Ribose has become the first cloud service provider (CSP) outside Mainland China to complete the Cloud Security Alliance’s (CSA) C-STAR Assessment, a newly established cloud security certification scheme with a focus on Greater China.
With this latest achievement, Ribose has become one of the first organizations – and the first Software-as-a-Service CSP – certified to C-STAR Assessment, and the world’s only CSP compliant to all three of CSA’s globally recognized cloud assurance programs in the Security, Trust and Assurance Registry (STAR) family: STAR Attestation, STAR Certification, and C-STAR Assessment.
C-STAR Assessment was jointly developed by the CSA and CEPREI Certification Body as a China-focused cloud security certification that harmonizes CSA’s Cloud Controls Matrix (CCM) with Chinese national standards. As a rigorous third-party assessment of a CSP’s security management, C-STAR Assessment aligns to Chinese information security requirements compliant to the following standards:
GB/T 22080-2008 (ISO/IEC 27001:2005) Information technology – Security techniques – Information security management systems – Requirements
GB/T 22239-2008 Information security technology — Baseline for classified protection of information systems
GB/Z 28828-2012 Information security technology – Guideline for personal information protection within information systems for public and commercial services
CSA’s Cloud Control Matrix 3.0.1
Raising the bar on established international standards, C-STAR Assessment consists of additional control requirements to those of STAR Certification and STAR Attestation, requiring 29 supplementary security and privacy controls on top of CCM 3.0.1. In particular, it requires organizations to respect and protect users’ privacy in accordance with internationally accepted privacy principles, as well as Chinese and international privacy laws and regulations, with explicit requirements on the personal-identifiable information (PII) lifecycle and risk assessments on PII.
Ribose was invited by the CSA and CEPREI to participate in the C-STAR Assessment pilot scheme based on its past participation in CSA STAR – as well as its previous collaboration with CEPREI in becoming the first CSP to complete the Hong Kong / Guangdong Cloud Security Assessment Scheme (HK/GD CSAC) pilot. Stemming from its involvement in the pilot scheme, Ribose assisted in translating C-STAR documentation and controls into English and providing feedback to the C-STAR scheme.
According to Jim Reavis, Co-founder and CEO of CSA, “We congratulate Ribose on becoming the first Cloud Service Provider outside Mainland China to complete the CSA C-STAR Assessment. As a pioneer in cloud security, Ribose has unquestionably demonstrated that Chinese and international cloud security standards are fully compatible. As the world’s first CSP simultaneously certified to all three of our globally recognized assurance programs: STAR Attestation, STAR Certification, and C-STAR Assessment, Ribose has reinforced their commitment to protecting users by demonstrating their practices are triple-assured through independent validation. They definitely stand among industry role models for cloud security practices.”
“We believe C-STAR represents strong security assurance for cloud users,” said Aloysius Cheang, Managing Director APAC and the head of Standards Secretariat for the Cloud Security Alliance. “The certification process allows CSPs to simultaneously align to both international and Chinese standards, while achieving operational excellence through alignment of best practices and improved transparency. Using the CSA C-STAR Assessment, CSPs will be able to give customers greater peace of mind and a better understanding of their security management procedures.”
Mr. Zhao Guoxiang, Managing Director of CEPREI, China’s national certification body, explained, “C-STAR allows Chinese CSPs to demonstrate their commitment to cloud security, while also allowing foreign CSPs to demonstrate compliance with Chinese standards and regulations – giving them a competitive edge over other CSPs seeking to expand their operations in China. As China’s first internationally aligned cloud security assessment, C-STAR is being adopted by leading corporations including Ribose, Huawei and Bluedon – and has generated international interest from the cloud computing industry, demonstrating that Chinese and international cloud security standards are compatible and complementary.
“We would like to thank CEPREI and CSA for inviting Ribose to join the C-STAR pilot program,” said Ronald Tse, founder of Ribose. “In recent years, Asia has been a forerunner in the development of cloud security standards – with new standards being developed in Singapore, Hong Kong, Guangdong and now C-STAR, which is a nationwide Chinese standard. Based in Asia, Ribose was the first CSP to achieve Singapore’s Multi-Tier Cloud Security (MTCS, SS 584:2013) certification, where we achieved the highest security level, Level 3. We were also the first CSP to complete the HK CSAC scheme, as well as the first CSP outside mainland China to complete the C-STAR Assessment.”
Tse continued, “Ribose respects the development of regional cloud assessment schemes as each country has different cloud security requirements. Our platform is certified to multiple national, regional and international standards because we are committed to our users – wherever they are based. The need to collaborate is natural and universal.”
“Therefore, Ribose has adopted and advocates a ‘highest-bar’ approach to cloud security. By ensuring our cloud security meets the most stringent specified requirements, we are able to provide a higher level of security for all users,” concluded Tse. “Completing the C-STAR Assessment provides our international users with the benefit of tighter security oversight for greater peace of mind in working with colleagues around the globe.”