OneLogin has been proactive in working with the Cloud Security Alliance, whose mission is to promote best practice in the provision of security assurance within cloud computing. The CSA Security, Trust & Assurance Registry (CSA STAR) is a free, publicly accessible registry documenting security controls published by various cloud service providers, thereby helping users assess the security of cloud services they currently use or are considering contracting with.
What’s the primary purpose of this initiative?
The CSA STAR program consists of three levels of assurance, which currently cover four unique offerings, all based upon a succinct yet comprehensive list of cloud-centric control objectives in the CSA’s Cloud Controls Matrix (CCM). CCM is the only meta-framework of cloud-specific security controls, mapped to leading standards, best practices and regulations. CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to cloud computing.
What’s the scope?
CSA STAR Level One is a self-assessment that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering using. OneLogin provides a completed Consensus Assessments Initiative Questionnaire (CAIQ). The CAIQ is organized using 16 governing & operating domains divided into “control areas” within CSA’s Controls Matrix structure, including:
- Application & Interface Security,
- Audit Assurance & Compliance,
- Business Continuity Management & Operational Resilience,
- Change Control & Configuration Management,
- Data Security & Information Lifecycle Management,
- Datacenter Security,
- Encryption & Key Management,
- Governance and Risk Management,
- Human Resources,
- Identity & Access Management,
- Infrastructure & Virtualization Security,
- Interoperability & Portability,
- Mobile Security,
- Security Incident Management, E-Discovery & Cloud Forensics,
- Supply Chain Management, Transparency and Accountability,
- Threat and Vulnerability Management.
How often are you evaluated/audited?
Self-assessments are performed annually or when significant changes to the control environment occur.
Who performs the evaluation/audit?
Who is the primary audience?
Customers and relevant third parties with a business need.
Where can I get a copy of the report/certificate?
The registry is public and accessible from the CSA website.