The Microsoft approach to cloud transparency – Part VII – Introducing STAR

This entry is part of a wonderful series, Microsoft Cloud Transparency.

Thank you for coming back for the exciting Part VII of The Microsoft approach to cloud transparency.

The Microsoft approach to cloud transparency

Using the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR)


Part VII – Introducing STAR

With the emergence of cloud computing and the increased market understanding of its tremendous potential to help organizations create, manage, and maintain tools to achieve growth, it has become clear that existing standards, as discussed in the previous section, may no longer be effective in addressing concerns about the rapid implementation and novel business uses of this powerful technology.

The Cloud Security Alliance (CSA) and STAR

The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes the use of best practices for security assurance within cloud computing. To reduce much of the effort, ambiguity, and costs of getting the most relevant questions and information on cloud providers’ security and privacy practices, the CSA has published and maintains the Security, Trust & Assurance Registry (STAR).


 Per the Cloud Security Alliance at

STAR is a “free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.”


STAR domains

STAR uses the following 13 domains to address cloud computing security:


  • Cloud Computing Architectural Framework
  • Governance and Enterprise Risk Management
  • Legal and Electronic Discovery
  • Compliance and Audit
  • Information Lifecycle Management
  • Portability and Interoperability
  • Traditional Security, Business Continuity, and Disaster Recovery
  • Data Center Operations
  • Incident Response, Notification, and Remediation
  • Application Security
  • Encryption and Key Management
  • Identity and Access Management
  • Virtualization


Cloud Controls Matrix (CCM)

STAR uses the Cloud Controls Matrix (CCM) to provide a controls framework for understanding security, privacy, and reliability concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. This paper uses CCM version 1.2, currently the released version, which comprises a list of 100 questions. The CSA CCM provides organizations with a framework that has the needed structure, detail, and clarity with regard to information security, tailored to the service providers in the cloud industry.

Providers may choose to submit a report that documents their compliance with the CCM, and such reports are published by STAR.


Microsoft has published an overview of its capabilities in meeting the CCM requirements. The goal of this STAR-registered overview is to empower customers with information to evaluate Microsoft offerings.


Consumers of cloud services can then use the data contained in STAR to evaluate providers and to identify questions that would be prudent to have providers answer before moving to adopt cloud services. (STAR is a self-assessment-based process completed by the cloud providers, and the CSA does not audit or guarantee the responses that are provided. Microsoft has chosen not only to address each of the 100 questions in the STAR CCM but also to align the domains to the ISO 27001 certifications received by various Microsoft services, to provide an additional layer of comfort to consumers of cloud services.)


Come back next week for Part VIII!

