惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog
C
Check Point Blog
The GitHub Blog
The GitHub Blog
Y
Y Combinator Blog
SecWiki News
SecWiki News
有赞技术团队
有赞技术团队
Latest news
Latest news
D
DataBreaches.Net
Blog — PlanetScale
Blog — PlanetScale
Project Zero
Project Zero
H
Help Net Security
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
G
GRAHAM CLULEY
Engineering at Meta
Engineering at Meta
T
Threat Research - Cisco Blogs
腾讯CDC
P
Proofpoint News Feed
L
LINUX DO - 热门话题
C
Cisco Blogs
P
Palo Alto Networks Blog
Vercel News
Vercel News
P
Privacy International News Feed
爱范儿
爱范儿
Scott Helme
Scott Helme
L
Lohrmann on Cybersecurity
MyScale Blog
MyScale Blog
K
Kaspersky official blog
B
Blog RSS Feed
美团技术团队
Microsoft Security Blog
Microsoft Security Blog
O
OpenAI News
博客园 - 叶小钗
量子位
T
Tenable Blog
C
Cybersecurity and Infrastructure Security Agency CISA
J
Java Code Geeks
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hacker News: Ask HN
Hacker News: Ask HN
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
L
LINUX DO - 最新话题
F
Fortinet All Blogs
N
News | PayPal Newsroom
The Hacker News
The Hacker News
C
CXSECURITY Database RSS Feed - CXSecurity.com
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
博客园 - 【当耐特】
N
News and Events Feed by Topic
V
Visual Studio Blog
Google DeepMind News
Google DeepMind News
Last Week in AI
Last Week in AI

Cloud Security Alliance

SearchLeak: Copilot Data Exfiltration Exploited | CSA Zero-Trust AI Governance for Multi-Agent Systems | CSA Dangling CNAMEs: Hidden Cloud Risk | CSA Agentic Payments in Financial Services | CSA Mythos and the Future of Cybersecurity | CSA AI-Driven Cloud Risk: Defenders Lose Ground | CSA Financial Services Industry Shifts from AI Adoption to | CSA CSAI Foundation Announces RiskRubric V2 as the Next Key | CSA RiskRubric Updates: AI Risk Assessment | CSA Over 80% of Organizations that Miss 24-Hour Patch Window Report | CSA ORCHIDEAS & MAESTRO: Secure AI Design | CSA Top 6 Claude Security Risks to Watch | CSA Cloud Cost Optimization in 2026 | CSA HIPAA Rule Overhaul in 2026 | CSA AI-Driven Exploits Outsmart Detection | CSA MCP Risks CISOs Should Prepare For | CSA AI Governance for Trust and Compliance | CSA MTTP: Patch Cycles Too Slow | CSA Cloud Security Evolution: Security Teams Lead | CSA Misconfigurations Break Customer Trust in Apps | CSA Taming Shadow AI: C-Suite Strategies | CSA Agentic AI Threats: Five Powers | CSA AIUC-1: Agentic AI Governance | CSA 2026 Threat Report for CISOs | CSA Securing AI in AWS: Runtime Detection & Response | CSA SLMs, LLMs, and the DSPM Difference | CSA OT Security Timeline: Mythos and Patch Pace | CSA Blast Radius and Cloud Threat Detection | CSA State of AI Cybersecurity 2026: 92% Concerned | CSA AI in MDR for Franchise & Multi-Location Ops | CSA AI Regulation: Identity and Authorization Gap | CSA MITRE ATT&CK for Cloud: Detection Coverage Guide | CSA Shadow AI Agents: The Insider Threat | CSA Medical Device Breaches Reveal Cloud Security Gaps | CSA AISMM: AI Security Maturity Model for Cloud | CSA Globee® Awards for Artificial Intelligence (AI) Honors Cloud | CSA Patching Smarter for Mythos Security | CSA SDP v3: Identity-First Zero Trust for AI | CSA AI-Ready Security Documents Beyond STIX, OSCAL, and SARIF | CSA Penetration Testing for ISO 42001 & Trust | CSA AI Agent Posture: Data-First Security Guardrails | CSA AI Agents Go Beyond Output: Enterprise Security | CSA AI Agent Security Starts with Scope Control | CSA Identity Spoofing vs. Identity Abuse | CSA AARM: Securing the Agentic Runtime | CSA Securing the Agentic Control Plane | CSA CSAI Foundation Announces Key Milestones to Secure the Agentic | CSA Catastrophic AI Risk Controls | CSA Cloud to AI: Building Secure Programs | CSA Identity in AI Era: Zero Trust's First Pillar | CSA SDLC Visibility: Securing Multi-Cloud Development Lifecycles | CSA Cloud Risk: Top 3 Threats & AI Tools | CSA AI Agent Identity Is Solved Backwards | CSA 8 Truths About Cloud Privilege Risk | CSA AI Governance: Mature Programs | CSA Agent Access Management: Data-First Security | CSA Glasswing: AI-Driven Security for Safer Software | CSA Runtime Security: Detection & Real-Time Cloud | CSA Identity as the OS for AI Security | CSA Cloud Misconfigurations Drive Attacks at Scale | CSA Sensing AI Behavior with the WBSC Probe Library | CSA An Actionable Guide to GDPR Compliance for Startups | CSA Cloud Security LIVE 2026: AI Risk & Trust | CSA Shadow AI Agents: Enterprise Governance | CSA Rethinking Non-Human Identity Security | CSA New Cloud Security Alliance Survey Reveals 82% of Enterprises Have Unknown AI Agents in Their Environments More Than Half of Organizations Experience AI Agent Scope | CSA SANS Institute, Cloud Security Alliance, [un]prompted, and OWASP | CSA AI Agents Are Talking: Are You Listening? | CSA Software Supply Chain Security Needs an Upgrade Choosing the Right AI Standard: 7-Point Guide | CSA Audience-Driven Authorization for AI Agents | CSA A CISO's Guide to Cloud Security Architecture | CSA Who’s Behind That Action? The AI Agent Identity Crisis SSCF Adoption for SaaS Security | CSA Mythos and the Vulnpocalypse: Cloud Defenses | CSA AI Security Risks and Data Visibility | CSA From Compliance to Credibility with CAIQ/CCM | CSA The State of Cybersecurity in the Finance Sector: Six Trends to Watch EU AI Act Compliance with prEN 18286 & ISO 42001 | CSA AI Security in the Cloud: Exposure Management | CSA Rethinking Incident Response as Engineering System | CSA Defense Depends on the Creator: AI Security | CSA ATF: Zero Trust for AI Agents | CSA Cybersecurity Needs a New Data Architecture | CSA Unstructured Data Surges as Enterprises Struggle to Maintain | CSA SC Media Names Cloud Security Alliance’s Trusted AI Safety | CSA Exposed AWS Key Leads to Full Account Takeover | CSA Post-Quantum Cloud Migration for CSA Members | CSA AI Identity Security Compliance Checklist | CSA The Agentic Trust Deficit: MCP's Authentication Vacuum | CSA More Than Two-Thirds of Organizations Cannot Clearly Distinguish | CSA AI Cybersecurity 2026: Insights from 1,500 Leaders | CSA Three-Body Security: Data, AI & Identity | CSA IAM as Safety for AI-Controlled Systems | CSA Kubernetes Cost Savings and Security Debt | CSA Code to Cloud Security: Unified Exposure Management | CSA Retail Misconfigurations Attackers Exploit | CSA Rethinking Authorization for the Age of Agentic AI | CSA Enterprise AI: Guardrails to Governance | CSA
CSA STAR v4.1 Updates for Cloud Security | CSA
2026-03-31 · via Cloud Security Alliance

Written by Mike Somody.

The Cloud Security Alliance (CSA) created the Security, Trust, Assurance, and Risk (STAR) program in August of 2011 to improve transparency and security within cloud computing. This program was built upon the Cloud Controls Matrix (CCM), a selection of cloud controls designed to secure cloud service providers and customers, and is mapped to major standards like ISO 27001.

Furthering their mission, CSA STAR became a public registry for cloud providers to submit self-assessments and has continued to evolve with cloud computing advancements, as demonstrated by its latest version, CSA STAR v4.1, announced in late January 2026.

In this blog post, we’ll explore the new CCMv4.1 release, including its key updates and what cloud service providers need to know for a smooth transition.

What Is CSA STAR and Why It’s Important

CSA STAR certification enables providers to demonstrate compliance with industry best practices and validate their security posture through self-assessment, third-party audits, and continuous monitoring.

CSA STAR is important for cloud service providers and customers alike as it helps strengthen trust and transparency between the two while also providing easily accessible assessment proof to prospective partners. CSA STAR helps to connect your major standards and assessments by bridging any gaps from your annual SOC and ISO audits to cloud computing and providing a more comprehensive risk management approach.

We’ll dive into the latest iteration of the CCM, version 4.1, below and outline what changed and what these updates mean for the cloud and its providers.

The latest iteration of the CCM brings an increase in controls (now totaling 207) and sweeping updates to enhance clarity around what exactly should be addressed. The CAIQ, Level 1 self-assessment, has also been updated accordingly, with version 4.1 now featuring 283 questions.

An important consideration for those already complying with the STAR program is understanding when they need to update to CCMv4.1. CSA has established a two-year transition period from the release of the CCM, meaning come January 2028, implementation of CCMv4.1 will be required to maintain your registration. Beginning in July 2027, all new CSA STAR applicants must use CCMv4.1.

Net New Controls in CSA STAR V4.1

CCMv4.1 comes with 11 net new controls aimed at extending the coverage across critical domains like Logging and Monitoring and Security Incident Management, including:

  1. AIS-08: API Security
  2. DCS-01: Physical and Environmental Security Policy and Procedures
  3. DCS-17: Datacenter Metrics
  4. DCS-18: Datacenter Operations Resilience
  5. LOG-08: Audit Logs Sanitization
  6. SEF-07: Incident Management and Response
  7. SEF-09: Incident Records Management
  8. STA-01: Supply Chain Risk Management Policies and Procedures
  9. STA-09: Service Bill of Material (BOM)
  10. TVM-04: Threat Analysis and Modelling
  11. TVM-10: Threat Response

While the objectives and requirements within did not see much in the way of domain naming changes to controls, Infrastructure & Virtualization Security (IVS) has seen a domain name update to Infrastructure Security (I&S).

Key Control Changes in CSA STAR V4.1

In addition to the net new controls and minor updates to control ID number and verbiage, CCMv4.1 has introduced new topics to enhance the coverage and breadth of existing controls. Below is a list of these topics, highlighting the new or major control changes in specific domains:

Application & Interface Security

  • AIS‑04: Secure Application Development Lifecycle
    • What has changed: Updated guidance distinct from version 4 “Secure Application Design and Development”
  • AIS‑08: API Security (New)

Cryptography, Encryption & Key Management

  • CEK‑03: Data Protection
    • What has changed: Version 4 CEK‑03 was Data Encryption; the scope is now broader
  • CEK‑08: Service Customer Key Management Capability
    • What has changed: Version 4 CEK‑08 was “CSC Key Management Capability”; version 4.1 clarifies the specific role and increases the scope of the control

Datacenter Security

  • DCS‑01: Physical and Environmental Security Policy and Procedures (New)
  • DCS‑12: Adverse Event Response Training
    • What has changed: Increased scope from version 4 DCS‑11 “Unauthorized Access Response Training”; version 4.1 shifts focus to a broader scope of adverse events
  • DCS‑17: Datacenter Metrics (New)
  • DCS‑18: Datacenter Operations Resilience (New)

Identity & Access Management

  • IAM‑12: Unique Identities
    • What has changed: Version 4 “Uniquely Identifiable Users” sat in IAM‑13; version 4.1 has updated and renumbered this to IAM-12
  • IAM‑14: Credentials Management
    • What has changed: Consolidation and renaming of version 4 controls IAM‑15 “Passwords Management” and IAM‑02 “Strong Password Policy and Procedures”

Logging and Monitoring

  • LOG‑08: Audit Logs Sanitization (New)

Security Incident Management, E‑Discovery, & Cloud Forensics

  • SEF‑07: Incident Management and Response (New)
  • SEF‑09: Incident Records Management (New)

Supply Chain Management, Transparency, & Accountability

  • STA‑01: Supply Chain Risk Management Policies and Procedures (New; version 4.1 introduces explicit supply chain risk management policy coverage)
  • STA‑09: Service Bill of Material (BOM) (New)
  • STA‑13: Supply Chain Compliance Assessment
    • What has changed: Scope and title change from version 4 “Internal Compliance Testing” to include broader supply‑chain compliance

Threat & Vulnerability Management

Threat & Vulnerability Management has undergone significant rework in CSA STAR v4.1. A new focus on threat modeling and risk response, aimed at enabling organizations to more proactively identify and effectively manage new threats, has been established throughout the domain.

  • TVM‑02: Malware and Malicious Instructions Protection Policy and Procedures
    • What has changed: Version 4 focused on “Malware Protection”; version 4.1 expands this with the addition of “Malicious Instructions” and policy/program language
  • TVM‑04: Threat Analysis and Modelling (New)
  • TVM‑10: Threat Response (New)

What CSA STAR v4.1 Means for Cloud Service Providers

The changes and additions in CSA STAR v4.1 most notably signal increased security coverage. While many of the updates seem minor, the new specifications and framing provide cloud service providers with much broader and stronger security coverage. This also helps to better align the CCM with modern standards, furthering the mapping and cross coverage between major frameworks like SOC and ISO.

How to Prepare for CSA STAR v4.1

Following this release, the next step is planning for the transition. Performing an analysis of the new requirements in the CCM and CAIQ will help identify gaps in your control frameworks against the new CCM, providing a baseline of your cloud security posture.

After performing a gap analysis and establishing a transition plan, the process to register your Level 1 or update your Level 2 registration will feel familiar. CSA STAR still starts with your Level 1 self-assessment, involving the submission of your completed CAIQ which helps ensure secure operation of your cloud service and provides you with the foundation of your cloud security posture as an organization and to external parties. This is still the required first step to continue or begin your journey to Level 2 certification.

Mike Somody is an ISO Senior Associate with Schellman. Prior to joining Schellman in 2022, Mike worked as a Senior, Business Consultant at a Big 4 Accounting firm, specializing in Technology Risk (SOX 404/ITGC compliance). Mike also led and supported various other projects, including SDLC Implementation Evaluations, Application Controls Testing, and other Internal and External IT audits. Mike additionally has experience with CSA STAR and TISAX assessments. Mike has over 6 years of experience comprised of serving clients in various industries, including Healthcare, Industrial Products, Consumer Goods, and Real Estate. Mike is now focused on ISO 27001, 9001, and 22301 certifications, as well as CSA STAR and TISAX reporting for organizations across various industries.