In my last post, I taught you a new way to think about ‘twinkling stars’. This time, I want to talk about a new kind of star - the CSA S.T.A.R. or Cloud Security Alliance Security Trust & Assurance Registry.
First, a short introduction to the Cloud Security Alliance or CSA. CSA was founded in December 2008 by a group of security professionals. They observed that cloud services were growing very quickly, and that there was very little in the way of recognized industry standards when it came to security. The CSA was founded to promote the use of best practices for providing security assurance within cloud computing. Since 2008, the CSA has become a recognized leader in the cloud security space, working closely with recognized organizations such as ISACA, ISO, RSA and ENISA.
Accordingly, inContact joined the CSA family this year, where I have been participating in the CSA as a co-chair for the Subject Matter Expert Working Group and in speaker selections for this year’s CSA Congress.
The CSA has produced a great deal of material that can be used by both cloud providers and customers. Two such documents are the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ). Briefly, these two documents can be downloaded, and they provide categories and lists of controls that the CSA recommends as best practices for cloud service providers and their customers. The CCM even identifies how the CSA controls align to other standards such as COBIT, HIPAA, ISO 27001, PCI, NIST and others. For our part, inContact has been studying these CSA best practices and using them to align our controls with CSA recommendations.
With S.T.A.R., CSA will develop a list or registry of cloud providers that are aligning themselves with CSA best practices. This registry, in turn, will be a tool for current and prospective cloud customers to help them assess cloud providers they are using or considering. S.T.A.R. will be launched in Q4 of 2011. inContact will be participating. One of the missions of the Trust Office has always been to promote transparency in our operations and practices. S.T.A.R. will be a valuable tool to assist in that mission as it will provide an excellent structure around which to discuss inContact controls and provide the transparency our customers need.