Cloud Security Alliance (CSA) STAR Certification
The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free, publicly accessible registry where cloud service providers can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with the control objectives in the CSA Cloud Controls Matrix (CCM). (The CCM covers fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service.)
- Level 1: STAR Self-Assessment
- Level 2: STAR Certification, STAR Attestation, and C-STAR Assessment
- Level 3: STAR Continuous Monitoring (program requirements are still under development by CSA)
Microsoft Azure, Microsoft Intune, and Microsoft Power BI have obtained STAR Certification, which involves a rigorous independent third-party assessment of a cloud provider’s security posture. This STAR certification is based on achieving ISO/IEC 27001 certification and meeting criteria specified in the CCM. It demonstrates that a cloud service provider conforms to the applicable requirements of ISO/IEC 27001, has addressed issues critical to cloud security as outlined in the CCM, and has been assessed against the STAR Capability Maturity Model for the management of activities in CCM control areas.
During the assessment, an accredited CSA certification auditor assigns a Maturity Capability score to each of the 16 CCM control areas. The average score is then used to assign the overall level of maturity and the corresponding Bronze, Silver, or Gold award. Azure, Intune, Power BI, and Microsoft Cloud App Security were awarded Cloud Security Alliance (CSA) STAR Certification at the Gold level.
Frequently asked questions
Which industry standards does the CSA CCM map to?
The CCM maps to industry-accepted security standards, regulations, and control frameworks, such as ISO/IEC 27001, PCI DSS, HIPAA, AICPA SOC 2, NERC CIP, FedRAMP, NIST, and many more. For the most current list of mappings, visit the CSA website.
Where can I get the CSA STAR Certification for Microsoft cloud services?
You can download the CSA STAR Certification for Azure, which also covers Intune and Power BI, from the CSA STAR Registry.
Which CSA STAR levels has Microsoft achieved, and for which services?
- Level 1: CSA STAR Self-Assessment: Azure, Dynamics 365, and Office 365. The Self-Assessment is a free submission in which a cloud service provider documents its own security controls so that customers can assess the security of the service.
- Level 2: CSA STAR Certification: Azure, Cloud App Security, Intune, and Power BI. STAR Certification is based on achieving ISO/IEC 27001 certification and meeting the criteria specified in the CCM. It is awarded after a rigorous independent third-party assessment of the security controls and practices of a cloud service provider.
- Level 2: CSA STAR Attestation: Azure and Intune. CSA and the AICPA have collaborated on guidelines for CPAs conducting SOC 2 engagements, using criteria from the AICPA (Trust Services Principles, AT 101) together with the CSA CCM. STAR Attestation is based on these guidelines and is awarded after a rigorous independent assessment of the cloud provider.
Azure CSA STAR Certification (also covers Intune and Power BI)
Microsoft in-scope cloud services
- Azure: Azure Active Directory, API Management, Application Gateway, App Service: API Apps, App Service: Mobile Apps, App Service: Web Apps, Automation, Backup, Batch, BizTalk Services, Cloud Services, Data Catalog, Data Factory, DocumentDB, Event Hubs, ExpressRoute, HDInsight, IoT Hub, Key Vault, Load Balancer, Log Analytics, Machine Learning, Media Services, Multi-Factor Authentication, Notification Hubs, Portal, Redis Cache, RemoteApp, Rights Management, Scheduler, Service Bus, Service Fabric, Site Recovery, SQL Database, Storage (Tables, Blobs, Queues, Disks, Files, Cool, and Premium), StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network, VPN Gateway, and supporting Azure infrastructure services
- Microsoft Cloud App Security
- Power BI: the cloud service portion of Power BI, offered as a standalone service or as included in an Office 365 branded plan or suite