Saturday, March 5, 2022

Understanding CSA STAR

CSA Security, Trust, Assurance and Risk (STAR) Program

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA connects the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events, and products.

A cloud service provider (CSP) is a third-party company that provides scalable computing resources that businesses can access over any network, including cloud-based compute, storage, platform, and application services. There are many leading organizations in this sector across the globe, such as Microsoft, Amazon, Google, Oracle, Alibaba and Rackspace, and many smaller firms are gradually growing their business in this area as well.

CSA STAR Certification demonstrates that a cloud service provider conforms to the applicable requirements of ISO 27001 and has addressed the issues critical to cloud security outlined in the Cloud Controls Matrix (CCM). Through CSA STAR Certification, in addition to a compliant ISO/IEC 27001 information security management system, organizations can ensure that they fully understand the risks involved and their business impacts. This allows organizations to put controls in place to protect business-critical information.

STAR provides two levels of assurance:

Level 1: Self-Assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). Level 1 is an introductory offering, which is free and open to all CSPs. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.

Level 2: Independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification. These assessments combine established industry standards with criteria specified in the CCM.

Cloud Control Matrix (CCM)

For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a cyber security controls framework for cloud computing aligned to CSA best practices, and it is considered the de facto standard for cloud security and privacy. The earlier CCM version 3 contained 133 control objectives; the revised version 4.0.7 (released in 2021) is composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.

  • It provides fundamental security principles to guide cloud vendors and to assist cloud customers in assessing the overall security risk of a cloud provider.
  • It provides a control framework in 17 domains that is cross-walked to other industry-accepted security standards, regulations and control frameworks to reduce audit complexity.

The CCM v4 scope is mapped to ISO/IEC 27001/02, ISO/IEC 27017/18, NIST SP 800-53, AICPA TSC (2017), PCI DSS v3.2.1, and CIS Controls v8 (Center for Internet Security).

The 17 domains of CCM v4, with the number of controls in each domain, are listed below:

  • Audit and Assurance (A&A): 6
  • Application and Interface Security (AIS): 6
  • Business Continuity Management and Operational Resilience (BCR): 10
  • Change Control and Configuration Management (CCC): 9
  • Cryptography, Encryption and Key Management (CEK): 20
  • Data Centre Security (DCS): 15
  • Data Security and Privacy Lifecycle Management (DSP): 18
  • Governance, Risk and Compliance (GRC): 8
  • Human Resources (HRS): 13
  • Identity and Access Management (IAM): 15
  • Interoperability and Portability (IPY): 4
  • Infrastructure and Virtualization Security (IVS): 9
  • Logging and Monitoring (LOG): 13
  • Security Incident Management, E-Discovery, & Cloud Forensics (SEF): 8
  • Supply Chain Management, Transparency and Accountability (STA): 14
  • Threat and Vulnerability Management (TVM): 10
  • Universal Endpoint Management (UEM): 14

To become a Certified STAR Auditor, individuals need to take the training and pass the exams offered by the respective training providers. To become a cloud security expert, individual professionals need to earn the Certificate of Cloud Security Knowledge (CCSK). In CCSK you learn to establish a baseline of security best practices across a broad array of responsibilities, from cloud governance to configuring technical security controls.
