CSA Security Trust & Assurance Registry (STAR)


    Cloud Security Alliance (STAR)

    STAR is a cloud security certification program powered by the Cloud Security Alliance (CSA). STAR consists of a three-tier assurance system: self-assessment; 3rd party certification; and, continuous monitoring.

    Last Updated: July 30, 2019

  • General

    Increasingly, organisations of all types and sizes have incentives to outsource data storage, applications and business processes to cloud providers. This is enticing for organisations because of the financial and technical benefits that come with joining the cloud environment. For example, on-demand availability and pay-per-use pricing schemes are important incentives when considering whether to outsource data, processes, and applications to cloud providers. In this sense, cloud computing is cost-effective because, for example, it enables IT services to function in a more scalable and dynamic fashion than they used to, and offers shared resources such as computing power and storage.

    However, the business-related advantages of using a cloud environment come with their pitfalls. In particular, public perception is that it is complicated to assess the trustworthiness of cloud providers. Academic research shows that reluctance to use cloud service providers can be pinned down to security and privacy concerns arising from the non-transparent nature of cloud computing. In particular, (potential) customers of cloud service providers seem to worry about the location of data, third-party access to their data (i.e. who has access to data stored in the cloud), and unwanted data movement. Therefore, customers need support in reliably identifying trustworthy providers. In doing this, customers need to understand different aspects of the service provider, such as compliance, data governance and information security.

    CSA is the leading organisation raising awareness of best practices to foster trustworthiness in cloud environments. In this context, CSA's STAR was created to provide assurance of a high level of security and compliance in the cloud. CSA's STAR helps customers assess the trustworthiness of cloud providers, and it also helps cloud providers achieve more transparency in the way they present their services, capabilities, and levels of security and compliance with relevant laws (such as data protection legislation).

    To achieve this, STAR embeds three key principles into its tiered structure: transparency, rigorous auditing, and harmonisation of standards. In this context, one of the essential features of the STAR program is a publicly available registry designed for customers to assess their providers. This registry is designed to recognise assurance requirements and maturity levels of cloud providers by documenting security and privacy controls offered by cloud computing services.

    CSA STAR is based upon two key research components (the Cloud Controls Matrix and the Consensus Assessments Initiative Questionnaire) and a Code of Conduct for GDPR compliance. These three elements are embedded in the tiered structure of STAR.

    Level one: CSA STAR Self-Assessment. This level is an offering that documents the security controls provided by cloud computing services. This first level is sub-divided into two stages that comprise (a) a CSA STAR self-assessment based on the two key research components mentioned above; and, (b) a self-assessment based on the Code of Conduct for GDPR compliance. At this initial level, cloud providers can either submit:

    1. Cloud Controls Matrix (CCM): the de facto standard for cloud security and compliance. This tool is designed as a meta-framework of cloud-specific security controls that provides organisations with structure, detail and clarity concerning the information they issue to customers; or,
    2. Consensus Assessments Initiative Questionnaire (CAIQ): this questionnaire provides a set of Yes/No questions designed to reflect questions that cloud consumers or auditors may want to ask of cloud providers. The aim is to assess cloud providers' compliance with the CCM.

    In addition, service providers can voluntarily publish two documents on the STAR Registry:

    1. Code of Conduct Statement of Adherence measuring compliance of its services against the GDPR;
    2. the results of a self-assessment based on the Privacy Level Agreement Code of Practice (PLA CoP).

    After having published these self-assessment documents, cloud providers are issued with a Compliance Mark that is valid for 1 year. However, if there are any changes to the company's policies or practices, the self-assessment would have to be revised accordingly.

    Level two: 3rd Party assessment-based certification. This tier provides for rigorous, independent third-party assessments of cloud service providers. This level encompasses:

    1. CSA STAR Attestation: at this level, CSA, in collaboration with the AICPA, provides cloud service providers with the guidelines necessary to conduct SOC 2 engagements (i.e. business reporting controls relating to security, availability, processing integrity, confidentiality, and privacy).
    2. CSA STAR Certification: a rigorous, technology-neutral, independent third-party assessment of the security capabilities of a cloud service provider. This certification leverages the requirements of the ISO/IEC 27001:2013 management system standard and the CSA CCM.
    3. CSA C-STAR Assessment: this third-party independent assessment is focused on the Chinese market and it harmonises CSA best practices with Chinese national standards. This assessment leverages (a) the requirements of the GB/T 22080-2008 management system standard; (b) the CSA CCM; and, (c) 29 related controls selected from GB/T 22239-2008 and GB/Z 28828-2012.

    Level three: CSA STAR Continuous Monitoring. This tier, which is currently under development, enables automated monitoring of cloud providers' current security practices based on the information they publish. This information follows CSA formatting and specifications and can be retrieved and presented by customers and vendors in a variety of contexts.
