As practitioners in the enterprise already know quite well, ensuring the security and compliance of third parties such as service providers, vendors and business partners is a difficult exercise.
Not only are there potentially dozens if not hundreds of service providers that may need to be evaluated, but each one may require its own questionnaire, its own audit evaluation and potentially its own technical testing depending on an organization's needs. The process itself can also become contentious. Specifically, service providers may be uncomfortable sharing intimate security-related details with external parties -- particularly before a formal business relationship exists. This can not only slow down things, but also -- in extreme cases -- make objective evaluation impossible.
It's critical to keep in mind that it's a challenge for both sides. Those in the channel (i.e., those providing services to customers) have problems as well. For them, it's responding to numerous uniquely formatted questionnaires covering a potentially nonoverlapping set of technical, administrative and physical security topics. Service providers also face the challenge of on-site audits and corresponding evidence-gathering and personnel interviewing activities. This is particularly challenging as these steps are often a prerequisite to doing business: A customer may decide not to proceed with the relationship or discontinue use if security measures prove insufficient. This means providers and customers alike experience the economic hit of responding to an inquiry before any potential return is achieved.
As a result of this conundrum, the Cloud Security Alliance's (CSA) Security Trust and Assurance Registry (STAR) certification program has emerged. The basic premise of STAR is that a service provider can voluntarily undertake an objective assessment of its own environment, publish it to a registry and allow the results to be viewed by existing, new, and potential customers.
The basic premise of STAR is that a service provider can undertake an assessment of its own environment, publish it to the registry and allow the results to be viewed by existing, new and potential customers.
The program has several goals: reduce effort and cost on both sides of the fence (for example, by minimizing administration of the assessment and response process), reduce or eliminate the front-loaded per-relationship cost for the provider and customer, and increase the consistency of evaluations from assessor to assessor.
CSA STAR uses a tiered certification framework drawing on elements of other CSA work, primarily the Governance, Risk Management and Compliance (GRC) efforts (i.e., the "GRC stack"). STAR's level 1, Self-Assessment, consists of an entry self-evaluation via the Consensus Assessments Initiative (CAI) questionnaire or the Cloud Controls Matrix (CCM). At level 2 -- the 3rd-Party Assessment-based Certification Level -- external validation is introduced via either certification (which currently uses ISO/IEC 27001:2005 and the CCM-- note, the CSA is currently in the process of moving to ISO/IEC 27001-2013, this should be complete by March 2014) or attestation (which uses SOC2 and the CCM). Level 3, Continuous Monitoring-based Certification, consists of continuous validation which will be implemented through the CloudTrust Protocol (CTP). The CTP provides a structured mechanism for transparency in the cloud. Through it, customers can make requests to a cloud provider (for example, requesting security-relevant information about the cloud components in their scope) and it provides a mechanism for cloud providers to respond to that request.
Benefits and challenges
The STAR concept isn't entirely new. For example, the Shared Assessments program (which historically targeted financial services) and the HITRUST Common Security Framework (CSF) (which targets the healthcare industry) are both driven by similar needs and result from a comparable set of business challenges. That said, cloud has a few unique considerations that make the STAR concept particularly useful in the cloud arena.
First, many times security and compliance practitioners don't learn about cloud usage until after it is already deployed in the enterprise. This greatly inhibits the information security team's ability to perform a pre-deployment review and signoff. Secondly, pay-per-use pricing allows usage to expand organically within enterprises (i.e., land and expand), meaning that a given service (DropBox, for example) can be used for a low-risk purpose today (perhaps only for public data) and expand tomorrow into high-risk scenarios (maybe to store sensitive financial or customer data). Having a standard set of objective responses means that should business needs change after a provider is brought in, the details of the assessment can be revisited quickly in light of the new usage without (in many cases) the expense and time of a re-review.
Note though that STAR is not a panacea. The data provided by the program doesn't absolve organizations of the need to evaluate the level of risk associated with a service provider since organizations have different risk tolerances and will be using cloud services for different purposes. Someone must review the STAR data, evaluate the proposed or current usage in the organization in light of the controls listed, and determine what residual risk there might be and what they need to do on their side to mitigate it. Organizations may also have specific requirements outside the scope of STAR that they wish to evaluate, for example, addressing risks such as the financial viability of the service provider.
More CSA information
BSI certifies first two CSA STAR cloud providers
CSA partners with BSI on cloud security certification program
Guide: Examining cloud computing security standards, guidelines
Updated CSA guidance offers advice on cloud-based security
Simply put, additional work will still be required. For example, organizations handling cardholder data must still adhere to Payment Card Industry Data Security Standard (PCI DSS) mandates such as maintaining "information about which PCI DSS requirements are managed by each service provider and which are managed by the entity" (PCI 3.0, Requirement 12.8.5) and maintaining "a program to monitor service providers' PCI DSS compliance status at least annually" (PCI 3.0, Requirement 12.8.4). These and other compliance-specific mandates must be addressed by the customer -- and negotiated with the service provider -- the same way that they always have been.
Using the STAR program
So how can you use STAR program data in your enterprise? The most expedient way -- at least right now -- is to start folding STAR data into your cloud provider review processes. Recall that while STAR level 1 (Self-Assessment) has been around since 2011, the STAR certification program is relatively new (it officially launched in September 2013, at the CSA EMEA Congress). Level 2 (Attestation) and level 3 (Continuous) are not yet available.
As a result, as of right now the data in the registry is limited to completed CAIQ/CCM content. Organizations can start leveraging this data immediately -- at least to the extent that it's willing to rely on structured self-assessment and the extent to which its reviews overlap with information in the artifacts.
A useful first step, if you haven't done it already, is to evaluate the CAIQ and CCM material against your current service provider review process; evaluate whether the content they cover is sufficient for your analysis or equivalent to what you're already asking. If so, maybe you can use the material already published for the providers listed in the registry. If not, determine what additional information you want to collect that isn't covered. Remember that the CAIQ and CCM are mapped to other compliance requirements and governance frameworks (e.g., HIPAA, NIST SP800-53, ISO 27001, COBIT, etc.). So if your artifacts (e.g., questionnaires or review artifacts) are mapped to those frameworks, you could very well keep your current processes in place and use STAR data as a supplement to them when items address the same underlying requirement.
Looking forward, organizations may wish to start evaluating the extent to which they can leverage level 2 assessments in the enterprise as they start to become available. There are many economic benefits to consuming an assessment that you don't have to perform yourself, so now might be a good time to start encouraging your vendors to embrace the STAR effort.
About the author:
Ed Moyle is currently director of emerging business and technology for ISACA. He previously worked as senior security strategist for Savvis Inc. and as senior manager with CTG Inc. Prior to that, he served as vice president and information security officer at Merrill Lynch Investment Managers.