Information Security

CSA STAR analysis: Processes for cloud provider security evaluation

Security expert Ed Moyle explains the CSA STAR certification program and how enterprises can use it to improve cloud provider security evaluations.

As practitioners in the enterprise already know quite well, ensuring the security and compliance of third parties such as service providers, vendors and business partners is a difficult exercise.

Not only are there potentially dozens if not hundreds of service providers that may need to be evaluated, but each one may require its own questionnaire, its own audit evaluation and potentially its own technical testing, depending on the organization's needs. The process itself can also become contentious. Specifically, service providers may be uncomfortable sharing intimate security-related details with external parties -- particularly before a formal business relationship exists. This not only slows things down but, in extreme cases, can make objective evaluation impossible.

It's critical to keep in mind that it's a challenge for both sides. Those in the channel (i.e., those providing services to customers) have problems as well. For them, it's responding to numerous uniquely formatted questionnaires covering a potentially nonoverlapping set of technical, administrative and physical security topics. Service providers also face the challenge of on-site audits and corresponding evidence-gathering and personnel interviewing activities. This is particularly challenging as these steps are often a prerequisite to doing business: A customer may decide not to proceed with the relationship or discontinue use if security measures prove insufficient. This means providers and customers alike experience the economic hit of responding to an inquiry before any potential return is achieved.

As a result of this conundrum, the Cloud Security Alliance's (CSA) Security, Trust & Assurance Registry (STAR) program has emerged. The basic premise of STAR is that a service provider can voluntarily undertake an objective assessment of its own environment, publish it to a public registry and allow the results to be viewed by existing, new and potential customers.

The program has several goals: reduce effort and cost on both sides of the fence (for example, by minimizing administration of the assessment and response process), reduce or eliminate the front-loaded per-relationship cost for the provider and customer, and increase the consistency of evaluations from assessor to assessor.

CSA STAR uses a tiered certification framework drawing on other CSA work, primarily its Governance, Risk Management and Compliance (GRC) efforts (the "GRC stack"). Level 1, Self-Assessment, is an entry-level self-evaluation in which the provider publishes a completed Consensus Assessments Initiative Questionnaire (CAIQ) or a self-assessment against the Cloud Controls Matrix (CCM). Level 2 -- the 3rd-Party Assessment-based Certification Level -- introduces external validation, either through certification (which currently uses ISO/IEC 27001:2005 plus the CCM; the CSA is in the process of moving to ISO/IEC 27001:2013, which should be complete by March 2014) or through attestation (which uses SOC 2 plus the CCM). Level 3, Continuous Monitoring-based Certification, consists of continuous validation that will be implemented through the CloudTrust Protocol (CTP). The CTP is a structured mechanism for transparency in the cloud: customers use it to request security-relevant information from a cloud provider (for example, about the cloud components in their scope), and it gives the provider a mechanism for responding to those requests.

Benefits and challenges

The STAR concept isn't entirely new. For example, the Shared Assessments program (which historically targeted financial services) and the HITRUST Common Security Framework (CSF) (which targets the healthcare industry) are both driven by similar needs and result from a comparable set of business challenges. That said, cloud has a few unique considerations that make the STAR concept particularly useful in the cloud arena.

First, security and compliance practitioners often don't learn about cloud usage until after it is already deployed in the enterprise. This greatly inhibits the information security team's ability to perform a pre-deployment review and signoff. Second, pay-per-use pricing allows usage to expand organically within enterprises (i.e., land and expand), meaning that a given service (Dropbox, for example) can be used for a low-risk purpose today (perhaps only for public data) and expand tomorrow into high-risk scenarios (maybe to store sensitive financial or customer data). Having a standard set of objective responses means that should business needs change after a provider is brought in, the details of the assessment can be revisited quickly in light of the new usage without (in many cases) the expense and time of a full re-review.

Note though that STAR is not a panacea. The data provided by the program doesn't absolve organizations of the need to evaluate the level of risk associated with a service provider since organizations have different risk tolerances and will be using cloud services for different purposes. Someone must review the STAR data, evaluate the proposed or current usage in the organization in light of the controls listed, and determine what residual risk there might be and what they need to do on their side to mitigate it. Organizations may also have specific requirements outside the scope of STAR that they wish to evaluate, for example, addressing risks such as the financial viability of the service provider.

Simply put, additional work will still be required. For example, organizations handling cardholder data must still adhere to Payment Card Industry Data Security Standard (PCI DSS) mandates such as maintaining "information about which PCI DSS requirements are managed by each service provider and which are managed by the entity" (PCI 3.0, Requirement 12.8.5) and maintaining "a program to monitor service providers' PCI DSS compliance status at least annually" (PCI 3.0, Requirement 12.8.4). These and other compliance-specific mandates must be addressed by the customer -- and negotiated with the service provider -- the same way that they always have been.

Using the STAR program

So how can you use STAR program data in your enterprise? The most expedient way -- at least right now -- is to start folding STAR data into your existing cloud provider review processes. Recall that while STAR level 1 (Self-Assessment) has been around since 2011, the STAR certification program is relatively new (it officially launched in September 2013, at the CSA EMEA Congress). The level 2 attestation option (SOC 2-based) and level 3 (Continuous Monitoring) are not yet available.

As a result, as of right now the data in the registry is largely limited to completed CAIQ/CCM self-assessments. Organizations can start leveraging this data immediately -- at least to the extent that they are willing to rely on structured self-assessment and to the extent that their own reviews overlap with the information in those artifacts.

A useful first step, if you haven't done it already, is to evaluate the CAIQ and CCM material against your current service provider review process: determine whether the content they cover is sufficient for your analysis or equivalent to what you're already asking. If so, you may be able to use the material already published for the providers listed in the registry as-is. If not, identify the additional information you need to collect that isn't covered. Remember that the CAIQ and CCM are mapped to other compliance requirements and governance frameworks (e.g., HIPAA, NIST SP 800-53, ISO 27001, COBIT). So if your own artifacts (questionnaires or review checklists) are mapped to those same frameworks, you can keep your current processes in place and use STAR data as a supplement wherever an item addresses the same underlying requirement.
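One way to carry out the crosswalk just described, as an added example that is not part of the original article and not CSA tooling: it joins your own review items to a provider's published CAIQ answers on shared framework references (the kind of mapping the CCM provides), then reports which of your items are already answered by registry data, which of those answers are "No" or "N/A" and therefore need an explicit residual-risk decision, and which items you still have to collect from the provider yourself (financial viability, for instance). All control IDs, question text, answers and framework reference strings in the block are constructed for illustration; the reference notation (e.g. "NIST800-53:SC-28") is an assumed label, not the CSA's own.

```python
"""Crosswalk an in-house vendor questionnaire against a provider's CAIQ answers.

Added example, not CSA tooling. All control IDs, questions, answers and
framework reference strings are constructed for illustration; the reference
notation (e.g. "NIST800-53:SC-28") is an assumed label, not CSA's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CaiqAnswer:
    control_id: str        # CCM-style control the CAIQ question belongs to
    question: str
    answer: str            # provider's self-reported "Yes" / "No" / "N/A"
    mappings: frozenset    # framework references the CCM maps this control to


@dataclass(frozen=True)
class ReviewItem:
    item_id: str           # your own questionnaire item
    question: str
    mappings: frozenset    # framework references your item is mapped to


def crosswalk(review_items, caiq_answers):
    """Join review items to CAIQ answers that share a framework reference.

    Returns (covered, gaps): covered maps item_id -> sorted list of matching
    CaiqAnswer objects; gaps lists item_ids with no overlap, which you still
    have to collect from the provider directly.
    """
    by_ref = {}
    for ans in caiq_answers:
        for ref in ans.mappings:
            by_ref.setdefault(ref, []).append(ans)
    covered, gaps = {}, []
    for item in review_items:
        hits = {ans for ref in item.mappings for ans in by_ref.get(ref, [])}
        if hits:
            covered[item.item_id] = sorted(hits, key=lambda a: a.control_id)
        else:
            gaps.append(item.item_id)
    return covered, gaps


def needs_risk_decision(covered):
    """Review items whose matching CAIQ answers contain anything other than
    "Yes". A "No" or "N/A" from the provider is data, not a pass: someone
    must decide whether the residual risk is acceptable for the intended use.
    """
    return sorted(item_id for item_id, answers in covered.items()
                  if any(a.answer.strip().upper() != "YES" for a in answers))


# Constructed sample data (hypothetical IDs, not real CCM control numbers).
PROVIDER_CAIQ = [
    CaiqAnswer("X-ENC-01", "Is customer data encrypted at rest?", "Yes",
               frozenset({"ISO27001:A.10.1.1", "NIST800-53:SC-28"})),
    CaiqAnswer("X-ENC-02", "Can customers manage their own encryption keys?", "No",
               frozenset({"NIST800-53:SC-12"})),
    CaiqAnswer("X-LOG-01", "Are audit logs retained for at least 12 months?", "Yes",
               frozenset({"NIST800-53:AU-11", "PCI:10.7"})),
]

REVIEW_ITEMS = [
    ReviewItem("Q1", "Sensitive data encrypted at rest", frozenset({"NIST800-53:SC-28"})),
    ReviewItem("Q2", "Customer-controlled key management", frozenset({"NIST800-53:SC-12"})),
    ReviewItem("Q3", "Vendor financial viability reviewed", frozenset({"INTERNAL:FIN-01"})),
    ReviewItem("Q4", "Log retention meets PCI DSS 10.7", frozenset({"PCI:10.7"})),
]


if __name__ == "__main__":
    covered, gaps = crosswalk(REVIEW_ITEMS, PROVIDER_CAIQ)
    for item_id, answers in covered.items():
        for a in answers:
            print(f"{item_id}: answered by {a.control_id} -> {a.answer}")
    print("Needs residual-risk decision:", needs_risk_decision(covered))
    print("Still to collect from provider:", gaps)
```

On the sample data, Q1 and Q4 are answered "Yes" by registry content and can be accepted on the strength of the self-assessment (subject to how much weight you give self-assessment at all), Q2 is covered but answered "No" and so goes to a risk decision, and Q3 has no counterpart in the CAIQ and must be pursued through your own process. The join key is the framework reference rather than the question wording, which is what lets the same STAR artifact serve differently worded questionnaires.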

Looking forward, organizations may wish to start evaluating the extent to which they can leverage level 2 assessments in the enterprise as they start to become available. There are many economic benefits to consuming an assessment that you don't have to perform yourself, so now might be a good time to start encouraging your vendors to embrace the STAR effort.

About the author:
Ed Moyle is currently director of emerging business and technology for ISACA. He previously worked as senior security strategist for Savvis Inc. and as senior manager with CTG Inc. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.

Join the conversation


What is your opinion of the CSA STAR program as a mechanism to evaluate cloud provider security?
You are correct, Ed, in that those using STAR still have to address other regulatory requirements such as PCI, SOX and others. But that is the beauty of ISO 27001. It allows for "implement once, comply many". That is why the financial industry (Shared Assessments) and HITRUST use ISO 27001 as a base. I still serve as a working group member and co-chair for Shared Assessments and was one of the original contributors to HITRUST. The big differentiator is that STAR ensures the scope is "fit-for-purpose" and SLA driven. The maturity assessment validates how well the system is managed.
I am the co-chair for the CSA OCF (Open Certification Framework) and CTP (continuous monitoring) working groups and would be happy to have a deeper discussion.
CSA STAR is unlike others created in that STAR is not a new standard re-hashed from ISO 27001 like some others. It IS in fact ISO 27001 as companies are just extending their scope to include the cloud specific requirements. Same process as if you have to be PCI or HIPAA compliant and are 27001 certified, you would add controls specific to PCI and/or HIPAA to your overall ISMS... "Implement once comply many". In addition, the maturity model focuses on how well the processes and controls are managed, pointing out areas for improvement and supporting the preventive action process, reducing risk. Once the continuous monitoring stage is launched, it will complete the circle of true transparency.
The aim of the STAR certification is to give existing cloud consumers or potential users an idea of the security capabilities of cloud vendors. And while the article is certainly correct in stating that it is not the cure for all ills it does provide cloud users with a starting point to evaluate cloud providers. The true value of the certification is that it builds on the existing CSA self-assessment matrix with an independent audit (two companies have been awarded silver tier status as part of the pilot programme) and that applicants must already hold or be in the process of completing ISO27001 compliance.

Fergus Kennedy, head of compliance and information systems, Pulsant
