Cloud Star Certification for Cloud Services Providers

1.What is CSA STAR Certification?
CSA STAR Certification is a unique new scheme developed to address specific issues relating to cloud security as an enhancement to ISO/IEC 27001. Whilst ISO/IEC 27001 standard is widely recognized and respected, its requirements are more generic and therefore there can be a perception that it does not focus on certain areas of security that are critical to particular sectors such as the cloud computing sector. We can help with CSA STAR Certification.

3.Is cloud star beneficial if company is small scale?
Cloud Star Certification is beneficial to the companies of all sizes. Confidence, reputation and more business can come with Cloud Star Certification as more customers ask for proof of these measures. Other benefits are:
Implement an audit that is desgined to reflect how your organization’s objectives are aimed at optimizing the cloud services
Demonstrate progress and performance levels via an independently validated award from an external certified body
Benchmark your performance against your peers
Additionally for customer of cloud service providers, CSA STAR Certification will provide a greater understanding of the level of controls that are in place.
Provide top management with visibility, so that they can evaluate the effectiveness of their management system in relation to expectations of the cloud security industry and ISO/IEC 27001

4. Are enterprises really ready to move into the cloud ?
Cloud based services such as Saas, Paas and Iaas, are supposed to bring in customer the benefits including economies of scale, on-demand and cost savings . The pay-peruse model is really attractive, because it means companies can plan for the future without huge initial investment on the infrastructure.

5.What is the Certificate of Cloud Security Knowledge (CCSK)?
The CCSK is a web-based examination of individual competency in key cloud security issues.

6.Why should my company certify CSA?
Whether you use cloud services, provide cloud services, audit/certify cloud services, or secure cloud services, you have a vested interest in knowing more about cloud security from an objective, third-party source. You need the right tools to ensure that you are playing your part in securing the cloud ecosystem while supporting industry standards

7.From where can we get complete framework for CSA?
The Cloud Controls Matrix (CCM), which provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

8.How to get CSA STAR Certification?
Gap analysis 
This is an optional pre-assessment service where we take a closer look at your existing system and compare it with the CSA STAR Certification requirements. This helps identify areas that need more work before we carry out a formal assessment, saving you time and money
Formal assessment 
BSI will assess your cloud controls in a formal assessment usually as part of your ISO/IEC 27001 assessment. At this stage you will be awarded a Gold, Silver or Bronze rating depending on the level of maturity of your system.
Certification and beyond 
When you have passed the formal assessment you will receive a STAR certificate, which is valid for three years. And your company will also appear on the STAR registry held by the CSA although for confidentiality purposes the level awarded will not be divulged. You may share that upon request. Your client manager will stay in touch during this time, paying you regular visits to make sure your system doesn’t just remain compliant, but that it continually improves. 

Cloud Star Benefits

Cloud Star Certification Process

1.
Take permission and support from senior management
Engage the whole business with a sound communications strategy
Establish a competent and knowledgeable implementation team.
Download the Cloud Control Matrix (CCM) from the CSA
Compare existing processes and procedures with relevant CCM requirements and ISO/IEC 27001
Make sure your scope is aligned with customer critical processes and implement all relevant controls within the CCM
Benchmark your current capability against the maturity model and see where there are opportunities to improve

2.
Gap analysis 
Formal assessment 
Certification and beyond

3.
Clearly lay out a well-communicated plan of activities and timescales. Make sure everyone understands them and their role
Share CSA STAR Certification knowledge and encourage staff to train as internal auditors
Regularly review your system and controls to make sure you are continually improving it

CSA STAR is based upon two key research components of the CSA GRC Stack:
Cloud Controls Matrix (CCM) – As a controls framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.
CCM is composed of 133 controls, structured in 16 domains and covers the following areas:
Application & Interface Security
Audit Assurance & Compliance
Business Continuity Management & Operational Resilience
Change Control & Configuration Management
Data Security & Information Lifecycle Management
Datacenter Security
Encryption & Key Management
Governance and Risk Management
Human Resources
Identity & Access Management
Infrastructure & Virtualization Security
Interoperability & Portability
Mobile Security
Security Incident Management, E-Discovery & Cloud Forensics
Supply Chain Management, Transparency and Accountability
Threat and Vulnerability Management

CSA CCM IT Cloud Domains
Application and interface security Audit assurance and compliance
Business continuity management and operational resilience Change control and configuration management
Datacenter security Data security and information lifecycle management
Encryption and key management Governance and risk management
Human resources Identity and access management
Infrastructure and virtualization security Interoperability and portability
Mobile security Security incident management, e-discovery, and cloud forensics
Supply chain management, transparency and accountability Threat and vulnerability management

The Consensus Assessments Initiative Questionnaire (CAIQ) – Based upon the CCM , the CAIQ provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to the Cloud Controls Matrix and CSA best practices.

Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR) Self-Assessment is free and open to all cloud service providers and allows them to submit self-assessment reports that document compliance to Cloud Security Alliance-published best practices.  Cloud service providers can submit two different types of reports to indicate their compliance with Cloud Security Alliance best practices:
 
The Consensus Assessments Initiative Questionnaire, which is a set of over 140 questions a cloud service consumer and cloud auditor may wish to ask a cloud service provider;
 
The Cloud Controls Matrix, which gives a controls framework that includes the security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.

Benefits
Indications of best practices
Validation of security posture of cloud offerings
Continuous monitoring
Keeps confidential information secure
Market Entering Mechanism
Integrity and Availability
Safeguard your valuable data and intellectual property
Provides customers and stakeholders with confidence in how you manage risk
Provide you with a competitive advantage
Readiness towards new and upcoming compliances
Enhanced customer satisfaction that improves client retention
Consistency in the delivery of your service or product
Manages and minimizes the risk exposure
Trust in Sharing

Links:
http://www.cloudwatchhub.eu/cloud-security-alliance-open-certification-framework
https://www.microsoft.com/en-us/TrustCenter/Compliance/CSA