vXchnge recently conducted a next-generation data center study and we found that 88% of IT leaders are concerned about data breaches. More of more of these IT leaders are looking to information security standards like ISO 27001 data security and business performance. In this podcast, vXchnge's product manager, Sameer Aghera, explains the benefits of ISO 27001 for edge data centers.
Benjamin: Hello, and welcome to the vXchnge podcast. My name is Benjamin Hunting and today I'm speaking with Sameer Aghera who is a product manager at vXchnge. Specifically, we're talking about ISO 27001 and how it can impact data security and business performance. Sameer, thank you very much for being here with us today.
Sameer: Thanks for having me on, Ben.
Benjamin: I know data security is something that's on everyone's mind, but it's not always easy to quantify to a potential customer without getting really, really specific, because there's so many different aspects of data security that you could talk about, that you could quantify in a document that you can send to a customer. Does the ISO standard, does it provide, sort of, a universal shorthand where you can present this to a customer and say, "Here's an internationally recognized standard for security," and it's kind of a...I don't want to say a rubber stamp, but it's kind of a framework which they can easily and quickly understand?
Sameer: Absolutely. So, actually, earlier this year, vXchnge conducted a next-generation data center study and we found that 88% of IT leaders are concerned about data breaches, and you can't really blame them because we've seen some of the adverse effects with recent examples such as Sony, Target and, most recently, LinkedIn. So people are realizing that you have to be proactive about securing critical information, and ISO 27001 is the most widely accepted information security standard. It's used by companies and organizations around the world to put best practices around information security, and at the heart of ISO 27001 is this information security management system, and ISMS is a systematic approach to managing sensitive information. So, it includes everything from people and processes and procedures, as well as IT systems, which are all governed by a risk-management process, and all of these things are continuously improved upon every year. And so ISO provides a great framework to build a solid information security program in your organization.
But, with that being said, I want to make it clear that ISO 27001 does not fully prevent data security incidents from happening, but organizations such as vXchnge who follow ISO 27001 framework are aligned with the global standard and are best prepared to handle when incidents do occur. And this is actually a company-wide initiative, so to give you an example at vXchnge, every single one of our employees go through an annual security awareness training, so they're always thinking about how to protect our customers' data. Furthermore, our executives are also very involved in setting up the ISMS as well, and they're very involved and they have full buy-in about the success of the framework as well. So it really takes the entire organization to secure our customers' data, which is what we...why we have vXchnge.
And then, if you look at it moving forward, I think, with the rise of big data and the internet things, I think this is gonna put even more pressure on data security. So vXchnge is currently the only edge data center that's ISO 27001 certified, so a lot of the edge data centers are gonna be the ones handling this rise in internet of things, data. It's gonna be the first place where you'll see, kind of, the data from all these devices coming into. So we're fully equipped to handle this increasing demand.
And then, you know, finally, when you combine, I think, the controls of ISO 27001 with some of the other controls present in SSAE 16 SOC 2 that relate to environmental security as well as for credit card processing, relating to PCIDSS as well as health care information, which is covered by the HIPAA and HITECH standards, you get a robust, kind of well-rounded security program, and vXchnge is committed to the highest standards of security and that's why we abide by all these different compliance standards.
Benjamin: It's interesting that you mentioned the very public security breaches that have occurred with online companies and credit card companies, and a lot of this occurs on a global basis. It's not simply incidents occurring in the United States or in Europe, but it's distributed throughout the world. Would you think the adoption of this ISO standard would help when attracting international customers who might be reluctant to engage a data center that's in a different country, without having a clearly defined security policy that's, you know, internationally accepted and understood?
Sameer: I think, right now is a...it's an interesting time because, with Safe Harbor being struck down late last year, I think international customers, especially those in the EU, they're very nervous about transferring sensitive data across borders, and there's a lot of uncertainty about how they're gonna proceed from here with Safe Harbor no longer being in effect. So, some organizations had been agreeing to what they're calling "model clauses" which, essentially, it's an agreement between two organizations which allow them to, pretty much, abide by the EU's data protection directives, and allows them to transfer data across borders. But, there's also concerns about these model clauses that if the EU citizens' fundamental rights aren't protected through these clauses, then the clauses themselves could also be struck down the same as what happened with Safe Harbor. So there's a little bit of a conundrum going on here.
And, as I mentioned earlier, ISO 27001 is a well-known standard and is accepted across the world, and part of its effectiveness lies in the fact that organizations who are certified against it are required to maintain and constantly update policies that ensure data security. So these policies include things like information security, access control, network security, business continuity and disaster recovery, among many other things. And, furthermore, organizations such as vXchnge are required to go through annual risk assessment to gauge any potential risks, ensure that these are fixed, so continuous improvement can be made on an annual basis. And, you know, companies like vXchnge who have these policies in place really reduce the likelihood of data breaches happening, and are fully able to remediate any issues if they were to happen to one of our customers.
You know, to kind of sum that up and simply put it, I think ISO 27001 is really becoming a requirement for many international customers looking to co-locate within the U.S., and we actually take it a step further at vXchnge. We not only have processes in place to protect critical information but we also protect the physical devices that are within our data center. So we have a tool using RFID that provides real-time asset tracking, and this allows our customers, really, real-time visibility on where their assets are within any one of our data centers, at any given time, and they can go and log in to the portal, they can see exactly where specific servers or other pieces of equipment are within the data center. If they're moved, they get notifications. They can see when these assets were moved and where they were moved to. So, for international customers who really can't come to our data centers on a regular basis, this gives them an additional level of protection and peace of mind, that they know exactly where the physical locations of sensitive data lies. And all these initiatives are, really, a part of vXchnge's goal to protect our customers' brand.
Benjamin: It's really fascinating that you offer that level of...It's almost virtual, physical security because, as you said, the site inspections are not an easy thing if you're in another country, and to be able to track, you know, almost...it's almost like being there. And, it's kind of interesting also, you mentioned that vXchnge has risk assessments on a continuous basis, and many of your clients have their own security audits that they must perform, not just on their own policies and procedures but also on their vendors, their partners, and I would think that something like this ISO standard would really facilitate the merging of those two audits and not just save time but save money without, in any way, lowering the security of the data that's being stored or transmitted.
Sameer: Absolutely. So, for customers who need to run ISO 27001-compliant applications, not only does their environment - what they run the applications on - need to be ISO 27001-compliant, but the facilities or the data centers where they're co-located also have to be ISO 27001-compliant. So, for data center providers such as vXchnge, undertaking and achieving ISO 27001 really is a significant effort. Just to give you a little perspective, it took us about a year from when we started the certification process to when we got the certificate, to gain the certification, and that was after dedicating hundreds of employee hours across nearly every single department within the company. It also forced us to reevaluate and improve nearly all of our major security policies, and we also instituted new policies that went above and beyond what ISO 27001 required. And all of this was not easy, by any means, and...but by going through it I think it allows our customers now to certify their environments a lot easier and, in doing so, they can now offer different applications, different products, that they couldn't before.
And, you know, further to this, by offering the ISO 27001-compliant data centers, vXchnge can increase the reach of our customers' customers. So, we talked earlier about how ISO 27001 really is a international standard, so if you think about, now, our customers and them doing business with, potentially, other customers who are located outside the U.S., it really opens up the market for them and brings new opportunity to them which they didn't really have before and, as well, you know, relating to this, many of our customers go through very long and stringent RFE processes for potential deals and many of their potential customers ask for a lot of vXchnge's policies and procedures such as incident response or disaster recovery, whatever it may be. And, since these are all required documents to the ISO 27001 certified, we could provide this easily to our customers, which really streamlines the RFP process and helps emphasize the focus on security, not only with our customers but with vXchnge as well, and I think this really enhances our customers', you know, proposal when they're going out and trying to get new customers. So, you know, by certifying our facilities, we're really taking a lot of the burden off our customers, and allowing them to grow as a business as well.
Benjamin: That's fascinating because I think so many companies might see something like this ISO standard as a burden, as you just said it, but in reality it's opening up a world of opportunity, it's opening doors to potential partnerships and markets that they might not have had access to before, and that initial investment pays off substantially down the road, not just in the form of data security but also in the form of opportunity.
Sameer: Absolutely. Now, you know, you have a wealth of companies or potential business that you can now go after that require ISO 27001 processes to be in place, so it's really just a great benefit for our customers from security as well as just, you know, making and expanding their brand as well.
Benjamin: Sameer, thank you very much for taking the time to talk with us today about the new standard that vXchnge has embraced.
Sameer: Absolutely Ben, thank you. Thank you very much for having me.