Security and Compliance in the Colocated Data Center: What You Need to Know

Keeping your business’ and customers’ data safe is absolutely essential.

While there are many different elements that go into fulfilling today’s requirements for keeping data in the right hands, security and compliance in the colocated data center are obviously top-of-mind for the growing number of companies that choose to outsource their data center needs.

In 2014, a report by DCD Intelligence showed that almost a quarter of data center space in North America is outsourced. That number is only set to increase. Pair that with a 2014 report which showed that 37 percent of outsourcing customers are likely to fire their providers if they fail to meet compliance requirements, and it’s clear that this issue is top-of-mind.

To address security and compliance in the colocated data center, today, we’re going to take a closer look at some of today’s need-to-know security and compliance terms, as well as offer an overview of Telx’s approach to security and compliance.

To start, we’ll take some time addressing today’s most common security and compliance terms.

SSAE 16

The Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, is a set of auditing standards from the American Institute of Certified Public Accountants (AICPA). Data center and colocation providers in the United States typically follow SSAE 16, which is a way for a third party to measure levels and types of compliance within the world of data centers and colocation providers.

SAS 70

SAS 70, or the Statement on Auditing Standards No. 70, is the predecessor to SSAE 16. Though no longer in use today, SAS 70 was in use for nearly 18 years and served as the most common set of auditing standards all throughout that time.

SOC 2

SOC 2 examines adherence to and testing of controls for specific criteria called Trust Service Principles (TSP). These are categorized into five reportable sections: security, availability, processing integrity, confidentiality and privacy.

SOC 3

SOC 3 assesses whether or not an entity meets the required standards. The report does not include the specific test methods, results or opinions of the examiner. Instead, these reports are typically brief and limited in detail.

PCI DSS

The Payment Card Industry Data Security Standard, or PCI DSS, is a set of regulations put together by the PCI Security Standards Council, founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. PCI DSS is an information security standard for organizations that handle cardholder information.

HIPAA

HIPAA is perhaps the best-known set of rules on this list. Short for The Health Insurance Portability and Accountability Act of 1996, HIPAA encompasses several rules: the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the confidentiality provisions of the Patient Safety Rule, all of which are dedicated to the protection of individually identifiable health information.

Third-Party Audits

Knowing all of the terms outlined above, we can move onto a more practical discussion of security and compliance in the colocated data center.

Unless a data center facility is audited by a third party, it’s impossible to know how they handle their data, if they are compliant with the most current standards, and more generally, whether or not they are safe to use. A third-party audit gives a colocation customer peace of mind that their data is being handled in the right ways, and that the facility they’re colocating into meets current standards.

SSAE 16, described above, is how you’ll most frequently see levels and types of compliance described, at least with data center and colocation providers in the United States. If a facility describes itself as SOC 2 compliant, for example, that means it’s recently been audited against the most stringent form of SOC compliance. Compliance to other standards such as HIPAA or ISO 27001 is separate, but adds yet another level of peace of mind for colocation customers.

At Telx, all of our data centers are audited by a third party. All of our data center facilities are compliant with SOC 2. Other facilities, like NJR2 and NJR3, are fully PCI ccompliant. Last year, all 20 of Telx’s facilities became HIPAA compliant, yet another sign of our ongoing commitment to our customers.

Telx’s Approach to Security and Compliance

With all of the above outlined, you may wonder how Telx approaches security and compliance more generally. You can learn more on our Compliance page, but the takeaway here is similar.

Our data centers comply with industry standards, so you can count on us to put the right controls, processes, and procedures in place to keep your assets in line with guidelines.

We offer the following assurances:

• SOC 2 compliance in all 20 of our data centers, covering trust service principles of security and availability
• SOC 3 compliance in all 20 of our data centers (click here to view our SOC 3 report)
• HIPAA compliance in all 20 of our data centers
• PCI compliance for the Clifton Data Center Campus (NJR2 & NJR3)

Additionally, Telx builds and controls to a minimum of Type II reporting. Therefore, we can satisfy compliance on your behalf in many critical aspects, such as:

• Access control
• Network and data security
• Physical security
• Security policies, reporting and monitoring
• Backup and recovery
• Infrastructure and facilities management
• Problem and incident management
• Administrative and human resources controls
• Business continuity and disaster recovery
• Monitoring and management oversight

Each year, Telx completes audit requirements to ensure that all of our data centers are SOC 2 and SOC 3 compliant. Any new facility we build is held to the same stringent requirements to maintain consistency. That way, you can rely on us to adhere to the standards your industry requires.

Conclusion

Regardless of whether you colocate or manage all of your own data, it’s absolutely essential that you remain in-the-know about the latest industry standards and their relation to your business.

Though not comprehensive, this post does cover the most important terms and concepts you’re likely to run into as you move forward in your endeavor to safely manage your business’ and customers’ data.

Does your business deal with sensitive information that you want to make sure is in secure hands? Read our post on the third-party auditing of Telx’s data centers for more information about our SOC 2 compliance. And if have any additional questions, or if you’d like to learn more about any of the services we offer, you can see our compliance page here, or reach out to us via the contact page of our site, by Facebook, or by Twitter.