C-STAR
CSA (Cloud Security Alliance) officially released its Open Certification Framework (OCF) at the SecureCloud 2012 conference to help cloud service providers make their security practices more transparent, improve the market credibility of cloud services, and raise users' confidence in the security of those services, so that organizations and individual users are willing to adopt the cloud services on offer. OCF is built on the Security, Trust and Assurance Registry (STAR), which is divided into three levels. Each level provides an incremental degree of trust and transparency for the cloud service provider and a correspondingly higher level of assurance for cloud users. The OCF structure is shown in Figure 1.
Figure 1. CSA Open Certification Framework
(1) The first level is self-assessment. A cloud service provider registers on the CSA website and submits a self-assessment report showing that the security controls it has implemented meet the CSA requirements.
(2) The second level is independent third-party certification. Certification by an accredited third-party body confirms that the provider meets the requirements of the CSA Cloud Controls Matrix (CCM) [30]; the CCM can be regarded as a cloud-specific supplement to, and enhancement of, the traditional ISO 27001 security control requirements.
(3) The third level is continuous monitoring. The cloud service provider publishes security monitoring results based on the CSA Cloud Trust Protocol (CTP) and undergoes continuous audit and assessment against the security requirements relevant to its cloud services.
To help cloud service providers demonstrate the security level and security management maturity of their cloud services, CEPREI Certification Body (hereinafter CEPREI) formally began cooperating with CSA in 2014 to carry out third-party assessment and certification at OCF Level 2, namely the C-STAR cloud security assessment. The assessment adopts the latest version of the CSA Cloud Controls Matrix (CCM), the de facto industry standard for cloud computing information security, and combines it with relevant domestic laws and regulations (such as the classified protection scheme and the personal information security specification) and the requirements of GB/T 22080 (the Chinese national standard corresponding to ISO/IEC 27001) to assess the security status of a cloud service. Best practices in cloud computing information security management are used to guide organizations in raising the information security level of their cloud services, thereby reducing the information security concerns associated with cloud services. The structure of C-STAR is shown in Figure 2.
Figure 2. C-STAR structure
The C-STAR assessment is based on the latest version of the CSA Cloud Controls Matrix, CCM v4, combined with the requirements of relevant domestic laws, regulations and standards, which together form the C-STAR cloud security control matrix. The matrix systematically evaluates the security control status of a cloud service across 17 cloud security control domains, including Audit & Assurance, Application & Interface Security, Business Continuity Management & Operational Resilience, Change Control & Configuration Management, and Data Security & Privacy Lifecycle Management. To help organizations evaluate and continuously improve the maturity of their cloud security management, a cloud security management maturity rating is also introduced (maturity scores are given in the assessment report): each security control in the C-STAR cloud security control matrix is rated at one of five levels, and the level represents how mature the cloud service provider's management of that control is.
An organization that passes the C-STAR assessment receives the C-STAR cloud security certificate issued jointly by CEPREI and CSA, registration of the certificate on the official CSA website (which carries international recognition), and a cloud security management maturity report. The assessment helps the organization raise its level of cloud security management, reduce potential risks, protect business continuity, and better meet customers' cloud security requirements. The certificate also demonstrates that the organization's cloud security level is at the front rank of cloud service providers, which supports the secure and effective development of its cloud service business and gives it a competitive advantage in the cloud service industry.
1. C-STAR assessment method
C-STAR assesses the 17 control domains (shown in Figure 3), classifies the information security management status of the cloud service into five levels according to the evaluation results, and finally derives a maturity level for each control domain.
Figure 3: CCM
For a given CCM control domain, the assessor analyzes how each control and its associated management process is managed, measured and institutionalized, and determines whether its characteristics meet the requirements of a given capability level. If they do, the control is judged to have achieved that capability level. The assessor must make a reasoned assessment of all controls in a control domain to confirm that the organization has implemented security controls appropriate to the risks identified in its risk assessment. If a security control in the CCM is not actually implemented, the service provider must justify why the control is excluded from its risk assessment or Statement of Applicability, or show which compensating control covers the same risk.
C-STAR certification covers the assessment of all 17 control domains, and the information security management status of the cloud service is rated at one of five levels according to the scores from the assessment:
2. Certification procedure
During the C-STAR cloud security assessment, the organization shall provide CEPREI with sufficient information for the assessment. Where multiple sites are involved, the certification scope, address and personnel distribution of each site shall be stated; CEPREI conducts the assessment on a sampling basis. If required, the organization may apply to CEPREI for a pre-audit. Stage 1 mainly consists of reviewing the documentation and confirming readiness for Stage 2. Stage 2 evaluates the conformity and effectiveness of the management system and produces the recommended conclusion of the on-site assessment. The C-STAR cloud security assessment process is shown in Figure 4 below.
Figure 4: C-STAR Cloud Security Assessment Process
Before implementing C-STAR, the organization should carefully plan the above implementation steps according to its actual situation and draw up a specific schedule of time and activities so that the implementation is effective. Usually, at least three months of records of effective operation are required. After several internal audits and gradual corrections, the organization can apply for external certification once it believes that its cloud security management system meets the requirements of C-STAR (more specifically, when internal audits are finding fewer non-conformities).
Based on its decades of experience in information security management and on CSA's research results, CEPREI developed the C-STAR assessment program. As the first widely recognized cloud security assessment certification in China, C-STAR has been adopted by well-known enterprises such as Sugon, Kingsoft, Inspur, Ping An, UFIDA and Beisen, and has received wide attention throughout the country.
C-STAR adopts the Cloud Controls Matrix (CCM) released by CSA, the de facto industry standard for cloud computing information security. The evaluation process uses an internationally recognized maturity level evaluation model, combined with the requirements of relevant domestic laws, regulations and standards, to conduct a comprehensive security evaluation of cloud computing services. This improves the security level and management strategy of the cloud service, sharpens the organization's security objectives and preventive measures, and thereby reduces the information security concerns associated with cloud computing services.
(1) Adopt the industry's best cloud security practices (CCM) to raise the level of security control
(2) Demonstrate a security level at the front rank of cloud service providers
(3) Maintain the sustainable development and competitive advantage of the cloud service business
(4) Better meet clients' cloud security requirements
(5) Reduce security risks, losses and costs
(6) Protect the enterprise's reputation, brand and customer trust