The Importance of SSAE-16 for Cloud Backup Providers
“The objective of a service organization control report is to provide clients of a service organization and their independent auditors with information on policies, procedures and controls that may be relevant to their internal control structure and their financial statements. The clients use the report to understand the adequacy and operating effectiveness of their service provider’s controls.”
Why Does It Matter?
So why does it really matter if a cloud backup provider is SSAE-audited? Well, we all know that changes to the IT infrastructure should be documented, but do we actually do it? We know we need to perform backups, but do we actually test the backups? Our networks should also be secure, but do we do penetration testing to verify they are secure? Our systems should have restricted access, but do we review the access logs on a regular basis to make sure this is true? An SSAE-16 audit tests whether a cloud backup service provider actually operates, not just documents, controls in the four IT best-practice areas below:
1. Change Management
Document any changes to your IT environment that has the potential to impact the user community.
2. Physical and Logical Security
Require background checks on all employees. Your security committee should identify the individuals who are granted access to production servers. And any actions taken by these individuals should be logged and monitored by your security team.
3. Network Security
Ensure data is encrypted in flight and at rest. Perform penetration testing on the service by a third party and have your security committee review the test results.
4. Backup Methodology
Conduct a full backup every week and incremental backups daily. Limit your failure domain and test your backup methodology to ensure you stored what you needed and, more importantly, that you can recover from that backup.
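The weekly-full plus daily-incremental scheme above is only useful if the chain restores cleanly and the restored data is checked against what was backed up. The following is an added example, not Zetta's code or anything from its SSAE-16 report: it models the file tree as an in-memory dict of path to bytes (a constructed stand-in for a file system), builds a full backup and two incrementals, restores the chain, and verifies the result against a hash manifest. It also shows two failure modes a restore test should catch: a missing link in the chain and a corrupted restored file.

```python
"""Weekly full + daily incremental backup chain with restore verification.

Added example (not from the original page). The "tree" is an in-memory
dict of path -> bytes standing in for a file system so it runs offline.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Backup:
    kind: str                                   # "full" or "incremental"
    files: dict                                 # path -> bytes stored in this backup
    deleted: set = field(default_factory=set)   # paths removed since the previous backup
    manifest: dict = field(default_factory=dict)  # path -> sha256 of the whole tree at backup time


def full_backup(tree: dict) -> Backup:
    """Weekly full: store every file plus a manifest of the whole tree."""
    return Backup("full", dict(tree), set(), {p: sha256(b) for p, b in tree.items()})


def incremental_backup(tree: dict, previous: Backup) -> Backup:
    """Daily incremental: store only files whose hash differs from the previous manifest."""
    changed = {p: b for p, b in tree.items() if previous.manifest.get(p) != sha256(b)}
    deleted = set(previous.manifest) - set(tree)
    return Backup("incremental", changed, deleted, {p: sha256(b) for p, b in tree.items()})


def restore(chain: list) -> dict:
    """Replay a full backup followed by its incrementals, in order."""
    if not chain or chain[0].kind != "full":
        raise ValueError("restore chain must start with a full backup")
    state = {}
    for b in chain:
        if b.kind == "full":
            state = dict(b.files)
        else:
            for p in b.deleted:
                state.pop(p, None)
            state.update(b.files)
    return state


def verify_restore(restored: dict, expected_manifest: dict) -> list:
    """Compare a restored tree to the manifest of the point in time being restored.

    Returns a list of problems; an empty list means the restore is exact.
    """
    problems = []
    for p, h in expected_manifest.items():
        if p not in restored:
            problems.append(f"missing {p}")
        elif sha256(restored[p]) != h:
            problems.append(f"corrupt {p}")
    for p in restored:
        if p not in expected_manifest:
            problems.append(f"unexpected {p}")
    return problems


def demo() -> tuple:
    """Constructed three-day history: returns (good, missing_link, corrupt) problem lists."""
    day0 = {"ledger.db": b"v1", "config.ini": b"a"}
    day1 = {"ledger.db": b"v2", "config.ini": b"a", "journal.log": b"j"}
    day2 = {"ledger.db": b"v3", "journal.log": b"j"}      # config.ini deleted

    full = full_backup(day0)
    inc1 = incremental_backup(day1, full)
    inc2 = incremental_backup(day2, inc1)

    # Healthy restore of the day-2 point in time.
    good = verify_restore(restore([full, inc1, inc2]), inc2.manifest)

    # Failure mode 1: an incremental is lost, so a later file never appears.
    missing_link = verify_restore(restore([full, inc2]), inc2.manifest)

    # Failure mode 2: storage silently altered a restored file.
    damaged = restore([full, inc1, inc2])
    damaged["ledger.db"] = b"v3-corrupted"
    corrupt = verify_restore(damaged, inc2.manifest)
    return good, missing_link, corrupt


if __name__ == "__main__":
    for label, problems in zip(("good", "missing link", "corrupt"), demo()):
        print(f"{label}: {problems or 'OK'}")
```

The point of the manifest is that each backup records the hash of every file in the tree at that moment, not just the files it stores, so a restore can be checked against the intended point in time rather than against whatever happened to come back. A weekly restore test is exactly running something like `verify_restore` against the most recent manifest and treating any non-empty result as an incident.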
SSAE-16 and Zetta
Many companies need to comply with federal financial rules like Sarbanes-Oxley (SOX). If you have selected a cloud provider to store a copy of your financial data, then an SSAE-16 report is critical to ensure that your partner is following IT best practices when it comes to protecting your data.
The last thing you need is to get audited, only to find that your provider was unable to produce a point-in-time snapshot of your financial database because they did not follow basic data storage principles.
At Zetta, the management team has been managing complex IT environments for more years than they would like to admit, many with publicly traded companies and therefore, the team has gone through several SOX audits.
When they were tasked with building a technical environment that could withstand an SSAE-16 audit, they took the path of most resistance—a more difficult path that mirrors a SOX audit as demonstrated in our SSAE-16 report.
Tough Technical Standards Safeguard Data
Data is the cornerstone of Zetta’s business model. Telling a customer they cannot access their data or, worse, cannot recover data due to issues with the infrastructure is unacceptable, which is why adhering to tougher technical standards benefits our customers.
Rigid change control process: This ensures that any change to the production environment has been vetted in a controlled test environment and that any production change has been reviewed by at least three engineers.
Security: Zetta’s production environment is strictly controlled. All access has to be reviewed and granted by Zetta’s security committee which follows clear guidelines, including a responsibility matrix that governs the technical environment. Data is also encrypted in flight and at rest.
Backup methodology: Zetta has built-in redundancy at every level of its infrastructure. This redundancy is tested monthly to ensure that if a component dies, the secondary component can take over seamlessly. Our recovery processes are exercised weekly by customers successfully restoring their mission-critical data.
From the network to the storage node, Zetta has built an environment that can fortify your most precious commodity, your data.
Zetta’s SSAE-16 audit covers both internal and external (hosting company) processes. So if you’re a publicly traded company, it means that we can provide a report to your auditor showing that our systems have been audited and are secure. It also means that individual customers don’t need to perform their own audits; you can use the SSAE-16 report in your own reporting. For companies that don’t need to file a report, you can rest assured that our service has been inspected by a third party, so you’re not just relying on a vendor’s promise that everything is secure.
Don’t get us wrong – Zetta has top experts designing and managing our cloud backup and restore and disaster recovery service offering, and we’ve got full confidence in their ability to do it right. But even so, we appreciate the security of having an outside expert look over our systems – and we’re sure you do too.