Day by day, businesses across the world are moving more of their operations to the cloud, relying heavily on cloud service providers to protect and secure their data from theft and loss. If they haven't dipped their toes in the big pool of cloud, maybe they've hired a managed services provider (MSP) to handle the day-to-day maintenance and availability of their systems and data or the monitoring of uptime and performance.
Regardless of the path chosen, the potential exposure and risk of business, data, and reputation loss is real. However, both of these paths also provide businesses a great deal of benefit, leading many to try and strike that perfect balance of risk vs. reward in their cloud strategy.
This is where data center compliance comes in.
1. Your Customers Are Thinking about Cloud Security Too
Whether you're in the cloud or not, whether you use an MSP or not, your customers are having the same thoughts about cloud services and systems that you are. They see the same newspaper articles and soundbites on TV about data breaches and cloud outages that you do, and fear the loss of their personal data and business information just as keenly as you do. Being able to put that shiny logo on your site stating that you work with a SOC audited or PCI-DSS compliant data center is the first step in providing the same peace of mind to your customers that you receive yourself working with a compliance-based service provider.
2. Compliance Alone Doesn't Help You—You Need An Audit
Every marketing department out there will come up with some rating, some measurement, where their company is the best and greatest in the world. Every new car has some award as best-in-class for one of its features, and every service provider lists off stats and SLAs like they're going out of style. It's the nature of the beast. The real question, however, is how do you cut through the marketing and get to the nitty-gritty of actual system performance and security? How do you know your provider will actually deliver on what they promise, or that in the event of an actual emergency, they have the resources, the training, and the plan to recover? There are multiple compliance programs, complete with external audit components, to prove that you've met all the checkboxes on your SLAs.
3. Compliance (with Audit) Breeds Stability And Maturity
Organizations undertaking a compliance program suitable to their industry experience something amazing: they have to sit down and think about their internal processes and procedures to optimize and document them for their program.
An audit verifies whether or not providers follow their own guidelines. What's key is the fact that there are guidelines for providers to follow.
A lot of the times, people do something on the job because "that's how it's always been done," and not because it's the best or most secure method.
When I was working in data centers in the early 2000s, borrowing a USB stick was easy from the onsite techs and saved me in a pinch more than once. However, I'd often find the USB stick still had data from other clients, or worse—from the data center vendor itself. Audits like SAS 70, and later SOC 1 and SOC 2, help prevent situations like these. They help providers realize the need for both a data classification policy and the procedures required to secure and erase any device used by a client. This protects not only the customer, but also the provider from claims of a data breach.
4. Scale Breeds Economy
When a provider builds a managed firewall or managed SAN product for customers, they build it first from the mindset of securing customer data from other customers, and second from the mindset of customer availability and ease of use (lest they hand the keys to the kingdom to their other customers).
If I have a big SAN sitting around with 50 customers on it, and all 50 can see the other 49, all I'm doing is giving my customer base the back door they need into my other clients.
You could sign up for a free trial or demo and suddenly have access to all of the data of all of my clients, opening the door to lawsuits and potential loss. That mentality and paranoia leads to highly available and highly secure systems being locked down and compartmentalized, which benefits the clients vs. running their own systems.
After all, a SAN behind your firewall is generally secure, right? How many customers would think to properly segment the management interfaces from their application servers, or worse—how many would fail to segment the data network from the management network, giving a compromised machine in their network full access to all of their data?
Compliance programs, policies, and procedures help cloud providers secure your systems better than you can alone.
5. Not All Compliance Is Created Equal
In the past, we've reviewed that different compliance programs exist for different reasons, I won't rehash the whole argument as to why SOC 2 is the best possible compliance program for a service provider. Needless to say, however, a SOC 1 lacks the common Trust Service Principles that are common across all recipients of a SOC 2 audit. Others, like PCI-DSS, can vary wildly in how people rate themselves and how they apply the principles to systems that might store PII or card data.
Even HIPAA, splashed all over provider websites as "HIPAA Compliant," is not something that is standard to the industry. Auditors will write letters stating a provider is in suitable compliance with the principles of HIPAA and HITECH, but there is very little testing required if a provider has no access to PHI.
Remember: Picking a provider with a HIPAA letter doesn't grant you HIPAA compliance. You need to gain that on your own.
Compliance itself does not ensure that all of your data and systems are perfectly protected. Without audit, compliance is just a bunch of promises your provider wrote on paper and handed to you. Even with audit, a weak compliance program can leave gaps and fissures in your protection. Learning more on the compliance programs, reading the audit report, and picking a provider with the industry-leading SOC 2 audit report is your best option for total cloud compliance.