CSA STAR Attestation focuses on cloud security


Most businesses these days need to maintain the safety and confidentiality of their electronic data as a basic operational function — and that often means demonstrating this commitment with a System and Organization Controls (SOC) 2 examination of the company.


But as more businesses discover both the need for and the advantages of using cloud computing, the complexities of the interactions involved can also generate a need for extra scrutiny on the safety, accuracy and confidentiality of the data being stored and used — something more than a SOC 2 can reasonably assure.


The AICPA’s SOC 2 examination is a common standard that qualified auditors can perform for companies to report on their control framework and determine if their systems reach an acceptable level of technological security compliance. With online and electronic business transactions being ubiquitous in the United States, the AICPA’s SOC 2 examination is almost a necessity for a company to signify it is ensuring that the data of its customers, clients and employees is safeguarded from tampering or theft to an acceptable level. Significantly, the reputation of the auditor performing the SOC 2 is at stake as well.


“But the level of assurance provided by a SOC 2 report may not be enough for some companies,” said Brad Barrett, a Grant Thornton partner specializing in risk management. Using cloud computing involves some risks that may not be addressed in a traditional SOC 2 examination. For those reasons, companies that provide cloud computing for clients, or even companies that use cloud computing for processing critical transactions, should consider building on the Trust Services Criteria (TSC) addressed within a SOC 2 by attaining a Security, Trust, Assurance and Risk (STAR) Attestation from the Cloud Security Alliance (CSA). CSA STAR addresses the standards outlined in the CSA’s Cloud Controls Matrix (CCM), which covers 17 domains and focuses on cloud technology. The end result of this examination is an independent opinion covering both the TSC and the CCM, a SOC 2 + CSA STAR report, and inclusion on the CSA’s STAR registry.


Security domains covered by the CCM
  • Audit and assurance
  • Application and interface security
  • Business continuity management and operational resilience
  • Change control and configuration management
  • Cryptography, encryption and key management
  • Datacenter security
  • Data security and privacy
  • Governance, risk management and compliance
  • Human resources security
  • Identity and access management
  • Interoperability and portability
  • Infrastructure and virtualization security
  • Logging and monitoring
  • Security incident management, e-discovery and cloud forensics
  • Supply chain management, transparency and accountability
  • Threat and vulnerability management
  • Universal endpoint management

Companies using cloud computing services do so for many reasons. For instance, common uses of cloud computing include cloud storage or data backups. This allows a company to save on the expense of using its own data servers, which can significantly lower a company’s IT costs. Many companies are now performing a significant portion of their data analytics in the cloud or using cloud-based technology.


Barrett added that a CSA STAR Attestation is not only good for cloud service providers but is also beneficial to companies that use cloud services at a high volume or for critical or complex business functions.


“Classic cloud service providers as well as smaller service providers can use this attestation, but if you are a company using those cloud services to maintain or process client data, you may also benefit from the additional focus on cloud-specific risks,” Barrett noted. He also clarified that while there are some similar or overlapping criteria, the domains listed in the CCM are intended to complement the TSC addressed through a SOC 2 examination, not replace them. The STAR Attestation can act as a value-add for a company, Barrett said, showing that the business acknowledges that its work in cloud computing requires an extra level of security and thoughtfulness, and that the company has addressed this through the STAR Attestation.


So, what is the difference? A SOC 2 examination can address up to five overall categories — security, availability, confidentiality, processing integrity and privacy. The CCM addresses 17 security domains and their specific uses in cloud computing.


For instance, the TSC requires that an “entity restrict the transmission, movement, and removal of information.” This is often where management will map their encryption controls, but a SOC 2 examination does not necessarily require specifics in this area. However, the CCM used for the CSA STAR Attestation has an entire domain with 21 control specifications related to encryption and key management, and will test specifics such as encryption of data at rest and in transit, managing data encryption keys provisioned for a unique purpose, and making sure procedures for key management meet legal and regulatory requirements. In other words, a CSA STAR audit will help the company identify gaps in encryption key management that might otherwise be overlooked using only the SOC 2.


In another example related to data protection, the SOC 2 will address in a general way how to properly classify, protect and dispose of data. But the CCM lays out very specific steps that need to be followed, such as limiting production data use, creating and using a data flow document, and following the entire data security life cycle, added Barrett. He also identified the differentiator between the two frameworks — the CSA STAR specifically addresses cloud risks in individual steps rather than in the more general way found in the SOC 2. Control specifications in the CCM also give direction on whether each control should apply to the cloud service provider, to the cloud service customer, or as a shared responsibility.


As mentioned above, obtaining a CSA STAR Attestation also means being part of a public registry of companies, so clients and customers can easily confirm this certification. All these certifications normally require outside auditors licensed to perform these evaluations. With hacking, fraud and data breaches being ever-increasing threats, businesses taking advantage of the benefits of cloud computing should strongly consider a CSA STAR Attestation to provide internal and external assurances of data security compliance.
