How Microsoft Uses the Security, Trust & Assurance Registry (STAR) to Provide Greater Transparency

I have written more than a few articles on this blog focused on why it is important to provide visibility into how cloud services are being operated by cloud providers, particularly where security controls are concerned.  Security of cloud services is top of mind for customers looking to realize the benefits of cloud computing.  When cloud providers offer their customers insight into the security controls used to manage their cloud services, customers are able to evaluate whether those services meet compliance requirements they are subject to, and standards and best practices that are important to their organization.

The Cloud Security Alliance’s (CSA) Security, Trust & Assurance Registry (STAR) framework helps to provide the transparency customers are looking for.  Today we published a new whitepaper called "The Microsoft approach to cloud transparency using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)".  The paper focuses on three cloud service offerings, Windows Azure, Office 365 and Microsoft Dynamics CRM, and provides visibility into how these services are operated using the evaluation criteria documented in the CSA STAR. Since the ISO 27000 family of standards is important to many of Microsoft’s customers, the paper also outlines how Microsoft’s cloud services are operated to meet or exceed these standards. The paper also provides an overview of various risk, governance and information security frameworks and standards to consider when looking at cloud computing as a solution, including ISO/IEC 27001, the Control Objectives for Information and related Technology (COBIT) framework, and the NIST Special Publication (SP) 800 series.

The CSA is a not-for-profit organization that promotes the use of best practices for security assurance within cloud computing.  The purpose of STAR is to reduce much of the effort, ambiguity, and cost associated with getting the most relevant questions and information on cloud providers’ security and privacy practices. Access to the registry is free to everyone and helps cloud customers compare services from different cloud providers.

If you are considering using a cloud service provider, check to see if they have submitted answers to the CSA STAR to learn more about their security and privacy practices.  If the cloud provider has not submitted a self-assessment to the CSA STAR, you can use the free framework provided by the CSA to ask the cloud provider the questions that are relevant to your organization.  Understanding how your cloud provider manages security and privacy to operate their cloud services can help to minimize headaches that might arise down the road.

I encourage you to download the new whitepaper if you are interested in learning more about how Microsoft provides transparency to its customers.



About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he