The CSA STAR (Security, Trust & Assurance Registry) programme was established by the Cloud Security Alliance (CSA) to increase transparency, trust and security in cloud computing. By making security practices visible and standardising them, it aims to reduce risk and build trust between the Cloud Service Provider (CSP) and its customers.
It has long been anticipated that CSA STAR would introduce Level 3, a more advanced level of assurance for cloud service providers (CSPs) beyond Level 1 (self-assessment) and Level 2 (third-party audit).
Level 3 is focused on continuous monitoring: ensuring that CSPs consistently meet security, privacy and compliance requirements over time, replacing manual, point-in-time processes and thereby reducing the opportunity for error. Continuous monitoring has become a recurring theme, with more and more regulations requiring it. However, although anticipated in 2023, Level 3 Continuous Monitoring has yet to be introduced.
Why has Level 3 Continuous Monitoring not yet been released? Perception versus reality
CSA has published little detail on why the delay has occurred, but there are a number of plausible reasons.
- The Perception: Complexity of Continuous Monitoring
CSA may feel that CSPs would struggle to implement continuous monitoring. The perception may be that deploying the right technology to track controls in real time, automate the process and report continually is technically and financially challenging.
The Reality: Automation and Scalability Transform Operational Resilience
Automation in continuous controls monitoring significantly reduces manual work, making it far less complex and labour-intensive than traditional, periodic monitoring. By automating critical tasks, such as compliance checks, detection of control degradation and reporting, CSPs can achieve continuous oversight without extensive human resources.
The scalability of CCM platforms allows them to grow with a CSP's environment, handling infrastructure changes, increased data volumes and more sophisticated threats. Automation and scalability together provide robust monitoring while keeping costs manageable.
- The Perception: Lack of Standardised Metrics
Organisations may think that for continuous monitoring to be wholly effective there must be standardised metrics, and that without universally accepted benchmarks or a common framework it will be difficult to ensure consistency and reliability.
The Reality:
The CSA Cloud Controls Matrix already provides a shared control catalogue, so metrics can be defined per control rather than per vendor. A Continuous Controls Monitoring platform then offers centralised dashboards and cross-environment integrations that connect to your cloud and on-premise estate, unifying disparate tools and data sources and applying real-time analytics to reduce the complexity of monitoring multiple environments. This provides a single source of truth: a cohesive view of all security metrics.
- The Perception: CCM is a Cost and Resource Drain
There is likely to be concern that implementing a CCM platform is costly and that maintaining it is a significant drain on resources.
The Reality:
Think of it this way: how much would a breach cost your organisation if it resulted from a control that was not being continually monitored?
That aside, most CCM providers evolve the platform as your organisation does. It can be tailored to your organisation's needs, so you can focus on high-risk areas first and build the platform out from there.
If you have a set number of controls you want to monitor, you can start with just those, adding capabilities such as asset visibility and additional regulatory frameworks as you need them. And if you choose a vendor that offers continual support across scoping, onboarding and post-implementation, your organisation gains visibility of its entire ecosystem without carrying the burden of implementing the whole platform itself.
- The Perception: The Evolving Threat Landscape
Businesses have a lot to contend with, and it is not getting easier: with artificial intelligence the threat landscape is constantly evolving, and CSPs have to keep updating their monitoring capabilities. This dynamic nature could mean that a Level 3 standard needs constant revision, further delaying its finalisation and implementation.
The Reality:
CCM solutions can map to compliance frameworks such as the CSA Cloud Controls Matrix, ISO 27001 and others (note that the Cloud Controls Matrix is also abbreviated CCM; elsewhere in this article CCM means Continuous Controls Monitoring). The vendor keeps these framework mappings up to date, so CSPs do not have to track every regulatory change themselves. This reduces both the operational and financial burden of compliance by removing the need for CSPs to develop and maintain the control mappings in-house, although the CSP remains accountable for the controls actually being effective.
- The Perception: CSPs Are Not Ready for Continuous Monitoring
Many CSPs may not yet be fully prepared for continuous monitoring, either because of gaps in their security practices or because they have not yet adopted the tools needed for automation and real-time reporting. There may also be concerns about the impact of continuous auditing on day-to-day operations, or about being penalised for technical issues that surface during audits.
The Reality:
Organisations need not fear a CCM platform surfacing compliance issues: that is the point. With CCM, CSPs gain real-time insight into their risk and security posture, allowing them to address issues before they escalate. This reduces costly firefighting after incidents; instead, CSPs can focus on high-impact areas, guided by continuous oversight that prioritises emerging risks. It also means you are always in a state of compliance readiness: continuous controls monitoring keeps CSPs audit-ready at all times by ensuring they remain aligned with security and compliance requirements. The CCM solution can automatically generate reports and maintain evidence logs, which simplifies the audit process and reduces its cost and disruption.
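To make concrete what the automated tasks described above (compliance checks, detection of control degradation, evidence logs) look like in practice, here is an added example of a minimal continuous controls monitoring cycle. It is illustrative code written for this article, not any vendor's platform: the two configuration snapshots are constructed stand-ins for what a platform would pull from cloud provider APIs each cycle, and the control identifiers (STOR-1, IAM-1, LOG-1) are assumed labels, not Cloud Controls Matrix or ISO 27001 numbers. Each cycle evaluates every control, compares the result with the previous cycle so that a control that has degraded since the last pass is flagged, and appends the results to a hash-chained evidence log that an auditor can verify has not been edited after the fact.

```python
"""Illustrative continuous controls monitoring cycle (added example, not product code):
evaluate controls against a configuration snapshot, detect control degradation
between cycles, and keep tamper-evident evidence of every evaluation."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Callable

# Constructed snapshots standing in for what a platform would collect from cloud
# provider APIs. T0 is a clean baseline; by T1 two settings have drifted.
SNAPSHOT_T0 = {
    "buckets": [{"name": "logs", "public": False}, {"name": "backups", "public": False}],
    "iam_users": [{"name": "alice", "mfa": True}, {"name": "bob", "mfa": True}],
    "audit_log": {"enabled": True, "retention_days": 365},
}
SNAPSHOT_T1 = {
    "buckets": [{"name": "logs", "public": False}, {"name": "backups", "public": True}],
    "iam_users": [{"name": "alice", "mfa": True}, {"name": "bob", "mfa": False}],
    "audit_log": {"enabled": True, "retention_days": 365},
}


@dataclass(frozen=True)
class Control:
    control_id: str      # assumed labels; a real deployment maps these to CCM / ISO 27001 control numbers
    description: str
    check: Callable[[dict], list[str]]  # returns findings; an empty list means the control passes


def no_public_buckets(snap: dict) -> list[str]:
    return [f"bucket '{b['name']}' is publicly readable" for b in snap["buckets"] if b["public"]]


def all_users_have_mfa(snap: dict) -> list[str]:
    return [f"user '{u['name']}' has no MFA" for u in snap["iam_users"] if not u["mfa"]]


def audit_logging_retained(snap: dict, min_days: int = 365) -> list[str]:
    log = snap["audit_log"]
    findings = []
    if not log["enabled"]:
        findings.append("audit logging disabled")
    if log["retention_days"] < min_days:
        findings.append(f"retention {log['retention_days']}d below {min_days}d")
    return findings


CONTROLS = [
    Control("STOR-1", "No object storage is publicly readable", no_public_buckets),
    Control("IAM-1", "All human identities enforce MFA", all_users_have_mfa),
    Control("LOG-1", "Audit logging enabled with at least one year of retention", audit_logging_retained),
]


def evaluate(snapshot: dict, checked_at: str) -> dict[str, dict]:
    """Run every control against one snapshot: one monitoring cycle."""
    results = {}
    for c in CONTROLS:
        findings = c.check(snapshot)
        results[c.control_id] = {"status": "fail" if findings else "pass",
                                 "findings": findings, "checked_at": checked_at}
    return results


def degraded_controls(previous: dict[str, dict], current: dict[str, dict]) -> list[str]:
    """Controls that passed last cycle and fail now: the drift a point-in-time audit would miss."""
    return [cid for cid, r in current.items()
            if r["status"] == "fail" and previous.get(cid, {}).get("status") == "pass"]


class EvidenceLog:
    """Append-only, hash-chained record of evaluations. Each entry commits to the
    previous entry's hash, so editing or dropping history breaks verification."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, results: dict[str, dict]) -> str:
        prev_hash = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps({"prev": prev_hash, "results": results}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"prev": prev_hash, "results": results, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev_hash = "0" * 64
        for e in self.entries:
            body = json.dumps({"prev": e["prev"], "results": e["results"]}, sort_keys=True)
            if e["prev"] != prev_hash or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev_hash = e["hash"]
        return True


def run_cycles() -> tuple[list[str], EvidenceLog]:
    """Two monitoring cycles over the constructed snapshots; returns degraded controls and the log."""
    log = EvidenceLog()
    t0 = evaluate(SNAPSHOT_T0, "2024-01-01T00:00:00Z")
    log.append(t0)
    t1 = evaluate(SNAPSHOT_T1, "2024-01-01T01:00:00Z")
    log.append(t1)
    return degraded_controls(t0, t1), log


if __name__ == "__main__":
    drifted, log = run_cycles()
    print("degraded since last cycle:", drifted)
    print("evidence chain intact:", log.verify())
```

Running it flags STOR-1 and IAM-1 as degraded between the two cycles while LOG-1 stays green, and the evidence chain verifies until any stored result is altered. In a real platform the checks would query provider APIs and the evidence would be signed and stored outside the monitored environment, but the loop structure (collect, evaluate, diff against the last cycle, record) is the whole of what "continuous" adds over a periodic audit.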
While there may be upfront investment, CCM delivers a compelling long-term return by reducing the time and resources spent on compliance, enhancing operational efficiency and mitigating the risk and cost of security incidents. Over time, CSPs save significantly on compliance and operational costs, turning continuous monitoring into a strategic, value-driven investment. Our customers typically report that visibility into their organisation has increased by more than 75%.