This is the fifth in a series of posts that will drill deeper into cloud security and some of the key questions it sparks. In the fourth installment, I highlighted network security in the cloud. In this fifth installment, I will highlight compliance and regulations that keep the cloud secure.
To ensure that your data is secure in our data centers and our cloud, Rackspace must adhere to certain compliance standards and regulations. These standards ensure that you can trust us with your data and that our security practices are up to snuff.
There are a host of security compliance standards and regulations out there. Here is a primer on some of the ones to which Rackspace adheres.
I often hear customers and prospects ask whether or not we are PCI compliant. PCI DSS (Payment Card Industry Data Security Standard) in short is a security standard that revolves around how and where PII (Personally Identifiable Information) resides. A lot of acronyms to be sure! Anyway, a Qualified Security Assessor (QSA) has validated Rackspace as being a PCI DSS Level 1 Service Provider. The QSA validation of our compliance to the PCI DSS covers:
- Physical security for Rackspace data centers located in: the United Kingdom, Hong Kong and the United States
- Network infrastructure (routers and switches) and
- Rackspace employee access to network devices
Please note however, that simply hosting a solution with Rackspace does not make you PCI-DSS compliant. There are many intricacies involved here and I would recommend spending some time researching this topic further. The PCI Security Standards Council would be a good place to start.
SSAE 16/ISAE 3204
Formerly known as SAS70 Type II, SSAE 16 and ISAE 3402 are new international service organization-reporting standards. In the US, the American Institute of Certified Public Accountants, (AICPA) created the Statement for Standards for Attestation Engagements (SSAE) No 16 to mirror the ISAE 3402. The SSAE 16 and ISAE 3402 Type II SOC 1 audit and report supersedes and effectively replaces the Statement on Auditing Standards (SAS) No. 70 Type II.
The standards defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization like a hosted data center; insurance claims processor or credit processing company; or a company that provides outsourcing services that can affect the operation of the contracting enterprise.
Rackspace recognizes the needs of our international and US customers and has worked with the service auditor to have the report issued with a joint opinion that satisfies the requirements of both the ISAE 3402 and the SSAE 16. The new report, ISAE 3402 / SSAE 16 Type II SOC 1 is available to our customers and prospects.
With respect to our Safe Harbor certification: You can find more information about what is covered under our certification at https://safeharbor.export.gov/list.aspx. Our self-certification addresses what data we collect and how we process such data. When providing information technology hosting services, Rackspace may process personal data controlled by our customers. Rackspace processes that data at your direction and in accordance with the terms of our customer agreements and a data processing agreement in place with each of our entities located in the European Union.
Safe Harbor is essentially a process for organizations in the US and EU that store customer data designed to prevent accidental information disclosure or loss. Companies certified under Safe Harbor must follow several guidelines regarding how data is collected, used, transferred and secured.
Rackspace has also received certification of the ISO/IEC 27001:2005 Information Security Management System (ISMS) Standard for some of its data centers. The standard was created by the International Organization for Standardization (ISO) and is governed with the International Electro technical Commission (IEC).
ISO/IEC 27001:2005 is the formal international security standard against which organizations may seek independent certification of their Information Security Management System (ISMS). It is intended to be used with ISO 27002:2005, a Security Code of Practice.
ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving ISMS, which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.
That’s it for this week. I hope you found it informative. Bookmark this page to keep up with security developments at Rackspace.