Data Center Compliances – Do They Matter?
The following excerpt is from Datacate’s Colocation Survival Guide – get the full Guide here.
If your colocated equipment will be used to collect and store financial information, electronic Protected Health Information (e-PHI), to provide services to a government agency or engage in anything else that could be construed as sensitive, you will need to take a hard look at the compliances held by the colocation provider (if any). Your customers may require that you obtain a security audit from the facility that will host your equipment, in which case you’ll need to limit your evaluation to providers who have undergone and successfully completed an audit for SSAE 16 or SOC 2 or SOC 3 compliance – and such providers should be able to provide a report to you that attests to their compliance, once you’ve signed any required non-disclosure agreements. In the case of e-PHI, you absolutely want to seek out a facility that has successfully passed an audit for HIPAA compliance and will sign a Business Associates Agreement (BAA) to provide assurances that they will “toe the line” with regards to compliance.
In reality, the nature of colocation means that the provider will have little or no exposure to your systems and data, so much of this compliance stuff could be construed as a formality of sorts. However, awareness and knowledge of these requirements on the part of the provider can only benefit your colocation, and in the unlikely event that some kind of breach occurs, compliant facilities have controls in place for notification and mitigation, and you may be afforded some measure of recourse.
One more consideration: if you have security requirements attached to your colocation, you will need private locking space for your equipment. That then becomes the determinant of the minimum space you must purchase, as private locking spaces are typically ½ cabinet (20U) in size, though a few providers do offer smaller locking spaces. As you may know, the facility staff reserves the right to have authorized personnel access your private space, typically at your request, but also for any other reason deemed necessary. This is yet another reason that you’ll want to deal with a facility that has passed a relevant security audit: their staff will have been trained on the protocols for allowing (and denying) access as well as what may constitute a breach. This is a critically important point, as HIPAA violations can result in fines of up to $50,000 per incident with an annual maximum of $1.5 million. Know your requirements!