One of the most important features of any data center is its security.

After all, companies are trusting their mission-critical data to be contained within the facility.

In recent years, security has grown even more critical for businesses. Cyber-attacks are a growing and real threat to businesses, whether they store their data on premises or with a third-party provider. Do they have a plan to prevent DDoS attacks?

Every year, the number of security incidents grows, and the volume of compromised data amplifies proportionally.

In the first 6 months of 2018, 3,353,172,708 records were compromised. That is an increase of 72% compared to the same period of 2017, according to the Breach Level Index.

Correspondingly, data protection on all levels matters more than ever. Securing your data center or choosing a compliant provider should be the core of your security strategy.

The reality is that cyber security incidents and attacks are growing more frequent and more aggressive.

What are Data Center Security Levels?

Data center security standards help enforce data protection best practices. It is important to understand their value and scope before choosing a service provider. They also play a role in developing a long-term IT strategy that may involve extensive outsourcing.

This article covers critical data center standards and their histories of change. Businesses need to be aware of any changes to operating standards that could affect them. They may not even know what to look for in a data center design and certification.

To help you make a more informed decision about your data center services, here is an overview of concepts you should understand.

Data Center Compliance

SSAE 18 Audit Standard & Certification

A long-time standard throughout the data center industry, SAS 70 was officially retired at the end of 2010. Many facilities switched to SSAE 16 shortly after it was discontinued. SSAE 16 is a standard developed by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

Complicated acronyms aside, SSAE 16 is not a certification a company can achieve. It is an attestation that gives credibility to the processes of organizations. It is important to note that SSAE 16 was used to produce a Service Organization Control 1 (SOC 1) report. This report is still in use and provides insights into the company’s reporting policies and processes.

After years of existence, SSAE 16 was recently replaced with a revised version. Since May 1, 2017, SSAE 16 is no longer issued. Instead, an improved SSAE 18 has been introduced. The updates in SSAE 18 include:

  • Guidelines on risk assessment. This part requires organizations to assess and review potential technology risks regularly.
  • Complementary Subservice Organization Controls. The standard has a new section that aims at providing more clarity on the activities of third-party vendors. Monitoring critical systems and activity is one of the most effective precautionary measures to prevent breaches and fraud.

SOC 1

SOC 1 is the closest to SAS 70 among the data center reports. The service organization (data center) defines the internal controls against which audits are performed.

The key purpose of SOC 1 is to provide information about a service provider’s control structure. This is especially important for SaaS companies and technology firms that provide essential services to businesses. They are therefore more closely integrated with their clients than a typical business partner would be. Cloud computing providers would be eligible for this report type. SOC 1 is not applicable to colocation providers who do not provide managed services.

SOC 2

SOC 2 would include colocation data centers that provide environmental and power controls. However, unlike a SOC 1, the controls are provided (or prescribed) by the AICPA (Trust Services Principles) and audited against.

Becoming SOC 2 compliant is a more rigorous process. It requires service providers to report on all the details regarding their internal access and authorization control practices, as well as their monitoring and notification processes.

SOC 3 requires an audit similar to SOC 2 (prescribed controls), but it does not include a detailed report or test tables. A consumer-facing organization might choose this route so it can post a SOC logo on its website.

Additional Compliance Standards

HIPAA and PCI DSS are two critical notions to understand when evaluating data center security.

HIPAA

HIPAA (Health Insurance Portability and Accountability Act) regulates data, cloud storage security, and management best practices in the healthcare industry. Given the sensitive nature of healthcare data, any institution that handles it must follow strict security practices.

HIPAA compliance also touches data center providers. It applies to all organizations that work with healthcare providers and have access to medical information. HIPAA treats all of these organizations as Business Associates of the healthcare providers. HIPAA compliance is a guarantee that the hosting provider can provide the required levels of data security. It also means the provider can supply the documentation you may need to submit to prove compliance.

PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS (Payment Card Industry Data Security Standard) is a standard that applies to all types of e-commerce businesses. A website or business that accepts online payments must be PCI DSS certified. PCI DSS is a standard developed by the PCI SSC, whose members include credit card companies such as Visa, Mastercard, American Express and others. The key idea behind their collaborative effort to develop this standard was to help improve the safety of customers’ financial information.

PCI DSS 3.2 was recently updated. The standard includes a number of updates that address mobile payments. By keeping pace with change in the industry, PCI DSS remains a relevant standard for all e-commerce businesses.

Concluding Thoughts: Data Center Auditing & Compliance

Data center security auditing standards continue to evolve.

The continuous reviews and updates help them remain relevant and offer valuable insight into a company’s commitment to security. It is true that these standards raise a few questions from time to time and cannot provide a 100% guarantee of information safety.

However, they still help assess a vendor’s credibility. Data protection is more likely from a managed security service provider who complies with government regulations. This is especially important for SaaS or IaaS service providers. Their platforms and services become vital parts of their clients’ operations and must provide advanced security.

When choosing your data center provider, understanding these standards can help you make a smarter choice. You can always ask if you’re unsure. This will allow you to feel confident about your decision and the safety of your data.

About The Author

By omurix
