The Cloud Security Alliance announced the launch of a new initiative to encourage transparency of security practices within cloud providers. The CSA Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.
CSA STAR is open to all cloud providers, and allows them to submit self-assessment reports that document compliance to CSA published best practices. The searchable registry will allow potential cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences. "CSA STAR represents a major leap forward in industry transparency, encouraging providers to make security capabilities a market differentiator," the organization said in a statement.
The STAR initiative will be online in Q4 of 2011, and cloud providers can submit two different types of reports to indicate their compliance with CSA best practices. The Consensus Assessments Initiative Questionnaire (CAIQ) provides industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. Providers may opt to submit a completed Consensus Assessments Initiative Questionnaire.
The Cloud Controls Matrix (CCM) provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Providers may choose to submit a report documenting compliance with Cloud Controls Matrix.
In preparation for the public launch of the CSA STAR, providers are encouraged to select their compliance option and prepare a report for submission. CSA volunteers will be available to answer questions about report content. CSA strongly encourages all IaaS, SaaS, and PaaS providers, large and small, to complete a self-assessment for publication. In doing so, they will address some of the most urgent and important security questions buyers are asking, and can dramatically speed up the purchasing process for their services.
In addition to cloud provider self-assessments, CSA STAR will also provide listings to solution providers who have integrated CAIQ, CCM and other GRC Stack components into their compliance management tools. This will help customers extend their GRC monitoring and reporting across their enterprise and in concert with multiple cloud provider relationships.