security Incident Management, E-Discovery, & Cloud Forensics (SEF)

  15. Supply Chain Management, Transparency, and Accountability (STA)

  16. Threat & Vulnerability Management (TVM)

  17. Universal EndPoint Management (UEP)

The latest versions of the CCM and the CAIQ are V4 and V3.1, respectively.

CCM V4 was released in January 2021 and CAIQ V4 has a projected release in May 2021. Until October 2021, CSA will accept both versions of the CAIQ and CCM. After that date, any new submissions (i.e., those services that are joining the STAR Registry for the first time) will require V4. The companies/services that were in the registry prior to October 2021 have a two-year transition period to switch to the new version.

What are the requirements for CSA STAR compliance?

CSA offers a number of different assessments, tools and frameworks. The first step for any organization is to determine which CSA resources they will benefit most from using.

CSA STAR provides several options for CSPs and cloud customers to choose from. The STAR program includes:

  • For Cloud Service Providers: STAR enables solution providers to validate their cloud security and provide evidence of the controls in place to current and future customers. You can achieve this by completing and then submitting your self-assessment to the STAR registry. The self-assessment usually includes answering the CAIQ, along with implementing the CCM controls.

  • For Cloud Customers: STAR allows cloud customers to determine which CSPs meet the level of assurance they require and gain insights as to which controls are implemented to protect their data. The STAR registry has entries from 1000+ providers. If your provider is not listed on the registry, you can request a submission. Additionally, you can utilize the CCM and CAIQ for your own improvement.

Compliance requires a comprehensive review of the services and processes related to cloud infrastructure and of how that infrastructure is managed throughout the data lifecycle.

Why should you be CSA STAR compliant?

Cloud computing has rapidly established itself in the market as a proven and globally accepted enterprise delivery and operational technology model. Over the same time span, there have been increasing concerns regarding the privacy, security, and compliance challenges associated with this growing market segment. Most recently, several breach, data-privacy and compliance incidents associated with various cloud computing service providers have threatened the goodwill and positive perception of the industry.

Compliance with CSA STAR programs accelerates your compliance with numerous related frameworks, as the controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks including: NIST SP 800-53, PCI DSS, NERC CIP, ISO 27001/27002/27017/27018, CIS, AICPA TSC, German BSI C5, ISACA COBIT, FedRAMP and many more.

STAR resources are applicable to and strongly suggested for CSPs and for organizations that utilize cloud services.

Compliance benefits CSPs by:

  • Accelerating the sales process

  • Solidifying their reputation as a reliable and trustworthy provider of cloud services

  • Developing, establishing and maintaining a robust security program

  • Increasing revenue by assisting customers with implementing a secure cloud model

  • Being part of a global database for CSPs

Advantages for cloud customers are:

  • The ability to use the STAR registry as a trustworthy source on the security and privacy posture of service providers. It ensures accountability and allows you to create a robust GRC program

  • The STAR compliance program, which enables you to determine the level of transparency and assurance you require from CSPs

  • The STAR Foundation tools (CCM, CAIQ, GDPR CoC), which can contribute to your own GRC approach and ensure compatibility between you and your CSP

When it comes to cloud computing, risk management is critical in ensuring that all of an organization's data is secure. It is crucial to its overall business improvement strategy. Although the risk management approach is similar whether in the cloud or on-prem, there are significant differences in tactics and implementation that must be considered. An effective risk management program greatly benefits from implementing the STAR program.

Consequences of noncompliance with CSA STAR may include lack of cloud security, legal liabilities, brand impact and even data breaches.

How to achieve CSA STAR compliance?

An organization pursuing CSA STAR compliance must decide which of the resources they will be working with. There are many options, and it can be an arduous process to choose the right CSA tools, attempt to understand how to make the most of those tools and ensure continued compliance.

It is at this point that Centraleyes steps in and takes over. With this streamlined, automated, user-friendly platform, Centraleyes covers your needs from start to finish, utilizing smart questionnaires from the CAIQ and CCM, prioritized remediation guidance and real-time customized scoring to meet the CSA STAR requirements.

Cloud service providers can depend on the Centraleyes platform to upload their completed self-assessments directly to the STAR registry, saving valuable time.

Organizations can onboard vendors to the platform at scale, and use automated workflows, smart questionnaires and remediation planning, which are all tied back to the CSA STAR requirements. In addition, you can categorize and compare vendors against their completed STAR self-assessments. This ensures that your CSPs are compliant with the applicable STAR programs.

The Centraleyes platform is the most comprehensive solution for all your CSA STAR requirements.