We’ve probably all been guilty at least once of spouting off an IT acronym in response to a prospective customer’s question about compliance, only to see their eyes glaze over. They don’t care about a string of letters, they want to know how we’re going to solve their business problems.
And unfortunately, when it comes to security and compliance, there are a whole lot of different acronyms our Partners need to wade through.
The slew of IT compliance standards, programs, and frameworks out there today can be mind-boggling, even for IT professionals. So here we’re going to take a look at the major security standards that Sherweb’s managed cloud services and our other supported services are certified for. We’ll also talk about the best ways to explain them to customers.
SOC2 Type II Certification
Let’s start with the big one. System and Organization Control 2 is the gold standard used for assessing the quality of IT service providers. Sherweb is proud to be SOC 2 Type II-certified for seven years running.
What Is It?
SOC reports assess the reliability of service providers of many different types, including IT service providers. They receive a SOC report after completing an intensive audit of their practices and controls, performed by an independent certified public accountant. There are three different SOC reports: SOC 1 is intended only to assess financial service controls. SOC 2 and 3 both report on operational and technical service controls. They’re assessed on five ‘Trust Service Principles’: Their system’s security, availability, and integrity. As well as the confidentiality and privacy of their data handling practices.
The primary difference between SOC 2 and 3 reports are their intended audiences. SOC 3 reports are designed to be public-facing documents. SOC 2 reports offer more confidential details about the service provider’s operations, and so are only available to customers under contract and/or NDA.
At the end of the SOC audit, the CPA issues a Type I report verifying that the service provider is capable of meeting all the standards. Some providers, like Sherweb, take the audit a step further and get a Type II report, where the CPA verifies that the service provider’s standards and practices have actually been consistently applied over time.
What Customers Actually Care About
Customers just want to know that their IT assets are safe and will be available when they need them. If your customer isn’t going to know what SOC 2 is, one useful approach is to explain the underlying Trust Service Principles that Sherweb’s services are certified. You can short-hand ‘Type II’ by saying that the provider has been certified at the highest standard by an independent auditor.
Then there are customers in more heavily-regulated industries, who are often already familiar with SOC. These are easier to deal with. Saying you can put their apps and data in a SOC 2 Type-II certified cloud environment should make them relax, because it often means half their next audit is already done for them, since they’re ‘inheriting’ Sherweb’s certified practices.
SOC2 for Office 365
This is another one we’re proud to hold. Not only have we received SOC 2 certification for our own infrastructure and processes, we’re also SOC 2-certified for managing Office 365 for your customers.
What Is It?
Since Microsoft’s cloud services are already SOC 1, 2, and 3-certified, our own SOC 2 certification is validation of our practices managing your customers’ O365 tenants. For example, the reliability of our user and ACL configurations, and the confidentiality we have built into our processes for managing their user and organizational requests.
What Customers Actually Care About
One of the main concerns we’ve heard from customers resistant to cloud services is they feel that the infrastructure they rely on will be out of their control. If you’re talking to a customer with that concern you can explain that Sherweb’s O365 service practices have been independently audited and verified to be at the highest levels of reliability and confidentiality.
And unlike working with Microsoft alone, Sherweb can handle the O365 migration and onboarding top-to-bottom for your customers. They’ll have a dedicated migration specialist and 24/7 support available for all issues, not just ones Microsoft internally classifies as ‘critical.’
PCI-DSS Compliance
Our Performance Cloud platform is compliant with the Payment Card Industry Data Security Standard, verified annually by an independent auditor.
What Is It?
Any business that wants to process, store, or transact credit card payments needs to run PCI-DSS compliant network infrastructure or IaaS. The DSS was originally developed to protect against credit card fraud, but over time as threats have evolved, it’s become the de facto payment card security standard. It has 12 underlying and lengthy key requirements. These group together into six requirement categories, which we’ve found are more meaningful to customers. They stipulate that a service provider must:
- Maintain a Secure Network
- Maintain a Vulnerability Management Program
- Maintain an Infosec Policy
- Protect Cardholder Data
- Use Strong Access Control
- Regularly Monitor and Test Infrastructure
What Customers Actually Care About
Unless your customers are doing cash-only business they should care about this. They’ll want to know that their own customers’ transaction data will be handled securely. Which in turn protects both their own finances and their reputation.
You can tell them that moving to Sherweb Performance Cloud infrastructure puts their transactions on a platform that meets the strict standards of the payment card industry’s governing body.
MS Azure Compliance Portfolio
Sherweb is also a service provider for Azure, which supports a variety of different compliance standards on its own. It meets SOC 2 and 3, and PCI-DSS standards, just like Sherweb’s own offerings. But we can also stand up Azure environments that meet many other standards that your customers may care about. Three of the most important are ISO-27001, FedRAMP, and HITRUST for HIPAA.
What Are They and Why Do They Matter?
First, Azure is ISO-27001 compliant. This standard mandates that an organization have more than just a certain number of security controls in place, they need a fully-fledged information security management system to keep those controls organized and up to date.
Often times, startups or smaller customers going for private funding will benefit from showing——or may need to show—investors that they have an infosec management system (ISMS) in place. Showing that their cloud services are ISO-27001 compliant makes that easy. Also, state, provincial, and federal programs will sometimes require this certification to award contracts.
Speaking of Federal compliance, Azure and O365 also meet FedRAMP standards. FedRAMP mandates a set of controls as part of an overall security program that contractors for many US Federal agencies need to hold.
If your customers already do business with the US government they should be familiar with this, and be happy to hear that you can easily provision compliant environments. And if you hear from customers who are thinking about pursuing a US government contract it’s worth pointing out that this is a program they’ll need to comply with, and that you’re able to provision what they need.
Azure environments can also be configured according to the HITRUST Common Security Framework. This is a set of security standards designed to ensure IT infrastructure meets HIPAA patient data privacy requirements. Penalties for HIPAA breaches can easily reach into the millions of dollars.
Provisioning a HIPAA-compliant computing environment on in-house infrastructure is usually time-consuming and cumbersome. So you can tell your customers that migrating to Azure means they can deploy HIPAA-compliant environments using predefined blueprints basically on demand, without weeks, months, or even years of planning.
These are just some of the standards that Sherweb can make Azure environments compliant with. The platform is also able to work with GDPR and a variety of other European, global, US, and industry-specific requirements.
It’s All About Trust
That’s a lot of security standards. What all of this boils down to is that when you’re sitting across the table from a prospective customer, no matter what industry, and they ask if their data is safe with you, you can reply, “yes” with confidence. Sherweb’s service portfolio gives you secure, compliant IaaS options for any customer need.
If you have a tricky security issue, feel free to contact Sherweb’s cloud experts for help finding the right solution for your customer.