What a stroke of luck! We’ve gone an entire week without a feature or capacity update to SharePoint Online! Whew!
That means I can catch up on sharing some other important news, including the fact that last month, Windows Azure became the very first cloud service provider to pass a new security compliance audit that is recommended by the Cloud Security Alliance (CSA).
This week, I’ll fill you in on that achievement, for which Microsoft deserves far more recognition than it has received.
Cloud Security Alliance Resource
The Cloud Security Alliance (CSA) is a non-profit organization that promotes best practices for security assurance in cloud computing. Its membership is a Who’s Who of powerhouse cloud service providers, including biggies such as Microsoft, Yammer, Amazon Web Services, Google, Citrix, Box, eBay, and Rackspace.
An equally impressive group of consultants, integrators, and other related organizations rounds out the list. Some absences are noticeable as well, such as Apple and Dropbox, which would certainly inform my choice of cloud providers.
It’s really challenging for customers to evaluate cloud service offerings. How do you cut through the “marketing hype” and noise to learn just how secure, available, and compliant a service really is?
To address this need, the CSA established a service called the Security, Trust and Assurance Registry (STAR). STAR is a one-stop clearinghouse of information and documentation about the security controls offered by various cloud offerings. Office 365, Dynamics, and Azure cloud offerings are all included.
I highly recommend downloading and reading Microsoft's CAIQ (Consensus Assessments Initiative Questionnaire) for Office 365. It answers a ton of questions along the lines of "How Secure Is Office 365?" and "To Which Standards Does Office 365 Comply?" GREAT reading!
Cloud Service Audit and Attestation
While STAR is an excellent resource, it’s not the same as an independent, third-party audit of the controls implemented by a cloud service. As a customer, you would want third-party attestation that the controls are in fact in place correctly.
So, in February 2013, the CSA published a position paper that addressed how third-party audits of the security controls of cloud service providers could be performed.
To make a long story short, the American Institute of Certified Public Accountants (AICPA) introduced three Service Organization Control (SOC) reporting options to replace the former standard, SAS 70, which had previously been used for third-party audits of service-provider controls. SOC 1 covers controls relevant to a customer's financial reporting; SOC 2 covers the Trust Services Principles (security, availability, processing integrity, confidentiality, and privacy); SOC 3 is a general-use summary of a SOC 2 engagement. Each SOC 1 or SOC 2 report is either Type 1 (the auditor evaluates the design of the controls at a point in time) or Type 2 (the auditor also tests that the controls operated effectively over a period, typically six to twelve months). The CSA evaluated these options and identified the SOC 2 Type 2 attestation as the best "starting point," because only a Type 2 report gives evidence that the controls actually operated, not merely that they were designed.
To ensure the broadest range of criteria related to cloud services would be examined—particularly to address international requirements that were not necessarily relevant to the AICPA—the CSA recommended that the SOC 2 Type 2 report be augmented with additional criteria defined by the CSA’s own Cloud Controls Matrix (CCM). The resulting report would be likely to address the assurance and reporting needs of the majority of customers of cloud services.
So, in practice, an independent auditing firm issues a SOC 2 Type 2 report for a cloud service provider covering the security, availability, and confidentiality trust principles, with the Cloud Security Alliance (CSA) Cloud Controls Matrix criteria added to the scope.
That report, the "attestation," should give customers of that cloud service most of what they need to trust the controls implemented by that service. The combined criteria in the report, which again address a broad range of international requirements, reduce the time and cost that a customer would otherwise incur to evaluate cloud service offerings. Two practical caveats: a SOC 2 report is a restricted-use document, so you normally obtain it from the provider under a non-disclosure agreement rather than from a public download; and it attests only to the provider's controls over the systems in scope for the audit period stated in the report. Controls on your side of the boundary, such as how you manage identities, classify data, and configure the service, remain your responsibility and are not covered.
Going through such audits is no small task, and so I'm thrilled that one of Microsoft's clouds, Windows Azure specifically, was the first cloud service to make it. As announced on the Windows Azure blog, Deloitte & Touche LLP issued the SOC 2 Type 2 attestation, including the CCM criteria, for Windows Azure.
This is a BIG DEAL, as far as Azure’s ability to position itself as a trustworthy, secure service. You can be sure that Office 365 and Dynamics are going through the process as well.
You can learn more about Windows Azure’s security, availability, and confidentiality controls at the Windows Azure Trust Center.