Cloud Security Alliance (CSA) STAR Attestation

The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry where cloud service providers (CSPs) can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with the control objectives in the CSA Cloud Controls Matrix (CCM), which covers fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service:

  • Level 1: STAR Self-Assessment
  • Level 2: STAR Attestation, STAR Certification, and C-STAR Assessment (which are based on audits by third parties)
  • Level 3: STAR Continuous Monitoring (program requirements are still under development by CSA)

STAR Attestation involves a rigorous independent audit of a cloud provider’s security posture based on a SOC 2 Type 2 audit in combination with CCM criteria. The independent auditor that evaluates a cloud provider’s offerings for STAR Attestation must be a certified public accountant (CPA) and is required to have the CSA Certificate in Cloud Security Knowledge (CCSK).

A SOC 2 Type 2 audit is based on American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, including security, availability, confidentiality, and processing integrity, and the criteria in the CCM. STAR Attestation provides an auditor’s findings on the design suitability and operating effectiveness of SOC 2 controls in Microsoft cloud services. The objective is to meet both the AICPA criteria mentioned above and requirements set forth in the CCM.

Based on this audit, Microsoft Azure and Microsoft Intune have been awarded CSA STAR Attestation.

Frequently asked questions

The CCM corresponds to industry-accepted security standards, regulations, and control frameworks such as ISO/IEC 27001, PCI DSS, HIPAA, AICPA SOC 2, NERC CIP, FedRAMP, NIST, and many more. For the most current list, visit the CSA website.

You can download the CSA STAR Attestation for Azure, which also covers Intune, from the CSA Registry.

  • Level 1: CSA STAR Self-Assessment: Azure, Microsoft Dynamics 365, and Microsoft Office 365. The Self-Assessment is a complimentary offering from cloud service providers to document their security controls to help customers assess the security of the service.
  • Level 2: CSA STAR Certification: Azure, Cloud App Security, Intune, and Microsoft Power BI. STAR Certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It is awarded after a rigorous third-party assessment of the security controls and practices of a cloud service provider.
  • Level 2: CSA STAR Attestation: Azure and Intune. CSA and the AICPA have collaborated to provide guidelines for CPAs to use in conducting SOC 2 engagements, using criteria from the AICPA (Trust Service Principles, AT 101) and the CSA CCM. STAR Attestation is based on these guidelines and is awarded after rigorous independent assessments of cloud providers.

Attestation and certification

Microsoft in-scope cloud services

  • Compute:

    Azure Container Service, Batch, Cloud Services, Functions, Service Fabric, Virtual Machines (including SQL VM), Virtual Machine Scale Sets

  • Networking:

    Application Gateway, Azure DNS, ExpressRoute, Load Balancer, Traffic Manager, Virtual Network, VPN Gateway

  • Storage:

    Backup, Cool Storage, Data Lake Store, Import / Export, Premium Storage, Site Recovery, Storage (Blobs, Disks, Files, Queues, Tables), StorSimple

  • Web + Mobile:

    App Service (including API Apps, Logic Apps, Mobile Apps, and Web Apps), Media Services

  • Databases:

    Azure Cosmos DB, Redis Cache, SQL Database, SQL Data Warehouse, SQL Server Stretch Database

  • Data + Analytics:

    Data Lake Analytics, HDInsight, Machine Learning, Power BI Embedded, Stream Analytics

  • Internet of Things:

    Event Hubs, IoT Hub, Notification Hubs

  • Enterprise Integration:

    API Management, Data Catalog, Service Bus

  • Security + Identity:

    Azure Active Directory (Free, Basic), Azure Active Directory B2C, Azure Information Protection (including Azure Rights Management), Key Vault, Multi-Factor Authentication

  • Developer Tools:

    Application Insights

  • Monitoring + Management:

    Automation, Azure Resource Manager, Log Analytics, Microsoft Azure Portal, Scheduler

  • Compute:

    Batch, Cloud Services, Service Fabric, Virtual Machines (including SQL VM), Virtual Machine Scale Sets

  • Networking:

    Application Gateway, ExpressRoute, Load Balancer, Traffic Manager, Virtual Network, VPN Gateway

  • Storage:

    Backup, Cool Storage, Import/Export, Premium Storage, Site Recovery, Storage (Blobs, Disks, Files, Queues, Tables), StorSimple

  • Web + Mobile:

    App Service (including API Apps, Mobile Apps, and Web Apps), Media Services

  • Databases:

    Redis Cache, SQL Database, SQL Data Warehouse, SQL Server Stretch Database

  • Data + Analytics:

    HDInsight

  • Internet of Things:

    Event Hubs, Notification Hubs

  • Enterprise Integration:

    Service Bus

  • Security + Identity:

    Azure Active Directory (Free, Basic), Azure Information Protection (including Azure Rights Management), Key Vault

  • Monitoring + Management:

    Automation, Azure Resource Manager, Log Analytics, Microsoft Azure Portal, Scheduler

  • Compute:

    Batch, Cloud Services, Service Fabric, Virtual Machines (including SQL VM), Virtual Machine Scale Sets

  • Networking:

    Application Gateway, ExpressRoute, Load Balancer, Traffic Manager, Virtual Network, VPN Gateway

  • Storage:

    Cool Storage, Premium Storage, Storage (Blobs, Disks, Files, Queues, Tables)

  • Web + Mobile:

    App Service (including API Apps, Mobile Apps, and Web Apps)

  • Databases:

    Azure Cosmos DB, Redis Cache, SQL Database, SQL Data Warehouse, SQL Server Stretch DB

  • Data + Analytics:

    HDInsight, Machine Learning, Stream Analytics

  • Internet of Things:

    Event Hubs, IoT Hub, Notification Hubs

  • Enterprise Integration:

    Service Bus

  • Security + Identity:

    Azure Active Directory (Free, Basic), Key Vault, Multi-Factor Authentication

  • Monitoring + Management:

    Azure Resource Manager, Microsoft Azure Portal, Scheduler

  • Cloud App Security
  • Graph
  • Intune
  • Microsoft Flow cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
  • Power BI
