Many folks reading this “outsource” some of their computing power or storage to third parties. If you pay for hosting, or back up to a backup service, you’re “outsourcing”. You’re also trusting this third party to take care of your data. Have you looked at the security policies or audits of the companies you are working with? It’s not easy, and at some point you just have to pick a company to work with and hope they’re doing things “right”.
What Can You Do?
All data centers, and some hosting companies, go through an audit called an SSAE16 (previously SAS70 type 2). There are three parts to the SSAE16, and the technical security information is located in the SOC 2 report – sometimes shortened to SSAE16 type II. SOC 1 covers financial information, and SOC 3 is too generic to be of much use (and many companies don’t bother) – it’s just a statement that they have been audited. Getting your hands on the SSAE16 SOC 2 is almost impossible though – you’ll likely have to sign an NDA to read it, and even if you do read it, you might not understand it. It’s a list of the controls a company has that protect the confidentiality, availability and integrity of the data they hold. Those controls are tested by auditors (usually over a period of 6 months), and the auditors make sure that the controls are adequate and operational (i.e., they’re working like they’re meant to).
If you can find out if a company has an SSAE16 SOC 2, just the fact that they have one is a pretty good indicator that they’ve got their ducks in a row from a security perspective. After all, why would you pay to go through the audit (several hundreds of thousands of dollars) and not reasonably expect to pass? Also, the SOC 2 is meant to be shared with customer auditors and no company would want to share it if it was bad.
Companies (usually not US-based ones) can also be certified against ISO 27001, which is the international security standard. I personally think that an ISO 27001 certification is a better indicator of security than an SSAE16 because ISO 27001 dictates specific controls that must be in place.
Review Security Policies
Many companies make a generic version of their security policies available on their web page (or perhaps with an NDA). Take a look at it and consider how reasonable it is, or compare it to what you do at home (or work). Just having a security policy isn’t sufficient – make sure it covers the topics you’re concerned about.
How to Interpret What You Find
Does the company encrypt your data? Who has control of the encryption keys? You? Them? Are you worried about your data being read – or given to a government in response to a subpoena? Consider what you are worried about and see if you can find information about what the company does about it on their web page. It also never hurts to e-mail them and ask – try the general sales e-mail first, they can usually answer your questions.
Popular Companies’ Security Information
- Google (they have an SSAE16)
- Amazon Web Services (they have ISO 27001 certification as well as SSAE16)
- DropBox (They use AWS for storage, so see Amazon’s information)
- Carbonite (hosted at Internap, which does have an SSAE16)
- Office365 (ISO 27001 certified)
- DreamHost (hosted at RagingWire – which has an SSAE16) – YOU have a lot of influence in the security of a hosted system or VPS though
- HostGator (I can’t find anything about any audits – and what I did find on their security makes me nervous)
Are there any other companies you use that you need help finding security information for? I can help in a limited capacity via the comments (i.e., pass on what’s publicly available). If you’re really concerned about outsourcing and want more in-depth security information on your outsourcing company, contact me via e-mail at mom at <my domain> and I can tell you about what my company does and how we might be able to help you.
The comment about HostGator is a bit ominous. I believe a lot of folks leverage their service.
That’s one reason I selected it – I don’t know much about them, and their web page doesn’t give me the warm fuzzies. In some cases (VPS or private server), the customer is responsible for security, but in others, it’s HostGator’s responsibility. If you happen to find or know of any more information on them, I’m happy to update my list. They might be willing to give customers more information. Their whole statement on “other methods are confidential” makes me nervous – but then they go on to say they’re PCI compliant for their VPS and dedicated servers (which is actually pretty strict).
This is very helpful. It looks like Carbonite has the SOC2 report now.