Do Data Center Audits Mean Anything?
1sockchuck writes "Data center service providers often tout certifications such as SAS 70, SSAE 16 and SOC 2 as evidence that they meet lofty operational standards. But some of these certifications are based on self-defined standards, and the entire situation is confusing and frustrating to customers, according to one critic, who says data center shoppers are poorly served by the jumble of acronyms and standards. Do these certifications matter when users are seeking data center space? Should they?"
Uses for Audits/Certifications (Score:5, Insightful)
Re:Not really (Score:4, Insightful)
Now, if you get your hands on the detailed reports, the audit result may actually tell you something, at least if the auditors are good. But the certifications pretty much only ensure minimal standards, low enough to be meaningless.
It depends on the purpose of the audit. If the purpose is to appease middle managers and the like, then the auditors (good or bad) will be able to read the request "We need to ensure we are certified for [insert current buzzword]" and see that this is nothing short of an easy way to make a costly fee. If, on the other hand, the request is to find ways to break into the systems and comes from sysadmins or the like, then it is much more likely that the company wants to patch vulnerabilities.
Business is business. If a salesperson sees easy money walking into the office, they will probably sell them overpriced and needless goods/services. If they see someone who knows exactly what it is they want, they will more likely give them exactly what they ask for, and for a reasonable price.
If you want security and reliability... (Score:5, Insightful)
Security and reliability are processes; they are not something you can do once and then forget about. So, yes, I would say that having regular audits is a useful thing. As for whether these specific standards are useful: we have been in the facility that houses most of our servers since before their SAS 70 audit, and their procedures were good before, but there was a noticeable improvement afterwards. Things like a man-trap with a live security person comparing you with your on-file photo before you enter the raised floor, 2-factor auth on all doors rather than just on the key doors, maintenance lock-outs displayed more prominently, EPOs installed (not a benefit to me, but they did put alarmed doors around the EPOs to prevent the common problems).
As far as it being "based on self-defined standards", I'm OK with that. I'm OK with the requirement being that they *HAVE* standards for certain things rather than dictating what exactly those standards are. One size does not fit all, but having standards for what you do, I have found in my own business, improves quality.
Re:Conversation with an Auditor (Score:2, Insightful)
I don't understand why people have such a hard time with this audit concept. In these cases, an Auditor audits your processes as defined by your management. It doesn't matter what your "process" does in real life. That is NOT what an Auditor is checking. You are not being graded on what you do or how you do it. An IT/Financial/Process Audit is NOT an employee performance review. That is something that engineers and programmers can't seem to get through their thick heads.
An Auditor is providing a report to the readers that what is documented is being followed. There is also another part of the Audit where what is written is checked, but that has been too subjective for my tastes too.
Anyway, what you should have done is told your management that the bloody documentation needs to be updated, because your stockholders, board, and upper management think you are doing something totally different from what you really are.
I used to have a LOT of conversations over the years similar to the above. From a former auditor's point of view (with a C programming and process design background), this is how that conversation sounds to us:
Me: How hot do your servers get in the DC?
Tech: We've got quad-core blades running at X GHz.
Me: That's nice, but I need the info to design the cooling systems.
Tech: Dude, we've got multiple quad-core systems; we never even come close to capacity. How is that not good enough?!
Me: Irrelevant, I just need to know how hot your systems run so I can design the optimum cool solution!
Tech: But nothing is crashing, we are doing great! I don't see the problem.
Me: I don't think you are understanding me. I
Re:Not really (Score:4, Insightful)
These aren't intrusion tests they're talking about, but certification audits.
My experience with those (ISO, SAS, etc.) is that a company hires someone to write up a bunch of documents to match what the auditors want to see, and tells the employees where to find them. Then the auditors come and get told/shown what they want to hear/see so they'll go away and let us get back to real work. The documentation isn't looked at again by regular employees until the next audit.
Those certs are just like professional certs such as MCSE, CCNA, etc. They don't really have any bearing on whether or not you're good at what you do, but they sound good to customers/employers.