Colocation provider data centers have to achieve compliance in some instances to “keep things legal.” If you own or manage a company that requires such certifications, you already know which ones are necessary—but are you sure your colocation provider has actually achieved these security levels? From HIPAA to SSAE 16, it’s up to the client to make sure they (and their colocation provider) have the requisite paperwork in place. The major industry standards and certifications include HIPAA, PCI DSS 3.0, SSAE 16 SOC 1 Type 2, SOC 2 Type 2, and ISAE 3402. There are over 1,000 colocation data centers in North America, and you shouldn’t assume that all are fully compliant. Some don’t have clients that require these certifications, while other, smaller providers might not think it’s worth the time and money to pursue them. To be fully compliant, an unbiased, third-party auditing firm must confirm that a data center has successfully met the relevant, and rigorous, industry standards.
After a full audit, compliance reports are given to the data centers and can then be shared with appropriate clients. These certifications guarantee that there’s a certain level of data privacy, security, control, and availability at the data center. This is, unsurprisingly, a very challenging and expensive process for the data center provider. Each of the certifications boasts intensive and lengthy requirements. For example, HIPAA outlines physical and administrative rules, organizational safety rules, documentation procedures for policies, and an overall outline of procedures. In order to get HIPAA certified, a data center must meet the Health Information Technology for Economic and Clinical Health Act (HITECH) prerequisites.
Keeping Clients Secure
Another popular certification is the PCI DSS, or the Payment Card Industry Data Security Standard. This is a must for organizations that deal with credit card transactions—which includes many e-businesses. To safely process payments online, an auditing company must also confirm that a data center followed the SSAE 16 (Statement on Standards for Attestation Engagements) SOC 1 Type 2/SOC 2 Type 2 standards. All systems and controls related to availability and security must pass muster. Plus, compliance with the International Standards for Assurance Engagements (ISAE) is a much-needed complement, designed to safeguard the public and shareholders from potential accounting problems or mistakes in other related materials.
Specifically, SSAE 16 was created for certified public accountants (CPAs), so they could better oversee controls and keep businesses, shareholders, and clients safe. Few colocation data centers in North America boast all available certifications, but that’s not important to clients who rent rack space. What matters to you as a colocation client is that your data center holds the certifications your specific needs call for (if any). Most businesses don’t have such certification requirements; only those most exposed, typically because they handle financial data or sensitive personal data, face such restrictions.
Security Measures for Every Data Center
While certification isn’t always a requirement, keeping close, accurate documentation on procedures, records, and systems is a must. The data center shouldn’t leave any gray areas or impose unnecessary requirements on its clients. According to a CPA who’s involved with auditing data centers, Scott Price of A-Lign, “Certifying compliance across all facilities is a significant accomplishment and an uncommon feat these days.” However, he points out that keeping the bar high and protecting a data center’s clients should be the standard, not the exception. For data centers that specialize in serving clients in these niche industries, it’s an effective way to strengthen protection.
Choosing the Right Data Center
Any data center that does have a certification is required to share audit reports with anyone who requests them. The detailed reports outline exactly how the data center abides by updated rules and standards. Every year, these regulations may change, so getting re-certified is an annual task for data centers that are committed to added security. Additionally, as more data centers seek to serve niche industries (and those with higher demands), it’s likely that certification will become more common across the board.
However, certification is just one aspect to consider when shopping for a colo provider (albeit a very necessary one for those who need it). Also consider geographic location and exposure to natural disasters, the 24/7 availability of customer support, connectivity, and the general physical security of the data center. If possible, tour the facility and build a relationship with the data center provider. This is the business that’s keeping your server(s) and online presence secure, so the choice shouldn’t be taken lightly.