Bio not provided
Apologies for any adversarial tone. That was not my intention. Given the complexities of the various controls frameworks it is difficult to craft a concise but thorough explanation of the subtle differences without ending up writing a dissertation. My main point was to highlight that SOC 2, not SSAE 16 is the appropriate report for data center controls like security, availability and processing integrity. I fully agree that Cloud companies are working to satisfy the demands of a diverse customer base coming at them with a variety of compliance requirements.
Customers continue to ask for SSAE 16 reports from cloud providers out of ignorance of available alternatives like SOC 2 or CCM attestations which I believe provide a more consistent and thorough review of cloud and data center controls. I would welcome the opportunity to provide insight on these issues via CloudTweaks or any other forum that can help get the message out.
2 years ago on How Cloud Computing Companies Make Their Data Centers Hacker-Proof
I have to take exception to the following: "The largest U.S. data centers are almost always certified by the federal government under programs like FISMA and SAS 70 Type II certification. Cloud companies that hold these designations have implemented physical and cyber security measures."
FISMA has no specific data center certification program. Under FISMA each government agency is responsible for the development of security plans for defined systems which may include third party data centers. There are federal security standards that must be met that include things like physical security and data security, however, federal security accreditation is specific to a given system, not to a given data center.
Likewise, SAS 70 (replaced by SOC 1 and SSAE 16 in June 2011) is NOT a certification of data center controls and does not guarantee that any data center with a report has acceptable "physical and cyber security measures". SSAE 16 is intended to report on controls relevant to internal controls over financial statement reporting, not of the data center, but of its customers. Every SSAE 16 (SAS 70) report is unique and there is no pre-defined criteria for physical or cyber security measures that must be in place. The SOC 2 report from the AICPA or a third party attestation based on the Cloud Security Alliance's Cloud Controls Matrix (https://cloudsecurityalliance.org/research/ccm/) would be more appropriate to get a comprehensive review of data center controls.
The closest thing to "certification" that I am aware of for data centers is the ISO 27001 certification which is a general information security standard and not specific to data centers.