Does SAS 70 certification mean better data center security?

SAS 70 Type II certification has become a necessary evil for data centers that handle public companies' data. Some IT managers say SAS 70 compliance has helped improve IT security processes, but not everyone agrees.

People charged with data center physical security have the daunting responsibility of minimizing internal and external vulnerabilities and deciding which technologies and strategies should be deployed. With so much at stake, combined with the availability of numerous sophisticated technologies, it can be challenging to navigate through the myriad possibilities to find the best solutions.

Some data center managers say that it is possible to have a definitive security plan, which just needs to be fine-tuned periodically by following guidelines laid out in the Sarbanes-Oxley Act (SOX) of 2002.

SOX was created to provide more government oversight to financial reporting practices, and has had far-reaching ramifications for the security industry. Initially viewed as a burden by IT managers, it's now seen as a useful baseline for developing a data center security plan.

SAS 70 compliance
In the ensuing years, the Statement on Auditing Standards (SAS) 70 has helped ease the reporting pressures that the SOX legislation places on data centers in the public sector as well as those that provide services to public companies and government agencies. There are SAS 70 Type I and SAS 70 Type II certifications. The latter certifies that an organization meets SOX requirements -- specifically whether data center security measures are suitably designed and enforced, and if they are operating effectively.

On the face of it, SAS 70 appears to address more of the network security aspects of the data center, but there are significant physical security elements in it that make the standard more comprehensive overall. "In my opinion, there is nothing more important than the physical security portion in SAS 70," said Corey Needles, general manager of the Denver data center location of hosting company Latisys.

Needles warns new companies that there are some challenges associated with pursuing SAS 70 certification. "It's time-consuming and there is some capital involved in it, depending on where your starting point is with what you practice."

Latisys had many updated security practices in place already, and Needles said it wasn't difficult to obtain SAS 70 certification. Ultimately, SAS 70 certifications require keeping good records, following the process and having the infrastructure in place to meet the standard. After a few years of being SAS 70-compliant, Needles feels the certification has made his company better at managing its environment and control objectives.

In order to comply with some SAS 70 requirements, Latisys needed to adopt some of the newer technologies. For example, SAS 70 certification requires data centers to have certain camera views set up, and these vantage points are more easily obtained with IP cameras than with traditional analog cameras. Latisys decided to purchase these newer cameras in part for compliance, but also because it saw the technology's capabilities and its added layer of security as beneficial to the work of the NOC department.

Noel Rojas, vice president of corporate security of the colocation firm Terremark, said SAS 70 compliance can put additional responsibilities on security personnel, as it requires them to follow specific security protocols that may not be the easiest or most efficient ways to complete tasks. "Security procedures can sometimes impose on employee workdays, but generally they don't balk at procedures when they know it is a SAS 70 compliance issue."

Not everyone is so rosy about SAS 70 Type II certifications, however. According to a recent article, a Gartner analyst said that because SAS 70 is a process audit, it doesn't actually make sure that the service provider is protecting the company data -- just that it is following all processes. Additionally, the data center service provider paying for the SAS 70 Type II defines the parameters of the certification and can gloss over aspects of the security that need real improvement.

Ultimately, many of those responsible for physical security see SAS 70 certification as a necessary evil of doing business today. Needles points out that many industries, including the healthcare and financial sectors as well as government bodies, require certification when outsourcing their data center operations to third parties.

While SAS 70 and SOX have been the largest influences on data center physical security best practices, Mike Hagan, vice president of the data center consulting firm Lee Technologies, said that for true compliance, data centers need to develop internal controls for clients and operators to follow. "Yes, SAS 70 and Sarbanes [are important], but when you say standards, it's about creating the proper training for the individuals, and the proper policies and procedures, including safety compliance and risk mitigation," said Hagan.

What did you think of this feature? Has SAS 70 Type II certification improved your data center's physical security? Write to Matt Stansberry about your data center concerns.
