Cloud transparency remains a highly coveted but seemingly elusive wish for organizations. How can you trust a cloud provider with your data if you don’t know what security controls they implement? You can get details under NDA, but how can you compare that provider’s controls with another’s to make an educated buying decision?
But there is a glimmer of hope on the horizon. The Cloud Security Alliance’s (CSA) Security, Trust and Assurance Registry (STAR), which aims to provide a standards-based public repository of cloud provider security controls, is slowly growing. Launched last August, CSA’s STAR recently added SHI International to the three other providers publishing documentation of their controls: Microsoft, Mimecast and Solutionary. On March 30, Microsoft published a self-assessment of Windows Azure to add to its Office 365 documentation. Last week, it published a self-assessment for Microsoft Dynamics CRM Online.
The Windows Azure STAR documentation provides an overview of how core Azure services meet the requirements listed in the CSA’s Cloud Controls Matrix. Microsoft maps its security practices to the CCM guidance in 11 areas, including data governance, resiliency, risk management and security architecture. The software giant produced a video interview about the Azure STAR assessment on its Trustworthy Computing Blog.
Obviously, STAR needs more cloud providers participating to be an effective tool for cloud users, but with a major provider such as Microsoft taking the lead, one can hope more providers will step up. At the RSA Conference 2012, CSA Executive Director Jim Reavis told me he expected several providers to participate in the next two to three months, which would “force their peers to do this more wholeheartedly.”
He added that he would be surprised if any of the major providers are not in the registry by the end of this year. Let’s hope that’s the case.