03-17-09 | Blog Post
Update: SAS 70 reports only on controls related to financial reporting. If you need assurance of controls directly related to data centers, including privacy, security and availability, look for a SOC 2 report.
SAS 70 was replaced by SSAE 16 in June 2011.
Selecting a co-location provider is an important decision. Some co-location providers are willing to submit to independent audits and then fund the equipment and process investments necessary to complete the full audit. Online Tech recently completed our own SAS 70 audit at all three Michigan data centers because we know this process offers our clients the following benefits:
If you’re thinking of building out your own data center, don’t forget to budget for SAS 70 auditing costs. They can easily run over $100,000 per year. When you outsource your data center instead, selecting a vendor who has already made the SAS 70 investment spares you those same audit costs and other security costs. For example, by sharing a copy of the SAS 70 report from your co-location provider with your PCI or CISP assessor, you can often reduce the cost of those audits.
Visiting the data centers of prospective co-location providers is an important part of the selection process. But visits are expensive: they take time and expertise, the visits themselves take time, and then there’s the time to debrief (“So, Jenny, what did you think of that data center?”). By reviewing a SAS 70 audit report you can learn immediately what controls are in place and whether the data center has been reviewed for completeness and audited by a CPA expert.
Co-location providers all claim to be secure. But a provider who voluntarily goes through a SAS 70 audit is paying more than lip service: they have hired a third-party auditor to test and confirm the controls that underlie the ability to truly deliver a secure environment.
While you can do your own visits to make sure a data center is physically secure, and your own network review to make sure a network is secure, it’s much more difficult to confirm the riskiest portion of data center operations: the processes.
Some of the world’s best hackers have relied on “social engineering” to gain access. See www.kevinmitnick.com for one of the most famous cases, which served as the inspiration for the movie War Games. Social engineering is the process of tricking people into divulging passwords and other critical information. How do you know that your provider is only making changes to your equipment as directed by you? How do you know someone else isn’t calling your provider and posing as one of your employees? What processes or procedures does your provider have to ensure this doesn’t happen? In a SAS 70 audit the auditor actually tests the controls the provider claims to have, so you don’t have to take them on faith.
Today’s 24×7 always-on hosted world requires some of the highest reliability the industry has ever had to deliver. Leading the charge is redundancy of everything. Redundancy of power, network, servers, storage and even entire data centers makes up the bulk of the investment toward ever higher degrees of reliability. A SAS 70 audit verifies that claimed backup systems, including generators for power, additional cooling units and UPS (uninterruptible power supply) infrastructure, are in place and properly managed.
Hardware failure can often be attributed to a lack of preventative maintenance of critical infrastructure components and other “pre-failure investments”. The SAS 70 audit verifies that any claim of preventative maintenance is backed up with proper documentation and service records.
But, like security incidents, many service interruptions happen due to human error. Changes made to the wrong device, and changes improperly engineered or improperly managed, are all very common root causes of failure. At the heart of a great data center operation is strict management of all changes, called change management. The SAS 70 audit verifies that any claimed change management processes exist and are followed. The result is higher reliability.
SAS 70 has become a well-known and respected standard for data centers. Being able to say that you use only SAS 70 audited providers is a strategic advantage.
By selecting a SAS 70 provider, you show your prospects and clients that you take security seriously. To be competitive with any hosted application (e.g. SaaS), you will have to host your information in a SAS 70 audited environment.
Besides, let’s say you are a fast-growing SaaS provider with 30 customers. Currently none of your customers require you to host in a SAS 70 audited data center. Then you have an opportunity to land a really large corporate customer, but they require a SAS 70 environment. What do you do now? Are you going to have two providers? Are you going to move your other 30 customers? If you anticipate growth, and you want to compete, you’ll have to choose a SAS 70 audited provider.
A SAS 70 audited data center may be required for you to win clients in certain regulated industries. Certain types of data, by regulation, require that physical, logical and process controls be in place. Specifically, Section 404 of Sarbanes-Oxley calls for testing of internal IT controls that relate to financial reporting, even for outsourced IT functions. HIPAA also has specific data handling controls that can be confirmed with a SAS 70 audit report. PCI and CISP compliance can be more easily accomplished by starting from a SAS 70 audit.
The same principle that applied to competition above applies to regulation. Say you have a wonderful online database used by many industries, hosted at a data center that is not SAS 70 audited. Then you land a really large opportunity with a hospital, but they require that you use a SAS 70 audited provider. What do you do? Do you move all your other customers? That’s expensive. Do you pay for the audit yourself? That’s really expensive. Do you support two infrastructures and two providers? That’s really, really expensive. Start with a SAS 70 audited provider even if today you aren’t sure you need it.