Windows Azure Receives SOC 2 Type 2 report with CSA CCM Attestation

  • Article

Today we’re announcing that Microsoft’s public auditor Deloitte & Touche LLP, has issued a Service Organization Control (SOC) 2 Type 2 report for Windows Azure in security, availability and confidentiality trust principles and the Cloud Security Alliance (CSA) Cloud Control Matrix.  Windows Azure is the first cloud services provider to receive the attestation to CCM by an independent, registered public accounting firm.

Last February at the RSA Conference, CSA released a position paper on the American Institute of Certified Public Accountants (“AICPA”) reporting framework, as a means of providing guidance on selecting the most appropriate audit reporting options when evaluating and selecting cloud service providers.  In the position paper, the CSA highlights that leveraging the criteria in the CSA Cloud Controls Matrix along with a SOC report is likely to meet the assurance and reporting needs of the majority of cloud services users.  The CSA’s position is that by referring to the combined criteria in the report, customers have increased confidence the service meets a broad range of international requirements while reducing the time and costs associated with understanding and evaluating cloud service providers.

The Windows Azure security, privacy and compliance strategy reflects our commitment to deliver world-class solutions and resources that help customers understand what to expect when they use Windows Azure.  The Windows Azure Standard Response to Request for Information: Security and Privacy and our Cloud Security Alliance STAR submission are the most frequently requested resources at the Windows Azure Trust Center.  We understand these resources are valuable not only in evaluating service providers, but informing and supporting our customers’ compliance programs where they rely on Windows Azure’s security controls and processes to safeguard their data and applications.

We’ve developed some important insights in undertaking this industry-first approach to simultaneous audit and attestation against multiple standards.  I’ve shared some of those insights with our Chief Security Officers’ Council and they advised me to take a more direct approach engaging in external dialogue and shining a light on the innovation we’re driving in Azure for compliance in cloud services to share ideas and resources with other practitioners.

In upcoming posts, I’ll share more insight to the Windows Azure security and compliance roadmap, our controls framework, integration through the engineering life cycle, execution across the Azure platform and partnerships with our internal customers like O365 and Global Foundation Services.  In the meantime, check out the Windows Azure Trust Center or follow me on twitter @msftlori.