STARWatch Premium

During Q4/2014 CSA interviewed a set of 40 selected stakeholders about their use of the CSA GRC stack and the CSA STAR repository. The results showed that both CSA research products are useful for compliance and consulting services, but the study also identified a clear need for automation. The interviewed stakeholders were particularly interested in automated decision-making tools that support Cloud procurement processes in which security criteria and requirements must be carefully considered. This need was further validated through a SPECS-CSA online survey in 2015, in which 77% of approximately 80 participants said they would pay for decision tools/dashboards for selecting, comparing and ranking CSPs based on their security requirements.

STARWatch is CSA’s response to the identified needs, by delivering—in a database/machine readable format—the content of CSA’s succinct yet comprehensive list of cloud-centric control objectives defined in the Cloud Controls Matrix (CCM) and the corresponding set of control assertion questions in the Consensus Assessments Initiative Questionnaire (CAIQ).
A Premium version of STARWatch is currently in development. It will leverage SPECS' security reasoning techniques to compare cloud service providers by assessing their control matrix responses, and to compare those responses against the enterprise's own security requirements.

Before SPECS:
  • One of the best-known repositories of CSP security information is STAR from the Cloud Security Alliance, but to the best of our knowledge there are no automated decision-making tools that use STAR information to help customers select a CSP. One of the main reasons is CSA STAR's lack of machine-readable information, due in part to the differing format and semantics of the CAIQ questionnaires submitted by the CSPs.
  • For the CSA STAR end-user this results in the need to compare CSPs manually based on the available information, which is time-consuming and error-prone. Furthermore, the end-user has no objective means (and in many cases not the expertise either) to match its organizational security requirements to the CAIQ entries.
  • Limitations in non-SPECS solutions:
    The state of the practice lacks automated tools that aid (prospective) Cloud customers in comparing different CSPs from a security perspective.

After SPECS:
  • The SPECS solution:
    • STARWatch Premium will provide a novel machine-readable repository of Cloud security information.
    • Because the information in STARWatch's repositories will be machine-readable, SPECS' security reasoning techniques can be integrated to allow side-by-side comparison of CSPs against a baseline set of end-user requirements.
    • End-users do not need to be security experts to use this functionality, because security requirements can be specified at different levels of granularity (for example per control domain, per control, or per individual CAIQ question).
    • The security comparison engine is based on state-of-the-art, peer-reviewed techniques.
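The sketch below is an added illustration, not code from STARWatch or the SPECS security reasoner, of what a machine-readable CAIQ repository makes possible: each CSP's answers are a map from question ID to yes/no/na, the enterprise states requirements at domain, control or question granularity, and a small engine scores, flags gaps and ranks the providers. The provider names, question IDs (shaped like CAIQ IDs, e.g. "EKM-02.1") and answers are constructed sample data; the weighting and "mandatory" semantics are assumptions chosen for the example.

```python
"""Added illustration: rank CSPs by matching CAIQ-style answers against enterprise
requirements stated at different granularities. Hypothetical; not the SPECS reasoner."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data (not real STAR submissions). IDs follow the CAIQ-style
# shape domain-control.question, e.g. "EKM-02.1"; answers are "yes", "no" or "na".
CAIQ_RESPONSES: Dict[str, Dict[str, str]] = {
    "CSP-A": {"AIS-01.1": "yes", "AIS-01.2": "yes", "EKM-02.1": "yes", "EKM-02.2": "yes", "IAM-02.1": "no"},
    "CSP-B": {"AIS-01.1": "yes", "AIS-01.2": "no", "EKM-02.1": "yes", "EKM-02.2": "no"},  # IAM-02.1 unanswered
    "CSP-C": {"AIS-01.1": "na", "AIS-01.2": "na", "EKM-02.1": "yes", "EKM-02.2": "yes", "IAM-02.1": "yes"},
}


@dataclass(frozen=True)
class Requirement:
    target: str              # "AIS" (whole domain), "EKM-02" (one control) or "EKM-02.1" (one question)
    weight: float = 1.0
    mandatory: bool = False  # any unmet question under a mandatory requirement disqualifies the CSP


def covers(target: str, question_id: str) -> bool:
    """Match on ID boundaries: a domain target "AIS" covers "AIS-01.1", but a
    mistyped target such as "AIS-0" must not silently match every AIS-0x control."""
    return (question_id == target
            or question_id.startswith(target + "-")
            or question_id.startswith(target + "."))


def requirement_score(req: Requirement, responses: Dict[str, str],
                      universe: List[str]) -> Tuple[float, List[Tuple[str, str]]]:
    """Fraction of the questions the requirement covers that the CSP answered "yes".
    "na" and unanswered questions count as unmet: a reviewer must justify them by hand."""
    questions = [q for q in universe if covers(req.target, q)]
    if not questions:
        raise ValueError(f"requirement {req.target!r} matches no known CAIQ question")
    gaps = [(q, responses.get(q, "unanswered")) for q in questions if responses.get(q) != "yes"]
    return 1.0 - len(gaps) / len(questions), gaps


def evaluate(csp_responses: Dict[str, Dict[str, str]],
             requirements: List[Requirement]) -> Dict[str, dict]:
    """Score every CSP: weighted mean of per-requirement scores, the list of gaps
    (requirement, question, answer), and whether every mandatory requirement was fully met."""
    universe = sorted({q for answers in csp_responses.values() for q in answers})
    total_weight = sum(r.weight for r in requirements)
    results = {}
    for csp, answers in csp_responses.items():
        weighted, gaps, qualified = 0.0, [], True
        for req in requirements:
            score, req_gaps = requirement_score(req, answers, universe)
            weighted += req.weight * score
            gaps.extend((req.target, q, a) for q, a in req_gaps)
            if req.mandatory and req_gaps:
                qualified = False
        results[csp] = {"score": weighted / total_weight, "qualified": qualified, "gaps": gaps}
    return results


def rank(results: Dict[str, dict]) -> List[str]:
    """Qualified CSPs first, best score first; disqualified CSPs after them."""
    return sorted(results, key=lambda c: (not results[c]["qualified"], -results[c]["score"]))


if __name__ == "__main__":
    # A non-expert can state "all of AIS" while an expert pins one question; both coexist.
    reqs = [Requirement("AIS", weight=2), Requirement("EKM-02", weight=4, mandatory=True),
            Requirement("IAM-02.1", weight=1)]
    res = evaluate(CAIQ_RESPONSES, reqs)
    for csp in rank(res):
        r = res[csp]
        print(f"{csp}: score={r['score']:.2f} qualified={r['qualified']} gaps={r['gaps']}")
```

Two design points matter in practice: "na" and unanswered questions are scored as unmet rather than skipped, so a provider cannot improve its standing by leaving questions blank, and the gap list is returned alongside the score so the end-user sees which questions drove the ranking instead of a bare number.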

Leveraged SPECS components:
  • The Premium version of STARWatch will integrate the SPECS security reasoner's techniques (as designed in WP2).
  • Evaluate use of the contributed Security SLA hierarchy (WP2) to guarantee future integration with security SLA specifications.

