Slated to be online in the fourth quarter of this year, the Security, Trust and Assurance Registry (STAR), will be a free, publicly accessible and searchable repository designed to help cloud customers review the security practices of participating cloud providers. STAR also will provide listings of technology providers that have integrated components of the CSA’s GRC Stack.
As a start, the nonprofit CSA has asked providers for a self-assessment using either the CSA Cloud Controls Matrix (CCM) or the Consensus Assessments Initiative Questionnaire (CAIQ), said Phil Agcaoili, CSA founding member and STAR co-founder and committee co-chair. CCM and CAIQ are components of the CSA’s GRC Stack.
“Several of the most well-known cloud service providers have been doing this proactively as part of their market differentiation strategy, and want to provide a central registry for customers and providers to simplify their assurance processes,” he said.
“We believe a free service like this promotes industry transparency and self-regulation is what's needed as this market matures,” Agcaoili added. “Frankly, with all of the existing regulatory compliance obligations, the CSA is leery of creating and managing a certification of providers at this time, and we think this level of self-attestation is appropriate and will actually reduce the number of unique audit requests CSPs must respond to, and reduce the compliance burden over time.”
Jim Reavis, CSA co-founder and executive director, recently wrote about the complications of security certification for cloud providers.
With cloud computing being so dynamic, the CSA wants to let cloud service providers choose the appropriate level of security controls for their business, Agcaoili said. “If enough organizations submit registry entries, it will be a powerful statement that CSA can use in our regular discussions with governments around the world who have an appetite for regulating business,” he said.
The CSA is also involved in several third-party assessment, standardization and certification projects, including the Common Assurance Maturity Model (CAMM). “We think this provides a simple interim step the industry can take until those projects are ready,” Agcaoili said.