April 11, 2022

Last Updated on January 12, 2024

Even before the pandemic, the majority of businesses were already moving to the cloud.

Now, it seems you can’t do business without it.

This means cloud security and compliance are more important than ever.

That’s why I’m speaking to one of the authorities on cloud security, John DiMaria, Assurance Investigatory Fellow at Cloud Security Alliance, in today’s episode — to demystify cloud security.

Join us as we discuss:

  • The biggest vulnerabilities organizations face when operating in the cloud
  • How CSA’s STAR program can help you strengthen your cloud security
  • How gaining a slot in CSA’s CCM registry can give your organization more visibility while also helping to providing assurance that you can keep sensitive data secure in the cloud

The Cloud Security Alliance

Cloud Security Alliance (CSA) is a not-for-profit, vendor-neutral cloud security association — the largest in the world. CSA has over 120,000 followers and single members and more than 400 corporate members. The association produces extensive research, which is free to everyone.

Every cloud service provider needs to look at some level of CSA STAR, even if it’s just a self-assessment, which is free.” — John DiMaria

How the CSA STAR program helps strengthen cloud security

CSA does extensive research to help the industry at large as well as its member organizations learn more about cloud security.

To help fulfill its mission, CSA created the STAR program. The acronym stands for security, trust, assurance, and risk. CSA STAR is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

STAR currently offers two assurance levels: a self-attestation (Level 1) and a third-party audit (Level 2). Level 3, which includes real-time monitoring of key cybersecurity metrics, has been under development and is nearing the proof of concept (PoC) stage, to be followed by a pilot program.

“SaaS companies lead the pack in terms of service providers, but they also lead the pack in terms of risk because they’re outsourcing a lot of their services to third parties.” — John DiMaria

What Causes All These Security Challenges?

During COVID, everybody rushed to the cloud. As a result, CSA saw an increase in inquiries, downloads of information, and requests for technical assistance.

Companies simply didn’t see the pandemic coming, so they weren’t prepared to move their entire workforce off-site. This created a crisis, and malicious hackers love a good crisis.

Knowing that people had poor — if any — security in their homes, hackers started targeting remote users to get company data. In addition, home-based workers began having issues with connection, speed, and data transfers, a scenario that creates confusion hackers can hide within. Moreover, the Internet of Things is now a bigger target than ever since so many more of these vulnerable connected devices are now exposed across the broader work-at-home attack surface.

Thus, we now have a recipe for security malfunctions on a grand scale.

Companies don’t think about contingency plans for big hacks, though. They seem unlikely. But a global pandemic or the events of 9/11 also seemed unlikely. They happened anyway.

Mind the Shared Responsibility Gap

Cloud security providers have created plenty of other challenges for themselves besides the ones hackers create for them.

One of those is simply failing to understand the shared responsibility model as it applies to them and their customers. More importantly, many users don’t understand what their responsibilities are, either. When CSA released its Cloud Controls Matrix (CCM) version 4, they incorporated the shared responsibility model into the framework in a direct effort to address this often problematic gap in who is handling what security controls.

“If you don’t have a huge marketing budget, being on the registry and working with CSA provides you with a huge amount of visibility that you wouldn’t have had.” — John DiMaria

Getting CSA STAR Visibility

Participation in the CSA STAR program can help vendors establish trust in their security measures, but it can do much more. The program also serves as a marketing tool.

SaaS vendors’ information goes in the CSA STAR registry. If you’re in the registry, it’s easier for prospects seeking services like yours to know you exist. John DiMaria likens the STAR registry to “the shopping mall for cloud service providers.”

Everyone recognizes the big players — Microsoft Azure, Amazon Web Services (AWS), and others. But the largest number of cloud service providers aren’t well known. The STAR registry can help put SMB SaaS vendors on the radar, with the added bonus of demonstrating they care about security.

The registry has become one major reason organizations join CSA as members. When you look at marketing and marketing budgets, CSA membership is a drop in the bucket. It’s a compelling way to show you’re secure and compliant in the cloud, which is what clients, regulators and other stakeholders most want to see.

Plus, registered orgs get technical support and an account manager that sticks with you through your whole journey to make sure you get maximum value from the CSA STAR program.

CSA offers a wealth of information along with valuable certifications and training at a compelling price point. It’s a simple, effective, and affordable resource to help both SaaS vendors and their customers improve cloud security.

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player

Need answers regarding ISO 27001 certification requirements?

Learn about the audits you will face to achieve and maintain certification, what's involved, and the cost you can expect to pay to achieve and maintain certification.
Download our NEW ISO Certification and Cost Guide now!