Grounded in the Cloud

Make sure your cloud provider is STAR registered

RyanKo ‎10-10-2011 04:15 PM - edited ‎10-10-2011 05:52 PM

In a previous technical report, I mentioned the urgent need for industry-wide, policy-based approaches to uphold trust in cloud service providers (CSPs). The Cloud Security Alliance (CSA)'s latest project, the Security, Trust and Assurance Registry (STAR), may prove to be one such policy-based approach that will impact the cloud service provider industry.


CSA STAR is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of CSPs they currently use or are considering. Cloud providers submit self-assessment reports that document their compliance with CSA-published best practices, and then make these assessments available to anyone contracting with them.


In other words, the STAR will gradually act as a community-regulated, transparent whitelist/blacklist of cloud service providers.


The rationale behind this is simple. By encouraging positive competition through transparency of the security controls available from each cloud provider, security becomes a market differentiator, and vendors will work hard to make their cloud more STAR-compliant. This also acts as responsible self-regulation by the industry, ahead of the eventual (and sometimes rather slow) adoption of international and government regulations for cross-border cloud computing environments.


How is the list derived? Cloud providers volunteer to submit a completed Consensus Assessment Initiative Questionnaire (CAIQ) or a Cloud Controls Matrix (CCM) whitepaper through CSA. CSA then verifies the authenticity of the submission and performs a basic check of content accuracy. After that, CSA digitally signs the entry and adds it to the public registry.




The CAIQ provides a set of over 140 questions that a cloud consumer or cloud auditor may wish to ask of a cloud provider. As shown in the diagram above, the questions also map to several IT security standards and frameworks, such as COBIT, HIPAA, ISO 27001, PCI DSS, FedRAMP and GAPP.


Finally, the CSA encourages the public to challenge the objectivity of entries in the STAR and any inappropriate use of them. The CSA STAR will be online and available for provider submissions early in Q4 2011. Read more about it at:

I would like to hear from you. Do you think the CSA STAR program will help garner trust in cloud providers?


About the Author


Dr. Ryan K L Ko is a researcher with the Cloud and Security Lab, HP Labs Singapore. He currently leads HP Labs' TrustCloud project and Cloud Security Alliance's Cloud Data Governance Working Group.
