Compliance: it may evoke thoughts of the evil Borg (Star Trek) and assimilation into a rigid, controlling system. Actually, those thoughts aren’t too far from the truth: compliance typically refers to adherence to standards set by government regulatory agencies (the alphabet soup). And for data center designers and operators who want to serve certain clienteles, resistance is indeed futile.
Major Industries Driving Compliance in Data Centers
Major industries for which regulatory compliance in data centers is a requisite for doing business include the finance sector, health care, payment cards and government contracting. Data centers dealing with information provided by or services rendered to organizations in these areas must meet certain standards set by various governments. Failure to do so essentially limits a data center’s potential clientele—a serious handicap, considering the size of these markets. For instance, the health-care market constitutes a growing portion of the U.S. gross domestic product (GDP). According to Businessweek (“Health-Care Spending to Reach 20% of U.S. Economy by 2021”), health-care spending will reach some 20% of the value of all goods and services produced in the U.S. by 2021. Companies providing data center services, especially given the government’s obsession with electronic medical records, can scarcely ignore this burgeoning market.
As mentioned, health care is a major area where compliance is critical to offering data center services. Here, the primary concern is maintaining privacy of patient records and information. Applicable laws include the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information and Technology for Economic and Clinical Health (HITECH—doesn’t the government come up with the coolest acronyms for its endless stream of legislation?) Act. Data centers that store, process or transmit electronic protected health information (ePHI) must comply with these legislative standards. Again, since health care is such a tremendous portion of the economy, neglecting compliance in this area cuts data center companies off from access to a very large base of potential customers. According to Online Tech (“Data Center Standards Cheat Sheet - From HIPAA to SOC 2”), “A HIPAA audit conducted by an independent CHP (Certified HIPAA Practitioner) and CHSS (Certified HIPAA Security Specialist) can provide a documented report to prove a data center operator has the proper policies and procedures in place to provide HIPAA hosting solutions.”
Another big name in compliance is SSAE 16 (formerly SAS 70) for dealing with financial customers. Here, financial regulations such as Sarbanes-Oxley are the focus. The Data Center Journal recently provided a brief, broad overview of SSAE 16 certification for data centers wanting to deal with customers in the financial sector (“Is Your Data Center SSAE 16 Certified”).
And speaking of GDP, the federal government is a giant organization that is the lifeblood of many contracting companies. As the U.S. government looks beyond its own data centers to other companies for IT services, another important area of compliance is the Federal Information Security Management Act (FISMA). According to Rapid7 (“FISMA Compliance”), “All government agencies, government contractors, and organizations that exchange data directly with government systems must demonstrate FISMA compliance. This includes data clearinghouses, state government departments, and government military subcontractors if data is exchanged directly with Federal government systems.” Companies providing cloud services, for instance, are in a prime position to cash in on the federal government’s move toward cloud computing as a means of reducing IT expenses—particularly capital costs.
A broader area of compliance is the Payment Card Industry (PCI) Data Security Standard (DSS), which applies to companies handling credit card information, for example. In this case, the scope of clients for whom PCI DSS compliance is critical goes beyond market segments like health care or finance. Nirix (“Meeting Regulatory Compliance”) notes that “all organizations that accept, store, process or transmit credit card details must be PCI compliant. This multidimensional security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to ensure a controlled and secure environment for processing the sensitive information.” PCI DSS also affects more than just companies offering data center services to customers; in particular, even companies that primarily use their data centers only internally may still deal with credit-card information. Thus, PCI DSS compliance is crucial.
Complications of Compliance
The above-mentioned compliance areas are just a few common examples. Different companies will have different compliance needs depending on the clientele they serve (or aim to serve) and on the services they provide. But complications beyond simply meeting one set of rules and standards can arise, particularly when dealing with international or multinational customers. In such cases, data center service providers may need to deal with multiple compliance standards set by different nations—with absolutely no guarantee that these standards will be mutually compatible. Indeed, regulations in one nation may contradict those of another, leading to difficulty in maintaining compliance.
Furthermore, compliance is a fiscal burden on companies. Although compliance with some set of regulations may provide an artificial competitive edge (artificial in the sense that has nothing to do necessarily with providing a superior service), it isn’t simply a matter of filling out a form or two and declaring that a facility meets certain standards. Audits can be expensive, as can be steps necessary to implement the standards prescribed by regulations. In a tight economy where companies are struggling to meet rising IT demand, sometimes on a budget that is stagnant or is not increasing quickly enough, the added financial burden of compliance can hamper more meaningful improvements to the data center. Unfortunately, this is the nature of regulations: they impose costs without producing anything of value. (Of course, better security and stricter confidentiality of user data may be beneficial and can even garner greater customer loyalty, the imposition of these attributes through a regulatory apparatus increases the associated costs without improving the outcome.)
Compliance with different standards obviously requires taking different measures, but data center operators may be required to implement protocols or develop plans for maintaining data security and confidentiality, train employees or have them agree to certain conditions, and so on. Similarly, data center designers may have to take regulatory standards into consideration when implementing security measures, such as access control and personnel authentication. Encryption standards are also a part of compliance in many cases, as transmitted data must be protected from interception and replication by unauthorized third parties.
Compliance is a large and, unfortunately, growing part of the data center business. As governments—both in the U.S. and in other nations—pass more regulations, compliance burdens on data centers become heavier. Nevertheless, meeting these regulatory standards are often necessary to accessing clienteles in various markets, ranging from health care to finance. Given the size and scope of some of these markets, companies that offer data center services can scarcely ignore them. Thus, both data center operators and designers should be aware of the need for compliance in certain situations.
Photo courtesy of purpleslog