Outsourcing data center services: SMB security best practices

Learn best practices for outsourcing data center services and about the security and compliance considerations that influence whether an SMB should outsource data center services.

Outsourcing data center operations can be an appropriate course of action for small and medium-sized businesses (SMBs). With more stringent federal and industry compliance regulations governing the handling of specific types of data, outsourcing can help make meeting those regulations easier. In this tip, we'll briefly explain the two main types of data center outsourcing, discuss best practices for outsourcing data center services and explain why contracting with a third party for data center service can ease security and compliance efforts.

Two common types of data center outsourcing are co-location and managed hosting. Co-located facilities offer the general infrastructure to house the customer's own hardware. Managed hosting companies will take it a step further and provide not only the facility and infrastructure, but also the hardware. While it's more expensive because more services are involved, managed hosting allows the customer to focus on its business without worrying about configuring, updating and securing any server hardware. Over time, the distinction between these two types of hosting has blurred somewhat, and some hosting providers offer both services, depending on the needs of the customer.

For any SMB, the decision to outsource data center services comes with many security and compliance considerations. There are a few primary factors that should stand out to help determine if outsourcing data center operations is feasible for an SMB.

Outsourcing data center services to improve compliance

To address an ever-increasing number of U.S., Canadian and European privacy laws, companies must ensure the protection of the personal information they process and store. Examples such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and state data privacy laws, stipulate specific technical and physical security requirements.

Meeting these regulatory demands can be expensive and smaller organizations usually don't have the money to justify the investment in a traditional, compliance-friendly dedicated data center. So outsourcing data center operations should be seen as a welcome alternative.

Companies must be able to prove their compliance to regulators, auditors and assessors. Outsourcing can often help to demonstrate compliance.
Joe Malec

Perhaps, just as importantly, companies of all sizes must be able to demonstrate or prove their compliance to regulators, auditors and assessors. While it may go against conventional wisdom, outsourcing can often help to demonstrate compliance because a professional data center operation with any sort of solid reputation will have the infrastructure to protect the confidentially, availability and integrity of its customers' data. Though proof of compliance requires a lot of documentation to that effect, that's essentially what most data protection and privacy mandates call for.

For example, the National Institute of Standards and Technology (NIST) has documented best practices for implementing the HIPAA Security Rule that includes developing facility security plan, access control and validation procedures and contingency operations procedures. The documents cover areas such as the controls in place to protect electronic personal health information, how access controls is managed and data restoration. The more robust the controls in place are, the more solid the documentation will be.

Before choosing a provider, determine whether it has undergone a recognized audit or certification to prove it has met a certain set of industry best practices and certifications, such as ISO 27001. Common audits include Systrust, SAS 70 Type II or CICA 5970. Certifications include ISO27001 and the telecommunication infrastructure standard (ANSA/TIA-942). These are important because they represent an independent validation of the controls the facility has in place, and some serve as validation that an organization can contract with that provider and still maintain compliant with certain mandates. (Note: After June 15, 2011, the ISAE 3402 and SSAE 16 will replace the current SAS 70.)

Best practices for outsourcing data center services 

Be sure to think about backup and recovery. Is the data center outsourcing facility being considered part of a larger network, such as Digital Reality Trust or SunGard, which can offer dozens of locations in the U.S., Canada and Europe that can leverage each other for failover operations to ensure business continuity? If it is a single location, be sure the facility not only provides a comprehensive set of backup and recovery procedures, but also seek out proof that it can deliver them in a way that makes sense for your business. </.P>

Also consider the history and background of your potential provider. Perform some research about the company and the locations where it operates. How long has it been in business? Where is it geographically located? A facility located in southern California can introduce potential issues that may not exist in another area of the country such as seismic activity or potential water shortages. Has it experienced a breach or some other disaster? It does not hurt to do research to find out if the building housing the data center has had problems. This is especially important if it is located in a downtown office building where the probability of fire or power outage is increased due to other tenants or aged infrastructure. Information on these topics can be found by online searches on security breaches and disasters affecting the integrity of data managed by professional data center operations. There are also newsletters that follow the industry as well.

About the author:
Joe Malec is a security analyst and has published multiple articles and coauthored a monthly column on privacy, ethics and security in information technology and has been interviewed on TV and radio. He also serves as the St. Louis chapter president of the Information System Security Association.


Next Steps

Look into SIEM services to cut costs, comply with PCI DSS, HIPAA

The security value of a hosted data center

Dig Deeper on Data security and privacy

Enterprise Desktop
Cloud Computing