CSA STAR is open to all cloud providers, and allows them to submit self assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator.
CSA STAR will be online in Q4 of 2011. Cloud providers can submit two different types of reports to indicate their compliance with CSA best practices:
The Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed Consensus Assessments Initiative Questionnaire. The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.
In preparation for the public launch of the CSA STAR, providers are encouraged to select their compliance option and prepare a report for submission. CSA volunteers will be available to answer questions about report content. CSA strongly encourages all IaaS, SaaS, and PaaS providers, large and small, to complete a self-assessment for publication. In doing so, they will address some of the most urgent and important security questions buyers are asking, and can dramatically speed up the purchasing process for their services.
In addition to cloud provider self assessments, CSA STAR will also provide listings to solution providers who have integrated CAIQ, CCM and other GRC Stack components into their compliance management tools. This will help customers extend their GRC monitoring and reporting across their enterprise and in concert with multiple cloud provider relationships.
Providers interested in submitting should monitor https://www.cloudsecurityalliance.org/star/ for more details and updates.
About the Cloud Security Alliance The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.