Selecting a colocation facility can be a tough job, involving more than simply choosing the facility with the right location or the best infrastructure services. A core requirement every colocation customer has is that their servers and data need to be secured and protected. That’s necessary not just for your own internal operations, but also as a promise to your users and customers — after all, who’s going to trust their personal information to a service that can’t protect it?
A surefire way to pick a data center that can demonstrate it understands how to protect and secure your servers is by finding one that’s SSAE-18 certified. While you might not immediately think that you’d be able to take advantage of the controls and processes required for complying with SSAE-18, there are a variety of reasons that all colocation customers can benefit from using a certified facility.
What is SSAE-18?
Statement on Standards for Attestation Engagements (SSAE) no. 18 is a standard — controlled by the American Institute of Certified Public Accountants (AICPA ) — that provides guidance on auditing methods for businesses. SSAE-18 is not a prescriptive list of steps to go through to achieve compliance, rather it’s a collection of guidelines for operating a business, along with how to report on compliance controls.
If you’re not familiar with SSAE-18, you may have heard of the previous version: SSAE-16. SSAE-18 superseded SSAE-16 on May 1, 2017, and the update is intended to clarify some of the old standards and simplify the review process. SSAE-18 demands more responsibility when dealing with third-party vendors, and each vendor is assigned a specific responsibility and schedule for performance reviews that involve audits and analysis of the findings. SSAE-18 also requires any vendors to abide by the same standards as the company they’re working with.
Businesses achieve SSAE-18 certification by running a audit of a company’s control processes. The output from running an audit is a System and Organization Controls (SOC) report that demonstrates evidence of complying with the guidelines covered in the SSAE-18 standard.
There are three different SOC reports: SOC 1, SOC 2, and SOC 3. A SOC 1 report is concerned with how service organizations implement internal controls for financial reporting. SOC 2 evaluates the controls related to security, availability, processing integrity, confidentiality, and privacy. Because SOC 1 and SOC 2 include business-sensitive material, they’re usually only distributed internally within a company or externally under an NDA. SOC 3 reports are based on SOC 2 but are less detailed (they don’t describe the compliance tests performed), making it possible to share them with the general public. SOC 3 reports provide a summary of the key information in SOC 2, and because they can be shared freely they’re often used as marketing material.
Why is SSAE-18 important for colocation?
The controls covered in SSAE-18, specially in the SOC 2 report, are beneficial for any data center providing colocation services. Those controls include things such as physical and environmental security, data privacy, and facility availability — all things that are important when selecting a data center. Complying with SSAE-18 demonstrates that a data center is a safe and secure place to house your colocated servers.
The five core principles covered by the SOC 2 report are:
- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy
The first aspect of SSAE-18 compliance for data centers is guaranteeing physical security of colocation facilities. This area is covered by the security principle in the SOC 2 report. If you’re colocating your critical business infrastructure, you need assurances that your hardware is protected from unauthorized access and modification. Whether security controls are implemented with security guards, biometrics scanners, video cameras, or a combination, compliance with SSAE-18 means your servers are physically secure.
A major advantage of colocating your servers is increased availability. Data centers that supply evidence of complying with the availability principle in SOC 2 reports have controls in place to make sure your data, and the infrastructure that serves it, will be accessible to your users at all times.
The processing integrity principle of SOC 2 covers supplying sufficient data and power redundancy. On the environmental security side, compliant data centers closely monitor temperature in their facilities so that your servers always run in optimal conditions, reducing the risk of failure and loss of service.
No matter which industry you’re in, company and customer data is a vital part of every business. Establishing that only authorized users can access sensitive data is the only way to maintain confidentiality. The strict controls needed to cover the confidentiality principle in SOC 2 require protections to be put in place, so you can rest easy knowing your data won’t fall into the wrong hands.
And finally, data privacy is assured for customers that house their servers in SSAE-18 certified colocation facilities. If you’re operating in an industry dealing with sensitive data such as financial trading information or medical records, ensuring your user’s privacy is protected is a core business requirement. SSAE-18 data centers can help you meet industry regulations.
By choosing a data center that complies with SSAE-18, you get a transparent view of the foundation that you’re building your business on and the service you’re providing to your users. Plus, routine audits can catch control issues before they become a problem and control processes can be improved over time.
But SSAE-18 isn’t just useful for operating your own business — your customers also benefit knowing that your company servers are assessed against SSAE-18 and can show evidence of complying with the five principles outlined in SOC 2. Complying with SSAE-18 improves operations, tightens security, and proves a company is operating at a high standard.
Conclusion
It doesn’t matter whether you work in financial trading industry or ecommerce, you expect your colocated servers to be secure and protected, and so do your users. Because of the controls that need to be in place for SSAE-18 certified data centers, and in particular the five principles covered in SOC 2 reports, all colocation customers can benefit from choosing an SSAE-18 compliant colocation facility. You can also check out our dedicated page for SSAE-18 compliance where you can download the full results of the ColoCrossing SSAE-18 report.
