As governments around the world turn to cloud computing, security remains one of the biggest concerns. Some organizations feel nervous about giving control of their data to an outside provider and, understandably, want to proceed with caution. The great news is that there are new resources available to help public sector organizations understand what the cloud means for the security and privacy of their data, and what questions they should be asking of their cloud provider.
Just recently, the Cloud Security Alliance (CSA) announced a free, publicly accessible registry that describes the security controls of various cloud computing offerings. The registry, called CSA Security, Trust and Assurance Registry (STAR), aims to reduce the effort, ambiguity and cost of learning about cloud providers’ security and privacy practices. Open to all cloud vendors, STAR hosts their responses to specific questions pertaining to cloud security and allows vendors to submit reports showing compliance with CSA best practices. For government organizations, this means more open and transparent information to help them choose the best cloud provider for their specific security needs.
[Figure: Example of use of Cloud Controls Matrix and Microsoft Response]
STAR offers governments two ways to evaluate a vendor: the Consensus Assessments Initiative Questionnaire (CAIQ) and the Cloud Controls Matrix (CCM). The CAIQ offers a list of more than 140 suggested questions for organizations to ask a cloud provider and gives vendors the chance to submit answers, while the CCM lets providers demonstrate their compliance with CSA guidance and principles.
This registry is a great step toward increasing transparency and helping public sector organizations discover, understand, and differentiate the security processes of cloud vendors. Microsoft currently has three cloud services registered: Office 365, Windows Azure and Microsoft Dynamics CRM Online. We invite you to check out the registry for yourself and visit our Trust Centers to learn more about Microsoft’s commitment to cloud security (Office 365 Trust Center, Windows Azure Trust Center).