It’s been discussed elsewhere what the Cloud Security Alliance is and what its Security Trust Assurance and Risk (STAR) program entails. To summarize, the CSA STAR program provides a cloud-focused alternative to more traditional audits. It’s based on the CSA Cloud Controls Matrix (CCM) and offers multiple levels of certification/attestation and a flexible path to those achievements. Let’s take a more in-depth look at the framework itself and the path to certification.
The CSA STAR Framework
The CSA CCM is a security framework consisting of 197 controls broken into 17 domains, each designed to assess the application of a portion of the CSA Security Guidance for Critical Areas of Focus in Cloud Computing. It provides a focused set of criteria for assessing a cloud-based environment, with mappings to other popular frameworks including ISO/IEC 27001:2022 and SOC 2, and offers a path to either self-assessment or third-party certification or attestation. Each of the 17 domains represents a significant piece of the requirements for cloud-based information security, covering procedural, physical, and logical security goals.
Levels of Certification for the CSA STAR
The Cloud Security Alliance offers 2 (or, arguably, 3) levels of certification. While the controls and domains are the same across the levels, the fundamental difference is whether or not a third-party assessor is required. The level 1 self-assessment does not require an external assessor. The level 2 attestation or certification (the difference is discussed below), however, requires engaging a third-party assessor, similar to the ISO/IEC 27001:2022, SOC 2, or HITRUST assessment process.
CSA STAR Level One
CSA STAR level one is a free offering from the Cloud Security Alliance. It allows an organization to self-assess using the Consensus Assessments Initiative Questionnaire (CAIQ), which is then registered with CSA and made available to the public. It’s ideal for low-risk environments and provides a low-cost way to increase transparency and trust. Given its nature as a self-assessment, however, it is an ‘unvalidated’ report; any organization relying on a provider’s level one status to validate the security controls of an IaaS, PaaS, or SaaS offering should keep this in mind.
Additionally, the CSA STAR level one is a mandatory starting point for organizations wishing to work towards level two.
CSA STAR Level Two
CSA STAR level two provides a third-party assessed certification or attestation of compliance with the controls as established in the CCM. Since it is conducted by an independent third party registered with the Cloud Security Alliance, it provides a potentially more trustworthy assertion of the organization’s implementation of the controls and its ability to demonstrate compliance with the framework as a whole.
The CSA STAR level two assessment also requires the organization to have at least one staff member who holds the CSA Certificate of Cloud Security Knowledge (CCSK).
Additionally, the level 2 assessment must be conducted by an organization that meets the following requirements:
- They must be registered with the CSA as an external audit firm.
- They must have CCSK-certified assessor(s).
- They must be qualified/certified to perform either SOC assessments by the AICPA or to perform ISO/IEC 27001:2022 assessments by an appropriate ISO certification body.
CSA STAR Level Three
CSA STAR level three is a bit of a nebulous offering at the moment. It’s intended for highly secure environments that are certified in a “continuous auditing” methodology. At the time of writing, the Cloud Security Alliance is revising this offering, incorporating feedback from public and industry expert commentary through iterative cycles.
Certification vs. Attestation of CSA STAR Level 2
CSA has chosen to separate “certification” and “attestation” based on the method of evaluation rather than any differences in the framework or implementation levels of the control sets. Functionally, both the certification and the attestation represent the results of an independent third party’s audit of the design, implementation, and effectiveness of the CSA STAR control set. Let’s look at the different methods to attain this third-party approval.
CSA STAR Level 2 Attestation
The CSA STAR Level 2 Attestation is performed by a CPA in accordance with the AICPA Statements on Standards for Attestation Engagements (SSAEs). It’s conducted much like a SOC 2 audit, evaluating the CSA CCM controls alongside the organization’s SOC 2 Trust Services Criteria, and is frequently conducted and reported together with a SOC 2 assessment, with a similar report issued.
At the conclusion of this successful audit, an organization will have an “attestation” and a report from the audit firm that demonstrates their compliance with the CSA CCM across a given period of time.
CSA STAR Level 2 Certification
The CSA STAR Level 2 Certification is performed by an audit firm that is ISO/IEC 17021-1 accredited by an IAF member Accreditation Body to issue ISO/IEC 27001 certification. It’s handled much more like an ISO/IEC 27001:2022 assessment. In fact, the assessed organization must already hold, or currently be undergoing, an ISO/IEC 27001:2022 certification; the CSA CCM controls are then added to the scope of that assessment.
At the conclusion of this successful audit, an organization will have a “certification” and an internal-only report from the audit firm which demonstrates their compliance with the CSA CCM. They will also be given documentation of certification by their audit firm.
Summary
Regardless of whether your organization is looking to attain an attestation or a certification, CSA STAR represents a strong trust and transparency component for any IaaS, PaaS, or SaaS organization and can be a part of a robust security and compliance program. It can also be a great tool for your sales, marketing, and customer engagement teams.
A strong assessor firm that offers both the attestation and the certification is an essential partner in this goal. Please contact us with any CSA STAR-related questions. Our team of audit professionals will be happy to consult with your organization on a CSA STAR assessment.
Want to Know More About CSA STAR?
- The Cloud Security Alliance
- CSA CCM: Cloud Security Alliance Cloud Controls Matrix – Overview & CSA Offerings
- The Cloud Security Alliance (CSA) and the AICPA
Brian has over 2 decades of experience in System Administration and Information Security, having worked at all levels of Government (City, County, State, and Federal) and with companies ranging from startups to the Fortune 20. He transitioned to auditing in 2018 and has delivered audits and attestations as varied as SOC 1 and 2, HITRUST, FISMA, FERPA, PCI, CSA STAR, and HIPAA. With Linford and Co, he focuses primarily on HITRUST and SOC 2.