Understanding Data Center Certifications

Really awesome stuff happens inside data centers. Giant, towering constructions housing the world’s information in a cacophony of generators, fans, and electricity.

Unfortunately, data centers are also giant targets for filthy, no-fun criminals trying to make the world a better place for them and not the other billions of people they share the planet with.

That’s why data centers have securities in place to try and prevent any cyber-crimes from happening in the form of data center certifications.

Data center certifications enable data centers to keep up with the quick and ever changing trends in technology. As new or innovative technology enters the market, new legislation, codes of conduct, and more competition urges data center owners and operators to make sure they have an in compliance data center.

What Are the Best Data Center Certification Standards?

The most popular and most important data center certs are as follows:

• HIPAA
• PCI DSS
• SSAE 16
• SOC

Without those certifications, or the ability to acquire them, a data center would be scoffed at and ridiculed.

The most important aspects of people’s lives—medical records, credit card information, personal identification records—are behind walls and walls of not only physical security on-site, mountains of encryption and cyber-security are in place to protect all of that.

Now let’s delve into the meat of these certs and see why they’re so important.

What Is HIPAA?

In order for a data center to be HIPAA compliant they must first pass a rigorous audit to ensure that the facility follows the Code of Federal Regulation (CFR) set by HIPAA inspectors. The inspectors take a detail look into the inner workings of a data center to ensure that any and all data stored inside are protected and only available to those authorized to view them.

They also check to see if a Business Associate Agreement (BAA) is made between the hosting provider and clients with data that are PHI. Any violation of a patient’s PHI are reported to the Office of Civil Rights (OCR). A Business Association Agreement binds employees of both parties to report any such violations.

What Are the HIPAA Compliance Requirements for Data Storage?

Data centers must provide adequate HIPAA data security measures to protect the data of their clients. These security measures include:

• SSL Certificates & HTTPS – All types of web-based access to a patient’s PHI are encrypted and secure to prevent unauthorized connections.
• AES Encryption – Advanced Encryption Standard used to encrypt PHI stored on dedicated servers
• A Virtual or Dedicated Private Firewall Services – A secure firewall will prevent any unauthorized access to protected files.
• Remote VPN Access – Those with proper credentials will be able to access the protected network using a remote computer.
• Disaster Recovery – A documented backup recover plan in case of lost PHI or server malfunction.
• Dedicated IP Address – Private IP address that is cutoff from the public Internet
• Redundant, Isolated, and Secure database and web servers
• High speed connection with hardware that can run a variety of software and application for communication with multiple types of devices
• Separate Test Server

What Are the HIPAA Encryption Requirements?

Just like with PCI DSS compliance, to be certified as a HIPPA compliant data center, one must follow strict encryption and decryption guidelines. From hipaacentral.com:

• Encryption and Decryption – 164.312(a)(2)(iv): Implement a method to encrypt and decrypt electronic protected health information.
• Encryption – 164.312(e)(2)(ii): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

Now that we’ve discussed health information, let’s move onto payment card security.

What is PCI Compliance?

PCI DSS standards were created in 2004 to curb high-profile security breaches by the founding brands of the PCI Security Standards Council, which include but are not limited to, American Express, Discover Financial Services, JCB International, Mastercard Worldwide and Visa Inc. International.

The Payment Card Industry Data Security Standard (PCI DSS) serves the purpose of protecting consumer security for all businesses that process transactions using credit cards.

Through the use of PCI hosting standards, server hosting procedures are implemented to ensure a secure environment for credit card processing.

The standards are updated by the Council, as needed, to stay up-to-date with new or modified requirements. To be considered PCI compliant, businesses must meet all of the required standards sufficiently.

Guaranteeing security and meeting requirements can be a tricky task for some businesses and the fine imposed for violations doesn’t make it any easier.

PCI Data Security Storage

A good rule of thumb is to never store cardholder data unless there is a legitimate and crucial business need. Those who fail to meet this rule are subject to a fine or further legal prosecution.

Check out the table below for some PCI compliant hosting Data Storage guidelines.

What Is SSAE 16?

The Statement on Standards for Attestation Engagements No. 16, or simply SSAE 16, is a set of guidelines for reporting on the level of controls at a service organization. The guidelines were created by the AICPA and went into effect June 15, 2011; replacing SAS 70 as an auditing standard for service organization.

The new standard of reporting on internal controls of a service organization was drafted in order to update organizations in the US service industry to reporting standards that complies with the International Standard on Assurance Engagements No. 3402 (ISAE 3402). There are two types of reports for SSAE 16 along with the addition of a new reporting framework, the Service Organization Control (SOC).

What Is SSAE 16 Compliance?

With the new framework of the SOC reports added to the SSAE 16 standards, SSAE 16 can now replace SAS 70 for service organizations to report on its internal business practices and system controls. The SOC reporting framework consists of 3 types of reporting standards; the SOC 1, SOC 2, and SOC 3.

SOC 1 reporting uses the SSAE 16 professional standard and is more geared towards reports on the Internal Control over Financial Reporting (ICFR).

It is designed to be a reporting standard for a business’ financial reports, highlighting its financial accounting and reporting practices. Although it is similar to the SAS 70 reports it is not relevant to service organizations like data centers which manage the IT infrastructure of multiple businesses.

SOC 2 and SOC 3 reports are issued under the guidelines set forth by the AT Section 101 attest standard. The report details the service organization’s internal system architect focusing on the following criteria:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

Due to the rise in data center hosting, SaaS, and cloud hosting, the new SOC framework was put in place by the AICPA in order to separate service organizations into different categories.

In short, an SOC 1 report detail the controls over financial reporting of an organization while SOC 2 and SOC 3 reports are about the internal controls of the system that host the financial accounts and records of an organization.

Both SOC 2 and SOC 3 reports are more relevant for a business that are looking for a detailed reports over the internal controls a data center provider have set in place to protect against security breaches and prevention of data corruption.

*Table information via pcicomplianceguide.org.