Data Center Security Policy | A Practical Guide for SOC 2 Compliance

By Blog, SOC 2

There are many things to consider and questions to ask yourself when setting up your data center. Should you host your data on-premise or in the cloud? If the data is cloud-hosted, who is responsible for security? Is it the company who owns the data, the cloud provider, or both?

The data center security policy outlines procedures and information security measures to prevent unauthorized physical access to your company’s data center(s) and the equipment within. Here are four things to consider when writing this policy:

Where are you going to host your data center?

There are three types of data centers:

  • On-premise
  • Cloud-hosted
  • Co-located

A self-hosted model increases your costs and security requirements, while a cloud-hosted model shifts some of those responsibilities – but makes you dependent on someone else’s infrastructure. It is up to you to understand the consequences of each decision before deciding what is best for your business. In general, small businesses host their data in the cloud to reduce costs.

Who is responsible for security in the cloud?

In theory, you can delegate all security responsibilities to your cloud service provider. But theory is not the same as practice. Cloud service providers don’t care about your security posture because you’re likely 0.00001% of their revenue. You cannot assume they will be responsible and treat their infrastructure issues with the kind of urgency you would. So if you require specific controls from your cloud service provider, you need to state it in your agreement with them up front.

Before finalizing this agreement, review the provider’s contract, documentation of SOC 2 certification, controls, and make sure they meet your security posture. Most cloud providers will provide a shared responsibility matrix to show where their responsibility ends and yours begins. Review this carefully – you might ultimately be responsible for some resource-intensive tasks like operating system management, system patching, and updates as well as managing access controls.

What do you need to consider if this is co-located or on-prem?

If hosting your data center on-prem, your organization is solely responsible for all aspects of information technology and security. This includes provisioning a system to control data center access, assigning appropriate access privileges to your staff and managing the security measures to protect the data center itself (access cards, 24/7 video surveillance and 24/7 security personnel). There should also be a periodic review of who has access to the data center and access logs. All terminal logins should be protected with two-factor authentication. Other things to consider include: routine maintenance, inspection and testing of hardware (and who the hardware is being supplied from), third-party monitoring, diesel generators, battery backups and fire suppression systems.

In a cloud-hosted model, the handling of some responsibilities shifts to a third party. You no longer have to worry about overseeing your own secure data centers, and can instead rely on the provider to monitor sensitive areas, control who can access systems, and protect your equipment from power failures. And while you can take some comfort in not having to worry about physical access anymore, the brunt of the standard information technology responsibilities – writing a data center policy, managing backups, applying patches, implementing change management – might still be all yours to manage.

What happens if there is a data center failure or a disaster?

Regardless of where your data center is hosted, you need to have a backup plan in the event of a disaster or a failure. First, you need to consider your data backups, and know not only where your backups are physically located, but whether you have documented and tested your Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). If hosted on-prem, ensure IT/security staff have data center access, as well as appropriate access privileges.

Then you need to plan for a failure at one or more of your backup locations. Cloud service providers generally have an always-on guarantee, but even the biggest and best cloud providers can experience unplanned outages and disruptions. If their service goes down, yours can too, so consider high availability and redundancy when deciding if cloud-hosting is the right fit for your company. For co-located/on-prem data centers, you might consider having a second data center for backup, but that will double your costs and responsibilities.

Regardless of where you host your infrastructure, the data center security policy is paramount. It defines and assigns the responsibilities between your organization and any cloud services providers you use, and sets expectations for who will do what in case of a disaster. Be sure these duties are agreed upon clearly before you sign contracts with any vendors; your careful planning ahead of time will save you stress, money – and potentially your reputation – when a data center emergency arises.

Tagged under: