Cloud Security Alliance (CSA) STAR Attestation

CSA STAR Attestation overview

The Cloud Security Alliance (CSA) is a nonprofit organization led by a broad coalition of industry practitioners, corporations, and other important stakeholders. It's dedicated to defining best practices to help ensure a more secure cloud computing environment, and to helping potential cloud customers make informed decisions when transitioning their IT operations to the cloud. In 2013, the CSA and the British Standards Institution launched the Security, Trust, Assurance, and Risk (STAR) registry, a free, publicly accessible registry in which cloud service providers (CSPs) can publish their CSA-related assessments.

For security assessments, CSPs use the Cloud Controls Matrix (CCM) to evaluate and document their security controls. CCM is a controls framework composed of 197 control objectives covering fundamental security principles across 17 domains to help cloud customers assess the overall security risk of a CSP.

STAR provides two levels of assurance:

  • Level 1: Self-Assessment based on the Consensus Assessments Initiative Questionnaire (CAIQ). Level 1 is an introductory offering, which is free and open to all CSPs. The CAIQ contains more than 250 questions based on the CCM that a customer or cloud auditor may want to ask of CSPs to assess their compliance with CSA best practices.
  • Level 2: Independent third-party assessments such as CSA STAR Attestation and CSA STAR Certification. These assessments combine established industry standards with criteria specified in the CCM.

Note

CSA has released CCM v4, a major update to the CCM that has 197 control objectives structured in 17 domains. CCM and CAIQ have been combined in version 4. CSA has also provided a CCM v4 transition timeline for cloud service providers and other organizations to start using version 4.

CSA STAR Attestation involves a rigorous independent third-party audit of a cloud provider's security posture based on a SOC 2 Type 2 audit with CCM criteria. The independent auditor that evaluates a cloud provider's offerings for STAR Attestation must be a certified public accountant (CPA) and is required to have the CSA Certificate in Cloud Security Knowledge (CCSK).

The Azure SOC 2 Type 2 audit is based on the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, including security, availability, confidentiality, and processing integrity, and the criteria in CCM v4. STAR Attestation provides an auditor's findings on the design suitability and operating effectiveness of Azure SOC 2 controls. The objective is to meet both the AICPA criteria mentioned previously and requirements set forth in the CCM.

Applicability

  • Azure
  • Azure Government

Services in scope

Microsoft cloud services in scope for the Azure CSA STAR Attestation are the same services assessed as part of the Azure SOC 2 Type 2 attestation.

Audit reports and certificates

For instructions on how to access audit reports and certificates, see Audit documentation.

  • To download the Azure CSA STAR Attestation, see the CSA STAR registry for Microsoft.
  • For Azure CCM control coverage, you can access the Azure SOC 2 Type 2 attestation report from the Service Trust Portal (STP) SOC reports section.

Frequently asked questions

Which industry standards does the CSA CCM align with?
The CCM maps to industry-accepted security standards, regulations, and control frameworks such as ISO 27001, ISO 27017, ISO 27018, NIST SP 800-53, PCI DSS, AICPA Trust Services Criteria, and others. For the most current list, visit the CSA website.

Where can I see the CSA STAR Attestation for Azure and other Microsoft online services?
You can download the CSA STAR Attestation for Azure directly from the CSA STAR registry. For detailed insight into services in scope and CCM control coverage, download the Azure SOC 2 Type 2 attestation report. For links to audit documentation, see Audit reports and certificates.

You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Resources