In the UK, there are approximately 400 listed data centres. Not only that, there are thousands of web hosting companies, from small digital agencies that host their customers’ websites, right up to FT250 listed hosting providers. But how many of these meet the standards of their ISO accreditations? How many ensure their suppliers meet their security and compliance obligations? Graham Marcroft, operations & compliance director at Hyve Managed Hosting, explores the answers.
These are just some of the questions that customers should be asking about their hosting security and compliance requirements when working with a managed hosting provider, in order to ensure future-proofed security of their increasingly valuable data.
Data vs. diamonds
Our world is becoming increasingly digital and, because of this, the value of data has skyrocketed in recent years. This massive surge in value means that taking the necessary steps to protect and manage data properly should be of paramount importance for all businesses. For example, imagine someone wants to buy their partner an expensive diamond ring that they won’t wear every day, one that is just for special occasions. They find the perfect ring, a £40,000, princess-cut diamond sitting behind a window with steel bars on the inside. After the lengthy process of being granted access to the store, they purchase the ring. But the next morning, the ring has been left on the dressing table in their house, as there is no more secure place to put it. The ring is nowhere near as secure as it was when it was in the shop.
Much of the data that exists is handled in a similar way. Once outside of a data centre, it is left unsecured and unprotected, nowhere near as safe as it was whilst inside. This is a concerning prospect, especially as data itself is becoming more valuable than diamonds.
Of the approximately 400 listed data centres in the UK, just over half are ‘tier 3 enhanced’, one of the highest ratings available. This means that all of the systems are fully redundant; fail-safes are built-in throughout the entire data centre, which means they are extremely secure. Gaining physical access to a ‘tier 3 enhanced’ data centre is harder than gaining access to the Houses of Parliament. Data security is taken just as seriously. The two main information security accreditations are ISO 27001 and SOC 2, whereby an independent auditor thoroughly examines the policies, procedures, staff, infrastructure, even suppliers, of the data centre, on an annual basis, to ensure its data is as secure as possible.
So, surely the argument stands that a managed services provider (MSP) should hold the same information security accreditations, and have its systems, policies, and procedures checked to the same level as a data centre? In 2017, out of the tens of thousands of hosting providers, only 3,367 held the ISO 27001 certification. At the time of writing, finding an up-to-date list has proven surprisingly difficult, yet even if the number of certified MSPs has doubled, there are still lots of companies that will have access to the data an MSP manages for businesses. Overall, an MSP without SOC 2 accreditation is nowhere near as secure as a data centre.
What actually is SOC 2?
Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is an auditing procedure designed for service providers that store customer data in the cloud to ensure that their information security measures are up to standard. SOC 2 stands for ‘System and Organisation Controls’ and is about putting well-defined policies, procedures, and practices in place and then testing them over a long period of time – not just ticking all the compliance checkboxes. Doing so effectively builds trust with customers and end-users about the secure nature and operation of an MSP and its cloud infrastructure.
What does the process involve?
The audit process involves reviewing the audit scope and developing a comprehensive plan that ensures the day-to-day running of the MSP and its infrastructure falls within that scope. This then provides a set of policies and procedures against which the audit is run, which can be conducted over a specified period. Each policy and procedure is then tested, covering all aspects from staff and HR through to the design and operating effectiveness of controls. Finally, the results are documented and delivered in a final report.
SOC 2 defines criteria for managing customer data based on five trust service principles, which are security, availability, processing integrity, confidentiality, and privacy.
The security principle refers to the protection of system resources against unauthorised access. Access controls help prevent potential system abuse, theft or unauthorised removal of data, misuse of the software, and improper alteration or disclosure of information. IT security tools such as network and web application firewalls (WAFs), two-factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorised access of systems and data.
The availability principle refers to the accessibility of the managed service as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties. This principle does not address system functionality and usability but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.
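The availability principle above says the minimum acceptable availability is agreed contractually, which means the MSP must be able to demonstrate, from its monitoring records, what it actually delivered. The following is an added example, not code from the article or from Hyve; it assumes a constructed month of outage records and a hypothetical 99.5% SLA. It clips outages to the reporting period, merges overlapping outages so that two monitors reporting the same incident are not double-counted, and shows how the result changes depending on whether planned maintenance is excluded, which is the clause a customer should check in the SLA.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data: one reporting month and a handful of outages.
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 2, 1)          # exclusive; 31 days = 44,640 minutes
SLA_PERCENT = 99.5                         # hypothetical contractual target


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    planned: bool   # many SLAs exclude announced maintenance windows


SAMPLE_OUTAGES = [
    Outage(datetime(2024, 1, 5, 10, 0), datetime(2024, 1, 5, 11, 30), planned=False),  # 90 min
    Outage(datetime(2024, 1, 5, 11, 0), datetime(2024, 1, 5, 11, 45), planned=False),  # overlaps the above
    Outage(datetime(2024, 1, 12, 2, 0), datetime(2024, 1, 12, 6, 0), planned=True),    # 4 h maintenance
    Outage(datetime(2024, 1, 31, 23, 30), datetime(2024, 2, 1, 0, 15), planned=False), # straddles month end
]


def merged_downtime_seconds(period_start: datetime, period_end: datetime,
                            outages: list[Outage]) -> float:
    """Total downtime inside the period, with overlapping outages merged."""
    clipped = []
    for o in outages:
        s, e = max(o.start, period_start), min(o.end, period_end)
        if e > s:                       # drop outages that fall entirely outside the period
            clipped.append((s, e))
    clipped.sort()
    merged: list[tuple[datetime, datetime]] = []
    for s, e in clipped:
        if merged and s <= merged[-1][1]:       # overlaps or touches the previous interval
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return sum((e - s).total_seconds() for s, e in merged)


def availability_percent(period_start: datetime, period_end: datetime,
                         outages: list[Outage], exclude_planned: bool = True) -> float:
    total = (period_end - period_start).total_seconds()
    relevant = [o for o in outages if not (exclude_planned and o.planned)]
    down = merged_downtime_seconds(period_start, period_end, relevant)
    return 100.0 * (total - down) / total


def sla_check(period_start: datetime, period_end: datetime, outages: list[Outage],
              sla_percent: float, exclude_planned: bool = True) -> dict:
    """Compare measured availability with the agreed target and the downtime budget it implies."""
    total_minutes = (period_end - period_start).total_seconds() / 60
    actual = availability_percent(period_start, period_end, outages, exclude_planned)
    return {
        "availability_percent": round(actual, 3),
        "sla_percent": sla_percent,
        "allowed_downtime_minutes": round((100 - sla_percent) / 100 * total_minutes, 1),
        "planned_excluded": exclude_planned,
        "sla_met": actual >= sla_percent,
    }


if __name__ == "__main__":
    for exclude in (True, False):
        print(sla_check(PERIOD_START, PERIOD_END, SAMPLE_OUTAGES, SLA_PERCENT, exclude))
```

With the sample data the unplanned downtime merges to 135 minutes, so the month meets a 99.5% target only when planned maintenance is excluded; including the 4-hour window drops availability below the target. Whether the provider may exclude such windows, and how much notice it must give, is exactly the kind of SLA detail a customer should confirm before relying on the headline figure.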
The processing integrity principle addresses whether or not a system achieves its purpose – such as delivering the right data, at the right price, at the right time. Accordingly, data processing must be complete, valid, accurate, timely and authorised. However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.
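To make the five processing integrity properties concrete, here is an added example that is not code from the article or from Hyve. It assumes a constructed CSV billing batch delivered alongside a manifest in which the sender attests the record count, a SHA-256 of the file, who submitted it and when; the allowlist of authorised submitters and the cut-off time are likewise constructed. The control checks that the batch is authorised, timely, accurate (matches what was attested), complete and valid before it is accepted for processing. It also illustrates the caveat in the paragraph above: a value that is wrong at the source but well-formed passes every check, because that is data integrity, not processing integrity.

```python
from __future__ import annotations
import csv
import hashlib
import io
from datetime import datetime, timezone

# Constructed sample input (not real customer data).
SAMPLE_BATCH = (
    "invoice_id,customer_id,amount_pence,currency\n"
    "INV-1001,C-77,12999,GBP\n"
    "INV-1002,C-12,450,GBP\n"
    "INV-1003,C-77,2500,EUR\n"
)
AUTHORISED_SUBMITTERS = {"billing-export@example.invalid"}   # hypothetical allowlist
ALLOWED_CURRENCIES = {"GBP", "EUR", "USD"}
CUTOFF = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)      # hypothetical processing deadline


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The manifest is what the sending system attests about the batch.
SAMPLE_MANIFEST = {
    "record_count": 3,
    "sha256": sha256_hex(SAMPLE_BATCH.encode()),
    "submitted_by": "billing-export@example.invalid",
    "submitted_at": "2024-03-01T08:15:00+00:00",
}


def validate_record(row: dict, line_no: int) -> list[str]:
    """Validity: each record conforms to the agreed schema."""
    errs = []
    if not str(row.get("invoice_id", "")).startswith("INV-"):
        errs.append(f"valid: line {line_no}: malformed invoice_id")
    try:
        if int(row.get("amount_pence", "")) < 0:
            errs.append(f"valid: line {line_no}: negative amount_pence")
    except ValueError:
        errs.append(f"valid: line {line_no}: amount_pence is not an integer")
    if row.get("currency") not in ALLOWED_CURRENCIES:
        errs.append(f"valid: line {line_no}: unsupported currency")
    return errs


def check_batch(batch_text: str, manifest: dict, cutoff: datetime,
                authorised: set[str] = AUTHORISED_SUBMITTERS) -> dict:
    """Gate a batch on the processing integrity criteria; return findings for the audit trail."""
    findings: list[str] = []

    # Authorised: only approved senders may submit batches.
    if manifest.get("submitted_by") not in authorised:
        findings.append(f"authorised: submitter {manifest.get('submitted_by')!r} not on allowlist")

    # Timely: the batch must arrive before the processing cut-off.
    submitted_at = datetime.fromisoformat(manifest["submitted_at"])
    if submitted_at > cutoff:
        findings.append(f"timely: submitted at {submitted_at.isoformat()} after cut-off")

    # Accurate: the content we received is the content the sender attested to.
    if sha256_hex(batch_text.encode()) != manifest.get("sha256"):
        findings.append("accurate: SHA-256 of batch does not match manifest")

    rows = list(csv.DictReader(io.StringIO(batch_text)))

    # Complete: no records lost or duplicated in transit.
    if len(rows) != manifest.get("record_count"):
        findings.append(f"complete: manifest says {manifest.get('record_count')} records, got {len(rows)}")

    # Valid: every record conforms to the schema (header is line 1).
    for line_no, row in enumerate(rows, start=2):
        findings.extend(validate_record(row, line_no))

    return {"accepted": not findings, "records": len(rows), "findings": findings}


if __name__ == "__main__":
    print(check_batch(SAMPLE_BATCH, SAMPLE_MANIFEST, CUTOFF))
```

In practice the findings list would be written to the same log the auditor samples when testing operating effectiveness, so that every rejected batch is evidence the control ran. Note what the control cannot do: if the source system exports INV-1001 with the wrong amount and attests a hash over that wrong file, the batch is accepted, which is why quality assurance upstream of the processing entity still matters.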
Data is considered confidential if its access and disclosure are restricted to a specified set of persons or organisations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information. Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.
The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organisation’s privacy notice, as well as with criteria set forth in the AICPA’s Generally Accepted Privacy Principles (GAPP). Personally identifiable information (PII) refers to details that can distinguish an individual, such as your name, address, or national/social security number. Some personal data relating to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorised access.