Compliance Standards And Regulations That Keep The Cloud Secure

This is the fifth in a series of posts that drill deeper into cloud security and some of the key questions it sparks. In the fourth installment, I highlighted network security in the cloud. In this fifth installment, I will highlight the compliance standards and regulations that keep the cloud secure.

To ensure that your data is secure in our data centers and our cloud, Rackspace must adhere to certain compliance standards and regulations. These standards ensure that you can trust us with your data and that our security practices are up to snuff.

There are a host of security compliance standards and regulations out there. Here is a primer on some of the ones to which Rackspace adheres.

PCI Compliance

I often hear customers and prospects ask whether or not we are PCI compliant. PCI DSS (Payment Card Industry Data Security Standard), in short, is a security standard that revolves around how and where PII (Personally Identifiable Information) resides. A lot of acronyms, to be sure! Anyway, a Qualified Security Assessor (QSA) has validated Rackspace as a PCI DSS Level 1 Service Provider. The QSA validation of our compliance with the PCI DSS covers:

  • Physical security for Rackspace data centers located in the United Kingdom, Hong Kong and the United States
  • Network infrastructure (routers and switches)
  • Rackspace employee access to network devices

Please note, however, that simply hosting a solution with Rackspace does not make you PCI DSS compliant. There are many intricacies involved here, and I would recommend spending some time researching this topic further. The PCI Security Standards Council would be a good place to start.

SSAE 16/ISAE 3402

Formerly known as SAS 70 Type II, SSAE 16 and ISAE 3402 are new international service organization reporting standards. In the US, the American Institute of Certified Public Accountants (AICPA) created the Statement on Standards for Attestation Engagements (SSAE) No. 16 to mirror ISAE 3402. The SSAE 16 and ISAE 3402 Type II SOC 1 audit and report supersede and effectively replace the Statement on Auditing Standards (SAS) No. 70 Type II.

These standards define the criteria an auditor must employ in order to assess the contracted internal controls of a service organization such as a hosted data center; an insurance claims processor or credit processing company; or a company that provides outsourcing services that can affect the operation of the contracting enterprise.

Rackspace recognizes the needs of our international and US customers and has worked with the service auditor to have the report issued with a joint opinion that satisfies the requirements of both ISAE 3402 and SSAE 16. The new report, the ISAE 3402 / SSAE 16 Type II SOC 1, is available to our customers and prospects.

Safe Harbor

With respect to our Safe Harbor certification: You can find more information about what is covered under our certification at Our self-certification addresses what data we collect and how we process such data. When providing information technology hosting services, Rackspace may process personal data controlled by our customers. Rackspace processes that data at your direction and in accordance with the terms of our customer agreements and a data processing agreement in place with each of our entities located in the European Union.

Safe Harbor is essentially a process for organizations in the US and EU that store customer data, designed to prevent accidental information disclosure or loss. Companies certified under Safe Harbor must follow several guidelines regarding how data is collected, used, transferred and secured.

ISO 27001

Rackspace has also received certification under the ISO/IEC 27001:2005 Information Security Management System (ISMS) standard for some of its data centers. The standard was created by the International Organization for Standardization (ISO) and is governed jointly with the International Electrotechnical Commission (IEC).

ISO/IEC 27001:2005 is the formal international security standard against which organizations may seek independent certification of their Information Security Management System (ISMS). It is intended to be used with ISO 27002:2005, a security code of practice.

ISO 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS, which is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

That’s it for this week. I hope you found it informative. Bookmark this page to keep up with security developments at Rackspace.


  1. This is my first time on your blog and I have really enjoyed looking around this post. I will come back again in the future to check out some of the other articles related to cloud security. Thanks

  2. It’s the SSAE16 SOC2 report that is equivalent to the old SAS-70 type-2 document. By comparison, a SOC1 covers the financials of your organisation and the robustness of controls around how your financial statements are generated, reviewed and released.

    Your customers, I expect, will be more interested in receiving a SOC2 report under NDA as this is an independent validation of the operating control environment and its effectiveness within your organisation (including IT processes, standards and procedures). SOC2 will give regulated customers such as financials and government confidence that you have operationalised the same types of controls that they themselves are tested for.

  3. I really like your blog site and appreciate the information given about SSAE 16. We also provide SSAE 16 services like SSAE 16 Assessment and SSAE 16 Attestation to clients all over the globe, including the USA. You can contact us about further posts on SSAE 16 audits and other standards, and visit our official website for more information about SSAE 16 resources.

  4. How can I request a copy of your ISAE 3402 / SSAE 16 Type II SOC 1 report for review? We are currently looking to do business with Rackspace.

    • Would be really great to get a link to a copy of the ISAE 3402 / SSAE 16 Type II SOC 1 for review. We have many customers, especially in higher ed, who are requesting this type of audit information.
