The pandemic accelerated the adoption of cloud-based technology and brought a sharp increase in cloud-based cyberattacks with it — 630% between January and April of 2020 alone, according to a report by McAfee. And since cloud usage is expected to continue to increase well beyond the pandemic, taking additional steps to reduce security risks will be essential to protect the data you process in the future.
Earning a certification from the Cloud Security Alliance (CSA) STAR Program is an effective way for cloud service providers to reduce the security risks that cloud computing often introduces because few organizations offer more relevant or powerful controls than the CSA.
As a cloud service provider, Auth0 has been through the STAR certification process and earned a certification. Below is what you need to know about the STAR Program and how to earn a certification.
What Is a CSA STAR Certification?
A CSA Security, Trust, Assurance, and Risk (STAR) certification is a powerful third-party attestation of a cloud service provider’s security practices. A cloud service provider that earns a STAR certification can assure their customers that they’re using industry-leading best practices to secure data in cloud applications.
The CSA’s STAR Program combines the controls and best practices laid out in other information security standards (ISO/IEC 27001:2013, for example) with the CSA’s own Cloud Controls Matrix (or CCM, their proprietary cybersecurity control framework that covers all aspects of cloud technology) to create one of the most comprehensive cloud security control sets in the industry.
Being STAR-certified is not as important as being GDPR-compliant, for instance (or being compliant with other data privacy regulations like GDPR). However, since its controls map back to global information security standards and regulations, being STAR-certified does help reduce audit complexity for many organizations, in addition to helping them better secure their data.
The Benefits of a CSA STAR Certification
A CSA STAR Certification means the data you process is protected using a security framework designed specifically for cloud computing. Simply put, this reduces security risks for everyone involved — cloud service providers (CSPs), their customers, and the owners of the data.
Below are specific benefits that both CSPs and their customers will also gain through certification (or working with a STAR-certified provider).
Benefits For Cloud Service Providers
For cloud service providers, earning a STAR certification demonstrates to your customers that your business is a mature security organization. This is a competitive advantage for you within your market and helps you grow your business in two main ways:
- It helps accelerate your sales cycle. A rigorous third-party assessment of your security practices by the CSA or certified third-party auditors helps reduce the work corporate security teams need to do in order to sign off on a new partnership.
- It helps you find new business faster. Once your business is certified, it is included in the STAR Registry, where potential customers can quickly find cloud service providers that adhere to the STAR Program’s controls (more on the registry here).
Benefits For Cloud Service Customers
Since the STAR Program increases transparency into the security practices of any business that has earned certification, it helps would-be CSP customers quickly find a provider that offers the level of security assurance their business needs.
It also helps existing CSP customers ensure better alignment on security practices between them and their CSPs, simplifying the process of building an effective Governance, Risk, and Compliance (GRC) program.
CSA STAR Certification Levels
The CSA STAR certification is divided into three levels, each providing CSPs with the ability to offer a greater degree of transparency and assurance than the level before it.
Levels 1 and 2 also offer a continuous certification that organizations can obtain, as well (Level 3 is a continuous certification), in order to provide additional transparency to their customers through periodic self-assessment.
CSA STAR Level 1
A Level 1 certification is a freeway for any CSP to provide their customers with the security assurances that a STAR certification offers. To earn a Level 1 certification, cloud service providers must self-assess their security practices and controls against the CSA’s best practices (using either the Consensus Assessments Initiative Questionnaire [CAIQ] or the Cloud Controls Matrix) and send their assessment to the CSA for verification.
According to the CSA, a Level 1 STAR certification is best for CSPs that are “operating in a low-risk environment” and need a cost-effective way to document their security controls for their customers.
Certification is an annual process. However, businesses that update their self-assessment every 30 days are eligible for a STAR Continuous Level 1 Certification, which helps them assure their customers that CSA controls are always being followed (not just when it’s time for certification).
CSA STAR Level 2
CSA STAR Level 2 helps cloud service providers offer more transparency and assurance than Level 1 in two ways. First, it requires an assessment of a CSP’s security controls to be completed by a CSA-certified third party (a list of which they maintain on their website).
Second, it’s designed to enhance the security controls of other standards and certifications that a CSP might follow (ones that are industry or geographically specific to their business) for the cloud. This means there are a number of ways a cloud service provider could earn a “certification” for Level 2, depending on the other standards they already follow:
- AICPA SOC 2 → CSA STAR Attestation. Adding the CSA’s Cloud Controls Matrix to those you’ve implemented for the American Institute of Certified Public Accountants’ (AICPA) SOC 2 Report helps you make SOC 2 controls more robust and earns your business a CSA STAR Attestation.
- ISO/IEC 27001 → CSA STAR Certification. If you follow the controls laid out in ISO 27001, adding the controls from the CSA’s Cloud Controls Matrix helps you make your information security management system cloud-specific and earns your business a CSA STAR Certification.
- GB/T 22080-2008 → CSA C-STAR Assessment. For businesses that operate in China, adding the controls from the CSA’s Cloud Controls Matrix to the controls laid out in the GB/T 22080-2008 management system, as well as 29 additional controls from both GB/T 22239-2008 and GB/Z 28828-2012 standards earn your business a CSA C-STAR Certification.
- GDPR → GDPR Code of Conduct Certification. If you’re complying with GDPR, adding the controls from the CSA’s Cloud Controls Matrix helps you offer cloud-specific security assurance in addition to those required by the GDPR and earns your business the GDPR Code of Conduct Certification.
A CSA Level 2 Continuous Certification is also available for businesses that have earned either an Attestation or Certification and complete a self-assessment every 30 days in the same way that is required for a Level 1 Certification.
CSA Level 2 is best for organizations that are already following one of the standards or regulations listed above or operate in a risk environment where the independent assurance that a third-party assessment offers would be beneficial.
CSA STAR Level 3
Where STAR Levels 1 and 2 offer a continuous option to increase transparency and assurance through periodic self-assessment, CSA STAR Level 3 takes “continuous” one step further by automating the process of validating security control effectiveness in real-time.
According to the CSA’s website, STAR Level 3 is listed as “Coming Soon,” which indicates that it’s not officially available for certification at the moment. However, the CSA explains that continuous assessment will be achieved through real-time data collection from “monitoring tools like log analytics, network statistics, and monitoring, process statistics or resource utilization.”
Given the complexity of continuous monitoring, STAR Level 3 certification will be best for businesses that operate in high-risk environments.
The CSA STAR Registry
The STAR Registry is a public record of cloud service providers that use the STAR Program’s controls and have earned certification. The registry is located on the CSA’s website and allows anyone to download a copy of a certification that a cloud service provider has achieved:
From a business perspective, the STAR Registry helps cloud service providers market themselves directly to customers that need the type of assurance and transparency that the STAR Program offers. The registry also provides CSP customers with the ability to submit a request for the CSA to verify a specific provider’s certification if they do not see them on the registry.
How Much Is Data Security Worth to Your Business?
The average data breach costs $3.86M, and the damage to your brand often lasts for years to come. So the more you can do to reduce the security risks associated with cloud computing, the better off your business will be.
Following the CSA’s STAR Program (or working with a STAR-certified service provider) is an effective way to reduce the risk of a data breach for both cloud service providers and their customers. And the transparency a STAR certification offers makes it easier for CSPs and their customers to keep data safe together.
Auth0’s IDaaS platform is STAR Level 2 certified and can help you simplify the controls you need to implement to improve both the security and user experience of the authentication process. Learn more about Auth0 here.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and application teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding billions of login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.