Keeping your business' and customers' data safe is absolutely essential.
While there are many different elements that go into fulfilling today's requirements for keeping data in the right hands, security and compliance in the colocated data centre are obviously top-of-mind for the growing number of companies that choose to outsource their data centre needs.
In 2014, a report by DCD Intelligence showed that almost a quarter of data centre space in North America is outsourced. That number is only set to increase. Pair that with a 2014 report which showed that 37 percent of outsourcing customers are likely to fire their providers if they fail to meet compliance requirements, and it’s clear that this issue is top-of-mind.
To address security and compliance in the colocated data centre, today, we're going to take a closer look at some of today's need-to-know security and compliance terms, as well as offer an overview of Telx's approach to security and compliance.
To start, we’ll take some time addressing today’s most common security and compliance terms.
The Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organisation, is a set of auditing standards from the American Institute of Certified Public Accountants (AICPA). Data centre and colocation providers in the United States typically follow SSAE 16, which is a way for a third party to measure levels and types of compliance within the world of data centres and colocation providers.
SAS 70, or the Statement on Auditing Standards No. 70, is the predecessor to SSAE 16. Though no longer in use today, SAS 70 was in use for nearly 18 years and served as the most common set of auditing standards all throughout that time.
SOC 2 examines adherence to and trialling of controls for specific criteria called Trust Service Principles (TSP). These are categorized into five reportable sections: security, availability, processing integrity, confidentiality and privacy.
SOC 3 assesses whether or not an entity meets the required standards. The report does not include the specific test methods, results or opinions of the examiner. Instead, these reports are typically brief and limited in detail.
The Payment Card Industry Data Security Standard, or PCI DSS, is a set of regulations put together by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. PCI DSS is an information security standard for organizations that handle cardholder information.
HIPAA is perhaps the best-known set of rules on this list. Short for The Health Insurance Portability and Accountability Act of 1996, HIPAA encompasses several rules: the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the confidentiality provisions of the Patient Safety Rule, all of which are dedicated to the protection of individually identifiable health information.
Knowing all of the terms outlined above, we can move onto a more practical discussion of security and compliance in the colocated data centre.
Unless a data centre facility is audited by a third party, it's impossible to know how they handle their data, if they are compliant with the most current standards, and more generally, whether or not they are safe to use. A third-party audit gives a colocation customer peace of mind that their data is being handled in the right ways, and that the facility they're colocating into meets current standards.
SSAE 16, described above, is how you'll most frequently see levels and types of compliance described, at least with data centre and colocation providers in the United States. If a facility describes itself as SOC 2 compliant, for example, that means it's recently been audited against the most stringent form of SOC compliance. Compliance to other standards such as HIPAA or ISO 27001 is separate, but adds yet another level of peace of mind for colocation customers.
At Telx, all of our data centres are audited by a third party. All of our data centre facilities are compliant with SOC 2. Other facilities, like NJR2 and NJR3, are fully PCI ccompliant. Last year, all 20 of Telx's facilities became HIPAA compliant, yet another sign of our on-going commitment to our customers.
Telx’s Approach to Security and Compliance
With all of the above outlined, you may wonder how Telx approaches security and compliance more generally. You can learn more on our Compliance page, but the takeaway here is similar.
Our data centres comply with industry standards, so you can count on us to put the right controls, processes, and procedures in place to keep your assets in line with guidelines.
We offer the following assurances:
- SOC 2 compliance in all 20 of our data centres, covering trust service principles of security and availability
- SOC 3 compliance in all 20 of our data centres (click here to view our SOC 3 report)
- HIPAA compliance in all 20 of our data centres
- PCI compliance for the Clifton Data Centre Campus (NJR2 & NJR3)
Additionally, Telx builds and controls to a minimum of Type II reporting. Therefore, we can satisfy compliance on your behalf in many critical aspects, such as:
- Network and data security
Security policies, reporting and monitoring
Backup and recovery
Infrastructure and facilities management
Problem and incident management
Administrative and human resources controls
- Business continuity and disaster recovery
Monitoring and management oversight
Each year, Telx completes audit requirements to ensure that all of our data centres are SOC 2 and SOC 3 compliant. Any new facility we build is held to the same stringent requirements to maintain consistency. That way, you can rely on us to adhere to the standards your industry requires.
Regardless of whether you colocate or manage all of your own data, it's absolutely essential that you remain in-the-know about the latest industry standards and their relation to your business.
Though not comprehensive, this post does cover the most important terms and concepts you're likely to run into as you move forward in your endeavour to safely manage your business' and customers' data.
Does your business deal with sensitive information that you want to make sure is in secure hands? Read our post on the third-party auditing of Telx's data centres for more information about our SOC 2 compliance. And if have any additional questions, or if you’d like to learn more about any of the services we offer, you can see our compliance page here, or reach out to us via the contact page of our site, by Facebook, or by Twitter.