Among cloud service categories, Software as a Service (SaaS) offerings are not only the most numerous—up to a million providers worldwide—but also arguably the weakest on security. While infrastructure and platform providers are more likely to be larger organizations with mature processes, SaaS firms with thousands of customers often have just a few employees. SaaS providers also tend to outsource a wider wedge of their services pie to third parties. This makes their shared responsibility picture with end customers more complex and leaves more room for security and privacy gaps.
These trends have big implications if you’re shopping for SaaS or other cloud services. How can you be assured about critical security and privacy requirements when comparing vendors?
Provable security and compliance is a major driver behind the Cloud Security Alliance (CSA) STAR assessment and certification program. John DiMaria, Assurance Investigatory Fellow and Research Fellow at Cloud Security Alliance (CSA), talks about CSA’s impact on trust and transparency in the market on a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, is the host.
STAR is for all CSPs
Especially because it’s free to participate in a self-assessment and submit your score to the public registry, CSA STAR is a no-brainer for CSPs. The program gives you an industry trusted way to demonstrate a robust security and compliance posture—and gives prospects a trusted way to evaluate vendors.
“Any CSP needs to look at some level of STAR, even if it’s just the self-assessment,” emphasizes John D. “Or just use the self-assessment as a benchmark internally. Even if you don’t upload it to the STAR registry you can still see where you need to strengthen your systems.”
“An organization that’s invested the time, energy effort into a full CSA STAR certification or even a self-assessment is one that is serious about security and is likely a better choice,” advises John V. “Use STAR as a gating criterion as you’re going to market to look for a particular type of CSP. If you can, pick one that is both ISO 27001 and CSA STAR compliant.”
Using the CSA STAR self-assessment as a vendor due diligence questionnaire
Organizations buying cloud services are increasingly using the CSA STAR self-assessment framework as a due diligence questionnaire for vendors. This approach benefits both parties.
John D explains: “I talk to enterprise organizations every day that are downloading it and mandating that their suppliers fill it out and send it back. In some cases, they are mandating third-party certification. But at the very minimum, they’re looking for that self-assessment because it really allows them to get a snapshot of where you are.”
How good is the integrity of the CSA STAR self-assessment? The key is to make the results public.
“When you think about it, you’re putting out something that is available to everyone in the world—it’s all publicly available,” John D states. “It’d be ridiculous to think that you could lie and get away with it because anybody can call you out on it. Anybody could ask for evidence. So, it has a pretty high level of integrity.”
Posting self-assessment results to the CSA STAR public registry also takes considerable overhead out of the questionnaire process for CSPs. Then they can just point stakeholders to the registry for the latest information rather than contending with numerous questionnaires.
Promoting transparency and trust
Participating in the CSA STAR program helps build transparency and trust in the CSP marketplace. Plus, it’s great marketing for CSPs.
“There are so many cloud service providers out here. If you’re not on the registry, people may not know that you exist in some cases,” John D notes. “The organizations I work with join CSA as a member for a lot of reasons. One of those reasons is when you look at marketing and marketing budgets, our membership cost is not even a fraction of what most people spend on marketing.”
For short money, CSA STAR provides a huge amount of positive visibility.
“It’s really becoming the ‘shopping mall’ for CSPs,” adds John D.
To hear the whole episode featuring John DiMaria from Cloud Security Alliance, click here.
Here’s another post on how CSA and its Cloud Controls Matrix (CCM) can benefit CSP: Who is the Cloud Security Alliance (CSA) and How They Can It Help Your Company’s Security and Security People?