What is SSAE 18 and Why Your Data Center Needs an Attestation of Compliance
By: Rob Morris on July 16, 2019
The world of data center compliance standards is at once quite straightforward and incredibly complex. When looking at a colocation facility, potential customers usually know that compliance standards are important, but they might not know what each standard evaluates or how it could impact their business. The language describing these standards can be confusing, especially when the terminology being used could have multiple meanings or applications.
But understanding data center certifications is incredibly important for colocation customers. It’s one thing to know whether or not a facility is compliant and quite another to appreciate why the question matters in the first place. This is especially true of SSAE 18, one of the most important data center compliance standards in use today.
What is SSAE 18?
SSAE stands for Statement on Standards for Attestation Engagements. Overseen by the American Institute of Certified Public Accountants (AICPA), SSAE 18 governs the way organizations report on their various compliance controls. These reports usually come in the form of a Service Organization Control (SOC) report, which provides the information needed to accurately evaluate the risks associated with outsourced vendors. When assessing data center certifications, these reports provide the attestations of compliance.
Implemented in 2017 to replace the SSAE 16 standards, SSAE 18 imposes greater scrutiny on how companies evaluate and report on their third-party vendors. Broadly speaking, it requires companies to apply the same risk assessment standards to vendors they work with both directly and indirectly. When an organization contracts with a vendor to provide a service, that service provider may in turn subcontract some of that work to another provider.
SSAE 18 defines these vendors as “subservice organizations” and requires them to undergo the same risk assessment to evaluate their organizational controls before the original service provider can receive an SOC attesting that they have the proper systems in place for managing risk. Put simply, it ensures that when someone enters into a relationship with a service provider of any kind, they can trust that any vendors the service provider works with meet the same compliance standards. SSAE 18 is designed to avoid a situation in which a customer might unknowingly expose their business to risk because a vendor partnered with a subservice organization that lacked appropriate risk management policies.
SSAE 18 and SOC Reports
The standards laid out by SSAE 18 directly apply to the creation of SOC reports. Originally introduced in 2011 to replace SAS 70 certifications, SOC reports come in three forms, each one relating to a different aspect of operations.
SOC 1: This engagement reports on whether a service organization has effective internal controls in place over financial reporting, in order to protect client data.
SOC 2: This audit assesses internal controls related to security, including data availability, confidentiality, privacy, and processing integrity.
SOC 3: Similar to an SOC 2, this report attests to the suitability of internal security controls without providing any specific descriptions of the organization’s systems. Whereas SOC 1 and SOC 2 reports are available to customers who use the provider’s services, an SOC 3 report is intended for the general public, allowing potential customers to see that the organization is compliant without revealing any mission-critical or proprietary information about their operations and systems.
Type 1 vs Type 2 Reports
Regardless of their focus, SOC reports come in two types that focus on different stages of risk management. A Type 1 report demonstrates that an organization has the appropriate controls for managing risk in place as of the date the report is issued. When auditors complete a Type 1 report, they evaluate the design of these controls to determine whether they will be effective in practice. This report differs from a conventional audit, however, because it focuses on the policies a company has in place rather than searching for evidence of operational effectiveness.
Type 2 reports, on the other hand, focus on how effective those controls are in practice. While a Type 1 report evaluates control design and assesses implementation at a specific time, Type 2 reports look at a longer period of time (usually six months to a year) and determine whether or not the controls have proven effective in practice.
Why Your Data Center Needs to Be SSAE 18 Compliant
Organizations entrust data centers with some of their most valuable data assets. When they colocate servers or build hybrid cloud deployments over virtualized servers, they want to know that a facility has implemented the very best practices to safeguard that data at all times. If they work with a managed service provider (MSP) partner to build customized, bundled services within the data center’s environment, organizations also deserve to know that the facility’s preferred channel partners meet the same data center compliance standards.
SSAE 18 compliant SOC reporting can provide these reassurances. An SOC 1 attestation can demonstrate that a data center has the appropriate controls in place to protect and account for financial data. When it comes to security, SOC 2 reports verify that a facility’s security operations are in line with industry best practices and are able to maintain high levels of data availability while taking all necessary precautions against the potential of a data breach. Thanks to the thoroughness of SSAE 18 standards, data center customers also know that those same assurances extend to all subservice organizations with connections to the facility, eliminating the chance that some negligent, “fly-by-night” vendor could compromise data security without the customer’s knowledge.
SSAE 18 data center compliance standards ensure that facilities take responsibility not just for themselves, but also hold their vendors to the same high standards of accountability. When assessing a colocation data center, organizations should begin their evaluation by verifying that the facility is SSAE 18 compliant. Given the high value of data, companies can’t afford to take chances with subpar data centers that can’t provide assurances that they’ve implemented the best possible controls to protect their customers’ most precious assets.
About Rob Morris
Rob Morris is the Director of Program Management and the ISMS Manager. Rob chairs the vXchnge Information Security Council and manages the compliance campaigns and is our customer liaison.