One of the most important features of any data center is its security.
After all, companies are trusting their mission-critical data to be contained within the facility.
In recent years, security has grown even more critical for businesses. Whether you store your data in an in-house data center or with a third-party provider, cyber-attacks are a real and growing threat to your operations, and you need to know whether the facility has a plan to withstand them, DDoS attacks included.
Every year the number of security incidents grows, and the volume of compromised data grows with it. According to the Breach Level Index, 3,353,172,708 records were compromised in the first six months of 2018, a 72% increase over the same period of 2017.
Correspondingly, data protection on all levels matters more than ever. Securing your data center or choosing a compliant provider should be the core of your security strategy.
The reality is that cyber security incidents and attacks are growing more frequent and more aggressive.
What are Data Center Security Levels?
Data center security standards help enforce data protection best practices. Understanding their scope and value is essential for choosing a provider. It also plays a role in developing a long-term IT strategy that may involve extensive outsourcing.
This article covers the key data center standards and how they have changed. Beyond learning what these standards mean, businesses also need to track updates to them, since a revision can change what an audit report actually covers.
Many people outside the auditing profession do not fully understand the different classifications, or know what to look for in a data center's design and certifications.
To help you make a more informed decision about your data center services, here is an overview of concepts you should understand.
Data Center Compliance
SSAE 18 Audit Standard & Certification
A long-time standard throughout the data center industry, SAS 70 was superseded by SSAE 16, which became effective for reporting periods ending on or after June 15, 2011. Most facilities shifted to SSAE 16 soon after.
However, it’s essential to understand that there is no certification for SSAE 16. It is a standard developed by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).
Complicated acronyms aside, SSAE 16 is not something a company can achieve. It is an attestation standard used to lend credibility to an organization's processes. Unlike SAS 70, SSAE 16 required service provider management to “provide a written assertion regarding the effectiveness of controls,” which the auditor then attests to. In that sense SSAE 16 examined a company's processes and systems more rigorously, while SAS 70 was mostly an auditing practice.
It is important to mention that an SSAE 16 engagement resulted in a Service Organization Control (SOC) 1 report. (SOC here has nothing to do with a security operations center.) The SOC 1 report is still in use and describes the controls at the service organization that are relevant to its customers' financial reporting.
After years of existence, SSAE 16 was replaced with a revised version. For reports dated on or after May 1, 2017, SSAE 16 can no longer be issued and SSAE 18 is used instead.
SSAE 18 builds upon the earlier version with several significant additions. Two of them concern risk assessment and the oversight of third parties, areas that previously received attention mainly in SOC 2 reports.
The updates in SSAE 18 include:
- Guidance on risk assessment. Service organizations are expected to identify and assess the risks that threaten their control objectives, and to review that assessment regularly.
- Complementary Subservice Organization Controls (CSOCs). A new section requires the service organization to identify the controls it relies on at its subservice organizations (for example, the colocation facility hosting a SaaS provider's servers) and to monitor that those controls are operating effectively.
With these changes, the updated standard aims to further improve monitoring. Monitoring of critical systems, activities and third parties is one of the most important precautionary measures against breaches and fraud, and a foundation of secure organizations. It may have created a bit more work for service providers, but it also takes their security to the next level.
Of the reports relevant to data centers, SOC 1 is the closest to the old SAS 70. The service organization (data center) defines its own control objectives, against which the audit is performed.
The key purpose of SOC 1 is to provide information about a service provider's control structure. It is particularly crucial for SaaS and technology companies whose services feed into their clients' financial processes, because they are more deeply integrated into those processes than a general business partner would be.
SOC 1 also applies whenever customers' financial applications, or the infrastructure underneath them, are involved. Cloud and managed hosting would qualify for this type of report. A colocation provider that only supplies space, power and cooling, and performs no managed services, would normally not need one.
SOC 2 covers controls that are not tied to customers' financial reporting: security, availability, processing integrity, confidentiality and privacy. Colocation data center facilities providing power and environmental controls fit here. Unlike a SOC 1, the criteria are not defined by the provider but prescribed by the AICPA (the Trust Services Principles, renamed the Trust Services Criteria in 2017), and the provider is audited against them.
Becoming SOC 2 compliant is a more rigorous process. It requires service providers to report in detail on their internal access and authorization controls, as well as their monitoring and notification processes. When reviewing a report, note whether it is Type I (controls described and evaluated at a point in time) or Type II (controls tested for operating effectiveness over a period, usually six to twelve months); a Type II report is the stronger evidence.
SOC 3 requires an audit similar to SOC 2, against the same prescribed criteria. However, the resulting report is a short, general-use summary with the auditor's opinion and no description of the tests performed or their results. A consumer-facing organization might choose this route so it can post a SOC 3 seal on its website without disclosing details of its controls.
Additional Compliance Standards
HIPAA and PCI DSS are two further frameworks to understand when evaluating data center security.
HIPAA
HIPAA (Health Insurance Portability and Accountability Act) regulates how protected health information (PHI) is stored, transmitted and managed in the US healthcare industry, including in cloud storage. Given the sensitive nature of healthcare data, any institution that handles it must follow strict security practices.
HIPAA compliance also reaches data center providers. It applies to any organization that works with a healthcare provider and has access to PHI. HIPAA calls such organizations business associates, and a business associate must sign a Business Associate Agreement (BAA) with the covered entity that commits it to safeguarding the data.
If you or your customers have access to healthcare data, you need to check whether you are using a HIPAA Compliant Hosting Provider. Be aware that there is no official HIPAA certification, so ask the provider for a signed BAA and for independent audit evidence (such as a SOC 2 report) showing that the required safeguards are in place. A provider that can supply this documentation also gives you what you may need to demonstrate your own compliance.
PCI DSS (Payment Card Industry Data Security Standard)
PCI DSS (Payment Card Industry Data Security Standard) applies to every organization that stores, processes or transmits payment card data, which includes all types of e-commerce businesses. Any website or company that accepts card payments must validate its compliance with PCI DSS. We have created a PCI compliance checklist to assist.
PCI DSS was developed by the PCI SSC (Payment Card Industry Security Standards Council), founded by the card brands Visa, Mastercard, American Express, Discover and JCB. The key idea behind their collaborative effort was to improve the safety of customers' cardholder data.
PCI DSS 3.2, released in 2016 and revised as 3.2.1 in 2018, added, among other changes, a requirement for multi-factor authentication for all non-console administrative access into the cardholder data environment and firm deadlines for migrating off SSL and early TLS. By keeping pace with change in the industry, PCI DSS remains a relevant standard for all e-commerce businesses.
Concluding Thoughts: Data Center Auditing & Compliance
Data center security auditing standards continue to evolve.
Continuous reviews and updates keep them relevant, and a current report offers valuable insight into a company's commitment to security. These standards do raise questions from time to time, and none of them can provide a 100% guarantee of information safety.
However, they still help assess a vendor's credibility. A provider that makes the effort to comply with regulatory and industry standards is more likely to offer quality data protection. This is particularly important for SaaS and IaaS providers, whose platforms and services become vital parts of their clients' operations and must provide advanced security.
When choosing your data center provider, understanding these standards can help you make a smarter choice. If you are unsure which one applies to the data center, you can always ask.
Then check the evidence rather than the label: request the actual SOC report, confirm its type, the period it covers, the services in scope and the auditor's opinion, and read any listed exceptions. Doing the same for PCI DSS and HIPAA documentation will give you peace of mind about your choice and your data safety.