Cloud Security Alliance (CSA) STAR Attestation

CSA STAR Attestation overview

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It is dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud. In 2013, the CSA and the British Standards Institution launched the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments based on the following components:

  • Cloud Controls Matrix (CCM): a controls framework composed of 133 control objectives covering fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a CSP.
  • Consensus Assessments Initiative Questionnaire (CAIQ): a set of more than 300 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.

Note

CSA has released CCM v4, a major update to the CCM that has 197 control objectives structured in 17 domains. Azure CSA STAR Attestation will be updated based on version 4 of the CCM during the next Azure audit cycle. CSA has also provided a CCM v4 transition timeline for cloud service providers and other organizations to start using version 4.

STAR provides two levels of assurance. CSA STAR Self-Assessment is the introductory offering at Level 1, which is free and open to all CSPs. Going further up the assurance stack, Level 2 of the STAR program involves third-party assessment-based certifications (for example, CSA STAR Attestation and CSA STAR Certification).

CSA STAR Attestation involves a rigorous independent third-party audit of a cloud provider's security posture based on a SOC 2 Type 2 audit with CCM criteria. The independent auditor that evaluates a cloud provider's offerings for STAR Attestation must be a certified public accountant (CPA) and is required to have the CSA Certificate in Cloud Security Knowledge (CCSK).

The Azure SOC 2 Type 2 audit is based on the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, including security, availability, confidentiality, privacy, and processing integrity, and the criteria in the CCM. STAR Attestation provides an auditor's findings on the design suitability and operating effectiveness of Azure SOC 2 controls. The objective is to meet both the AICPA criteria mentioned above and requirements set forth in the CCM.

Applicability

  • Azure
  • Azure Government

Services in scope

Microsoft online services in scope for the Azure CSA STAR Attestation are the same services assessed as part of the Azure SOC 2 Type 2 attestation.

Audit reports and certificates

For Azure CCM control coverage, you can access the Azure SOC 2 Type 2 attestation report in the Azure or Azure Government portal by navigating to Home > Security Center > Regulatory compliance > Audit reports or using direct links based on your subscription (login required):

You must have an existing subscription or free trial account in Azure or Azure Government to access audit reports.

Alternatively, you can access Azure SOC audit reports via the Service Trust Portal (STP) Audit Reports - SOC Reports section. You must login to access audit reports on the STP. For more information, see Get started with the Microsoft Service Trust Portal.

Frequently asked questions

Which industry standards does the CSA CCM align with?
The CCM maps to industry-accepted security standards, regulations, and control frameworks such as ISO 27001, ISO 27017, ISO 27018, NIST SP 800-53, PCI DSS, AICPA Trust Services Criteria, NERC CIP, and many others. For the most current list, visit the CSA website.

Where can I see the CSA STAR Attestation for Azure and other Microsoft online services?
You can download the CSA STAR Attestation for Azure directly from the CSA STAR Registry. For detailed insight into services in scope and CCM control coverage, download the Azure SOC 2 Type 2 attestation report. For links to audit documentation, see Audit reports and certificates. You must have an existing subscription or free trial account in Azure or Azure Government to login. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Resources