What does it really mean to be SAS 70 Type II / SSAE 16 Datacenter?

UPDATE: Note that SSAE 16 is the new SAS 70

Many of us have heard that a SAS 70 Type II / SSAE 16 data center is what we should be looking for in a hosting provider; however, what does SAS 70 Type II / SSAE 16 really mean, and what does it tell us about the data center?

First off, don’t be fooled by marketing lingo. There is no such thing as a data center being SAS 70 Type II / SSAE 16 “Certified” or SAS 70 “compliant” like many data centers and hosting companies claim.

SAS 70 Type II / SSAE 16 is an auditing statement or report (not a certification) that is conducted by a neutral third-party auditing firm for the purpose of providing transparency to the customer/prospect as to what exactly the service company (or hosting company in this case) is doing.

It really helps customers answer three questions:

  1. What services does the service company claim that it offers?
  2. Are the actions or “controls” that the service company has in place indeed adequate to guarantee that service?
  3. Is it indeed executing on those actions and controls?

This sounds too generic, so here’s an example.

A hosting company might claim to its customer that it is “Protecting the customer’s data.”

In order to protect the data it may have identified 2 controls that are important to guarantee that service. Those two controls may be:

  1. Backing up the data
  2. Installing Anti-virus on customer machines

However, are those two controls sufficient to guarantee data protection? Second, is the company really performing backups and installing anti-virus software? It is very difficult for a customer to know the answers to those questions. The SAS 70 Type II / SSAE 16 report can help solve that concern. The third-party auditor reviews every control that the service company claims to be performing and reports on whether it is being done or not.

A customer gets a copy of that report and is then able to evaluate the service provider at their own discretion.

Be careful

Knowing that a datacenter has gone through a SAS 70 audit is not sufficient information to entrust your data to that datacenter. But why not?

Well, for two main reasons.

First off, the audit report may yield undesired results. A company may claim that it is backing up data, but the audit may show that the data was not backed up. So you have to be careful.

Second, a datacenter may not offer controls that other datacenters offer. A datacenter that does not offer backups will not be audited for backups! The report only covers the controls the company itself chose to include.

The Lesson

Not all SAS 70 Type II / SSAE 16 reports are created equal!

When shopping for a hosting provider, or a SharePoint hosting provider for that matter, you should ask for the SAS 70 Type II / SSAE 16 report and read through it to ensure that the services the company is offering are up to your standards and that the results of the audit tests are all positive.