The Microsoft approach to cloud transparency – Part VIII


Thank you for coming back for the exciting Part VIII of The Microsoft approach to cloud transparency

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)

Part VIII – Aligning to STAR

When mitigating risk while deploying a cloud solution, an organization must consider the cloud-specific risks described in the preceding “Cloud assurance challenges” section as well as its organizational goals. Common and cloud-specific risks alike must be weighed and evaluated carefully to ensure the best results for the organization.

One best practice is to proceed with the selection of a cloud provider as described earlier, by using a common framework. This approach not only helps mitigate risk but also helps avoid the cost of engaging outside expertise and a costly independent review process, relying instead on combined efforts that represent years of expertise in the field.

Using STAR, an organization can compare various cloud offerings, select criteria important to the organization, and document how and why a specific solution was selected. This approach helps mature future selection efforts and adds to the organization’s knowledge base.

Organizations can use the control criteria in the CCM to help mitigate the risk of missing important evaluation criteria. STAR also allows organizations to use a fully developed framework to carefully compare similar offerings. In addition, it can provide a way to measure and quantify weighting factors for related criteria.

Come back next week for Part IX!

The Microsoft approach to cloud transparency – Part VII – Introducing STAR

Thank you for coming back for the exciting Part VII of The Microsoft approach to cloud transparency

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)

Part VII – Introducing STAR

With the emergence of cloud computing and the increased market understanding of its tremendous potential to help organizations create, manage, and maintain tools to achieve growth, it has become clear that the existing standards discussed in the previous section may no longer be effective at addressing concerns about the rapid implementation and novel business uses of this powerful technology.

The Cloud Security Alliance (CSA) and STAR

The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes the use of best practices for security assurance within cloud computing. To reduce much of the effort, ambiguity, and costs of getting the most relevant questions and information on cloud providers’ security and privacy practices, the CSA has published and maintains the Security, Trust & Assurance Registry (STAR).

Per the Cloud Security Alliance at https://cloudsecurityalliance.org/star/

STAR is a “free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.”

STAR domains

STAR uses the following 13 domains to address cloud computing security:

  • Cloud Computing Architectural Framework
  • Governance and Enterprise Risk Management
  • Legal and Electronic Discovery
  • Compliance and Audit
  • Information Lifecycle Management
  • Portability and Interoperability
  • Traditional Security, Business Continuity, and Disaster Recovery
  • Data Center Operations
  • Incident Response, Notification, and Remediation
  • Application Security
  • Encryption and Key Management
  • Identity and Access Management
  • Virtualization

Cloud Controls Matrix (CCM)

STAR uses the Cloud Controls Matrix (CCM) to provide a controls framework for understanding security, privacy, and reliability concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. This paper uses CCM version 1.2, currently the released version, which comprises a list of 100 questions. The CSA CCM provides organizations with a framework that has the needed structure, detail, and clarity with regard to information security, tailored to the service providers in the cloud industry.

Providers may choose to submit a report that documents their compliance with the CCM, and such reports are published by STAR.

Microsoft has published an overview of its capabilities in meeting the CCM requirements. The goal of this STAR-registered overview is to empower customers with information to evaluate Microsoft offerings.

Consumers of cloud services can then use the data contained in STAR to evaluate providers and to identify questions that would be prudent to have providers answer before moving to adopt cloud services. (STAR is a self-assessment-based process by the cloud providers, and the CSA does not audit or guarantee the responses that are provided. Microsoft has chosen to not only address each of the 100 questions in the STAR CCM but also to align the domains to the ISO 27001 certifications received by various Microsoft services, to provide an additional layer of comfort to consumers of cloud services.)

Come back next week for Part VIII!