Cloud providers are eligible to be listed in the STAR if they are able to document that their security controls are in line with security best practices developed by CSA, a nonprofit coalition of industry practitioners, corporations, and associations.
The searchable registry will enable cloud customers to review the security practices of providers. The STAR is intended to promote industry transparency, encouraging providers to make security capabilities a market differentiator, CSA explained.
Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices. The first is the Consensus Assessments Initiative Questionnaire, which provides industry-accepted ways to document security controls in cloud offerings. The questionnaire provides a set of over 140 questions a cloud consumer and cloud auditor should ask of a cloud provider.
The second is the Cloud Controls Matrix, which provides a framework that allows for detailed understanding of security concepts and principles that are aligned to CSA guidance in 13 domains. As a framework, the CSA matrix provides organizations with structure, detail, and clarity relating to information security for the cloud industry.
In preparation for the public launch of the STAR, CSA encourages cloud providers to select their compliance option and prepare a report for submission. The registry is scheduled to go live in the fourth quarter of 2011.