The Microsoft approach to cloud transparency – Part IX

Welcome! Please comment and leave me a note telling me what you like and what you'd like to see more of. Sign up to my RSS Feed!
This entry is part of a wonderful series, Microsoft Cloud Transparency»

Thank you for coming back for the exciting Part IX of The Microsoft approach to cloud transparency


The Microsoft approach to cloud transparency


Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)


Part IX – Specific examples of Microsoft adoption of STAR controls

To provide some specific examples of how the STAR framework helps both an initial selection process and ongoing due diligence, Microsoft has selected some specific examples of STAR controls and the corresponding Microsoft responses.


Full STAR submissions downloads


Microsoft Dynamics CRM Online Submitted April 05, 2012
Microsoft Office 365 Submitted December 02, 2011
Microsoft Windows Azure Submitted March 30,2012



In the following examples, an organization can see how they can save time and money by using the CCM framework to obtain standard answers from cloud providers instead of developing their own lists of questions. For example, an organization can select the questions that are most relevant and compare the answers of Microsoft and other providers to help decide which service to select. The examples apply to Windows Azure, Office 365, and Microsoft Dynamics CRM.


CO-01 Compliance – Audit planning

 “Audit plans, activities and operational action items focusing on data duplication, access, and data boundary limitations shall be designed to minimize the risk of business process disruption. Audit activities must be planned and agreed upon in advance by stakeholders.”

Microsoft’s reply:

“Microsoft’s goals are to operate Microsoft‘s services with security as a key principle, and to give the customer accurate assurances about Microsoft‘s security. Microsoft has implemented and will maintain reasonable and appropriate technical and organizational measures, internal controls, and information security routines intended to help protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction.

Each year, Microsoft undergoes third-party audits by internationally recognized auditors to validate that Microsoft has independent attestation of compliance with Microsoft‘s policies and procedures for security, privacy, continuity, and compliance.

ISO 27001 certifications for Microsoft Dynamics CRM, Windows Azure, Office 365, and Global Foundation Services (which runs the physical infrastructure) can be found on the website of Microsoft’s external ISO auditor, the BSI Group. Additional audit information is available under NDA upon request by prospective customers.

Windows Azure, Office 365, and Microsoft Dynamics CRM Online independent audit reports and certifications are shared with customers in lieu of allowing individual customer audits. These certifications and attestations accurately represent how Microsoft obtains and meets Microsoft’s security and compliance objectives and serve as a practical mechanism to validate Microsoft’s promises for all customers.

For security and operational reasons, Windows Azure, Office 365, and Microsoft Dynamics CRM do not allow Microsoft customers to perform their own audits.

Customers are allowed to perform non-invasive penetration testing of their own application on the Windows Azure platform with prior approval.”

“Monitor and review the Information Security Management System (ISMS)” is covered under the ISO 27001 standards, specifically addressed in Clause 4.2.3. For more information, review of the publicly available ISO standards we are certified against is suggested.”


Come back next week for Part X!


Leave a Reply

Your email address will not be published. Required fields are marked *