Cloud Security Alliance, National Technology Security Coalition Release “Streamlining Vendor IT Security and Risk Assessments” Whitepaper

Thursday, December 20, 2018

ATLANTA (December 20, 2018) – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the publication of “Streamlining Vendor IT Security and Risk Assessments: A perspective on standards-based assurance of cloud providers.” Written in partnership with the National Technology Security Coalition (NTSC), a non-profit, non-partisan organization that serves as the preeminent advocacy voice for Chief Information Security Officers (CISOs) across the nation, the paper calls for organizations to reduce their reliance on proprietary, in-house security assessment programs related to cloud computing and instead employ the CSA’s Security, Trust & Assurance Registry (STAR) program and its associated assurance tools as core components of vetting and procuring cloud providers and services. CSA STAR is the world’s leading program for cloud provider assurance.

The paper was announced at the CSA Congress 2018 by keynote speaker Pete Chronis, CISO of Turner and NTSC Board Member: “The CSA and the NTSC are advocating for streamlining and standardizing risk assessments performed by organizations evaluating cloud service providers. We have written a joint white paper with recommendations making it easy for CISOs to implement. The more organizations adopt the principles recommended in the white paper, the more transparency we’ll see from vendors, allowing everyone to benefit.”

“This whitepaper articulates the importance of cloud security at a time when third-party cloud providers create a potential weak point in an organization’s security posture,” said Jim Reavis, CEO of Cloud Security Alliance. “Proprietary, in-house IT security checklists and assessment questionnaires just can’t keep up with the rapid development and real-time evolution of cloud services. An assurance program such as CSA’s Security, Trust & Assurance Registry (STAR) program can create consistency and greater accountability and security within the cloud ecosystem.”

Through the program outlined in the whitepaper:

  • Enterprises can immediately get answers to the most common security concerns from cloud providers and address the small number of residual risks using proprietary tools. They can also speak with a unified and amplified voice to cloud providers and more easily have their priorities addressed by the market.
  • Cloud providers can more rapidly comply with popular standards and provide customers with comprehensive assurance information.
  • Regulatory bodies can reference state-of-the-art best practices within their guidance and prevent regulations from quickly becoming obsolete.
  • The entire industry itself raises its security baseline as all consumers benefit from the efforts of providers to comply with STAR.

“CISOs constantly reference third-party risk, and especially cloud security provider risk, as one of their biggest headaches,” said Patrick Gaul, Executive Director of the NTSC. “The business model of cloud providers and the technology they provide makes it difficult for CISOs to have visibility and transparency into third-party cloud security. However, we want to avoid the pitfalls of highly prescriptive legislative or regulatory compliance requirements that do not effectively solve the root problem or promote trust. This whitepaper outlines a much less prescriptive, flexible, and standards-based program that encourages cloud providers to improve security while easing the stress on CISOs in managing the security risks associated with these providers.”

In addition to partnering on this cloud security vetting program, the CSA and the NTSC will also continue to participate in each other’s events, discuss industry issues in working groups, and collaborate on research involving cloud security. The NTSC encourages dialogue about cybersecurity issues, laws, and regulations through advocacy engagement with congressional members, regional CISO policy roundtables, and an annual DC Fly-In as part of its National CISO Policy Conference. The CSA holds many conferences, summits, events, and forums around the world to promote the use of best practices for providing security assurance within cloud computing.

About the National Technology Security Coalition (NTSC)

The National Technology Security Coalition (NTSC) is a non-profit, non-partisan organization that serves as the preeminent advocacy voice for Chief Information Security Officers (CISOs) across the nation. Through dialogue, education, and government relations, we unite both public and private sector stakeholders around policies that improve national cybersecurity standards and awareness. To learn more about joining or underwriting NTSC, visit or follow us on Twitter @NTSC_CISO.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.

Kari Walker for the CSA
ZAG Communications

Patrick Gaul