Microsoft's Security, Audits, and Certifications page for Office 365 claims the platform supporting Office 365 services in Microsoft data centers is certified or complies with
and Office 365 Data Centers and Physical Infrastructure (Provided by Microsoft Global Foundation Services) are certified or compliant with
in this table:
Click the links in the text above to read the certifications or compliance reports. (Reading Deloitte & Touche’s SAS 70 Type II report requires signing an NDA.) Notice that the ISO 27001 certifications include specific references to “Online Services” but not “Windows Azure.” Mark Estberg’s Microsoft’s Cloud Infrastructure Receives FISMA Approval post of 12/2/2010 mentions Exchange Online and SharePoint Online, but not Windows Azure.
This Microsoft Online Services Trust Center page also asserts:
Global Foundational Services (GFS) provides infrastructure (data centers and networking) services to Microsoft online properties like Office 365, BPOS-S, BPOS-D, Dynamics CRM Online and Windows Azure. Application layer controls for Office 365 are currently planned to be evaluated first under SSAE 16 SOC 1 Type I, with evaluation under SSAE SOC 1 Type II to follow. The Office 365 SSAE 16 report will stack on top of the GFS report to provide an end-to-end representation of controls. GFS is SAS 70 Type II certified today, and will be audited against SSAE 16 at its next regularly scheduled audit." [Emphasis added.]
SSAE 16 supersedes SAS 70 for service auditor’s reporting periods ending on or after June 15, 2011. Currently, I can find no indication of whether Microsoft intends to have the Windows Azure application layer controls evaluated under SSAE 16 SOC 1 or any services to be evaluated under the new SOC 2. I am following up with Microsoft to determine their position, if any, on SSAE 16 for Windows Azure and SQL Azure.
Chris Schellman's SOC 2 for Cloud Computing article of 10/11/2011 provides a brief description of SOC 1 and a detailed analysis of the new SOC 2 examination. Chris is president of BrightLine, which claims to be "the world's only CPA firm that is accredited as a PCI QSA Company and ISO 27001 Registrar."
Jean-Philippe Courtois, President, Microsoft International, discussed ISO 27001/2 and SAS 70 for Microsoft data centers in his A Pragmatic Approach to Security in the Cloud post of 7/28/2011 to the MSDN Viewpoints blog. It's a good read but doesn't mention forthcoming SSAE 16 attestations.
Where is Windows Azure’s Trust Center and Security, Audits, and Certifications Page?
Steve Marx, a member of the Windows Azure team, responded as follows on 3/10/2009 to my Will the Azure Service Platform Undergo a SAS 70 Type I or Type II Audit Prior to Release? If Not, When? thread of 3/6/2009 in the Security for the Windows Azure Platform forum:
We are in the process of evaluating various certification requirements relative to Windows Azure with a goal toward achieving key certifications by commercial launch or shortly thereafter.
I’ve never been able to discover what the team considered to be “key certifications” nor any evidence of any specific certifications for Windows Azure to date. Several others have sought similar details in this forum without success.
Vague representations, such as the following in Charlie Kaufman and Ramanathan Venkatapathy’s Windows Azure Security Overview of August 2010 won’t suffice:
5.3 ISO 27001 Certification
Trusted third-party certification provides a well-established mechanism for demonstrating protection of customer data without giving excessive access to teams of independent auditors that may threaten the integrity of the overall platform. Windows Azure operates in the Microsoft Global Foundation Services (GFS) infrastructure, portions of which are ISO 27001-certified.
ISO27001 is recognized worldwide as one of the premiere international information security management standards. Windows Azure is in the process of evaluating further industry certifications.
In addition to the internationally recognized ISO27001 standard, Microsoft Corporation is a signatory to Safe Harbor and is committed to fulfill all of its obligations under the Safe Harbor Framework.
While responsibility for compliance with laws, regulations, and industry requirements remains with Windows Azure customers, Microsoft remains committed to helping customers achieve compliance through the features described above.
One question obviously is what “portions of which are ISO 27001-certified”? Only those used by Office 365?
Amazon Web Services’ AWS Security and Compliance Center asserts:
Certifications and Accreditations. AWS has in the past successfully completed multiple SAS70 Type II audits, and as of September 30, 2011 publishes a Service Organization Controls 1 (SOC 1) report, published under both the SSAE 16 and the ISAE 3402 professional standards. In addition, AWS has achieved ISO 27001 certification, has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS), and has received FISMA-Moderate Authority to Operate. We will continue to obtain the appropriate security certifications and conduct audits to demonstrate the security of our infrastructure and services. For more information on risk and compliance activities in the AWS cloud, consult the Amazon Web Services: Risk and Compliance whitepaper.
Notice that Amazon doesn’t limit their compliance assertions to AWS data centers but specifically includes AWS’s IaaS (services) offerings.
If Microsoft considers ISO 27001 certification and SAS 70/SSAE 16 attestation to be important to the commercial success of Office 365, why don’t the same criteria apply to Windows Azure.
The Windows Azure team should make publication of a Security, Audits, and Certifications page for Windows Azure and SQL Azure with certifications and attestations similar to Office 365’s an activity of the highest priority.