The "security" in the tool's name is a recent addition, although security is a primary element of doing the assessment. The tool previously had a more general-purpose name: in its alpha stage it was called "IT Readiness Tool for Cloud Adoption." It asks a user to complete a survey of 27 key questions, then performs an analysis and offers recommendations on the results. The only type of cloud computing that the tool recommends, at this stage of its existence, is software-as-a-service, and its recommendations, not surprisingly, steer its users toward Microsoft's SaaS offerings.
The announcement of the tool was made by Adrienne Hall, general manager of Microsoft Trustworthy Computing, during her keynote at the RSA Conference Europe 2012 in London on Tuesday. Hall said in an email exchange afterward that the tool's survey has a heavy security orientation. Several of its questions come from the Cloud Controls Matrix produced by the Cloud Security Alliance, an independent standards and best practices body. In some cases, the survey questions "combine the Cloud Security Matrix questions to produce a solid baseline" of current enterprise practices, with an indication of how well they will fit into cloud operations.
The 1.0 version of the matrix was released by the Alliance in April 2010 and charted the 98 security controls needed to meet various security and compliance standards. The Microsoft tool picks up on the example of the matrix by asking its users about their security policies, how the policies are upgraded, and how frequently they're reviewed. Instead of commenting on the question, survey takers check off one of four options that place them on a scale as beginners, one of two intermediate categories, or advanced practitioners. The categories on the survey are Getting Started, Making Progress, Almost There, and Stream-lined Effort, with the survey providing a description of the state of security policies in each category.
The tool also evaluates compliance standards that pertain to the survey taker, allowing the firm to use the resulting recommendations for "both their existing IT organization and potential cloud providers," Hall wrote.
Other security topics covered by the survey include data classification, assignment of roles that restrict access to data, security checks on personnel, physical controls on the compute equipment, and more.
The survey also asks about risk assessment, availability of backup power in case of a utility outage, the disaster recovery plan, and patch management process. In some cases, survey takers found to be "just getting started" in some of these areas will find the tool recommending a move to the cloud to speed their ability to meet good practice standards.
The tool might describe "how the IT area would improve if you adopted a service compliant with the best practices required for listing in the Computer Security Alliance STAR registry," Hall wrote, such as some of those that Microsoft can provide. STAR stands for CSA's Security, Trust and Assurance Registry, a free registry that documents the security controls provided by a cloud service.