The Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR) program was established in 2012 as a way to verify and document the security and privacy controls implemented by cloud service providers (CSPs). CSA has seen mounting interest in their STAR certifications and attestations as adoption of cloud technologies continues to rise. Gartner predicts that nearly two-thirds (65.9%) of spending on application software will be directed toward cloud technologies by 2025.

Here’s everything you need to know about CSA STAR, how their certification program works, and why a growing number of CSPs are working toward certification.

What is CSA STAR?

The CSA, the governing body of the STAR program, is a nonprofit organization that is considered a worldwide authority in the area of cloud security research and the advocacy of best practices that support secure cloud computing. CSA designed the STAR program to help CSPs enhance their security assurance in the cloud through “the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM).”

CSA STAR leverages the CSA’s CCM, a framework used to test security and privacy controls (CSPs must adhere to the newest version, CCM v4). Once CSA STAR has been implemented, CSPs can apply to be listed on the official registry, allowing prospects and customers to confirm the security and compliance posture they adhere to.

Achieving a certification through the CSA STAR program effectively helps CSPs reduce the security risks inherent to cloud computing solutions and services, like Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). As CSA Founder and Chairman Dave Cullinane said, “If you have an application exposed to the Internet that will allow people to make money, it will be probed.”

CSPs have two options to choose from when pursuing CSA STAR, each which has its own specific set of requirements.

What is CSA STAR Level 1?

CSA STAR Level 1 is a self-assessment intended for CSPs that operate in a low-risk environment and want to offer greater visibility into the security controls they have in place. Level 1 is a free assessment conducted internally and does not require a third-party firm to complete.

There are two variations of the Level 1 assessment:

• Security Self-Assessment: The CSP submits a completed Consensus Assessment Initiative Questionnaire (CAIQ) to document compliance with the CCM. The security self-assessment only covers security-related controls and must be updated annually.
• GDPR Self-Assessment: The CSP submits a completed Code of Conduct Statement of Adherence and Code of Practice to document compliance with GDPR. The GDPR self-assessment only covers privacy-related controls and must be updated annually.

Both of these self-assessments must also be updated any time there is a change to the CSP’s policies or practices related to the service being assessed. Depending on the CSP’s desire to highlight security and/or privacy controls, they may choose to complete one self-assessment or both.

What is CSA STAR Level 2?

CSA STAR Level 2 is a third-party audit intended for CSPs that operate in a medium- to high-risk environment and want to enhance the controls of another standard or certification the business already follows. Completing both the self-assessment and CAIQ mentioned above are prerequisites for Level 2.

Additionally, Level 2 is not a standalone assessment and there are costs associated. For the third-party audit, the organization must use a certified STAR auditor, such as A-LIGN, to perform one of the following assessments depending on the standard they have already adopted:

• AICPA SOC 2 + CSA STAR Attestation (Most Common) — This attestation includes the SOC 2 Trust Services Criteria and the CCM framework, and must be renewed annually. Type 1 SOC 2 is acceptable for companies undergoing the CSA STAR for the first time, but subsequent submissions must have a review period of no less than six months (12 months for Type 2).
• ISO 27001:2013 + CSA STAR Certification — This certification includes the ISO 27001:2013 requirements and the CCM framework. It must be conducted on an annual basis and submitted to CSA Star to update the registry upon recertification every three years.
• GB/T 22080-2008 + CSA C-STAR Assessment — Intended for CSPs that do business in China, this assessment includes the CCM framework and the Chinese national requirements of GB/T 22080-2008, plus additional controls from GB/T 22239-2008 and GB/Z 28828-2012. It must be completed every three years to maintain compliance.

If you are a CSP interested in pursuing CSA STAR Level 2, consider reading the CSA’s official Code of Practice to gain a better understanding of the steps required to earn a certification or attestation.

What are the benefits of certification?

Described as “the world’s largest and most consequential cloud provider security program,” CSA STAR allows CSPs to show that they take information security very seriously and are willing to take comprehensive measures to reduce the risk of a data breach. At its core, a CSA STAR certification or attestation (Level 2) demonstrates that companies needing to host their data within a cloud computing environment can do so knowing that it is protected using a world-class security framework specifically designed for cloud computing. The certification also:

• Reduces security risk for everyone involved with a CSP: the business, its customers, and other data owners.
• Allows CSPs and their customers to become better aligned on security practices. The transparency inherent to CSA STAR makes it easier for both parties to work together to keep data safe.
• Helps CSPs establish themselves as trusted cloud vendors. The certification is a valuable marketing tool and being listed in the CSA STAR Registry can bring in new business.
• Accelerates the sales cycle in some cases by reducing the work security teams might need to perform to sign new clients or establish new partnerships.

Navigating the Cloud Security Spotlight 

With the adoption of cloud-based technologies only becoming more prevalent, there will undoubtedly be a spotlight on cloud security for years to come. CSA STAR certification offers a tried-and-tested way for CSPs to take their security posture to the next level and reduce the risk of a breach for both themselves and their customers. It is a highly valuable addition to any CSP’s compliance arsenal; for example, we helped PROS achieve CSA STAR certification in addition to SOC 1, SOC 2, SOC 3, ISO 27001, and PCI DSS.

If you are a CSP interested in SOC 2 + CSA STAR Attestation or ISO 27001:2013 + CSA STAR Certification, A-LIGN is a certified CSA STAR auditor that can help your organization take the most efficient path to earning a spot on the official registry.