This is a GREAT article by Liam Eagle in WHIR (Web Host Industry Review) — very relevant and very timely for businesses evaluating their IT services strategy.
To be clear, AIS is unique in the Southwestern US in having ALL THREE SOC AUDITS completed: SOC 1, SOC 2, and SOC 3.
Emphasis in red added by me.
Brian Wood, VP Marketing
Data Center Audit Standards: A Look at SAS 70, SSAE 16, SOC 1, SOC 2, and SOC 3
Hosting providers are quite frequently the operators of data centers, but they are much more frequently the customers of data centers, at the cage, rack or even server level. And for customers of data centers, an understanding of not just the facility’s design and the infrastructure that went into building out that design, but also the processes that dictate a facility’s operation, is an important tool in effectively weighing data center options.
Of course, it isn’t just service providers that have specific demands around the performance, security, and other aspects of a data center’s infrastructure and operation. Industries that handle sensitive data – customer financial information, health care details, credit card data – all have created their own standards for evaluating both data centers and hosted services. And compliance with industry-specific reporting standards is generally considered shorthand for evaluating the services themselves.
We hear the health care industry’s HIPAA standard, and the credit card industry’s PCI DSS standard, referenced regularly. The Uptime Institute’s tier system is a reliable means of classifying data centers. And for many years, the American Institute of Certified Public Accountants’ Statement on Auditing Standards No. 70 (SAS 70) has been one of the primary measures by which the data center business assures its data security practices – and certainly one publicized by the individual data centers.
The problem with SAS 70 was that, according to the AICPA, it was never intended to be used by data centers to verify security. It was meant to measure internal controls over financial reporting, whereas data centers have used it to measure their technical processes around security.
The Confusion Around “Certification”
One of the big problems with the SAS 70 report was the fact that while it was frequently represented, or interpreted, as a kind of “certification,” it is not, in fact, a certification. More importantly, it doesn’t objectively measure anything about the level of security (or anything else) maintained at a data center.
What it does measure is whether a data center operator adheres to the controls it has established for itself. There is no minimum standard for those processes, and no benchmark for security. So, in order to glean anything from a SAS 70 audit, a customer of the data center would have to read the report themselves, and would have to know how to evaluate the quality of the processes being adhered to.
That doesn’t mean SAS 70 has necessarily been used dishonestly, or to destructive effect, in the data center business, says Sean Bruton, a senior product manager at Hosting.com, a data center and hosting company that is proactively adopting the newer standards put out by the AICPA.
“In all of the organizations we’ve built for years, our primary auditing standards have been around SAS 70 and PCI,” he says. “With the SAS 70 controls, we’ve all had to develop basically our own control framework to report on, that is unique for each of us. Everyone is still doing reasonable, responsible auditing of their security controls and reporting it back to the customers. It’s just that we now have the ability to step up to a report that was designed specifically for data center and IT service providers, and has a baseline metric for achieving compliance.”
The Modern AICPA Data Center Audit: SOC 1, SOC 2, SOC 3 and SSAE 16
The AICPA updated SAS 70 back in 2011 with a new set of audits and controls, including some that apply explicitly to service provider operational procedures.
SAS 70 has been replaced with the Statement on Standards for Attestation Engagements No. 16 as the new standard for auditing organizational controls. The Service Organization Control 1 report is the result of an SSAE 16 audit. In the data center business now, SSAE 16 and SOC 1 are, for the purposes of data center customers, more or less synonymous. They refer to a process that, like SAS 70, validates that an organization adheres to the controls it has laid out, and, like SAS 70, is specific to financial reporting. The process is similar, with a few minor changes, and one additional step requiring management to supply more information.
To alleviate the confusion around financial reporting audits being used to audit data center processes, the AICPA also created the SOC 2 and SOC 3 reports, which, unlike the rest, use the AT101 standard, which includes a baseline set of IT security requirements called the Trust Services Principles.
SOC 2 and SOC 3 are more or less the same audit, but differ in the type of report produced. The SOC 2 report includes all the details of the systems audited, whereas the SOC 3 report is more of a generic certification (and yes, the word “certification” actually applies in this case).
Back when the new standards were introduced, Online Tech Co-CEO Mark Klein wrote a pretty thorough description of SSAE 16, SOC 2 and SOC 3 for Data Center Knowledge.
Adoption of the New Data Center Audit Standards
Bruton says data center companies haven’t necessarily been quick to adapt to the new standards, with many companies likely continuing with the framework they already had in place – though he reiterates that it’s unlikely there’s any deception or data center mismanagement going on as a result.
He says the SOC 2 audit requires a minimum reporting period of six months, so becoming compliant requires at least six months of data showing the company has met its control objectives. Bruton says hosting providers have begun to achieve certification, naming Hosting.com and ViaWest as examples.
Other hosting providers have made the move to the new auditing standards and certification over the last year and a half.
Online Tech has also announced SOC 2 and SOC 3 compliance.
In February of 2012, managed hosting provider iNetU announced that it had completed the SOC 2 and SOC 3 audits.
Cbeyond announced compliance with the SOC 2 standard in February of 2011.
Hosting provider DBSi announced in January 2012 that its Pennsylvania data centers had completed the SOC 2 and SOC 3 audits.
How Customers Respond to Data Center Audit Info
Bruton says customers almost across the board know to look for SAS 70 or SSAE 16 audits, but most aren’t looking for all the specific details of the report, as much as they are just checking off that box.
“But when you get into the larger organizations – public companies, government and other sensitive organizations that have brought in a third party to help them assess which service providers they’re going to leverage,” he says, “those are the ones that are really going to leverage going over the report with a fine-toothed comb and really making sure the way you’ve conducted your assessment is in line with their expectations.”
For hosting providers placing their infrastructure inside those data centers, the latter might be true, especially if they’re attempting to serve customers with strict compliance or regulatory requirements of their own.
How Data Center Customers Can Access the Audit Reports
The SOC 3 report is designed to be published on the service provider’s website, or in some similar fashion. It’s similar to a badge the organization can hold up and say, we’re certified; we meet the requirements of this particular security standard.
“SOC 2 has all the juicy details,” says Bruton. “So you’ll never see any of these service providers wanting to release that publicly. To a qualified prospective customer, under NDA, sure, we’ll go over the report with you, make sure you have it on your end, and that our customers’ auditors have it, so we’re all on the same page as to how your data is being handled.”
Does a Data Center Audit Trickle Down to Service Provider Customers?
So does an AICPA audit completed by a data center operator apply to the services of a service provider hosted within the facility?
“Technically, no,” says Bruton. “They can’t claim that they themselves are SSAE 16 audited, or that they’ve met the trust principles because of us. But certainly hosting with us or anyone else who has achieved this turns out to be a great resource for them, basically to be able to instill confidence in their own customers that they have the appropriate security controls in place. So, our customers will advertise all the time that they’re hosting with a SOC 2, SOC 3 certified data center, and that does have meaning to their customers.