Black Hat 2011: Cloud Security Alliance introduces STAR registry

As previously reported, the CSA is a not-for-profit organisation that seeks to promote the use of best practices for providing security assurance within the cloud. The alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

The plan for STAR, which should be fully operational by Q4 and which is free to register with and use, is to let cloud providers publish documentation of their compliance with CSA best practices.

The CSA also plans to use the registry to list technology solutions that have integrated CSA practices.

Announcing the STAR initiative at the Black Hat security event in Las Vegas, the alliance said that the programme is open to all cloud providers and will allow them to submit self-assessment reports documenting their compliance with CSA-published best practices.

The searchable registry, says the CSA, will let prospective cloud customers review the security practices of providers, speeding up their due diligence and leading to better-informed procurement decisions.

STAR, adds the alliance, represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.

Cloud providers can submit either of two report types to STAR, each indicating their compliance with CSA best practices:

The Consensus Assessments Initiative Questionnaire (CAIQ), which provides an industry-accepted way to document which security controls exist in IaaS, PaaS and SaaS offerings. The CAIQ is billed as a set of over 140 questions that a cloud consumer or cloud auditor may wish to ask of a cloud provider.

The Cloud Controls Matrix (CCM), which provides a controls framework giving a detailed understanding of security concepts and principles, aligned to the CSA guidance across 13 domains. As a framework, the CSA CCM is said to provide organisations with the structure, detail and clarity on information security that the cloud industry needs.

In preparation for the public launch of STAR in Q4 of this year, cloud providers are being encouraged to select their compliance option and prepare a report for submission.

In addition to cloud provider self-assessments, CSA STAR will also list solution providers that have integrated the CAIQ, the CCM and other GRC Stack components into their compliance management tools.

This will, says the alliance, help customers extend their GRC monitoring and reporting across their enterprise and across multiple cloud provider relationships.