Security domains covered by the CCM
- Audit and assurance
- Application and interface security
- Business continuity management and operational resilience
- Change control and configuration management
- Cryptography, encryption and key management
- Datacenter security
- Data security and privacy
- Governance, risk management and compliance
- Human resources security
- Identity and access management
- Interoperability and portability
- Infrastructure and virtualization security
- Logging and monitoring
- Security incident management, e-discovery and cloud forensics
- Supply chain management, transparency and accountability
- Threat and vulnerability management
- Universal endpoint management
Companies using cloud computing services do so for many reasons. For instance, common uses of cloud computing include cloud storage or data backups. This allows a company to save on the expense of using its own data servers, which can significantly lower a company’s IT costs. Many companies are now performing a significant portion of their data analytics in the cloud or using cloud-based technology.
Barrett added that a CSA STAR Attestation is not only good for cloud service providers but is also beneficial to companies that use cloud services at a high volume or for critical or complex business functions.
“Classic cloud service providers as well as smaller service providers can use this attestation, but if you are a company using those cloud services to maintain or process client data, you may also benefit from the additional focus on cloud-specific risks,” Barrett noted. He also clarified that while there is some similar or overlapping criteria, the domains listed in the CCM are intended to complement the TSC addressed through a SOC 2 examination, not replace them. The STAR Attestation can act as a value-add for a company, Barrett said, showing that the business acknowledges that its work in cloud computing requires an extra level of security and thoughtfulness and the company has considered this with the STAR Attestation.
So, what is the difference? A SOC 2 examination can address up to five overall categories — security, availability, confidentiality, processing integrity and privacy. The CCM addresses 17 security domains and their specific uses in cloud computing.
For instance, the TSC requires that an “entity restricts the transmission, movement, and removal of information.” This is often where management will map its encryption controls, but a SOC 2 examination does not necessarily require specifics in this area. The CCM used for the CSA STAR Attestation, however, has an entire domain with 21 control specifications covering cryptography, encryption and key management, and an audit against it tests specifics such as encryption of data at rest and in transit, provisioning each data encryption key for a single, defined purpose, and ensuring that key management procedures meet legal and regulatory requirements. In other words, a CSA STAR audit helps a company identify gaps in encryption and key management that might be overlooked using only a SOC 2.
In another example related to data protection, a SOC 2 addresses in a general way how to properly classify, protect and dispose of data. The CCM, by contrast, lays out very specific steps that need to be followed, such as limiting the use of production data, creating and maintaining a data flow document, and following the entire data security life cycle, added Barrett. He also identified the key differentiator between the two frameworks: the CSA STAR addresses cloud risks in individual, specific steps rather than in the more general way found in the SOC 2. Control specifications in the CCM also give direction on whether each control applies to the cloud service provider, to the cloud service customer, or to both as a shared responsibility.
As mentioned above, obtaining a CSA STAR Attestation also means being listed in a public registry, so clients and customers can easily confirm the attestation. All of these attestations and certifications normally require outside auditors licensed to perform the evaluations. With hacking, fraud and data breaches being ever-increasing threats, businesses taking advantage of cloud computing should strongly consider a CSA STAR Attestation to provide internal and external assurance of data security compliance.