Sean McCloat, CISSP | May 9, 2017

Selecting an IT Service Provider with Its Own Data Centers

A common need businesses may be trying to fulfill when seeking IT services is managed hosting. Forward-thinking businesses are realizing they can keep expenses in check while strengthening security by using a shared data center infrastructure. A company that requires the use of a data center understands the cost benefits and security advantages of this service over building and maintaining a company’s own data center to house servers, storage, and networking equipment. With managed hosting, businesses get a reliable, secure environment for critical business systems with maximum uptime and reduced operational exposure. At the same time, expenses are controlled by sharing the costs of space, power, and connectivity with other firms.

But even for businesses that do not necessarily need colocation services or managed hosting, there are huge benefits to selecting an IT service provider that has its own data centers.

When an IT service provider owns and maintains its own data centers, the service provider is not relying on a separate vendor to provide data center services for the provider. This can make resolution of issues seamless for clients if a disruption occurs as there are not multiple vendors involved between the IT service provider and the data center provider. As a client, you are dealing directly with the IT service provider to resolve all issues. And if that service provider has multiple data centers configured to provide redundancy, even better – now there is redundancy built into the systems supporting the service the IT company is supplying to clients.

Evaluating Different Data Centers

So once you recognize the value of using a full-service managed service provider (MSP) over the more common break/fix model, what considerations should you place on evaluating the MSP’s data centers? Are there certain standards for data centers?

When evaluating data centers, consider your needs. Does your vertical market impose regulatory requirements you must meet? Are there organizational requirements you must meet? Focus on the type of data center or on the standards with which the data center complies. Also keep in mind that when there is a range of standards, you do not necessarily need the highest level, as that may cause you to overpay for services you don’t need.


Data Center Attestation

The auditing of data centers originated from the financial world where accounting firms audit the financial results of companies. There was a need to validate the security of a data center and verify a data center is properly controlled. Over time, this auditing became more specific to data centers and now we more correctly describe the attestation standards of a data center.

When a data center has met a certain attestation level, this means that independent auditors have come in and tested that there are controls in place to make that data center compliant. There are different attestation standards a data center can meet.

  • SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the current auditing standard against which data centers are audited, having replaced SSAE 16. This standard was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in May 2017.
  • SOC (Service Organizational Control) refers to different reports used for different purposes: SOC 1, SOC 2, and SOC 3. SOC 1 reports deal with controls over financial reporting while SOC 2 and SOC 3 reports focus on controls related to security.
  • Type refers to options within SOC 1 and SOC 2 reports. For both SOC 1 and SOC 2, a Type I report describes the service organization’s system and its controls, while a Type II report also includes a description of the auditor’s tests of controls and results.
  • Tier describes how much power and redundancy is built into the data center: Tier I, Tier II, Tier III, and Tier IV. Think of tiers as a classification, not a certification. The higher the tier, the more redundancy is built into the data center, and the higher the cost to use that data center. The most redundant data centers will have multiple power providers and multiple internet providers coming into the same building for redundancy.

The level of tier you need is based on your type of business and risk tolerance. This should be an important part of your initial conversations with providers. Your provider should be able to help you determine the right level of service you need without overspending on unnecessary redundancy.

(For more information about the process of hiring an MSP, see "10 Questions to Ask Before Selecting an MSP.")

Data Center Auditing Process

The process of auditing a data center to ensure compliance involves an outside party coming in to evaluate the controls put in place at that data center as well as risk management. Outside auditors will evaluate processes and procedures. They are looking for two things:

#1. Are there controls put in place?

#2. Are those controls being followed?

During the attestation process, the auditors will check for evidence that the data center company is following its stated procedures. The auditors will validate this, and the attestation will be done once per year.

Auditors will verify that formal controls have been put in place and are followed in such areas as:

Organization and administration — The organization of the IS department provides for adequate segregation of incompatible duties.

Change control — Changes are made in an orderly, standard process and follow change management procedures.

Access control — Formal information security policies and procedures exist and have been communicated to employees.

Application security — Access to client proprietary data is restricted to authorized users.

Network management — Network hardware and software is appropriately designed and implemented to achieve availability, performance, and resiliency requirements.

Backup and recovery procedures — Backup and recovery plans have been developed to minimize the effect of a disaster on critical processing activities.

Other controls may also be audited depending on the data center, such as controls for HIPAA or PCI DSS.


Corserva’s Data Centers

Corserva is an IT service provider that owns and operates its own data centers in Trumbull, Connecticut and Orlando, Florida, and these data centers are audited annually by independent auditors. Our data centers have met SSAE 18 SOC 2 Type II attestation and are HIPAA and PCI compliant. Our data centers are classified as Tier III. We have found that for our customers, Tier III data centers provide the necessary redundancy without overpaying for more than what’s needed.


Our Connecticut colocation and Florida colocation services include:

  • Rack space
  • Monitoring
  • Power redundancy
  • Internet redundancy
  • Data security
  • Onsite workspace
  • Physical security
  • Remote support

In addition to colocation, many of our clients use our data centers for their own private clouds and for disaster recovery in support of their on-premise IT infrastructure. In the event of a failure at the client’s location, data restoration can be done from either of our data centers.

Corserva provides colocation, IT managed services, IT consultancy, managed security, IT monitoring, business continuity, and supply chain management. In addition to our two geographically dispersed data centers, we have our own network operations centers (NOC) for 24x7x365 remote infrastructure monitoring of our clients’ IT infrastructure.

With Corserva, when you have a problem, you have one number to call. You only need to contact Corserva, and we’ll take care of the rest.


Sean McCloat, CISSP

Sean is responsible for Corserva’s network and security operations centers, field services, sales engineering, data center operations, and professional services. He has an intense focus on delivering exceptional customer service across a wide array of client engagements. With 25+ years of national and global experience in the IT industry, Sean has real world experience at the corporate and enterprise levels of healthcare, advertising, and logistics organizations. In addition to his CISSP certification, Sean is a CMMC-AB Registered Practitioner (RP). He leads Corserva’s assessment and compliance team, guiding companies in meeting business objectives with NIST 800-171 and CMMC.