During Q4/2014, CSA interviewed a set of 40 selected stakeholders about their usage of the CSA GRC stack and the CSA STAR repository. The results showed the usefulness of both CSA research products for compliance and consulting services; however, the study also identified a clear need for automation. The interviewed stakeholders were particularly interested in automated decision-making tools to facilitate cloud procurement processes, where security criteria and requirements should be carefully considered. This need was further validated through a SPECS-CSA online survey in 2015, in which 77% of approximately 80 participants were willing to pay for decision tools/dashboards for selecting, comparing and ranking CSPs based on their security requirements.
STARWatch is CSA’s response to the identified needs. It delivers, in a database/machine-readable format, the content of CSA’s succinct yet comprehensive list of cloud-centric control objectives defined in the Cloud Controls Matrix (CCM) and the corresponding set of control assertion questions in the Consensus Assessments Initiative Questionnaire (CAIQ).
A Premium version of STARWatch is in development now. It will leverage SPECS’ security reasoning techniques to offer the ability to compare cloud service providers by assessing their control matrix responses, and to compare those responses against the enterprise’s security requirements.
[Figure panels: Before SPECS; After SPECS]
Leveraged SPECS components:
- The Premium version of STARWatch will integrate the SPECS security reasoner’s techniques (as designed in WP2).
- Evaluate leveraging the contributed Security SLA hierarchy (WP2) in order to guarantee future integration with security SLA specifications.