Make sure your cloud provider is STAR registered

In a previous technical report, I mentioned about the urgent need for industry-wide, policy-based approaches to uphold trust in Cloud service providers (CSPs). The Cloud Security Alliance (CSA)’s latest project – the Security, Trust and Assurance Registry (STAR) may prove to be that one policy-based approach that will impact the cloud service provider industry.


CSA STAR is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of CSPs they currently use or are considering. Cloud providers will submit self assessment reports that document compliance to CSA published best practices and then make these assessments available to anyone  contracting with.


In other words, the STAR will gradually act as a community-regulated, transparent white-list/ black-list of cloud service providers.


The rationale behind this is simple. By encouraging positive competition with transparency of available security controls among cloud providers, security becomes a market differentiator and vendors will work hard towards making their cloud more STAR-compliant. This also acts as a responsible self-regulation by the industry, before the eventual (and sometimes rather slow) adoption of international and government regulations on cross-border cloud computing environments.


How is the list derived? Cloud providers volunteer to submit a completed Consensus Assessment Initiative Questionnaire (CAIQ) or CCM whitepaper through CSA. CSA will then verify submission authenticity and will perform a basic check of content accuracy. After which, CSA will digitally sign the entry and add it to the public registry.




CAIQ provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. As shown in the diagram above, the questions also align with several IT Security standards such as COBIT, HIPAA, ISO 27001, PCI DSS, FedRAMP, GAPP, etc.


Finally, the CSA encourages the public to challenge inappropriate uses and objectivity of entries in the STAR. The CSA STAR will be online and available for provider submissions early in Q4 2011. Read more about it at:

I would like to hear from you.  Do you think the CSA Star program will help garner trust with cloud providers?


Related links:


Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author
Dr. Ryan K L Ko is a researcher with the Cloud and Security Lab, HP Labs Singapore. He currently leads HP Labs' TrustCloud project and Cloud...

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.