Data Compliance and Data Centers: What You Need to Know
It’s best to look at data compliance and regulation as standards, which set up best practices for handling, storing, and securing data. Yes, there can be ramifications for non-compliance or failure to meet the established requirements, but even without those consequences, all businesses should be securing and protecting data anyway, customer or otherwise.
Clients turn to data centers and cloud computing providers because those providers typically deliver security and efficiency improvements over in-house solutions. It is therefore up to the provider to deliver those expected improvements as a matter of course, not merely because compliance requires it.
However, compliance, and the rules and regulations behind it, still exists, so it is critical to understand what the requirements are and how a data center should manage them. With that in mind, here is a quick breakdown of the data compliance standards a data center or cloud provider should be aware of.
1. SSAE 18
Statement on Standards for Attestation Engagements no. 18 is maintained by the American Institute of Certified Public Accountants (AICPA). It replaced the older SSAE 16 standard and tightened the requirements for reporting on third-party vendors. For data center providers, this means applying risk assessment standards to every vendor they deal with. The standard refers to these vendors as “subservice organizations,” and the partners that rely on them may bear responsibility for the risks those vendors introduce.
SSAE 18 therefore sets a precedent for properly reporting the risk assessment of these vendors, through a Service Organization Control (SOC) report. SOC reports not only outline risks but also describe the measures a company, the data provider in this case, is taking to protect the data it is responsible for, including customer information. The standard forces companies to uphold compliance and accountability and to take responsibility for everything they do, including how vendors and third parties handle data.
All forms of outsourcing to third-party vendors and service providers fall under this standard, whether it involves managed accounting services, human capital management, or hosting and security services.
2. ISO/IEC 27001:2013
The International Organization for Standardization and the International Electrotechnical Commission jointly publish ISO/IEC 27001 to safeguard private and sensitive data. In more detail, ISO 27001 defines a general process for identifying data risks, addressing access and authentication weaknesses, and locking down customer information.
While a data center may only be indirectly responsible for the private consumer data that one of its high-profile clients handles and stores, that does not absolve the provider of its privacy and security responsibilities for that data.
In other words, data centers must take proper precautions to protect the digital content stored on the servers they own. ISO 27001 sets out a precedent and a system for doing so, and for measuring and maintaining those safeguards over time.
3. SOC 2 Type II
System and Organization Controls (SOC) 2 Type II audits are designed to verify and improve information security through direct evaluation of security controls. The resulting SOC 2 Type II report can be provided to customers or authorities as evidence that proper cybersecurity practices and policies are in place. Like many similar standards, it is also meant to help organizations lock down the data and content they are responsible for.
As a Type II engagement, it is a later stage in a broader auditing process: where a Type I report describes controls at a single point in time, a Type II report attests that those controls operated effectively over a review period. These standards are maintained by the American Institute of CPAs to create a level of trust and responsibility within the information technology field.
4. HIPAA and HITECH
Although commonly associated only with the health care and medical industries, the Health Insurance Portability and Accountability Act (HIPAA), paired with the Health Information Technology for Economic and Clinical Health (HITECH) Act, aims to secure private and sensitive medical details. Together they are among the most widely known standards and regulations in the information technology industry.
Safeguarding private medical data is imperative for every party, from data providers to the companies collecting and using the information directly. The Office for Civil Rights of the U.S. Department of Health and Human Services is responsible for enforcing the regulations these acts establish.
5. European Union’s GDPR
The General Data Protection Regulation (GDPR) is the European Union’s data privacy and security law, and it requires any company doing business in the EU, directly or indirectly, to follow its rules.
Notably, EU residents have the “right to be forgotten,” along with full access to and control over their personal and sensitive data. Data centers around the world must provide the systems and procedures needed to honor that access, especially if they serve clients located in the EU or the UK. GDPR also establishes cybersecurity and data protection standards that must be met to properly secure the data of EU and UK consumers.
6. PCI DSS 3.2
The Payment Card Industry Data Security Standard (PCI DSS), published by the PCI Security Standards Council (PCI SSC), establishes strict requirements for handling and managing personal financial data. It applies to any organization that processes credit card payments electronically, stores cardholder data, or otherwise takes in or processes payment data.
Data centers must meet the standard’s certification requirements, which aim to protect consumer data and payment information, including credit card details.
Additional Need-to-Know Details
Securing data centers, and all the data they handle, including customer and client information, is imperative to the future of business operations. A breach or attack not only causes severe problems for the business itself but also has far-reaching implications for everyone involved, including partners, vendors, customers, and other major entities.
A perfect example is the attack on the Equifax credit bureau, which still has monumental implications today, many years later.
Why Is Data Center Security Important?
Data centers house some of the most critical infrastructure for all manner of organizations, including highly sensitive digital content and information. Security is one of the most important features of any data center and its greatest benefit to organizations; it is largely why they turn to data providers to handle, store, and protect content. Specialized infrastructure and systems are quickly becoming preferred over in-house solutions.
When that security fails, it affects not just the data provider and its customers, including major organizations, but everyone with a vested interest in that digital information, including consumers and other businesses.
Are There Tools to Improve Compliance?
While the field is still in its early stages, there are many innovative solutions for maintaining compliance and cutting down on potential incidents.
For example, one strategy applies machine learning to risk management. This technology can analyze atypical and heterogeneous data sets to detect patterns and warning signs that the human eye cannot, mostly by means of pre-programmed algorithms developed to spot those warning signs.
Can this technology be deployed in a data center right now? Yes, but what that looks like will change over the next few years as the technology evolves and becomes more capable.
What Happens When a Business Is Non-Compliant?
Looking at the many standards and regulations in place, it is easy to see that non-compliance does not carry a single, easily understood consequence but dozens, and perhaps even hundreds, of ramifications.
Legally, a data provider that fails to meet standards and keep up with compliance may face penalties under the law, including fines, shutdowns, and more. That is on top of its responsibilities to customers and clients, who may also take legal action. Every industry is different, and some consequences are far more severe than others, but it is not something any organization wants to deal with.
Editor-in-Chief at ReHack
Devin Partida writes about data, cybersecurity and smart tech for ReHack.com, where she is also the Editor-in-Chief.