
ServerCentral's 2016 SOC 2 audit is now available!

Throughout many years of managing audit tasks and compliance programs, the most arduous part has always been gathering the proper artifacts.

  • Did we get the screen shot of one system right?
  • Where did I put that report from our vendor?
  • Who’s seen the monthly vulnerability scan reports?

Well, today ServerCentral took a large step toward making that process easier for our customers by putting our SOC 2 report online in our customer portal!

Our report alone, though, is not always enough to satisfy your auditors and vendors.

Fear not!

Not only is our own SOC 2 report available, but we've also uploaded the reports of our sub-service organizations and the various data center facilities where customer solutions have been deployed. You'll find the reports for the facilities where you house equipment listed alongside the ServerCentral report. All of these reports will be updated regularly with the latest versions from each organization.

Also, we're very pleased to let you know that, beginning today, when ServerCentral issues our SOC 2 report, a copy will be uploaded and made available to approved customers and contacts who have a signed NDA on file with our legal department. This means:

  • You will no longer need to request the report from your account manager.
  • You will no longer have to wait for the email notifying you when it’s made available each summer.
  • You will no longer be digging through your email archives for it when you need it for your own audit.

Simply sign in to our customer portal and you'll see the report available under Documents -> Compliance Reports.

As always, if you have any questions or concerns, please do not hesitate to let us know.

Topics: Compliance, Security, Audit

5 Reasons You Should Care About Data Center Compliance

Day by day, businesses across the world are moving more of their operations to the cloud, relying heavily on cloud service providers to protect and secure their data from theft and loss. If they haven't dipped their toes in the big pool of cloud, maybe they've hired a managed services provider (MSP) to handle the day-to-day maintenance and availability of their systems and data or the monitoring of uptime and performance.

Regardless of the path chosen, the potential exposure and risk of business, data, and reputation loss is real. However, both of these paths also provide businesses a great deal of benefit, leading many to try and strike that perfect balance of risk vs. reward in their cloud strategy.

This is where data center compliance comes in.

1. Your Customers Are Thinking about Cloud Security Too

Whether you're in the cloud or not, whether you use an MSP or not, your customers are having the same thoughts about cloud services and systems that you are. They see the same newspaper articles and soundbites on TV about data breaches and cloud outages that you do, and fear the loss of their personal data and business information just as keenly as you do. Being able to put that shiny logo on your site stating that you work with a SOC audited or PCI-DSS compliant data center is the first step in providing the same peace of mind to your customers that you receive yourself working with a compliance-based service provider.

2. Compliance Alone Doesn't Help You—You Need An Audit

Every marketing department out there will come up with some rating, some measurement, by which their company is the best and greatest in the world. Every new car has some award as best-in-class for one of its features, and every service provider lists off stats and SLAs like they're going out of style. It's the nature of the beast. The real question, however, is how do you cut through the marketing and get to the nitty-gritty of actual system performance and security? How do you know your provider will actually deliver on what they promise, or that in the event of an actual emergency they have the resources, the training, and the plan to recover? There are multiple compliance programs, complete with external audit components, that require a provider to prove it has met every checkbox in its SLAs.

3. Compliance (with Audit) Breeds Stability And Maturity

Organizations undertaking a compliance program suitable to their industry experience something amazing: they have to sit down and think about their internal processes and procedures to optimize and document them for their program.

An audit verifies whether or not providers follow their own guidelines. What's key is the fact that there are guidelines for providers to follow.

A lot of the time, people do something on the job because "that's how it's always been done," and not because it's the best or most secure method.

When I was working in data centers in the early 2000s, borrowing a USB stick was easy from the onsite techs and saved me in a pinch more than once. However, I'd often find the USB stick still had data from other clients, or worse—from the data center vendor itself. Audits like SAS 70, and later SOC 1 and SOC 2, help prevent situations like these. They help providers realize the need for both a data classification policy and the procedures required to secure and erase any device used by a client. This protects not only the customer, but also the provider from claims of a data breach.

4. Scale Breeds Economy

When a provider builds a managed firewall or managed SAN product for customers, they build it first from the mindset of securing customer data from other customers, and second from the mindset of customer availability and ease of use (lest they hand the keys to the kingdom to their other customers).

If I have a big SAN sitting around with 50 customers on it, and all 50 can see the other 49, all I'm doing is giving my customer base the back door they need into my other clients.

You could sign up for a free trial or demo and suddenly have access to all of the data of all of my clients, opening the door to lawsuits and potential loss. That mentality and paranoia leads to highly available and highly secure systems being locked down and compartmentalized, which benefits clients compared with running their own systems.

After all, a SAN behind your firewall is generally secure, right? How many customers would think to properly segment the management interfaces from their application servers, or worse—how many would fail to segment the data network from the management network, giving a compromised machine in their network full access to all of their data?

Compliance programs, policies, and procedures help cloud providers secure your systems better than you can alone.

5. Not All Compliance Is Created Equal

In the past, we've covered how different compliance programs exist for different reasons, so I won't rehash the whole argument as to why SOC 2 is the best possible compliance program for a service provider. Needless to say, however, a SOC 1 lacks the Trust Service Principles that are common to every recipient of a SOC 2 audit. Others, like PCI-DSS, can vary wildly in how people rate themselves and how they apply the principles to systems that might store PII or card data.

Even HIPAA, splashed all over provider websites as "HIPAA Compliant," is not something that is standard to the industry. Auditors will write letters stating a provider is in suitable compliance with the principles of HIPAA and HITECH, but there is very little testing required if a provider has no access to PHI.

Remember: Picking a provider with a HIPAA letter doesn't grant you HIPAA compliance. You need to gain that on your own.

Compliance itself does not ensure that all of your data and systems are perfectly protected. Without audit, compliance is just a bunch of promises your provider wrote on paper and handed to you. Even with audit, a weak compliance program can leave gaps and fissures in your protection. Learning more on the compliance programs, reading the audit report, and picking a provider with the industry-leading SOC 2 audit report is your best option for total cloud compliance.

Topics: Compliance

My SOC is Better Than Your SOC

We’ve come a long way since the days of the SAS 70, which did little to actually test the security of a data center or managed service provider. Under a SAS 70, which was designed to test the integrity of financial reporting and not information security, an organization could make up their own set of rules to be audited against. An auditor, usually a CPA sanctioned by the American Institute of CPAs (AICPA), would "test" their client by looking for evidence that they followed each rule.

The SAS 70 is the equivalent of asking students to write their own test questions.

If the client failed their own test question, the auditor would mark them as deficient or non-compliant with that section for that testing period.

The SAS 70 was designed in a world before the Internet or widespread data communications, so in 2010, the AICPA issued two new documents governing the use of compliance engagements:

  • the Statement on Standards for Attestation Engagements Number 16 (or SSAE-16); and
  • the Attestation Standards Section 101 (or AT-101).

Much like the SAS 70, SSAE-16 rules are made up by the organization being tested and have no guarantee of actually protecting your data.

The SSAE-16 is for a service organization that directly handles financial transactions that affect the financial reporting of their clients, while the AT-101 is for a service organization that houses the technology systems that a client uses for financial reporting. It’s an important distinction:

If your provider doesn't handle financial transactions on your behalf, they shouldn't be using the SSAE-16 report for compliance.

Therein lies the problem with compliance programs at most data centers and managed service providers. They stick with SSAE-16 because they get to keep the same rules from their days with the SAS 70 instead of adopting the strict rules of the AT-101.

In the end, the decision on compliance comes down to one important factor:

Does your service provider use the same tired controls they’ve been using for the past decade, or do they adopt the industry-leading standards with the most comprehensive set of controls available?

Your information security depends on your provider, and we do everything we can to make sure your data is safe in our care. Contact us or request a copy of our audit to get started.

Topics: Data Center, Compliance

1 SOC, 2 SOC, Red Sock, Blue Sock

Compliance isn’t just a checkbox on a piece of paper to ServerCentral. From old hardware disposal to protecting vital assets and systems, security and compliance are at the core of everything we do for our clients. We first covered our commitment to compliance when Daniel Brosk, our COO, blogged about the changes the SSAE-16 SOC 1 brought from our older SAS 70 report. Today, we have another exciting new announcement about our commitment to security and compliance:

For the audit period ending June 30, 2014, ServerCentral migrated our compliance program from the SSAE-16 SOC 1 standard to the more-secure AT-101 SOC 2.

With the help of our auditors, we adopted the very stringent policies required by the Trust Service Principles (TSPs), which are dictated by the American Institute of CPAs (AICPA). These TSPs are considered the highest level of security and safety available to a data center or managed service provider, which is why ServerCentral has embraced them fully throughout every level of our organization.

Unlike the SSAE-16 SOC 1 reporting standard, the AT-101 SOC 2 has a consistent, standard set of items to test and report for our auditors.

The SOC 1 allows a data center or service provider to choose their own rules, pick their own security standards, and to hide gaping weaknesses in their program by simply not including a control covering that weakness.

The SOC 2 has leveled the playing field, forcing all providers to use the same advanced security controls to protect your data and your systems.

ServerCentral believes in holding ourselves to the highest standard when it comes to handling, securing, and managing sensitive data and systems. While other providers might continue to use the weaker SSAE-16 SOC 1 standard, we will continue to adopt more of the TSPs during this audit period until we have implemented the full suite of controls laid out by the AT-101 standard.

Over the coming weeks, I'll follow up with information about the changes that the SOC 2 will bring to our reporting environment and our audit document. Check back for more, or better yet subscribe to our blog so you receive an update as soon as information becomes available.

Request a copy of our SOC 2 report as a client or a prospective client here.

Topics: Compliance

Not All SSAE 16 Reports Are Created Equal

The SSAE-16 SOC 1 report is considered to be the mark of a trustworthy technology service provider, but the reality is that every company’s SOC 1 report looks different.

While many providers offer a SOC 1 report, the SOC 1 framework itself does not have a common set of control objectives, meaning there’s no set criteria for what controls are required. I’ve seen SOC 1 reports with as few as 15 controls, and I’ve seen them with over 100 (we’re in the latter camp). While the number of controls is not directly indicative of a provider’s quality, it’s up to the report reader to consider the scope of the SOC report and ultimately decide whether the controls meet their own requirements.

As we develop new products and services, we always consider how they reinforce the existing controls in our SOC audit, and how we can make our audit even stronger. These aren’t just bullets on a PowerPoint presentation, they’re real improvements that we live and breathe.

It might surprise you to learn that the intended audience for a SOC 1 report is reviewers of financial statements.

Technology companies use the SOC 1 report because it’s a direct descendant of the SAS-70 standard, which it replaced. While the AICPA (the governing body responsible for the SAS-70 and SOC standards) would like technology providers to adopt the new SOC 2 framework, the industry has not warmed up to it just yet.

If you’re in the market for colocation, IT infrastructure, or managed services, please drop us a line and we’ll be happy to share our report as a reference as you evaluate providers. And as we kick off our audit engagement this spring, we’ll keep you updated right here as we reevaluate the SOC 2 standard.

Topics: Compliance