In the rapidly evolving landscape of digital operations, security is crucial. With so much sensitive information now being stored in the cloud, protecting it is a priority for both cloud providers and customers. We are pleased to announce that we are the FIRST cybersecurity software company from Singapore and likely Southeast Asia to achieve CSA (Cloud Security Alliance) STAR Level 2 certification. This certification demonstrates our commitment to cloud security, privacy controls, data protection, and quality. It also shows our dedication to fortifying our overall security measures through maintaining robust security systems and reliable processes.
What is CSA STAR?
The Cloud Security Alliance (CSA) is a nonprofit organization dedicated to establishing best practices for secure cloud computing. The CSA Security, Trust, Assurance, and Risk (STAR) program is a robust security assurance initiative for the cloud. STAR represents transparency, rigorous auditing, and standardisation of guidelines in the Cloud Controls Matrix (CCM).
CCM comprises 197 control objectives spread across 17 domains, forming a detailed control framework. It helps cloud customers evaluate the overall security risk of a cloud service solution provider (CSP), ensuring a thorough assessment of fundamental security principles.
By achieving CSA STAR Level 2 certification, organizations demonstrate their commitment to best practices and validate the security of their cloud services. This not only benefits customers seeking secure cloud solutions but also allows solution providers to demonstrate robust controls to both current and future clients.
CSA STAR Level 1
The entry-level certification validates a CSP’s commitment to foundational security requirements and aligns with the CSA’s Cloud Controls Matrix (CCM). It is a starting point, indicating the provider’s acknowledgment of essential security protocols. Level 1 is a free self-assessment conducted internally and does not require third-party approval.
To attain CSA STAR Level 1, the cloud service provider only needs to complete and submit the CAIQ (Consensus Assessments Initiative Questionnaire).
CSA STAR Level 2
CSA STAR Level 2 certification indicates a high level of maturity in the implementation of strict security protocols and practices within an organization’s cloud infrastructure. It involves a complete assessment of security controls, processes, and compliance with industry standards, performed by independent auditors. This level emphasizes not only the presence of security measures but also their effectiveness and alignment with industry best practices.
For more information on InsiderSecurity’s CAIQ and Level 2 certification, please visit the official registry at Insider Security Pte Ltd on CSA STAR.
CSA STAR and ISO 27001: What’s the connection?
CSA STAR and ISO 27001 both aim to ensure that companies protect their information. Certifications from CSA STAR can be used to enhance existing information security certification and audit programs. This simplifies the assessment process and allows companies to assess their compliance with information security standards and cloud security standards simultaneously. Now, let’s explore how STAR differs from ISO/IEC 27001.
CSA STAR Certification incorporates the fundamental requirements of the ISO/IEC 27001:2013 management system standard, integrating them with cloud-specific criteria from the CSA Cloud Controls Matrix (CCM). Moreover, the STAR Certification path involves a comprehensive maturity model assessment, evaluating the organization’s maturity against CSA’s proprietary criteria. This evaluation highlights the strengths and weaknesses of processes by utilizing CCM domains as measurable indicators. Crucially, this assessment serves as an internal report for the client, fostering a culture of continual improvement within the organization.
The significant distinction between CSA STAR and ISO 27001 lies in the concept of the Shared Security Responsibility Model (SSRM). The 197 controls necessitate a clear delineation of specific responsibilities for each control, clarifying InsiderSecurity’s accountability. The table below illustrates ownership of SSRM controls and their implications:
| SSRM Control Ownership | Description |
| --- | --- |
| CSP-owned | When the CSP (Cloud Service Provider) is InsiderSecurity, CSP-owned signifies that InsiderSecurity is solely responsible for the control. This category encompasses the majority of controls outlined in InsiderSecurity’s CAIQ. |
| Shared CSP and CSC | When both the CSP (InsiderSecurity) and CSC (Cloud Service Customer) share responsibility for the control. |
| Shared CSP and 3rd-party | When the CSP (InsiderSecurity) and a 3rd-party cloud service provider (e.g. AWS or Azure, where our services are hosted) share responsibility for the control. |
In addition to SSRM, the inquiry delves deeper into controls specifically tailored for the cloud-native environment. For instance, the subsequent table outlines inquiries for controls frequently encountered in cloud-native settings:
| Domain | Question ID | Question | Rationale |
| --- | --- | --- | --- |
| CEK – Cryptography, Encryption and Key management | CEK-08.1 | Are CSPs providing CSCs with the capacity to manage their own data encryption keys? | Many cloud service providers host data and services within a multitenant environment. In such cases, customers may desire a distinct encryption key for their data, particularly when it is stored alongside another customer’s data in the same database. |
| IPY – Interoperability & Portability | IPY-02.1 | Are CSCs able to programmatically retrieve their data via an API to enable interoperability and portability? | A cloud service customer faces reduced risk of vendor lock-in when the data supplied by the provider is portable. Integration of multiple cloud services becomes more feasible for the customer if the provider offers API support. |
Why is CSA STAR Level 2 important for our customers, partners and stakeholders?
InsiderSecurity’s attainment of CSA STAR Level 2 bears multifaceted advantages for its customers, partners, and the broader ecosystem:
- Commitment to Security: The CSA STAR Level 2 certification shows InsiderSecurity’s commitment to robust security measures. It showcases the capability to safeguard sensitive information.
- Support for Customers and Partners: The certification aids customers and partners in meeting their security requirements and compliance standards.
- Enhanced Transparency: Transparency across all involved parties fosters better alignment of security practices and posture. This creates a more trustworthy environment and facilitates streamlined collaboration.
- Efficiency in Onboarding: The certification streamlines security protocols when vetting or onboarding new business relationships. This efficiency expedites partnerships, making processes smoother and more secure.
The CSA STAR Level 2 certification process
The journey towards attaining CSA STAR Level 2 was a challenging yet rewarding one. It involved meticulous examination of our existing security protocols, processes, and infrastructure. The process began with a comprehensive assessment of our security controls against the CSA STAR Level 2 requirements. This involved thorough documentation, evidence collection, and implementation of additional measures where necessary.
Independent auditors conducted rigorous evaluations, scrutinizing every aspect of our security framework. Their assessments gauged not only the presence but also the effectiveness of our security measures. The process involved collaboration across various teams within InsiderSecurity, ensuring that every department aligned its practices with the stringent security standards.
Throughout this journey, we fostered a culture of continuous improvement, leveraging insights from the assessment to refine and strengthen our security posture further. The dedication and collaboration of our teams were instrumental in achieving this certification, reflecting our commitment to prioritize security and safeguard data above all else.
We had the pleasure of hosting the certification body @BSI (British Standards Institution) for the presentation of CSA STAR Level 2