Is it the Azure Team's intention to have a service auditor perform an AICPA Statement on Auditing Standards No. 70, "Report on the Processing of Transactions by Service Organizations", Type I or (preferably) Type II audit in time that would permit the result of the audit to be available by Azure's RTW?
Independent, third-party validation of OSSC’s approach includes Microsoft’s cloud infrastructure achieving both SAS 70 Type I and Type II attestations and ISO/IEC 27001:2005 certification. We are proud to be one of the first major online service providers to achieve ISO 27001 certification for our infrastructure. We have also gone beyond the ISO standard, which includes some 150 security controls. We have developed 291 security controls to date to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved [Emphasis added].
Charlie is GM, Business & Risk Management, Microsoft Global Foundation Services.
Yes. I didn't mean "Microsoft's data centers" as opposed to "Windows Azure's data centers." I meant the data centers as opposed to the platform/software/service.
The question was about what certification Windows Azure has. The fact that Windows Azure runs in data centers that have a certain certification does not mean that Windows Azure itself has that certification.
If independent financial auditors of organizations who assert SAS 70 compliance for data services (internal and external) on their annual reports were to take your statement as authoritative, I believe they would be required to qualify their SAS 70 attestation for the organization's data services as a whole.
This would be fatal to Windows Azure's acceptance by most large and many medium-sized businesses.
"Global Foundational Services (GFS) provides infrastructure (data centers and networking) services to Microsoft online properties like Office 365, BPOS-S, BPOS-D, Dynamics CRM Online and Windows Azure. Application layer controls for Office 365 are currently planned to be evaluated first under SSAE 16 SOC 1 Type I, with evaluation under SSAE SOC 1 Type II to follow. The Office 365 SSAE 16 report will stack on top of the GFS report to provide an end-to-end representation of controls. GFS is SAS 70 Type II certified today, and will be audited against SSAE 16 at its next regularly scheduled audit."
SOC 2 for Cloud Computing article of 10/11/2011 provides a brief description of SOC 1 and a more detailed description of the new SOC 2 examination. Chris is president of BrightLine, which claims to be "the world's only CPA firm that is accredited as a PCI QSA Company and ISO 27001 Registrar."
SSAE 16 supersedes SAS 70 for service auditor's reporting periods ending on or after June 15, 2011. Currently, I can find no indication of whether Microsoft intends to have the Windows Azure application layer evaluated under the new SSAE 16 SOC 1 or any services to be evaluated under SOC 2. I am following up with Microsoft to determine their position on SSAE 16 for Windows Azure.
Jean-Philippe Courtois, President, Microsoft International, discussed ISO 27001/2 and SAS 70 for Microsoft data centers in his A Pragmatic Approach to Security in the Cloud post of 7/28/2011 to the MSDN Viewpoints blog. It's a good read but doesn't mention forthcoming SSAE 16 attestations.
I believe you can take my statement as authoritative. (I double-checked just to make sure.)
To be perfectly clear: the statements you're quoting are about Microsoft data centers. Windows Azure benefits from the fact that it runs on those data centers, but it has not itself been SAS 70 certified.
Since Steve Marx left the Windows Azure team, I'm not sure he is listening or has the ability to answer, but I think I may have answers.
As the Global Foundation Services datacenters are brought online, they go through the process of certification depending on what they are to be used for. The datacenters hosting Windows Azure are SAS 70 certified. However...
Yes, Windows Azure requires separate compliance certifications. But that's a muddy topic, because at some point the applications being hosted need to be verified for compliance, and Microsoft doesn't have control over them.