Security and compliance are often the biggest concerns that organizations have about moving applications and data to a hosted data center or the public cloud. Does the third-party provider have adequate security controls to protect our data? Are we sure that the provider isn’t mishandling our data or exposing it to unauthorized users, intentionally or unintentionally? Does the provider understand our industry’s regulatory compliance requirements? Data center certifications offer reliable benchmarks customers can use when evaluating public cloud and data center providers.
Customers should look for data center certifications that require providers to meet minimum technical and procedural standards, and that are assessed and verified by independent, outside auditors.
SSAE 16
The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards, and guidance on using the standards, published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). It guides auditors through the discovery and verification of the security controls implemented by data centers and service providers.
Organizations must provide auditors with a written description of their security controls, including all services the organization provides and the operational processes that affect those services. In addition, organizations must submit a written assertion that the description is accurate and representative of the organization’s objectives.
Auditors verify the controls and processes through one of two types of audits. A Type 1 audit simply verifies the description and assertion. Type 2 goes further, testing the implementation and operational effectiveness of the controls over a specified period.
SOC 2 TYPE 2
The reports generated by an SSAE 16 audit follow the Service Organization Control (SOC) framework. SOC 1 covers financial reporting, while SOC 2 is based on the five “trust principles” of security, availability, processing integrity, privacy, and confidentiality.
SOC 2 does not have rigid specifications but allows each organization to design security controls using the trust principles. Access controls, multifactor authentication, encryption, perimeter security, performance and process monitoring, and quality assurance are among the controls used to meet SOC 2 requirements.
SOC 2 certification is critical to the evaluation of cloud and hosting providers because it offers a level of transparency into the provider’s security and compliance capabilities. A provider that meets the requirements of all five SOC 2 categories will have robust security systems capable of detecting suspicious activity and unauthorized user access. The provider will also have an incident response plan and the ability to take appropriate action to mitigate the impact of a security threat.
MSPALLIANCE CLOUD VERIFY
The MSPAlliance Cloud Verify Program is the oldest certification program for cloud computing and managed services providers (MSPs). It is based on the 10 control objectives of the Unified Certification Standard for Cloud & MSPs:
Governance
Policies and procedures
Confidentiality, privacy and service transparency
Change management
Service operations management
Information security
Data management
Physical security
Billing and reporting
Corporate health
The objectives and underlying requirements are utilized by an independent auditor to document and validate the processes of the cloud provider or MSP.
The MSPAlliance Cloud Verify Program is designed to certify that cloud providers and MSPs have met or exceeded well-established standards of excellence and client care. Every certification comes with a written report signed by a third-party accounting firm. The Cloud Verify program has been reviewed by governmental agencies and regulatory bodies worldwide and is used and accepted on five continents.
MAINSTREAM’S DATA CENTER SOLUTIONS
Mainstream Technologies annually undergoes the rigorous process of updating our SSAE 16, SOC 2, and Cloud Verify certifications to validate not only our capabilities but our commitment to protecting our customers’ systems and data. We are also compliant with government and industry regulations, including the Payment Card Industry Data Security Standard.
Our Little Rock data center incorporates multiple layers of physical and data security, including proximity- and biometrics-based access controls. Our facility also has multiple sources of conditioned power, a backup generator, and redundant cooling and humidity controls. These features help create a highly available environment for our customers’ mission-critical systems.
These data center certifications show that our services are aligned with the strictest standards and industry best practices. Our customers can rest assured that we are prepared to help them meet their business, legal, and regulatory compliance requirements.
To learn more about how we can help you meet your hosting challenges, please send us an email.