There are a number of data center certification standards and best practices that colocation customers should understand in order to ensure the ideal performance of their data center facility. Some of the more important data center certification standards to pay attention to are SAS 70 Type II, SSAE 16, SOC, ISO, LEED, Uptime, and the data center tier system. If you are new to the world of data centers or you need a quick refresher on data center standards and compliance, you’ve come to the right place.
What is SAS 70 Type II Data Center Certification?
SAS 70 is an auditing standard designed to allow a 3rd party auditor – unbiased in affiliation – to render a professional opinion on the service controls of an organization. The SAS 70 report includes:
- The auditor’s professional opinion on the operating service controls of the organization in question
- A full description of service controls currently in operation, as stated by the auditor
- A full description of the auditor’s tests of operating effectiveness
The report, once finished, can be used by:
- Customers of the organization, i.e. clients of the data center in question
- Auditors of said clients. These auditors are free to review the report to determine the validity of the data center operations
On top of this, the data center in question is wholly responsible for providing a full description of its control objectives and activities. This must be provided to users of the facility in question and user auditors.
The key factor of SAS 70 Type II is that, although there are benchmarks each facility must meet to be considered SAS 70 Type II certified, there is no pre-determined set of standards that a facility must meet to pass. This means the data center certification is based on comparison with other facilities and on how the auditor views a single facility during his/her visit.
The SAS 70 and the SAS 70 Type II reports are certified by the Auditing Standards Board of the American Institute of Certified Public Accountants, the AICPA.
What is SSAE 16 Data Center Certification?
SSAE 16, or the Statement on Standards for Attestation Engagements, No. 16, was first certified for use in January of 2010. SSAE 16 was standardized with the sole intention of updating and replacing SAS 70. While this remains true, many data center organizations still publicly list SAS 70 and SAS 70 Type II certifications to market more effectively.
SSAE 16, like SAS 70 Type II, governs the auditing standards applied to a data center facility. Like SAS 70 Type II, SSAE 16 is certified by the Auditing Standards Board of the American Institute of Certified Public Accountants, the AICPA. Additionally, it is the international equivalent of the ISAE 3402, or the International Standards for Assurance Engagements 3402.
SSAE 16 data center certification means the following for facilities:
- All data center facilities, to be certified as SSAE 16 colocation providers, must provide a detailed description of their systems as well as a written statement of operating intentions.
- Whereas the SAS 70 standard called for a description of facility controls, SSAE 16 requires facilities to provide a description of overall systems. The difference is that overall systems refers to a larger spectrum of controls which, previously under SAS 70, were never mentioned.
- All data center facilities and auditors must provide a written statement of assertion. This statement must be written by facility management and must contain a specific number of clauses which management asserts they will hold the facility to. Essentially, the statements act as an SLA for the facility itself.
It should be noted that, even if a facility had previously attained a SAS 70 Type II certification from an auditor, the introduction of SSAE 16 made SAS 70 Type II null, meaning all facilities had to reapply to attain SSAE 16 certification.
What are SOC 1, 2 & 3 Data Center Certifications?
To further complicate the issue, SOC certifications are broken into three parts. For the sake of this conversation, we will focus on the most stringent of the three, SOC 2. SOC 1 is mostly equivalent to SSAE 16, and SOC 3 is equivalent to SOC 2 except that it is intended for a public audience. SOC 2 compliance means the following:
- SOC 2 compliance is regulated by the same governing body as SSAE 16 and SAS 70 Type II, the AICPA.
- SOC stands for Service Organization Control
- SOC 2 compliance is conducted in coordination and with the help of AT (Attestation Standard) 101.
- SOC 2 compliance is designed specifically to address technology and cloud computing service organizations.
- SOC 2 utilizes five TSPs, or Trust Service Principles. They are:
  - Security: All systems must be protected, both physically and virtually, against all unauthorized access attempts
  - Availability: The data center infrastructure is available for operation and use as committed to in a statement of assertion
  - Confidentiality: All information held by the organization in question, labeled as confidential, must be protected and secured in a fashion agreed to by both the provider and the client
  - Privacy: All personal information is collected, used, kept and disclosed in accordance with the privacy notice put forth by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants.
  - System Processing: All system processing is accurate, timely, authorized and wholly complete
- SOC 2, like SSAE 16 and SAS 70 Type II, requires a written statement of assertion along with a full description of the data center system. The statement must accompany a written description of the data center system.
The main reason SOC 2 compliance came into being was to deal with the growing number of tech and cloud computing platforms popping up on the market. The hope of SOC 2 standardization is to apply a more stringent set of guidelines and rules to new tech companies to make sure fly-by-night operations cannot get away with providing terrible business services to unknowing consumers.
What is ISO Certification?
ISO, or International Standards Compliance, is the international equivalent of SSAE 16. While the two are maintained by different organizations and carry different structural requirements, for an American-based data center provider to build and utilize a data center in any international territory, that provider must acquire an ISO data center certification.
What is LEED Certification?
LEED, or Leadership in Energy and Environmental Design, is the internationally utilized green building certification system. LEED was developed by the U.S. Green Building Council with the aim of providing facility management with a solid framework to identify and implement measurable green building design. While LEED isn’t mandatory for a data center facility to operate within the United States, it is something to look for.
As we are all well aware of the energy consumption of modern data centers, the LEED certification allows the market to pick and choose which operation it deems most fit by environmental standards.
To learn more about LEED certification, you can visit the USGBC.
What Are Data Center Tiers?
Data center tiers are the four different classifications that make up the Uptime Institute’s four tier system for identifying specific data center infrastructure design aspects. The data center tiers system is an industry standard, used to categorize data center infrastructure functionality based on common needs, in which each tier is defined by a unique set of increasingly specialized data center features.
Now that you have a general understanding of the major data center certifications, here are the basics you should know about data center tiers.
- Data center tiers are measured in four major categories, 1 – 4. A tier one data center is the lowest level facility while a tier four facility is the highest rated.
- A tier one data center maintains 99.671% uptime annually, resulting in at least 28.8 hours of downtime per year. Tier one offers no redundancy, low-level cooling and power, and no backup generators.
- Tier two facilities maintain 99.741% uptime annually, resulting in at least 22 hours of downtime per year. Tier two data centers offer limited power and cooling redundancy along with limited power outage protections.
- Tier three facilities maintain 99.982% uptime annually, resulting in at least 1.6 hours of downtime per year. Tier three facilities are N + 1 fault tolerant, maintain great cooling and power redundancy and ensure clients have, at minimum, 72 hours of power outage protection. Tier three also provides multiple network uplinks and multi-powered equipment.
- Tier four facilities maintain 99.995% uptime annually, resulting in at least 2.4 minutes of downtime per year. These facilities offer at least 96 hours of power outage reserves, are 2N + 1 redundant and are universally dual-powered.
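The tier percentages above are only useful to a colocation customer once they are turned into a concrete downtime budget and compared against what the facility actually delivered. The following added example (not QuoteColo's own tooling; the outage log in it is constructed for illustration) converts each quoted availability figure into hours of downtime per year on a 365-day basis, then merges a year's outage intervals (so two tickets for one incident are not double-counted) and reports the highest tier whose commitment the facility still met.

```python
"""Availability budget check for the Uptime Institute tier percentages quoted above.

Added example, not part of the original article. The tier percentages come
from the article; the outage log below is constructed for illustration.
"""
from datetime import datetime

HOURS_PER_YEAR = 24 * 365  # non-leap year, the convention behind the quoted figures

# Annual availability commitment for each tier, as quoted in the article.
TIER_AVAILABILITY = {
    1: 0.99671,
    2: 0.99741,
    3: 0.99982,
    4: 0.99995,
}


def downtime_budget_hours(availability: float) -> float:
    """Hours of downtime per year that a given availability fraction permits."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * HOURS_PER_YEAR


def tier_budgets() -> dict:
    """Downtime budget in hours for each tier (tier 4 works out to about 26.3 minutes)."""
    return {tier: downtime_budget_hours(a) for tier, a in TIER_AVAILABILITY.items()}


def achieved_availability(outages, year_hours: float = HOURS_PER_YEAR) -> float:
    """Availability actually delivered over one year, given (start, end) outage
    intervals. Overlapping intervals are merged so that two tickets raised for
    the same incident are not counted twice."""
    intervals = sorted((s, e) for s, e in outages if e > s)
    merged = []
    for start, end in intervals:
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    down_hours = sum((e - s).total_seconds() for s, e in merged) / 3600.0
    return 1.0 - down_hours / year_hours


def highest_tier_met(outages) -> int:
    """Highest tier whose availability commitment the outage history satisfies (0 if none)."""
    achieved = achieved_availability(outages)
    met = [tier for tier, a in TIER_AVAILABILITY.items() if achieved >= a]
    return max(met, default=0)


# Constructed outage log for one year: two overlapping tickets for one incident
# (1:00 to 2:00, 60 minutes once merged) plus a separate 20-minute outage.
CONSTRUCTED_OUTAGES = [
    (datetime(2023, 2, 3, 1, 0), datetime(2023, 2, 3, 1, 45)),
    (datetime(2023, 2, 3, 1, 30), datetime(2023, 2, 3, 2, 0)),
    (datetime(2023, 9, 14, 22, 0), datetime(2023, 9, 14, 22, 20)),
]

if __name__ == "__main__":
    for tier, hours in tier_budgets().items():
        print(f"Tier {tier}: {hours:.2f} h/year ({hours * 60:.1f} min)")
    print(f"achieved availability: {achieved_availability(CONSTRUCTED_OUTAGES):.5%}")
    print(f"highest tier met: {highest_tier_met(CONSTRUCTED_OUTAGES)}")
```

With the constructed log the facility loses 80 minutes in the year, which is inside the tier three budget but well outside the tier four budget, so the function reports tier 3. Feeding in a real incident history from the provider's status reports is the simplest way to check whether a marketed tier rating matches delivered availability.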
While the data center tiers system is a widely recognized way to gauge a data center facility’s uptime and reliability, design discrepancies and a lack of ongoing maintenance at some facilities mean colocation customers should look for more data center certification standards than just the tier certification.
We hope this quick insight into data center certification standards proved useful. If you have any questions or concerns on moving forward, feel free to contact QuoteColo with some of your questions.