CSA STAR

CSA STAR Attestation overview

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It's dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud. In 2013, the CSA and the British Standards Institution launched the Security, Trust, Assurance, and Risk (STAR) registry, a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.

For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a controls framework composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.

STAR provides two levels of assurance:

  • Level 1: Self-Assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). Level 1 is an introductory offering, which is free and open to all CSPs. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.

  • Level 2: Independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification. These assessments combine established industry standards with criteria specified in the CCM.
