Data Center Audit Standards: A Look at SAS 70, SSAE 16, SOC 2, and SOC 3


Hosting providers are quite frequently the operators of data centers, but they are much more frequently the customers of data centers, at the cage, rack or even server level. And for customers of data centers, an understanding of not just the facility’s design and the infrastructure that went into building out that design, but the processes that dictate a facility’s operation, are important tools in effectively weighing data center options.

Of course, it isn’t just service providers that have specific demands around the performance, security, and other aspects of a data center’s infrastructure and operation. Industries that handle sensitive data – customer financial information, health care details, credit card data – all have created their own standards for evaluating both data centers and hosted services. And compliance with industry-specific reporting standards is generally considered shorthand for evaluating the services themselves.

We hear the health care industry’s HIPAA standard, and the credit card industry’s PCI DSS standard, referenced regularly. The Uptime Institute’s tier system is a reliable means of classifying data centers. And for many years, the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (SAS 70) has been one of the primary measures by which the data center business assures its data security practices – and certainly one publicized by the individual data centers.

The problem with SAS 70 was the fact that, according to the AICPA, it was never intended to be used by data centers to verify security. It was meant to measure internal controls over financial reporting, whereas data centers have used it to measure their technical processes around security.

The Confusion Around “Certification”

One of the big problems with the SAS 70 report was the fact that while it was frequently represented, or interpreted, as a kind of “certification,” it is not, in fact, a certification. More importantly, it doesn’t objectively measure anything about the level of security (or anything else) maintained at a data center.

What it does measure is whether a data center operator adheres to the controls it has established for itself. There is no minimum standard for those processes, and no benchmark for security. So, in order to glean anything from a SAS 70 audit, a customer of the data center would have to read the report themselves, and would have to know how to evaluate the quality of the processes being adhered to.

That doesn’t mean SAS 70 has necessarily been used dishonestly, or to destructive effect, in the data center business, says Sean Bruton, a senior product manager at Hosting.com, a data center and hosting company that is proactively adopting the newer standards put out by the AICPA.

“In all of the organizations we’ve built for years, our primary auditing standards have been around SAS70 and PCI,” he says. “With the SAS 70 controls, we’ve all had to develop basically our own control framework to report on, that is unique for each of us. Everyone is still doing reasonable responsible auditing of their security controls and reporting it back to the customers. It’s just that we now have the ability to step up to a report that was designed specifically for data center and IT service providers, and has a baseline metric for achieving compliance.”

The Modern AICPA Data Center Audit: SOC1, SOC2, SOC3 and SSAE16

The AICPA updated SAS 70 back in 2011 with a new set of audits and controls, including some that apply explicitly to service provider operational procedures.

SAS 70 has been replaced by the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) as the new standard for auditing organizational controls. The Service Organization Control 1 (SOC 1) report is the result of an SSAE 16 audit. In the data center business now, SSAE 16 and SOC 1 are, for the purposes of data center customers, more or less synonymous. They refer to a process that, like SAS 70, validates that an organization adheres to the controls it has laid out, and, like SAS 70, is specific to financial reporting. The process is similar, with a few minor changes, and one additional step requiring management to supply more information.

To alleviate the confusion around financial reporting audits being used to audit data center processes, the AICPA also created the SOC 2 and SOC 3 reports, which, unlike SOC 1, use the AT 101 attestation standard, which includes a baseline set of IT security requirements called the Trust Services Principles.

SOC 2 and SOC 3 are more or less the same audit, but differ in the type of report produced. The SOC 2 report includes all the details of the systems audited, whereas the SOC 3 report is more of a generic certification (and yes, the word “certification” actually applies in this case).

Back when the new standards were introduced, Online Tech Co-CEO Mark Klein wrote a pretty thorough description of SSAE 16, SOC 2 and SOC 3 for Data Center Knowledge.

Adoption of the New Data Center Audit Standards

Bruton says data center companies haven’t necessarily been quick to adopt the new standards, with many companies likely continuing with the framework they already had in place – though he reiterates that it’s unlikely there’s any deception or data center mismanagement going on as a result.

He says the SOC 2 audit requires a minimum reporting period of six months, so becoming compliant requires at least six months of data showing the company has met its control objectives. Bruton says hosting providers have begun to achieve certification, naming Hosting.com and ViaWest as examples.

Other hosting providers have made the move to the new auditing standards and certification over the last year and a half.

Online Tech has also announced SOC 2 and SOC 3 compliance.

In February of 2012, managed hosting provider iNetU announced that it had completed the SOC 2 and SOC 3 audits.

Cbeyond announced compliance with the SOC 2 standard in February of 2011.

Hosting provider DBSi announced in January 2012 that its Pennsylvania data centers had completed the SOC 2 and SOC 3 audits.

How Customers Respond to Data Center Audit Info

Bruton says customers almost across the board know to look for SAS 70 or SSAE 16 audits, but most aren’t looking for all the specific details of the report, as much as they are just checking off that box.

“But when you get into the larger organizations – public companies, government and other sensitive organizations that have brought in a third party to help them assess which service providers they’re going to leverage,” he says, “those are the ones that are really going to leverage going over the report with a fine-toothed comb and really making sure the way you’ve conducted your assessment is in line with their expectations.”

For hosting providers placing their infrastructure inside those data centers, that closer scrutiny of the report may well apply, especially if they’re attempting to serve customers with strict compliance or regulatory requirements of their own.

How Data Center Customers Can Access the Audit Reports

The SOC 3 report, by contrast, is designed to be published on the service provider’s website, or in some similar fashion. It’s similar to a badge the organization can hold up and say, we’re certified; we meet the requirements of this particular security standard.

“SOC 2 has all the juicy details,” says Bruton. “So you’ll never see any of these service providers wanting to release that publicly. To a qualified prospective customer, under NDA, sure, we’ll go over the report with you, make sure you have it on your end, and that our customers’ auditors have it, so we’re all on the same page as to how your data is being handled.”

Does a Data Center Audit Trickle Down to Service Provider Customers?

So does an AICPA audit completed by a data center operator apply to the services of a service provider hosted within the facility?

“Technically, no,” says Bruton. “They can’t claim that they themselves are SSAE 16 audited, or that they’ve met the trust principles because of us. But certainly hosting with us or anyone else who has achieved this turns out to be a great resource for them, basically to be able to instill confidence in their own customers that they have the appropriate security controls in place. So, our customers will advertise all the time that they’re hosting with a SOC 2, SOC 3 certified data center, and that does have meaning to their customers.”

Talk back: Do you operate a data center of your own? Have you pursued the SOC 2 or SOC 3 certifications? Do you host within a larger provider’s data center? Does this kind of auditing, or these specific reports hold a lot of weight with you? Let us know in the comments.


14 Comments

  1. Paul Willis

    This article has very nicely elaborated the topics of data center audit and standards. On reading this article, I could get an in-depth insight about the standards of data center and how to comply with them. Overall the blog is written in a very structured format.

    Reply
  2. Tyisha Pettaway

Great article. Great writing. I was fascinated by the insight. Does anyone know if my company would be able to grab a sample CA SR 10 form to type on?

    Reply
  3. Very interesting Post. Thanks for sharing this. I learned something new again.

    Reply
  4. Have fun replacing the 2nd blade on the left on that router ( http://d.pr/i/qcfS/3JyRfVKB ). Use a cable organizer along the bottom for running fiber vertically up to the blades to prevent issues when it comes time to swap out the blades.

    Reply
Liam and others, all of the posts contain relevant information, but unfortunately you can't devote enough space to all of the nuances that apply to SOC reporting for a company. More times than I can count I have advised a company on their SOC reporting to match the expected needs of their customers. In most of these cases, the company I was advising ended up having us issue a different SOC report than they originally intended. In my opinion the market for these reports, and some of the users of the reports, are still confused about which report is appropriate. I think Jon is right that some companies may have abused the language surrounding SAS 70 and SSAE 16 to their advantage, while others have innocently issued a report they truly believed was appropriate. Discussions like these are always helpful and I would be more than happy to talk further with any of you offline (twhite@elkocpa.com) to help us all collectively "get it right".

    Reply
  6. I really like your blog site and appreciate the given information about SSAE 16. We also provide SSAE16 services like SSAE16 Assessment and SSAE16 Attestation to clients all over the globe including USA. You can inform us for the further posts about SSAE16 audit and other standards and visit our official website http://www.ssae16-audits.com/ for more information about SSAE 16 Resources.

    Reply
  7. *Online Tech Co-CEO Mike Klein

    Reply
    • Post author

      Co-CEO. Thanks for pointing that out. I've updated that in the story. Just to clarify, when Klein wrote the DCK piece (March 2011) he was President and COO.

      Reply
      • Very true!

        Reply
I think Sean Bruton was being very kind to say what he did. Gartner issued a press release putting it a little more bluntly in 2010, and followed up with an analyst blog post in October and last month with a report on the current status of SSAE 16 abuse. You can find those here: http://bit.ly/wEt2i5 (2010 Press Release), http://bit.ly/OlO5cc (October Analyst blog), and http://gtnr.it/S9xdbS (Gartner report last month). In his blog, French Caldwell, VP and Gartner Fellow, said: "Some vendors and their auditors appear to be misusing SSAE 16 the same as they did SAS 70." Two particularly strong statements (paraphrased) in the Gartner report were: 1. Gartner has seen signs that SSAE 16/SOC 1 is being misused to represent a service organization's security posture that has not actually been assessed. 2. Gartner recommends not accepting an SSAE 16 (SOC 1) report as assurance of a service provider's security posture. About SAS 70, Jay Heiser, Senior Research Vice President at Gartner, said, "Given that SAS 70 cannot be considered as proof that an offered IT service is secure, it should be a matter of suspicion when a vendor insists that it is. Vendor claims to be 'SAS 70 certified' indicate either ignorance or deception, neither of which is a good basis for trust. The only thing that can conclusively be said about having a SAS 70 Type II attestation is that an auditing firm has agreed that the service provider is effectively performing those controls that they paid the auditing firm to evaluate." For more precise wording, and additional information about what to look for when getting a SOC 2 or SOC 3 for assurance regarding security, you should invest in the Gartner report (http://gtnr.it/S9xdbS).

    Reply
    • Post author

      Great post, Jon. I think I addressed part of what you're talking about, which is that a SAS 70 audit is proof of nothing in particular. But when I talked to Sean, he seemed to suggest that for a long time, it was one of the best means the data center industry had for ensuring that its own security procedures were being followed effectively. Obviously that is no longer the case. I asked him if he thought people were intentionally misrepresenting their services when they claimed to be "SAS 70 certified" and that's where we got to the point where he was saying he wasn't sure anyone was doing it to misrepresent their security. But you could be right about him being kind. I think the quote about both ignorance and deception both being bad grounds for trust was very astute.

      Reply
  9. Jayashree

Informative article. Read this interesting whitepaper, "Which SOC controls report is right for your organization"; it mainly focuses on various control reporting options. Readers will find it useful @ bit.ly/SDD74Y

    Reply
    • Post author

      Thanks for the link. More info is always useful, and there is obviously a lot of fine detail out there on this subject.

      Reply