The Cloud Security Alliance's Security, Trust and Assurance Registry (STAR) reached a major milestone this week as cloud collaboration platform maker Ribose became the first company to achieve STAR Attestation.
Launched in 2011, the CSA STAR is an online registry of cloud provider security controls, the goal of which is to provide additional transparency to enterprises and cloud consumers through publicly available security assessments. The STAR Attestation process involves a detailed independent third-party assessment, in this case, conducted by professional services firm Ernst & Young.
"We have a heavy focus on security due to the type of clients that use our platform, which are very protective of their IP," Ribose Founder Ronald Tse said. "The real reason we did this is for transparency. It can potentially give customers more confidence in our security."
Currently, the Hong Kong-based Ribose is the only cloud provider worldwide that has successfully completed both the STAR Attestation and STAR Certification process.
The STAR Attestation, however, is different from the STAR Certification program: while the certification process is based on the ISO 27001 specification for information security management systems, the STAR Attestation is based on the more detailed and rigorous Service Organization Control (SOC) 2 assessment, using criteria from the American Institute of Certified Public Accountants (AICPA) Trust Service Principles. Both the STAR Attestation and STAR Certification processes also include criteria from the CSA's own Cloud Controls Matrix.
"STAR Attestation has a higher barrier than STAR certification," Tse said. "It's a deeper process, and [AICPA SOC] has a different set of rules that validate the effectiveness of every single cloud security control, not just some."
The STAR Attestation process results in a publicly available report, known as a SOC 3 report, which anyone from prospective clients to competitors can review.
Ribose's SOC 3 report, prepared by Ernst & Young, shows the assessment was conducted from November 2013 to April 2014 and covered all security aspects, from communication and data protection to security monitoring and risk assessments. The report also states that Ribose "has maintained effective controls over the security and availability of its Ribose Collaboration Platform," to provide reasonable assurance that the platform "was protected against unauthorized access (both physical and logical), use or modification" and "was available for operation and use, as committed and agreed."
The STAR Attestation process was also lengthy for Ribose. "It took us about 10 business days to go through STAR certification and the ISO 2700 process, while Attestation took 100 days, so it was about 10 times the effort," Tse said.
For its part, Ribose had to prepare all 219 cloud security controls to be tested under the STAR Attestation process. While STAR Attestation was more rigorous and time-consuming than STAR Certification, Tse said it was worth the effort. "It gives clients more than just a certificate to view," he said. "With Attestation, there's a detailed report about our cloud security. And because we're a startup, we need that validation to satisfy client requests about how we're going to protect them and their data."
To that end, data encryption was a security control area that Ribose paid special attention to during the attestation process. Tse, who is also a member of the CSA's International Standardization Council, said he's seen more companies inquire about data encryption in the last year. "A lot of folks have become concerned about their data in the cloud, and that's put a focus on encryption," he said.
The CSA said the STAR registry currently has more than 90 entries from cloud providers across the globe, including Amazon Web Services, Microsoft and HP. The registry is open to any cloud provider, and STAR Attestation is available to any company that has achieved the STAR Certification.