Will the Azure Service Platform Undergo a SAS 70 Type I or Type II Audit Prior to Release? If Not, When?

Question

Is it the Azure Team's intention to have a service auditor perform an AICPA Statement on Auditing Standards No 70, “Report on the Processing of Transactions by Service Organizations”, Type I or (preferably) Type II audit in time that would permit the result of the audit to be available by Azure's RTW?

Thanks in advance,

--rj

(For those not up to date on SAS 70, see http://en.wikipedia.org/wiki/SAS_70.)

---

OakLeaf Blog

Answer 1

Additional details re SAS 70: Microsoft’s Software as a Service (SaaS): An Enterprise Perspective 2006 whitepaper by Gianpaolo Carraro and Fred Chong. Amazon Web Services: Overview of Security Processes of 9/5/2008 contains details of their intent to provide SAS 70 audits. Both are in a cross-post of the original question to the SDS forum.

--rj

---

OakLeaf Blog

Answer 2

We are in the process of evaluating various certification requirements relative to Windows Azure with a goal toward achieving key certifications by commercial launch or shortly thereafter.

Answer 3

Steve, 

Is there an update to this ? Will the Azure infrastructure announce SAS 70 Type 1 or Type 2 compliance now that Azure is released ? 

Thanks, 

Paddy  

Answer 4

Paddy,

Charlie McNerney's Securing Microsoft’s Cloud Infrastructure post announced:

Independent, third-party validation of OSSC’s approach includes Microsoft’s cloud infrastructure achieving both SAS 70 Type I and Type II attestations and ISO/IEC 27001:2005 certification. We are proud to be one of the first major online service providers to achieve ISO 27001 certification for our infrastructure. We have also gone beyond the ISO standard, which includes some 150 security controls. We have developed 291 security controls to date to account for the unique challenges of the cloud infrastructure and what it takes to mitigate some of the risks involved [Emphasis added].

Charlie is GM, Business & Risk Management, Microsoft Global Foundation Services.

The above is from my Windows Azure and Cloud Computing Posts for 10/21/2009+  post of 10/21/2009.

--rj

---

OakLeaf Blog

Answer 5

Hi,

Thanks for sharing,

SAS70

 

 

Answer 6

So, has Microsoft Azure gone through a SAS 70 Type 1 or 2 or not?  Please provide an update?

---

Greg Frazier

Answer 7

Do you have any updates on this? I am about to start a new project and the answer to this question is critical in deciding the platform that will run our service.

---

Andy

Answer 8

Microsoft obtained SAS 70 attestation for its data centers prior to the May 2009 publication date of http://www.globalfoundationservices.com/security/documents/SecuringtheMSCloudMay09.pdf

The above publication reports they also have International Organization for Standardization / International Society of Electrochemistry 27001:2005 (ISO/IEC 27001:2005).

HTH,

 

--rj

---

Microsoft Access 2010 In Depth (QUE Publishing)
OakLeaf Blog
Access 2010 Blog
Amazon Author Blog

Answer 9

Roger, those apply to Microsoft's data centers, not to Windows Azure.

Answer 10

Not to be splitting hairs Steve but since it applies to GFS datacenters, don't they apply to the Windows Azure datacenters too? :)

---

Developer Security MVP | www.steveonsecurity.com

Answer 11

Yes. I didn't mean "Microsoft's data centers" as opposed to "Windows Azure's data centers." I meant the data centers as opposed to the platform/software/service.

The question was about what certification Windows Azure has. The fact that Windows Azure runs in data centers that have a certain certification does not mean that Windows Azure itself has that certification.

Answer 12

Steve,

If independent financial auditors of organizations who assert SAS 70 compliance for data services (internal and external) on their annual reports were to take your statement as authoritative, I believe they would be required to qualify their SAS 70 attestation for the organization's data services as a whole.

This would be fatal to Windows Azure's acceptance by most large and many medium-sized businesses.

See post below. More follows today on my blog.

--rj

---

Microsoft Access 2010 In Depth (QUE Publishing)
OakLeaf Blog
Access 2010 Blog
Amazon Author Blog

Answer 13

Microsoft's Security, Audits, and Certifications page asserts Office 365 Data Centers and Physical Infrastructure (Provided by Microsoft Global Foundation Services) are certified or compliant with

• Safe Harbor
• ISO 27001
• SAS70 Type II
• FISMA

This page also asserts:

"Global Foundational Services (GFS) provides infrastructure (data centers and networking) services to Microsoft online properties like Office 365, BPOS-S, BPOS-D, Dynamics CRM Online and Windows Azure. Application layer controls for Office 365 are currently planned to be evaluated first under SSAE 16 SOC 1 Type I, with evaluation under SSAE SOC 1 Type II to follow. The Office 365 SSAE 16 report will stack on top of the GFS report to provide an end-to-end representation of controls. GFS is SAS 70 Type II certified today, and will be audited against SSAE 16 at its next regularly scheduled audit."

Chris Schellman's SOC 2 for Cloud Computing article of 10/11/2011 provides a brief description of SOC 1 and a more detailed description of the new SOC 2 examination. Chris is president of BrightLine, which claims to be "the world's only CPA firm that is accredited as a PCI QSA Company and ISO 27001 Registrar."

SSAE 16 supercedes SAS 70 for service auditor’s reporting periods ending on or after June 15, 2011. Currently, I can find no indication of whether Microsoft intends to have the Windows Azure application layer evaluated under the new SSAE 16 SOC 1 or any services to be evaluated under SOC 2. I am following up with Microsoft to determine their position on SSAE 16 for Windows Azure.

Jean-Philippe Courtois, President, Microsoft International, discussed ISO 27001/2 and SAS 70 for Microsoft data centers in his A Pragmatic Approach to Security in the Cloud post of 7/28/2011 to the MSDN Viewpoints blog. It's a good read but doesn't mention forthcoming SSAE 16 attestations.

--rj

---

Microsoft Access 2010 In Depth (QUE Publishing)
OakLeaf Blog
Access 2010 Blog
Amazon Author Blog

Answer 14

I believe you can take my statement as authoritative. (I double-checked just to make sure.)

To be perfectly clear: the statements you're quoting are about Microsoft data centers. Windows Azure benefits from the fact that it runs on those data centers, but it has not itself been SAS 70 certified.

Answer 15

Steve,

We recently moved our Cloud based product to the Azure platform and of my sales team is asked this question almost daily.

The answer seems to be Azure is not SAS 70 certified but the data centers it runs in are.

Does this mean 100% of the data centers have SAS 70 certification?

And is separate certificate of compliance required for the Azure?

Any help with this would be greatly appreciuated.

---

Tom

Answer 16

Since Steve Marx left the Windows Azure team, I'm not sure he is listening or has the ability to answer, but I think I may have answers.

As the Global Foundation Services datacenters are brought online they go through the process of certification depending on what they are to be used for. The datacenters hosting Windows Azure are SAS70 certified. However...

Yes, Windows Azure requires seperate compliance certifications. But thats a muddy topic because at some point the applications being hosted need to be verified for compliance, and Microsoft doesn't have control over them.

---

Developer Security MVP | www.syfuhs.net